Changes between Initial Version and Version 2 of Ticket #27961
- Timestamp:
- Mar 20, 2017, 12:17:45 AM (7 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #27961
- Property Component contrib.redirects → HTTP handling
-
Ticket #27961 – Description
initial v2 1 nginx + gunicorn: 2 1. 3 `proxy_set_header X-Forwarded-Proto $scheme;` 4 `HTTP_X_FORWARDED_PROTO=None` 5 ''No redirect.'' 6 2. 1 I'm using nginx + gunicorn and display pages via HTTPS: 2 1. Both default settings: 3 Nginx setting: `proxy_set_header X-Forwarded-Proto $scheme;` 4 Django setting: `HTTP_X_FORWARDED_PROTO=None` 5 Result: ''No redirect.'' I'm not getting a ''ERR_TOO_MANY_REDIRECTS'' complain from Chrome. 6 7 2. Use default setting in nginx; use a wrong setting in Django, i.e. the 'httpsssss' part: 7 8 `proxy_set_header X-Forwarded-Proto $scheme;` 8 9 `HTTP_X_FORWARDED_PROTO='httpssssssss'` 9 10 ''No redirect.'' 10 3. 11 12 3. Use default setting in nginx; use a wrong setting in Django: 11 13 `proxy_set_header X-Forwarded-Proto $scheme;` 12 14 `HTTP_X_FORWARDED_PROTASDF='httpssssssss'` 13 15 ''No redirect.'' 14 4. 16 17 4. Use custom HTTPS indicator in both nginx and Django: 15 18 proxy_set_header X-Forwarded-Protooo $scheme; 16 19 `HTTP_X_FORWARDED_PROTOOO='https'` 17 ''No redirect.'' 18 5. 20 ''No redirect.'' This is the expected behavior. 21 22 5. Use custom HTTPS indicator in both nginx and Django, and testing for a unsafe protocol ( != 'https'): 19 23 proxy_set_header X-Forwarded-Protooo $scheme; 20 `HTTP_X_FORWARDED_PROTOOO=None` 21 ''ERR_TOO_MANY_REDIRECTS'' 22 6. 24 `HTTP_X_FORWARDED_PROTOOO='httpsssss'` 25 Chrome complains ''ERR_TOO_MANY_REDIRECTS''. This is the expected behavior. 26 27 6. A fix testing by myself: 23 28 Add an else clause under [these lines](https://github.com/django/django/blob/master/django/http/request.py#L196-L197). 24 29 … … 31 36 `proxy_set_header X-Forwarded-Proto $scheme;` 32 37 `HTTP_X_FORWARDED_PROTO='httpssssssss'` 33 Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS'' 38 Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS''. 39 34 40 Did someone forget to add the else clause, or there are 3 'http' 'ftp' and 'ftps' scheme left? 35 41 If a site use 5. An attacker may set request `X-Forwarded-Proto` header to bypass the HTTPS check and result in 1,2,3.