Thanks Gavin Wahl for reporting this issue.
CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
When deployed behind a reverse-proxy connecting to Django via HTTPS,django.http.HttpRequest.schemewould incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results foris_secure(), andbuild_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance withSECURE_SSL_REDIRECT.
HttpRequest.schemenow respectsSECURE_PROXY_SSL_HEADER, if it is configured, and the appropriate header is set on the request, for both HTTP and HTTPS requests.
If you deploy Django behind a reverse-proxy that forwards HTTP requests, and that connects to Django via HTTPS, be sure to verify that your application correctly handles code paths relying onscheme,is_secure(),build_absolute_uri(), andSECURE_SSL_REDIRECT.
Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:
The following releases have been issued:
The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email email@example.com, and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.