@ryu22e
Last active July 3, 2019 04:32
Explaining the Django vulnerability CVE-2019-12781 (1)
# django_example/settings.py
# Add the following
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# Uncomment the line below if you want HTTP requests redirected to HTTPS
# SECURE_SSL_REDIRECT = True
# django_example/urls.py
from django.contrib import admin
from django.urls import path
from . import views  # ← added

urlpatterns = [
    path('', views.index),  # ← added
    path('admin/', admin.site.urls),
]
# django_example/views.py
from django.http import HttpResponse


def index(request):
    # build_absolute_uri() derives its scheme from request.is_secure()
    url = request.build_absolute_uri('dummy')
    return HttpResponse(f"request.is_secure(): {request.is_secure()}\nrequest.build_absolute_uri(): {url}\n")

ryu22e commented Jul 2, 2019

# Django 2.2.2
$ curl -H 'X-FORWARDED-SSL: on' http://127.0.0.1
request.is_secure(): True
request.build_absolute_uri(): https://127.0.0.1/dummy
# Django 2.2.3
$ curl -H 'X-FORWARDED-SSL: on' http://127.0.0.1
request.is_secure(): False
request.build_absolute_uri(): http://127.0.0.1/dummy
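Added example, not code from the gist, from Django or from gunicorn: a dependency-free model of how Django derived `HttpRequest.scheme` in 2.2.2 and in 2.2.3 (the behaviour described in the CVE-2019-12781 release notes), fed by a simplified model of gunicorn's secure-scheme header handling. It assumes the setup the comments imply but do not spell out: a reverse proxy listening on port 80 in front of gunicorn on 8000 that forwards the client's `X-Forwarded-SSL` header unchanged and adds `X-Forwarded-Proto: http` for the scheme the client actually used. All function names and the `proxy_forward` hardening are mine.

```python
"""Added example (not from the gist): a dependency-free model of how
Django derived HttpRequest.scheme before (2.2.2) and after (2.2.3) the
CVE-2019-12781 fix, fed by a small model of gunicorn's secure-scheme
header handling.  Function names and the reverse-proxy setup are assumed.
"""

# Headers gunicorn treats by default as "this hop used TLS"
# (its secure_scheme_headers setting), honoured only for peers listed in
# forwarded_allow_ips (127.0.0.1 by default).
SECURE_SCHEME_HEADERS = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}

# Same setting as the gist's settings.py.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def wsgi_url_scheme(headers, peer_trusted=True):
    """Simplified gunicorn 19.x behaviour: any one matching secure-scheme
    header from a trusted peer upgrades wsgi.url_scheme to https."""
    scheme = "http"
    if peer_trusted:
        for name, value in headers.items():
            if SECURE_SCHEME_HEADERS.get(name.upper()) == value:
                scheme = "https"
    return scheme


def build_meta(headers, peer_trusted=True):
    """Build a WSGI-style META dict: HTTP_ prefix, upper-case, dashes to
    underscores, plus wsgi.url_scheme as the server would set it."""
    meta = {"wsgi.url_scheme": wsgi_url_scheme(headers, peer_trusted)}
    for name, value in headers.items():
        meta["HTTP_" + name.upper().replace("-", "_")] = value
    return meta


def scheme_django_2_2_2(meta):
    """Pre-fix logic: a matching SECURE_PROXY_SSL_HEADER means https; any
    other value falls through to wsgi.url_scheme, so a gunicorn-honoured
    X-Forwarded-SSL wins even when X-Forwarded-Proto says http."""
    header, value = SECURE_PROXY_SSL_HEADER
    if meta.get(header) == value:
        return "https"
    return meta["wsgi.url_scheme"]


def scheme_django_2_2_3(meta):
    """Post-fix logic: if the configured header is present it decides in
    both directions; only an absent header falls through to the transport."""
    header, value = SECURE_PROXY_SSL_HEADER
    header_value = meta.get(header)
    if header_value is not None:
        return "https" if header_value == value else "http"
    return meta["wsgi.url_scheme"]


def is_secure(meta, scheme_fn):
    return scheme_fn(meta) == "https"


def build_absolute_uri(meta, scheme_fn, host, path):
    return f"{scheme_fn(meta)}://{host}/{path}"


def proxy_forward(client_headers, client_scheme):
    """What a correctly configured reverse proxy should send upstream
    (assumed hardening, not the gist's setup): drop every client-supplied
    X-Forwarded-* header and set X-Forwarded-Proto from the real scheme."""
    clean = {k: v for k, v in client_headers.items()
             if not k.upper().startswith("X-FORWARDED-")}
    clean["X-Forwarded-Proto"] = client_scheme
    return clean


# Constructed scenario matching the gist: a plain-HTTP client sends
# "X-Forwarded-SSL: on"; the assumed proxy passes it through unchanged and
# adds X-Forwarded-Proto: http for the scheme the client actually used.
CLIENT_VIA_LAX_PROXY = {"X-Forwarded-SSL": "on", "X-Forwarded-Proto": "http"}

if __name__ == "__main__":
    meta = build_meta(CLIENT_VIA_LAX_PROXY)
    for label, fn in (("2.2.2", scheme_django_2_2_2), ("2.2.3", scheme_django_2_2_3)):
        print(f"Django {label}: is_secure()={is_secure(meta, fn)} "
              f"build_absolute_uri()={build_absolute_uri(meta, fn, '127.0.0.1', 'dummy')}")
    hardened = build_meta(proxy_forward({"X-Forwarded-SSL": "on"}, "http"))
    print(f"Hardened proxy, Django 2.2.2: is_secure()={is_secure(hardened, scheme_django_2_2_2)}")
```

Running it reproduces the two curl results above: the lax-proxy META yields `https://127.0.0.1/dummy` under the 2.2.2 logic and `http://127.0.0.1/dummy` under 2.2.3. The practical consequence on 2.2.2 is that a plain-HTTP client can make `is_secure()` report `True`, so `SECURE_SSL_REDIRECT` would not redirect it and generated absolute URLs would be wrong. Two defensive points the model also shows: the 2.2.3 fix only helps when the configured header is actually present, so the proxy must always set `X-Forwarded-Proto` and strip the client's own `X-Forwarded-*` headers (`proxy_forward` does both); and gunicorn only honours these headers from peers in `forwarded_allow_ips`, so that list should name only the proxy. Later gunicorn releases stop silently upgrading when the scheme headers disagree and instead answer 400 with "Contradictory scheme headers", which is the response shown in the last comment below.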


ryu22e commented Jul 2, 2019

gunicorn -b 127.0.0.1:8000 django_example.wsgi


ryu22e commented Jul 3, 2019

Django==2.2.2
gunicorn==19.7.1
pkg-resources==0.0.0
pytz==2019.1
sqlparse==0.3.0


ryu22e commented Jul 3, 2019

<html>
  <head>
    <title>Bad Request</title>
  </head>
  <body>
    <h1><p>Bad Request</p></h1>
    Contradictory scheme headers
  </body>
</html>
