ASA-2019-00402 – Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS


Allele Security Alert

ASA-2019-00402

Identifier(s)

ASA-2019-00402, CVE-2019-12781

Title

Incorrect HTTP detection with reverse-proxy connecting via HTTPS

Vendor(s)

Django Software Foundation

Product(s)

Django

Affected version(s)

Django master development branch
Django 2.2.x before version 2.2.3
Django 2.1.x before version 2.1.10
Django 1.11.x before version 1.11.22

Fixed version(s)

Django version 1.11.22
Django version 2.1.10
Django version 2.2.3

Proof of concept

Unknown

Description

When deployed behind a reverse-proxy that connects to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly report client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure() and build_absolute_uri(), and means that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.
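The following is an added illustration, not code from the Django project or from this alert: a minimal model of how the scheme was resolved before and after the fix, so the misdetection can be reproduced offline. The FakeRequest class, the sample META dictionaries and the function names are constructed for this example; the only Django-derived concepts are SECURE_PROXY_SSL_HEADER (a (header, value) pair), the WSGI wsgi.url_scheme key and the is_secure()/SECURE_SSL_REDIRECT behaviour named in the description.

```python
# Added illustration (not Django's own code) of the CVE-2019-12781 logic.
# All names and sample data below are constructed for this example.

# The deployment's SECURE_PROXY_SSL_HEADER setting: trust this header when it
# carries exactly this value.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


class FakeRequest:
    """Stand-in for django.http.HttpRequest exposing only what the bug needs:
    the META mapping and the scheme of the proxy -> Django hop."""

    def __init__(self, meta, hop_scheme):
        self.META = dict(meta)
        # wsgi.url_scheme describes the connection *between proxy and Django*,
        # not the connection the end client used.
        self.META["wsgi.url_scheme"] = hop_scheme

    def _get_scheme(self):
        return self.META["wsgi.url_scheme"]


def scheme_before_fix(request, setting):
    """Vulnerable behaviour: the proxy header can only ever upgrade to https.
    When the header is present but does not match, control falls through to
    the hop scheme, which is 'https' whenever the proxy speaks TLS to Django."""
    if setting:
        header, value = setting
        if request.META.get(header) == value:
            return "https"
    return request._get_scheme()


def scheme_after_fix(request, setting):
    """Fixed behaviour: once the setting is configured and the header is
    present, the header is authoritative in both directions."""
    if setting:
        header, value = setting
        header_value = request.META.get(header)
        if header_value is not None:
            return "https" if header_value == value else "http"
    return request._get_scheme()


def should_redirect_to_https(request, scheme_fn, setting, secure_ssl_redirect=True):
    """Models SECURE_SSL_REDIRECT: redirect iff the request is not secure."""
    return secure_ssl_redirect and scheme_fn(request, setting) != "https"


# Constructed scenario: the proxy terminates client TLS (if any) and always
# re-encrypts to Django, so the inner hop is 'https' for every request.
CLIENT_OVER_HTTP = FakeRequest({"HTTP_X_FORWARDED_PROTO": "http"}, "https")
CLIENT_OVER_HTTPS = FakeRequest({"HTTP_X_FORWARDED_PROTO": "https"}, "https")
NO_HEADER = FakeRequest({}, "https")  # proxy forgot to set the header


def compare(setting=SECURE_PROXY_SSL_HEADER):
    """Return the scheme each implementation reports for each request."""
    return {
        "http_client_before": scheme_before_fix(CLIENT_OVER_HTTP, setting),    # "https" (wrong)
        "http_client_after": scheme_after_fix(CLIENT_OVER_HTTP, setting),      # "http"
        "https_client_before": scheme_before_fix(CLIENT_OVER_HTTPS, setting),  # "https"
        "https_client_after": scheme_after_fix(CLIENT_OVER_HTTPS, setting),    # "https"
        "no_header_before": scheme_before_fix(NO_HEADER, setting),             # "https"
        "no_header_after": scheme_after_fix(NO_HEADER, setting),               # "https" (falls through)
        "setting_unset_after": scheme_after_fix(CLIENT_OVER_HTTP, None),       # "https" (header ignored)
    }


def redirect_decisions(setting=SECURE_PROXY_SSL_HEADER):
    """Whether an HTTP client would be redirected to HTTPS, before and after."""
    return {
        "before": should_redirect_to_https(CLIENT_OVER_HTTP, scheme_before_fix, setting),  # False (bug)
        "after": should_redirect_to_https(CLIENT_OVER_HTTP, scheme_after_fix, setting),    # True
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:22s} -> {result}")
    print(redirect_decisions())
```

Two points for operators follow from the fixed branch. First, the header is now trusted in both directions, so the long-standing documented precondition for SECURE_PROXY_SSL_HEADER is essential: the proxy must set or overwrite the header on every request it forwards, never passing through a client-supplied value. Second, the no_header cases show that an absent header still falls through to the hop scheme in both versions, so a proxy that omits the header on plain-HTTP client connections keeps the misdetection even on a fixed Django.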

Technical details

Unknown

Credits

Gavin Wahl

Reference(s)

Django security releases issued: 2.2.3, 2.1.10 and 1.11.22
https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

Fixed CVE-2019-12781 — Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
https://github.com/django/django/commit/54d0f5e62f54c29a12dd96f44bacd810cbe03ac8

[2.2.x] Fixed CVE-2019-12781 — Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e6cd6

[2.1.x] Fixed CVE-2019-12781 — Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
https://github.com/django/django/commit/1e40f427bb8d0fb37cc9f830096a97c36c97af6f

[1.11.x] Fixed CVE-2019-12781 — Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050

CVE-2019-12781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12781

CVE-2019-12781
https://nvd.nist.gov/vuln/detail/CVE-2019-12781

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.