01.07.2019       Выпуск 289 (01.07.2019 - 07.07.2019)       Релизы

Django security releases issued: 2.2.3, 2.1.10 and 1.11.22

Читать>>




Экспериментальная функция:

Ниже вы видите текст статьи по ссылке. По нему можно быстро понять ссылка достойна прочтения или нет

Просим обратить внимание, что текст по ссылке и здесь может не совпадать.

Thanks Gavin Wahl for reporting this issue.

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

When deployed behind a reverse-proxy connecting to Django via HTTPS,django.http.HttpRequest.schemewould incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results foris_secure(), andbuild_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance withSECURE_SSL_REDIRECT.

HttpRequest.schemenow respectsSECURE_PROXY_SSL_HEADER, if it is configured, and the appropriate header is set on the request, for both HTTP and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP requests, and that connects to Django via HTTPS, be sure to verify that your application correctly handles code paths relying onscheme,is_secure(),build_absolute_uri(), andSECURE_SSL_REDIRECT.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email tosecurity@djangoproject.com, and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.






Разместим вашу рекламу

Пиши: mail@pythondigest.ru

Нашли опечатку?

Выделите фрагмент и отправьте нажатием Ctrl+Enter.

Система Orphus