Changes between Initial Version and Version 2 of Ticket #27961


Ignore:
Timestamp:
03/20/2017 12:17:45 AM (15 months ago)
Author:
cryptogun
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #27961

    • Property Component changed from contrib.redirects to HTTP handling
  • Ticket #27961 – Description

    initial v2  
    1 nginx + gunicorn:
    2 1.
    3 `proxy_set_header X-Forwarded-Proto $scheme;`
    4 `HTTP_X_FORWARDED_PROTO=None`
    5 ''No redirect.''
    6 2.
     1I'm using nginx + gunicorn and display pages via HTTPS:
     21. Both default settings:
     3Nginx setting: `proxy_set_header X-Forwarded-Proto $scheme;`
     4Django setting: `HTTP_X_FORWARDED_PROTO=None`
     5Result: ''No redirect.'' I'm not getting a ''ERR_TOO_MANY_REDIRECTS'' complain from Chrome.
     6
     72. Use default setting in nginx; use a wrong setting in Django, i.e. the 'httpsssss' part:
    78`proxy_set_header X-Forwarded-Proto $scheme;`
    89`HTTP_X_FORWARDED_PROTO='httpssssssss'`
    910''No redirect.''
    10 3.
     11
     123. Use default setting in nginx; use a wrong setting in Django:
    1113`proxy_set_header X-Forwarded-Proto $scheme;`
    1214`HTTP_X_FORWARDED_PROTASDF='httpssssssss'`
    1315''No redirect.''
    14 4.
     16
     174. Use custom HTTPS indicator in both nginx and Django:
    1518proxy_set_header X-Forwarded-Protooo $scheme;
    1619`HTTP_X_FORWARDED_PROTOOO='https'`
    17 ''No redirect.''
    18 5.
     20''No redirect.'' This is the expected behavior.
     21
     225. Use custom HTTPS indicator in both nginx and Django, and testing for a unsafe protocol ( != 'https'):
    1923proxy_set_header X-Forwarded-Protooo $scheme;
    20 `HTTP_X_FORWARDED_PROTOOO=None`
    21 ''ERR_TOO_MANY_REDIRECTS''
    22 6.
     24`HTTP_X_FORWARDED_PROTOOO='httpsssss'`
     25Chrome complains ''ERR_TOO_MANY_REDIRECTS''. This is the expected behavior.
     26
     276. A fix testing by myself:
    2328Add an else clause under [these lines](https://github.com/django/django/blob/master/django/http/request.py#L196-L197).
    2429
     
    3136`proxy_set_header X-Forwarded-Proto $scheme;`
    3237`HTTP_X_FORWARDED_PROTO='httpssssssss'`
    33 Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS''
     38Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS''.
     39 
    3440Did someone forget to add the else clause, or there are 3 'http' 'ftp' and 'ftps' scheme left?
    3541If a site use 5. An attacker may set request `X-Forwarded-Proto` header to bypass the HTTPS check and result in 1,2,3.
Back to Top