Opened 8 years ago
Last modified 3 years ago
#27961 closed Bug
HTTP_X_FORWARDED_PROTO is bypassed — at Initial Version
| Reported by: | cryptogun | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | 1.10 |
| Severity: | Normal | Keywords: | redirect HTTPS X-Forwarded-Proto |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description

nginx + gunicorn:

1. `proxy_set_header X-Forwarded-Proto $scheme;`
   `HTTP_X_FORWARDED_PROTO=None`
   No redirect.
2. `proxy_set_header X-Forwarded-Proto $scheme;`
   `HTTP_X_FORWARDED_PROTO='httpssssssss'`
   No redirect.
3. `proxy_set_header X-Forwarded-Proto $scheme;`
   `HTTP_X_FORWARDED_PROTASDF='httpssssssss'`
   No redirect.
4. `proxy_set_header X-Forwarded-Protooo $scheme;`
   `HTTP_X_FORWARDED_PROTOOO='https'`
   No redirect.
5. `proxy_set_header X-Forwarded-Protooo $scheme;`
   `HTTP_X_FORWARDED_PROTOOO=None`
   ERR_TOO_MANY_REDIRECTS
6. Add an else clause under [these lines](https://github.com/django/django/blob/master/django/http/request.py#L196-L197):
   `else: return 'http'`
   And set:
   `proxy_set_header X-Forwarded-Proto $scheme;`
   `HTTP_X_FORWARDED_PROTO='httpssssssss'`
   Chrome would report the expected ERR_TOO_MANY_REDIRECTS.
Did someone forget to add the else clause, or are there 3 schemes left: 'http', 'ftp' and 'ftps'?

If a site uses 5., an attacker may set the request X-Forwarded-Proto header to bypass the HTTPS check, resulting in 1, 2, 3.
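To make the mechanism behind the ticket concrete, here is an added example (not Django's code and not the reporter's) that models, in simplified form, how Django derives `request.scheme` from `SECURE_PROXY_SSL_HEADER` and what an nginx `proxy_set_header` line does to a client-supplied header. The header name and value follow the ticket; the helper functions, the `trusted_header_is_overwritten` deployment check and the constructed `'httpssssssss'` value are assumptions.

```python
TRUSTED = ("HTTP_X_FORWARDED_PROTO", "https")   # SECURE_PROXY_SSL_HEADER


def resolve_scheme(meta, secure_proxy_ssl_header, wsgi_scheme="http"):
    """Simplified model (assumption) of the HttpRequest.scheme lines the
    ticket links to: only an exact (header, value) match yields https; a
    missing or garbled header falls through to what the WSGI server saw,
    which is plain http behind a TLS-terminating proxy."""
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        if meta.get(header) == value:
            return "https"
    return wsgi_scheme


def ssl_redirect_needed(meta, secure_proxy_ssl_header=TRUSTED):
    """What SECURE_SSL_REDIRECT decides: redirect unless scheme is https."""
    return resolve_scheme(meta, secure_proxy_ssl_header) != "https"


def proxy_to_meta(client_headers, tls_terminated, proxy_set_header=None):
    """Model the proxy hop: client headers become WSGI META keys; if nginx
    has a proxy_set_header line for that name, the header is overwritten
    with $scheme, discarding whatever the client supplied."""
    meta = {"HTTP_" + k.upper().replace("-", "_"): v
            for k, v in client_headers.items()}
    if proxy_set_header:
        key = "HTTP_" + proxy_set_header.upper().replace("-", "_")
        meta[key] = "https" if tls_terminated else "http"
    return meta


def trusted_header_is_overwritten(secure_proxy_ssl_header, proxy_set_headers):
    """Deployment check: the header Django trusts must be one the proxy
    overwrites on every request, otherwise the client controls it."""
    wanted = secure_proxy_ssl_header[0]
    return any("HTTP_" + h.upper().replace("-", "_") == wanted
               for h in proxy_set_headers)


# Ticket cases 1-2: nginx sets X-Forwarded-Proto $scheme, so a constructed
# client value like 'httpssssssss' is replaced and no redirect occurs.
def case_proxy_overwrites(client_value=None):
    hdrs = {"X-Forwarded-Proto": client_value} if client_value else {}
    return ssl_redirect_needed(proxy_to_meta(hdrs, True, "X-Forwarded-Proto"))


# Ticket case 5: the proxy never sets the trusted header. Without a client
# header Django sees http and redirects forever (ERR_TOO_MANY_REDIRECTS);
# with a client-supplied 'https' the client's claim is what gets trusted.
def case_proxy_sets_nothing(client_value=None):
    hdrs = {"X-Forwarded-Proto": client_value} if client_value else {}
    return ssl_redirect_needed(proxy_to_meta(hdrs, True, None))
```

The reporter's proposed `else: return 'http'` changes nothing in this model, because the fall-through already returns the WSGI scheme, which is `http` behind the proxy.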