Refs #33526 -- Made CSRF_COOKIE_SECURE/SESSION_COOKIE_SECURE/SESSION_COOKIE_HTTPONLY don't pass on truthy values.

2022-02-21 07:54:47 +01:00 · 2022-02-21 07:54:47 +01:00 · 1299bc33e1
parent fe3518d25e
commit 1299bc33e1
3 changed files with 43 additions and 15 deletions
--- a/django/core/checks/security/csrf.py
+++ b/django/core/checks/security/csrf.py
@ -37,7 +37,7 @@ def check_csrf_cookie_secure(app_configs, **kwargs):
    passed_check = (
        settings.CSRF_USE_SESSIONS
        or not _csrf_middleware()
-        or settings.CSRF_COOKIE_SECURE
+        or settings.CSRF_COOKIE_SECURE is True
    )
    return [] if passed_check else [W016]

--- a/django/core/checks/security/sessions.py
+++ b/django/core/checks/security/sessions.py
@ -65,27 +65,29 @@ W015 = Warning(

@register(Tags.security, deploy=True)
 def check_session_cookie_secure(app_configs, **kwargs):
+    if settings.SESSION_COOKIE_SECURE is True:
+        return []
    errors = []
-    if not settings.SESSION_COOKIE_SECURE:
-        if _session_app():
-            errors.append(W010)
-        if _session_middleware():
-            errors.append(W011)
-        if len(errors) > 1:
-            errors = [W012]
+    if _session_app():
+        errors.append(W010)
+    if _session_middleware():
+        errors.append(W011)
+    if len(errors) > 1:
+        errors = [W012]
    return errors


@register(Tags.security, deploy=True)
 def check_session_cookie_httponly(app_configs, **kwargs):
+    if settings.SESSION_COOKIE_HTTPONLY is True:
+        return []
    errors = []
-    if not settings.SESSION_COOKIE_HTTPONLY:
-        if _session_app():
-            errors.append(W013)
-        if _session_middleware():
-            errors.append(W014)
-        if len(errors) > 1:
-            errors = [W015]
+    if _session_app():
+        errors.append(W013)
+    if _session_middleware():
+        errors.append(W014)
+    if len(errors) > 1:
+        errors = [W015]
    return errors


--- a/tests/check_framework/test_security.py
+++ b/tests/check_framework/test_security.py
@ -19,6 +19,15 @@ class CheckSessionCookieSecureTest(SimpleTestCase):
        """
        self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])

+    @override_settings(
+        SESSION_COOKIE_SECURE="1",
+        INSTALLED_APPS=["django.contrib.sessions"],
+        MIDDLEWARE=[],
+    )
+    def test_session_cookie_secure_with_installed_app_truthy(self):
+        """SESSION_COOKIE_SECURE must be boolean."""
+        self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
+
    @override_settings(
        SESSION_COOKIE_SECURE=False,
        INSTALLED_APPS=[],
@ -69,6 +78,15 @@ class CheckSessionCookieHttpOnlyTest(SimpleTestCase):
        """
        self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])

+    @override_settings(
+        SESSION_COOKIE_HTTPONLY="1",
+        INSTALLED_APPS=["django.contrib.sessions"],
+        MIDDLEWARE=[],
+    )
+    def test_session_cookie_httponly_with_installed_app_truthy(self):
+        """SESSION_COOKIE_HTTPONLY must be boolean."""
+        self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
+
    @override_settings(
        SESSION_COOKIE_HTTPONLY=False,
        INSTALLED_APPS=[],
@ -131,6 +149,14 @@ class CheckCSRFCookieSecureTest(SimpleTestCase):
        """
        self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])

+    @override_settings(
+        MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
+        CSRF_COOKIE_SECURE="1",
+    )
+    def test_with_csrf_cookie_secure_truthy(self):
+        """CSRF_COOKIE_SECURE must be boolean."""
+        self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
+
    @override_settings(
        MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
        CSRF_USE_SESSIONS=True,