#27961: HTTP_X_FORWARDED_PROTO is bypassed
-------------------------------------+-------------------------------------
Reporter: cryptogun | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 1.10
Severity: Normal | Resolution:
Keywords: redirect HTTPS X | Triage Stage:
-Forwarded-Proto | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Tim Graham:
Old description:
> I'm using nginx + gunicorn and display pages via HTTPS:
> 1. Both default settings:
> Nginx setting: `proxy_set_header X-Forwarded-Proto $scheme;`
> Django setting: ~~`HTTP_X_FORWARDED_PROTO=None`~~
> `SECURE_PROXY_SSL_HEADER = None`
> Result: ''No redirect.'' I'm not getting a ''ERR_TOO_MANY_REDIRECTS''
> complain from Chrome.
>
> 2. Use default setting in nginx; use a wrong setting in Django, i.e. the
> 'httpsssss' part:
> `proxy_set_header X-Forwarded-Proto $scheme;`
> ~~`HTTP_X_FORWARDED_PROTO='httpssssssss'`~~ SECURE_PROXY_SSL_HEADER =
> ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')
> ''No redirect.''
>
> 3. Use default setting in nginx; use a wrong setting in Django:
> `proxy_set_header X-Forwarded-Proto $scheme;`
> ~~`HTTP_X_FORWARDED_PROTASDF='httpssssssss'`~~ SECURE_PROXY_SSL_HEADER =
> ('HTTP_X_FORWARDED_PROTASDF', 'httpssssssss')
> ''No redirect.''
>
> 4. Use custom HTTPS indicator in both nginx and Django:
> proxy_set_header X-Forwarded-Protooo $scheme;
> ~~`HTTP_X_FORWARDED_PROTOOO='https'`~~ SECURE_PROXY_SSL_HEADER =
> ('HTTP_X_FORWARDED_PROTOOO', 'https')
> ''No redirect.'' This is the expected behavior.
>
> 5. Use custom HTTPS indicator in both nginx and Django, and testing for a
> unsafe protocol ( != 'https'):
> proxy_set_header X-Forwarded-Protooo $scheme;
> ~~`HTTP_X_FORWARDED_PROTOOO='httpsssss'`~~ SECURE_PROXY_SSL_HEADER =
> ('HTTP_X_FORWARDED_PROTOOO', 'httpsssss')
> Chrome complains ''ERR_TOO_MANY_REDIRECTS''. This is the expected
> behavior.
>
> 6. A fix testing by myself:
> Add an else clause under [these
> lines](https://github.com/django/django/blob/master/django/http/request.py#L196-L197).
>
> {{{
> else:
> return 'http'
> }}}
>
> And set:
> `proxy_set_header X-Forwarded-Proto $scheme;`
> ~~`HTTP_X_FORWARDED_PROTO='httpssssssss'`~~ SECURE_PROXY_SSL_HEADER =
> ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')
> Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS''.
>
> Did someone forget to add the else clause, or there are 3 'http' 'ftp'
> and 'ftps' scheme left?
> If a site use 5. An attacker may set request `X-Forwarded-Proto` header
> to bypass the HTTPS check and result in 1,2,3.
New description:
I'm using nginx + gunicorn and display pages via HTTPS:
1. Both default settings:
Nginx setting: `proxy_set_header X-Forwarded-Proto $scheme;`
Django setting: `SECURE_PROXY_SSL_HEADER = None`
Result: ''No redirect.'' I'm not getting a ''ERR_TOO_MANY_REDIRECTS''
complain from Chrome.
2. Use default setting in nginx; use a wrong setting in Django, i.e. the
'httpsssss' part:
`proxy_set_header X-Forwarded-Proto $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')`
''No redirect.''
3. Use default setting in nginx; use a wrong setting in Django:
`proxy_set_header X-Forwarded-Proto $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTASDF', 'httpssssssss')`
''No redirect.''
4. Use custom HTTPS indicator in both nginx and Django:
proxy_set_header X-Forwarded-Protooo $scheme;
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'https')`
''No redirect.'' This is the expected behavior.
5. Use custom HTTPS indicator in both nginx and Django, and testing for a
unsafe protocol ( != 'https'):
proxy_set_header X-Forwarded-Protooo $scheme;
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'httpsssss')`
Chrome complains ''ERR_TOO_MANY_REDIRECTS''. This is the expected
behavior.
6. A fix testing by myself:
Add an else clause under
[https://github.com/django/django/blob/001cf53280f7e2b72199237f37c340d2639fe143/django/http/request.py#L196-L197
these lines].
{{{
else:
return 'http'
}}}
And set:
`proxy_set_header X-Forwarded-Proto $scheme;`
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')`
Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS''.
Did someone forget to add the else clause, or there are 3 'http' 'ftp' and
'ftps' scheme left?
If a site use 5. An attacker may set request `X-Forwarded-Proto` header to
bypass the HTTPS check and result in 1,2,3.
--
--
Ticket URL: <https://code.djangoproject.com/ticket/27961#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/067.d08532842e8265fc49395c4f787998e1%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
