Re: [Django] #27961: HTTP_X_FORWARDED_PROTO is bypassed

Sun, 19 Mar 2017 22:35:47 -0700 

#27961: HTTP_X_FORWARDED_PROTO is bypassed
-------------------------------------+-------------------------------------
     Reporter:  cryptogun            |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  HTTP handling        |                  Version:  1.10
     Severity:  Normal               |               Resolution:
     Keywords:  redirect HTTPS X     |             Triage Stage:
  -Forwarded-Proto                   |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by cryptogun):

 Replying to [comment:1 Tim Graham]:
 > I'm having trouble understanding the report. What is the second line in
 each item (e.g. `HTTP_X_FORWARDED_PROTO=None` supposed to represent?
 Values of the [https://docs.djangoproject.com/en/stable/ref/settings
 /#secure-proxy-ssl-header SECURE_PROXY_SSL_HEADER] setting? By the way, if
 there is a security issue here, please
 [https://docs.djangoproject.com/en/dev/internals/security/#reporting-
 security-issues report the issue to the security team].
 Yes your guess is right. Django sets `HTTP_X_FORWARDED_PROTO` to None by
 default as the link you provided tells. I've updated the main thread to
 make it more clear.
 I think this is a small issue so not reported it to the security team.
 Since normally we do a HTTP to HTTPS redirect in nginx by this setting
 `listen: 80; return 302 https://$server_name$request_uri;`

--
Ticket URL: <https://code.djangoproject.com/ticket/27961#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.389c0ce634778140591c8cbe1fbe23a0%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to