Django 2.2.3 release notes — Django documentation
Django 2.2.3 release notes
July 1, 2019
Django 2.2.3 fixes a security issue and several bugs in 2.2.2. Also, the latest string translations from Transifex are incorporated.
CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
When deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure(), and build_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance with :setting:`SECURE_SSL_REDIRECT`.
HttpRequest.scheme
now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it is configured, and the appropriate header is set on the request, for both HTTP and HTTPS requests.
If you deploy Django behind a reverse-proxy that forwards HTTP requests, and that connects to Django via HTTPS, be sure to verify that your application correctly handles code paths relying on scheme
, is_secure()
, build_absolute_uri()
, and SECURE_SSL_REDIRECT
.
Bugfixes
- Fixed a regression in Django 2.2 where Avg, StdDev, and Variance crash with
filter
argument (:ticket:`30542`). - Fixed a regression in Django 2.2.2 where auto-reloader crashes with
AttributeError
, e.g. when usingipdb
(:ticket:`30588`).