Django/django
11
0
Fork 0
Code Pull Requests Projects Releases Activity

[1.11.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.

Browse Source 
An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.

HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.

Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.

Backport of 54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 from master.
This commit is contained in:
Carlton Gibson 2019-06-13 10:57:29 +02:00 committed by Mariusz Felisiak
parent 58553bb297
commit 32124fc41e
4 changed files with 43 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
django/http/request.py
View File

@ -199,13 +199,14 @@ class HttpRequest(object):
def scheme(self): def scheme(self):
if settings.SECURE_PROXY_SSL_HEADER: if settings.SECURE_PROXY_SSL_HEADER:
try: try:
header, value = settings.SECURE_PROXY_SSL_HEADER header, secure_value = settings.SECURE_PROXY_SSL_HEADER
except ValueError: except ValueError:
raise ImproperlyConfigured( raise ImproperlyConfigured(
'The SECURE_PROXY_SSL_HEADER setting must be a tuple containing two values.' 'The SECURE_PROXY_SSL_HEADER setting must be a tuple containing two values.'
) )
if self.META.get(header) == value: header_value = self.META.get(header)
return 'https' if header_value is not None:
return 'https' if header_value == secure_value else 'http'
return self._get_scheme() return self._get_scheme()
def is_secure(self): def is_secure(self):

11
docs/ref/settings.txt
View File

@ -2189,10 +2189,13 @@ whether a request is secure by looking at whether the requested URL uses
"https://". This is important for Django's CSRF protection, and may be used "https://". This is important for Django's CSRF protection, and may be used
by your own code or third-party apps. by your own code or third-party apps.
If your Django app is behind a proxy, though, the proxy may be "swallowing" the If your Django app is behind a proxy, though, the proxy may be "swallowing"
fact that a request is HTTPS, using a non-HTTPS connection between the proxy whether the original request uses HTTPS or not. If there is a non-HTTPS
and Django. In this case, ``is_secure()`` would always return ``False`` -- even connection between the proxy and Django then ``is_secure()`` would always
for requests that were made via HTTPS by the end user. return ``False`` -- even for requests that were made via HTTPS by the end user.
In contrast, if there is an HTTPS connection between the proxy and Django then
``is_secure()`` would always return ``True`` -- even for requests that were
made originally via HTTP.
In this situation, you'll want to configure your proxy to set a custom HTTP In this situation, you'll want to configure your proxy to set a custom HTTP
header that tells Django whether the request came in via HTTPS, and you'll want header that tells Django whether the request came in via HTTPS, and you'll want

20
docs/releases/1.11.22.txt
View File

@ -5,3 +5,23 @@ Django 1.11.22 release notes
*July 1, 2019* *July 1, 2019*
Django 1.11.22 fixes a security issue in 1.11.21. Django 1.11.22 fixes a security issue in 1.11.21.
CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
--------------------------------------------------------------------------------
When deployed behind a reverse-proxy connecting to Django via HTTPS,
:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
requests made via HTTP as using HTTPS. This entails incorrect results for
:meth:`~django.http.HttpRequest.is_secure`, and
:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
requests would not be redirected to HTTPS in accordance with
:setting:`SECURE_SSL_REDIRECT`.
``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it
is configured, and the appropriate header is set on the request, for both HTTP
and HTTPS requests.
If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
that connects to Django via HTTPS, be sure to verify that your application
correctly handles code paths relying on ``scheme``, ``is_secure()``,
``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.

12
tests/settings_tests/tests.py
View File

@ -334,6 +334,18 @@ class SecureProxySslHeaderTest(SimpleTestCase):
req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'https' req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'https'
self.assertIs(req.is_secure(), True) self.assertIs(req.is_secure(), True)
@override_settings(SECURE_PROXY_SSL_HEADER=('HTTP_X_FORWARDED_PROTOCOL', 'https'))
def test_xheader_preferred_to_underlying_request(self):
class ProxyRequest(HttpRequest):
def _get_scheme(self):
"""Proxy always connecting via HTTPS"""
return 'https'
# Client connects via HTTP.
req = ProxyRequest()
req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'http'
self.assertIs(req.is_secure(), False)
class IsOverriddenTest(SimpleTestCase): class IsOverriddenTest(SimpleTestCase):
def test_configure(self): def test_configure(self):