id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27961	HTTP_X_FORWARDED_PROTO is bypassed	cryptogun	nobody	"I'm using nginx + gunicorn and display pages via HTTPS:
1. Both default settings:
Nginx setting: `proxy_set_header X-Forwarded-Proto $scheme;`
Django setting: ~~`HTTP_X_FORWARDED_PROTO=None`~~ `SECURE_PROXY_SSL_HEADER = None`
Result: ''No redirect.'' I'm not getting a ''ERR_TOO_MANY_REDIRECTS'' complain from Chrome.

2. Use default setting in nginx; use a wrong setting in Django, i.e. the 'httpsssss' part:
`proxy_set_header X-Forwarded-Proto $scheme;`
~~`HTTP_X_FORWARDED_PROTO='httpssssssss'`~~ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')
''No redirect.''

3. Use default setting in nginx; use a wrong setting in Django:
`proxy_set_header X-Forwarded-Proto $scheme;`
~~`HTTP_X_FORWARDED_PROTASDF='httpssssssss'`~~ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTASDF', 'httpssssssss')
''No redirect.''

4. Use custom HTTPS indicator in both nginx and Django:
proxy_set_header X-Forwarded-Protooo $scheme;
~~`HTTP_X_FORWARDED_PROTOOO='https'`~~ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'https')
''No redirect.'' This is the expected behavior.

5. Use custom HTTPS indicator in both nginx and Django, and testing for a unsafe protocol ( != 'https'):
proxy_set_header X-Forwarded-Protooo $scheme;
~~`HTTP_X_FORWARDED_PROTOOO='httpsssss'`~~ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOOO', 'httpsssss')
Chrome complains ''ERR_TOO_MANY_REDIRECTS''. This is the expected behavior.

6. A fix testing by myself:
Add an else clause under [these lines](https://github.com/django/django/blob/master/django/http/request.py#L196-L197).

{{{
            else:
                return 'http'
}}}

And set:
`proxy_set_header X-Forwarded-Proto $scheme;`
~~`HTTP_X_FORWARDED_PROTO='httpssssssss'`~~ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'httpssssssss')
Chrome would report the expected ''ERR_TOO_MANY_REDIRECTS''.
  
Did someone forget to add the else clause, or there are 3 'http' 'ftp' and 'ftps' scheme left?
If a site use 5. An attacker may set request `X-Forwarded-Proto` header to bypass the HTTPS check and result in 1,2,3."	Bug	new	HTTP handling	1.10	Normal		redirect HTTPS X-Forwarded-Proto		Unreviewed	0	0	0	0	0	0