2019 年 7 月 1 日
Django 2.1.10 fixes a security issue in 2.1.9.
When deployed behind a reverse-proxy connecting to Django via HTTPS,
django.http.HttpRequest.scheme would incorrectly detect client
requests made via HTTP as using HTTPS. This entails incorrect results for
is_secure(), and
build_absolute_uri(), and that HTTP
requests would not be redirected to HTTPS in accordance with
SECURE_SSL_REDIRECT.
HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it
is configured, and the appropriate header is set on the request, for both HTTP
and HTTPS requests.
If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
that connects to Django via HTTPS, be sure to verify that your application
correctly handles code paths relying on scheme, is_secure(),
build_absolute_uri(), and SECURE_SSL_REDIRECT.
5月 12, 2023