Django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

[Mariusz Felisiak <felisiak.mariusz () gmail com>]

https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

In accordance with `our security release policy 
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the 
Django team is issuing `Django 1.11.22 
<https://docs.djangoproject.com/en/dev/releases/1.11.22/>`_, `Django 
2.1.10 <https://docs.djangoproject.com/en/dev/releases/2.1.10/>`_, and 
`Django 2.2.3 <https://docs.djangoproject.com/en/dev/releases/2.2.3/>`_. 
These releases addresses the security issues detailed below. We 
encourage all users of Django to upgrade as soon as possible.

Thanks Gavin Wahl for reporting this issue.

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting 
via HTTPS
================================================================================

When deployed behind a reverse-proxy connecting to Django via HTTPS, 
``django.http.HttpRequest.scheme`` would incorrectly detect client 
requests made via HTTP as using HTTPS. This entails incorrect results 
for ``is_secure()``, and ``build_absolute_uri()``, and that HTTP 
requests would not be redirected to HTTPS in accordance with 
``SECURE_SSL_REDIRECT``.

``HttpRequest.scheme`` now respects ``SECURE_PROXY_SSL_HEADER``, if it 
is configured, and the appropriate header is set on the request, for 
both HTTP and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP requests, 
and that connects to Django via HTTPS, be sure to verify that your 
application
correctly handles code paths relying on ``scheme``, ``is_secure()``, 
``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.

Affected supported versions
===========================

* Django master development branch
* Django 2.2 before version 2.2.3
* Django 2.1 before version 2.1.10
* Django 1.11 before version 1.11.22

Resolution
==========

Patches to resolve the issue have been applied to Django's master branch 
and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained 
from the following changesets:

* On the `master branch 
<https://github.com/django/django/commit/54d0f5e62f54c29a12dd96f44bacd810cbe03ac8>`__
* On the `2.2 release branch 
<https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e6cd6>`__
* On the `2.1 release branch 
<https://github.com/django/django/commit/1e40f427bb8d0fb37cc9f830096a97c36c97af6f>`__
* On the `1.11 release branch 
<https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050>`__

The following releases have been issued:

* Django 1.11.22 (`download Django 1.11.22 
<https://www.djangoproject.com/m/releases/1.11/Django-1.11.22.tar.gz>`_ 
| `1.11.22 checksums 
<https://www.djangoproject.com/m/pgp/Django-1.11.22.checksum.txt>`_)
* Django 2.1.10 (`download Django 2.1.10 
<https://www.djangoproject.com/m/releases/2.1/Django-2.1.10.tar.gz>`_ | 
`2.1.10 checksums 
<https://www.djangoproject.com/m/pgp/Django-2.1.10.checksum.txt>`_)
* Django 2.2.3 (`download Django 2.2.3 
<https://www.djangoproject.com/m/releases/2.2/Django-2.2.3.tar.gz>`_ | 
`2.2.3 checksums 
<https://www.djangoproject.com/m/pgp/Django-2.2.3.checksum.txt>`_)

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance, Django's GitHub repositories, or the django-developers list.
Please see `our security policies 
<https://www.djangoproject.com/security/>`_
for further information.