diffstat for python-django-1.11.21 python-django-1.11.22
 Django.egg-info/PKG-INFO | 2
 Django.egg-info/SOURCES.txt | 1
 PKG-INFO | 2
 debian/changelog | 8
 django/__init__.py | 2
 django/contrib/admin/static/admin/js/SelectBox.js | 4
 django/contrib/admin/static/admin/js/actions.js | 98 +++++-----
 django/contrib/admin/static/admin/js/admin/DateTimeShortcuts.js | 8
 django/contrib/admin/static/admin/js/core.js | 30 +--
 django/contrib/admin/static/admin/js/inlines.js | 28 +-
 django/contrib/admin/static/admin/js/urlify.js | 12 -
 django/contrib/gis/static/gis/js/OLMapWidget.js | 18 -
 django/http/request.py | 7
 docs/ref/settings.txt | 11 -
 docs/releases/1.11.21.txt | 2
 docs/releases/1.11.22.txt | 27 ++
 docs/releases/index.txt | 1
 docs/releases/security.txt | 25 ++
 js_tests/admin/inlines.test.js | 2
 package.json | 2
 tests/gis_tests/test_geoip2.py | 6
 tests/settings_tests/tests.py | 12 +
 22 files changed, 193 insertions(+), 115 deletions(-)
diff -Nru python-django-1.11.21/Django.egg-info/PKG-INFO python-django-1.11.22/Django.egg-info/PKG-INFO
--- python-django-1.11.21/Django.egg-info/PKG-INFO 2019-06-03 06:49:09.000000000 -0300
+++ python-django-1.11.22/Django.egg-info/PKG-INFO 2019-07-01 03:44:45.000000000 -0300
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: Django
-Version: 1.11.21
+Version: 1.11.22
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 Home-page: https://www.djangoproject.com/
 Author: Django Software Foundation
diff -Nru python-django-1.11.21/Django.egg-info/SOURCES.txt python-django-1.11.22/Django.egg-info/SOURCES.txt
--- python-django-1.11.21/Django.egg-info/SOURCES.txt 2019-06-03 06:49:09.000000000 -0300
+++ python-django-1.11.22/Django.egg-info/SOURCES.txt 2019-07-01 03:44:46.000000000 -0300
@@ -3549,6 +3549,7 @@ docs/releases/1.11.2.txt docs/releases/1.11.20.txt docs/releases/1.11.21.txt +docs/releases/1.11.22.txt docs/releases/1.11.3.txt docs/releases/1.11.4.txt docs/releases/1.11.5.txt diff -Nru python-django-1.11.21/PKG-INFO python-django-1.11.22/PKG-INFO --- python-django-1.11.21/PKG-INFO 2019-06-03 06:49:14.000000000 -0300 +++ python-django-1.11.22/PKG-INFO 2019-07-01 03:44:48.000000000 -0300 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: Django -Version: 1.11.21 +Version: 1.11.22 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Home-page: https://www.djangoproject.com/ Author: Django Software Foundation diff -Nru python-django-1.11.21/debian/changelog python-django-1.11.22/debian/changelog --- python-django-1.11.21/debian/changelog 2019-06-04 21:07:07.000000000 -0300 +++ python-django-1.11.22/debian/changelog 2019-07-01 17:09:52.000000000 -0300 @@ -1,3 +1,11 @@ +python-django (1:1.11.22-1) unstable; urgency=medium + + * New upstream security release. + + (Closes: #931316) + + -- Chris Lamb Mon, 01 Jul 2019 17:09:52 -0300 + python-django (1:1.11.21-1) unstable; urgency=medium * New upstream security release. diff -Nru python-django-1.11.21/django/__init__.py python-django-1.11.22/django/__init__.py --- python-django-1.11.21/django/__init__.py 2019-06-03 06:47:49.000000000 -0300 +++ python-django-1.11.22/django/__init__.py 2019-07-01 03:43:22.000000000 -0300 @@ -2,7 +2,7 @@ from django.utils.version import get_version -VERSION = (1, 11, 21, 'final', 0) +VERSION = (1, 11, 22, 'final', 0) __version__ = get_version(VERSION) diff -Nru python-django-1.11.21/django/contrib/admin/static/admin/js/SelectBox.js python-django-1.11.22/django/contrib/admin/static/admin/js/SelectBox.js --- python-django-1.11.21/django/contrib/admin/static/admin/js/SelectBox.js 2019-02-11 06:55:36.000000000 -0200 +++ python-django-1.11.22/django/contrib/admin/static/admin/js/SelectBox.js 2019-07-01 03:39:09.000000000 -0300 
@@ -19,7 +19,7 @@
 var box = document.getElementById(id);
 var node;
 $(box).empty(); // clear all options
- var new_options = box.outerHTML.slice(0, -9); // grab just the opening tag
+ var new_options = box.outerHTML.slice(0, -9); // grab just the opening tag
 var cache = SelectBox.cache[id];
 for (var i = 0, j = cache.length; i < j; i++) {
 node = cache[i];
@@ -48,7 +48,7 @@
 token = tokens[k];
 if (node_text.indexOf(token) === -1) {
 node.displayed = 0;
- break; // Once the first token isn't found we're done
+ break; // Once the first token isn't found we're done
 }
 }
 }
diff -Nru python-django-1.11.21/django/contrib/admin/static/admin/js/actions.js python-django-1.11.22/django/contrib/admin/static/admin/js/actions.js
--- python-django-1.11.21/django/contrib/admin/static/admin/js/actions.js 2019-06-03 06:44:24.000000000 -0300
+++ python-django-1.11.22/django/contrib/admin/static/admin/js/actions.js 2019-07-01 03:39:45.000000000 -0300
@@ -8,59 +8,59 @@ var actionCheckboxes = $(this); var list_editable_changed = false; var showQuestion = function() { - $(options.acrossClears).hide(); - $(options.acrossQuestions).show(); - $(options.allContainer).hide(); - }, - showClear = function() { - $(options.acrossClears).show(); - $(options.acrossQuestions).hide(); - $(options.actionContainer).toggleClass(options.selectedClass); - $(options.allContainer).show(); - $(options.counterContainer).hide(); - }, - reset = function() { - $(options.acrossClears).hide(); - $(options.acrossQuestions).hide(); - $(options.allContainer).hide(); - $(options.counterContainer).show(); - }, - clearAcross = function() { - reset(); - $(options.acrossInput).val(0); - $(options.actionContainer).removeClass(options.selectedClass); - }, - checker = function(checked) { - if (checked) { - showQuestion(); - } else { + $(options.acrossClears).hide(); + $(options.acrossQuestions).show(); + $(options.allContainer).hide(); + }, + showClear = function() { + $(options.acrossClears).show(); + $(options.acrossQuestions).hide(); + $(options.actionContainer).toggleClass(options.selectedClass); + $(options.allContainer).show(); + $(options.counterContainer).hide(); + }, + reset = function() { + $(options.acrossClears).hide(); + $(options.acrossQuestions).hide(); + $(options.allContainer).hide(); + $(options.counterContainer).show(); + }, + clearAcross = function() { reset(); - } - $(actionCheckboxes).prop("checked", checked) - .parent().parent().toggleClass(options.selectedClass, checked); - }, - updateCounter = function() { - var sel = $(actionCheckboxes).filter(":checked").length; - // data-actions-icnt is defined in the generated HTML - // and contains the total amount of objects in the queryset - var actions_icnt = $('.action-counter').data('actionsIcnt'); - $(options.counterContainer).html(interpolate( - ngettext('%(sel)s of %(cnt)s selected', '%(sel)s of %(cnt)s selected', sel), { - sel: sel, - cnt: actions_icnt - }, true)); - 
$(options.allToggle).prop("checked", function() { - var value; - if (sel === actionCheckboxes.length) { - value = true; + $(options.acrossInput).val(0); + $(options.actionContainer).removeClass(options.selectedClass); + }, + checker = function(checked) { + if (checked) { showQuestion(); } else { - value = false; - clearAcross(); + reset(); } - return value; - }); - }; + $(actionCheckboxes).prop("checked", checked) + .parent().parent().toggleClass(options.selectedClass, checked); + }, + updateCounter = function() { + var sel = $(actionCheckboxes).filter(":checked").length; + // data-actions-icnt is defined in the generated HTML + // and contains the total amount of objects in the queryset + var actions_icnt = $('.action-counter').data('actionsIcnt'); + $(options.counterContainer).html(interpolate( + ngettext('%(sel)s of %(cnt)s selected', '%(sel)s of %(cnt)s selected', sel), { + sel: sel, + cnt: actions_icnt + }, true)); + $(options.allToggle).prop("checked", function() { + var value; + if (sel === actionCheckboxes.length) { + value = true; + showQuestion(); + } else { + value = false; + clearAcross(); + } + return value; + }); + }; // Show counter by default $(options.counterContainer).show(); // Check state of checkboxes and reinit state if needed diff -Nru python-django-1.11.21/django/contrib/admin/static/admin/js/admin/DateTimeShortcuts.js python-django-1.11.22/django/contrib/admin/static/admin/js/admin/DateTimeShortcuts.js --- python-django-1.11.21/django/contrib/admin/static/admin/js/admin/DateTimeShortcuts.js 2019-06-03 06:44:24.000000000 -0300 +++ python-django-1.11.22/django/contrib/admin/static/admin/js/admin/DateTimeShortcuts.js 2019-07-01 03:39:45.000000000 -0300 @@ -11,10 +11,10 @@ dismissClockFunc: [], dismissCalendarFunc: [], calendarDivName1: 'calendarbox', // name of calendar
that gets toggled - calendarDivName2: 'calendarin', // name of
that contains calendar - calendarLinkName: 'calendarlink',// name of the link that is used to toggle - clockDivName: 'clockbox', // name of clock
that gets toggled - clockLinkName: 'clocklink', // name of the link that is used to toggle + calendarDivName2: 'calendarin', // name of
that contains calendar + calendarLinkName: 'calendarlink', // name of the link that is used to toggle + clockDivName: 'clockbox', // name of clock
that gets toggled + clockLinkName: 'clocklink', // name of the link that is used to toggle shortCutsClass: 'datetimeshortcuts', // class of the clock and cal shortcuts timezoneWarningClass: 'timezonewarning', // class of the warning for timezone mismatch timezoneOffset: 0, diff -Nru python-django-1.11.21/django/contrib/admin/static/admin/js/core.js python-django-1.11.22/django/contrib/admin/static/admin/js/core.js --- python-django-1.11.21/django/contrib/admin/static/admin/js/core.js 2019-06-03 06:44:24.000000000 -0300 +++ python-django-1.11.22/django/contrib/admin/static/admin/js/core.js 2019-07-01 03:39:45.000000000 -0300 @@ -191,9 +191,9 @@ return result; }; -// ---------------------------------------------------------------------------- -// String object extensions -// ---------------------------------------------------------------------------- + // ---------------------------------------------------------------------------- + // String object extensions + // ---------------------------------------------------------------------------- String.prototype.pad_left = function(pad_length, pad_string) { var new_string = this; for (var i = 0; new_string.length < pad_length; i++) { 
@@ -209,18 +209,18 @@
 var day, month, year;
 while (i < split_format.length) {
 switch (split_format[i]) {
- case "%d":
- day = date[i];
- break;
- case "%m":
- month = date[i] - 1;
- break;
- case "%Y":
- year = date[i];
- break;
- case "%y":
- year = date[i];
- break;
+ case "%d":
+ day = date[i];
+ break;
+ case "%m":
+ month = date[i] - 1;
+ break;
+ case "%Y":
+ year = date[i];
+ break;
+ case "%y":
+ year = date[i];
+ break;
 }
 ++i;
 }
diff -Nru python-django-1.11.21/django/contrib/admin/static/admin/js/inlines.js python-django-1.11.22/django/contrib/admin/static/admin/js/inlines.js
--- python-django-1.11.21/django/contrib/admin/static/admin/js/inlines.js 2019-06-03 06:44:24.000000000 -0300
+++ python-django-1.11.22/django/contrib/admin/static/admin/js/inlines.js 2019-07-01 03:39:45.000000000 -0300
@@ -63,8 +63,8 @@
 var template = $("#" + options.prefix + "-empty");
 var row = template.clone(true);
 row.removeClass(options.emptyCssClass)
- .addClass(options.formCssClass)
- .attr("id", options.prefix + "-" + nextIndex);
+ .addClass(options.formCssClass)
+ .attr("id", options.prefix + "-" + nextIndex);
 if (row.is("tr")) {
 // If the forms are laid out in table rows, insert
 // the remove button into the last table cell:
@@ -131,16 +131,16 @@ /* Setup plugin defaults */ $.fn.formset.defaults = { - prefix: "form", // The form prefix for your django formset - addText: "add another", // Text for the add link - deleteText: "remove", // Text for the delete link - addCssClass: "add-row", // CSS class applied to the add link - deleteCssClass: "delete-row", // CSS class applied to the delete link - emptyCssClass: "empty-row", // CSS class applied to the empty row - formCssClass: "dynamic-form", // CSS class applied to each form in a formset - added: null, // Function called each time a new form is added - removed: null, // Function called each time a form is deleted - addButton: null // Existing add button to use + prefix: "form", // The form prefix for your django formset + addText: "add another", // Text for the add link + deleteText: "remove", // Text for the delete link + addCssClass: "add-row", // CSS class applied to the add link + deleteCssClass: "delete-row", // CSS class applied to the delete link + emptyCssClass: "empty-row", // CSS class applied to the empty row + formCssClass: "dynamic-form", // CSS class applied to each form in a formset + added: null, // Function called each time a new form is added + removed: null, // Function called each time a form is deleted + addButton: null // Existing add button to use }; 
@@ -149,8 +149,8 @@ var $rows = $(this); var alternatingRows = function(row) { $($rows.selector).not(".add-row").removeClass("row1 row2") - .filter(":even").addClass("row1").end() - .filter(":odd").addClass("row2"); + .filter(":even").addClass("row1").end() + .filter(":odd").addClass("row2"); }; var reinitDateTimeShortCuts = function() { diff -Nru python-django-1.11.21/django/contrib/admin/static/admin/js/urlify.js python-django-1.11.22/django/contrib/admin/static/admin/js/urlify.js --- python-django-1.11.21/django/contrib/admin/static/admin/js/urlify.js 2019-06-03 06:44:24.000000000 -0300 +++ python-django-1.11.22/django/contrib/admin/static/admin/js/urlify.js 2019-07-01 03:39:45.000000000 -0300 @@ -119,7 +119,7 @@ var Downcoder = { 'Initialize': function() { - if (Downcoder.map) { // already made + if (Downcoder.map) { // already made return; } Downcoder.map = {}; 
@@ -168,12 +168,12 @@
 // characters, whitespace, and dash; remove other characters.
 s = XRegExp.replace(s, XRegExp('[^-_\\p{L}\\p{N}\\s]', 'g'), '');
 } else {
- s = s.replace(/[^-\w\s]/g, ''); // remove unneeded chars
+ s = s.replace(/[^-\w\s]/g, ''); // remove unneeded chars
 }
- s = s.replace(/^\s+|\s+$/g, ''); // trim leading/trailing spaces
- s = s.replace(/[-\s]+/g, '-'); // convert spaces to hyphens
- s = s.toLowerCase(); // convert to lowercase
- return s.substring(0, num_chars); // trim to first num_chars chars
+ s = s.replace(/^\s+|\s+$/g, ''); // trim leading/trailing spaces
+ s = s.replace(/[-\s]+/g, '-'); // convert spaces to hyphens
+ s = s.toLowerCase(); // convert to lowercase
+ return s.substring(0, num_chars); // trim to first num_chars chars
 }
 window.URLify = URLify;
 })();
diff -Nru python-django-1.11.21/django/contrib/gis/static/gis/js/OLMapWidget.js python-django-1.11.22/django/contrib/gis/static/gis/js/OLMapWidget.js
--- python-django-1.11.21/django/contrib/gis/static/gis/js/OLMapWidget.js 2019-06-03 06:44:25.000000000 -0300
+++ python-django-1.11.22/django/contrib/gis/static/gis/js/OLMapWidget.js 2019-07-01 03:39:46.000000000 -0300
@@ -207,15 +207,15 @@
 } else {
 geometry = features[0].getGeometry().clone();
 for (var j = 1; j < features.length; j++) {
- switch(geometry.getType()) {
- case "MultiPoint":
- geometry.appendPoint(features[j].getGeometry().getPoint(0));
- break;
- case "MultiLineString":
- geometry.appendLineString(features[j].getGeometry().getLineString(0));
- break;
- case "MultiPolygon":
- geometry.appendPolygon(features[j].getGeometry().getPolygon(0));
+ switch (geometry.getType()) {
+ case "MultiPoint":
+ geometry.appendPoint(features[j].getGeometry().getPoint(0));
+ break;
+ case "MultiLineString":
+ geometry.appendLineString(features[j].getGeometry().getLineString(0));
+ break;
+ case "MultiPolygon":
+ geometry.appendPolygon(features[j].getGeometry().getPolygon(0));
 }
 }
 }
diff -Nru python-django-1.11.21/django/http/request.py python-django-1.11.22/django/http/request.py
--- python-django-1.11.21/django/http/request.py 2019-06-03 06:44:25.000000000 -0300
+++ python-django-1.11.22/django/http/request.py 2019-07-01 03:39:53.000000000 -0300
@@ -199,13 +199,14 @@
 def scheme(self):
 if settings.SECURE_PROXY_SSL_HEADER:
 try:
- header, value = settings.SECURE_PROXY_SSL_HEADER
+ header, secure_value = settings.SECURE_PROXY_SSL_HEADER
 except ValueError:
 raise ImproperlyConfigured(
 'The SECURE_PROXY_SSL_HEADER setting must be a tuple containing two values.'
 )
- if self.META.get(header) == value:
- return 'https'
+ header_value = self.META.get(header)
+ if header_value is not None:
+ return 'https' if header_value == secure_value else 'http'
 return self._get_scheme()
 
 def is_secure(self):
diff -Nru python-django-1.11.21/docs/ref/settings.txt python-django-1.11.22/docs/ref/settings.txt
--- python-django-1.11.21/docs/ref/settings.txt 2019-06-03 06:44:25.000000000 -0300
+++ python-django-1.11.22/docs/ref/settings.txt 2019-07-01 03:39:53.000000000 -0300
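Review bot: In `scheme`, the new `header_value == secure_value` test is an exact match, and any other value that is present now forces `'http'` where the old code fell through to `_get_scheme()`. A proxy that sends a differently cased value, or a chain of proxies that appends to the header so it arrives as a comma-separated list, would as far as this hunk shows be classified as plain HTTP, which together with `SECURE_SSL_REDIRECT` could turn into a redirect loop. The fallback to `_get_scheme()` when the header is absent also means the fix only holds if the proxy sets the header on every request and strips any client-supplied copy. I would state both assumptions above the lookup, e.g. `# Header present: trust it exclusively (exact match with secure_value); the proxy must set it on every request and strip client-supplied copies.` The body of `scheme` is fully visible in the hunk; any decorator above it is not.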
@@ -2189,10 +2189,13 @@ "https://". This is important for Django's CSRF protection, and may be used by your own code or third-party apps. -If your Django app is behind a proxy, though, the proxy may be "swallowing" the -fact that a request is HTTPS, using a non-HTTPS connection between the proxy -and Django. In this case, ``is_secure()`` would always return ``False`` -- even -for requests that were made via HTTPS by the end user. +If your Django app is behind a proxy, though, the proxy may be "swallowing" +whether the original request uses HTTPS or not. If there is a non-HTTPS +connection between the proxy and Django then ``is_secure()`` would always +return ``False`` -- even for requests that were made via HTTPS by the end user. +In contrast, if there is an HTTPS connection between the proxy and Django then +``is_secure()`` would always return ``True`` -- even for requests that were +made originally via HTTP. In this situation, you'll want to configure your proxy to set a custom HTTP header that tells Django whether the request came in via HTTPS, and you'll want diff -Nru python-django-1.11.21/docs/releases/1.11.21.txt python-django-1.11.22/docs/releases/1.11.21.txt --- python-django-1.11.21/docs/releases/1.11.21.txt 2019-06-03 06:38:19.000000000 -0300 +++ python-django-1.11.22/docs/releases/1.11.21.txt 2019-07-01 03:39:09.000000000 -0300 
@@ -16,6 +16,6 @@ ``AdminURLFieldWidget`` now validates the provided value using :class:`~django.core.validators.URLValidator` before displaying the clickable -link. You may customise the validator by passing a ``validator_class`` kwarg to +link. You may customize the validator by passing a ``validator_class`` kwarg to ``AdminURLFieldWidget.__init__()``, e.g. when using :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. diff -Nru python-django-1.11.21/docs/releases/1.11.22.txt python-django-1.11.22/docs/releases/1.11.22.txt --- python-django-1.11.21/docs/releases/1.11.22.txt 1969-12-31 21:00:00.000000000 -0300 +++ python-django-1.11.22/docs/releases/1.11.22.txt 2019-07-01 03:39:53.000000000 -0300 
@@ -0,0 +1,27 @@
+============================
+Django 1.11.22 release notes
+============================
+
+*July 1, 2019*
+
+Django 1.11.22 fixes a security issue in 1.11.21.
+
+CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
+--------------------------------------------------------------------------------
+
+When deployed behind a reverse-proxy connecting to Django via HTTPS,
+:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
+requests made via HTTP as using HTTPS. This entails incorrect results for
+:meth:`~django.http.HttpRequest.is_secure`, and
+:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
+requests would not be redirected to HTTPS in accordance with
+:setting:`SECURE_SSL_REDIRECT`.
+
+``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it
+is configured, and the appropriate header is set on the request, for both HTTP
+and HTTPS requests.
+
+If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
+that connects to Django via HTTPS, be sure to verify that your application
+correctly handles code paths relying on ``scheme``, ``is_secure()``,
+``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
diff -Nru python-django-1.11.21/docs/releases/index.txt python-django-1.11.22/docs/releases/index.txt
--- python-django-1.11.21/docs/releases/index.txt 2019-06-03 06:44:25.000000000 -0300
+++ python-django-1.11.22/docs/releases/index.txt 2019-07-01 03:39:46.000000000 -0300
@@ -26,6 +26,7 @@
 .. toctree::
 :maxdepth: 1
 
+ 1.11.22
 1.11.21
 1.11.20
 1.11.19
diff -Nru python-django-1.11.21/docs/releases/security.txt python-django-1.11.22/docs/releases/security.txt
--- python-django-1.11.21/docs/releases/security.txt 2019-06-03 04:27:55.000000000 -0300
+++ python-django-1.11.22/docs/releases/security.txt 2019-07-01 03:39:09.000000000 -0300
@@ -936,3 +936,28 @@ * Django 2.0 :commit:`(patch <1f42f82566c9d2d73aff1c42790d6b1b243f7676>` and :commit:`correction) <392e040647403fc8007708d52ce01d915b014849>` * Django 1.11 :commit:`(patch) <0bbb560183fabf0533289700845dafa94951f227>` + +June 3, 2019 - :cve:`2019-11358` +-------------------------------- + +Prototype pollution in bundled jQuery. `Full description +`__ + +Versions affected +~~~~~~~~~~~~~~~~~ + +* Django 2.2 :commit:`(patch) ` +* Django 2.1 :commit:`(patch) <95649bc08547a878cebfa1d019edec8cb1b80829>` + +June 3, 2019 - :cve:`2019-12308` +-------------------------------- + +XSS via "Current URL" link generated by ``AdminURLFieldWidget``. `Full +description `__ + +Versions affected +~~~~~~~~~~~~~~~~~ + +* Django 2.2 :commit:`(patch) ` +* Django 2.1 :commit:`(patch) <09186a13d975de6d049f8b3e05484f66b01ece62>` +* Django 1.11 :commit:`(patch) ` diff -Nru python-django-1.11.21/js_tests/admin/inlines.test.js python-django-1.11.22/js_tests/admin/inlines.test.js --- python-django-1.11.21/js_tests/admin/inlines.test.js 2019-06-03 06:44:25.000000000 -0300 +++ python-django-1.11.22/js_tests/admin/inlines.test.js 2019-07-01 03:39:46.000000000 -0300 @@ -54,7 +54,7 @@ QUnit.test('existing add button', function(assert) { var $ = django.jQuery; - $('#qunit-fixture').empty(); // Clear the table added in beforeEach + $('#qunit-fixture').empty(); // Clear the table added in beforeEach $('#qunit-fixture').append($('#tabular-formset').text()); this.table = $('table.inline'); this.inlineRow = this.table.find('tr'); diff -Nru python-django-1.11.21/package.json python-django-1.11.22/package.json --- python-django-1.11.21/package.json 2019-02-11 07:55:38.000000000 -0200 +++ python-django-1.11.22/package.json 2019-07-01 03:39:09.000000000 -0300 
@@ -9,7 +9,7 @@ "npm": ">=1.3.0 <3.0.0" }, "devDependencies": { - "eslint": "^0.22.1", + "eslint": "^4.18.2", "grunt": "^1.0.1", "grunt-cli": "^1.2.0", "grunt-contrib-qunit": "^1.2.0" diff -Nru python-django-1.11.21/tests/gis_tests/test_geoip2.py python-django-1.11.22/tests/gis_tests/test_geoip2.py --- python-django-1.11.21/tests/gis_tests/test_geoip2.py 2019-06-03 06:44:26.000000000 -0300 +++ python-django-1.11.22/tests/gis_tests/test_geoip2.py 2019-07-01 03:39:46.000000000 -0300 @@ -24,7 +24,7 @@ "GeoIP is required along with the GEOIP_PATH setting." ) class GeoIPTest(unittest.TestCase): - addr = '128.249.1.1' + addr = '75.41.39.1' fqdn = 'tmc.edu' def test01_init(self): @@ -99,7 +99,7 @@ @mock.patch('socket.gethostbyname') def test04_city(self, gethostbyname): "GeoIP city querying methods." - gethostbyname.return_value = '128.249.1.1' + gethostbyname.return_value = '75.41.39.1' g = GeoIP2(country='') for query in (self.fqdn, self.addr): @@ -122,7 +122,7 @@ # City information dictionary. d = g.city(query) self.assertEqual('US', d['country_code']) - self.assertEqual('Houston', d['city']) + self.assertEqual('Dallas', d['city']) self.assertEqual('TX', d['region']) geom = g.geos(query) diff -Nru python-django-1.11.21/tests/settings_tests/tests.py python-django-1.11.22/tests/settings_tests/tests.py --- python-django-1.11.21/tests/settings_tests/tests.py 2019-06-03 06:44:26.000000000 -0300 +++ python-django-1.11.22/tests/settings_tests/tests.py 2019-07-01 03:39:53.000000000 -0300 
@@ -334,6 +334,18 @@ req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'https' self.assertIs(req.is_secure(), True) + @override_settings(SECURE_PROXY_SSL_HEADER=('HTTP_X_FORWARDED_PROTOCOL', 'https')) + def test_xheader_preferred_to_underlying_request(self): + class ProxyRequest(HttpRequest): + def _get_scheme(self): + """Proxy always connecting via HTTPS""" + return 'https' + + # Client connects via HTTP. + req = ProxyRequest() + req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'http' + self.assertIs(req.is_secure(), False) + class IsOverriddenTest(SimpleTestCase): def test_configure(self):
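Review bot: `test_xheader_preferred_to_underlying_request` pins only the case where the header is present with the value `'http'`; the other two outcomes of the new `scheme` logic are not asserted for a proxy that connects via HTTPS. With `ProxyRequest` and no `HTTP_X_FORWARDED_PROTOCOL` key the result falls back to `_get_scheme()`, so `is_secure()` should presumably be `True`, and with a present but non-matching value it should be `False`. Adding `req.META['HTTP_X_FORWARDED_PROTOCOL'] = 'HTTPS'` followed by `self.assertIs(req.is_secure(), False)` to the same test would document the exact-match behaviour, and a fresh `ProxyRequest()` with `self.assertIs(req.is_secure(), True)` would pin the fallback. The enclosing test class starts outside the hunk.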