Refs #33526 -- Made CSRF_COOKIE_SECURE/SESSION_COOKIE_SECURE/SESSION_COOKIE_HTTPONLY don't pass on truthy values.
This commit is contained in:
parent
fe3518d25e
commit
1299bc33e1
@ -37,7 +37,7 @@ def check_csrf_cookie_secure(app_configs, **kwargs):
|
|||||||
passed_check = (
|
passed_check = (
|
||||||
settings.CSRF_USE_SESSIONS
|
settings.CSRF_USE_SESSIONS
|
||||||
or not _csrf_middleware()
|
or not _csrf_middleware()
|
||||||
or settings.CSRF_COOKIE_SECURE
|
or settings.CSRF_COOKIE_SECURE is True
|
||||||
)
|
)
|
||||||
return [] if passed_check else [W016]
|
return [] if passed_check else [W016]
|
||||||
|
|
||||||
|
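Review bot: The switch to `or settings.CSRF_COOKIE_SECURE is True` carries no comment, so a later cleanup could fold it back into the truthiness form used by the two sibling conditions above it (`settings.CSRF_USE_SESSIONS` and `not _csrf_middleware()` still test truthiness). A one-line comment above it would pin the intent: `# Deliberately "is True": a truthy non-bool such as "1" must still raise W016.` The W016 message is defined outside this hunk; it is worth confirming its wording says the setting must be set to `True` rather than merely enabled, since the check now rejects other truthy values.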
@ -65,8 +65,9 @@ W015 = Warning(
|
|||||||
|
|
||||||
@register(Tags.security, deploy=True)
|
@register(Tags.security, deploy=True)
|
||||||
def check_session_cookie_secure(app_configs, **kwargs):
|
def check_session_cookie_secure(app_configs, **kwargs):
|
||||||
|
if settings.SESSION_COOKIE_SECURE is True:
|
||||||
|
return []
|
||||||
errors = []
|
errors = []
|
||||||
if not settings.SESSION_COOKIE_SECURE:
|
|
||||||
if _session_app():
|
if _session_app():
|
||||||
errors.append(W010)
|
errors.append(W010)
|
||||||
if _session_middleware():
|
if _session_middleware():
|
||||||
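Review bot: The new guard `if settings.SESSION_COOKIE_SECURE is True: return []` treats a truthy non-bool such as "1" the same as an unset value, and nothing in the code says this is deliberate; the identical guard is added for SESSION_COOKIE_HTTPONLY in the next hunk. Suggest the same comment on both guards: `# "is True" on purpose: truthy non-bool values (e.g. "1") still warn.` After this change the two functions differ only in the setting they read and the warnings they append, so a private helper taking the setting value and the warnings would remove the duplicated early-return-and-collect shape, though that is a style choice. check_session_cookie_secure continues past the end of this hunk.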
@ -78,8 +79,9 @@ def check_session_cookie_secure(app_configs, **kwargs):
|
|||||||
|
|
||||||
@register(Tags.security, deploy=True)
|
@register(Tags.security, deploy=True)
|
||||||
def check_session_cookie_httponly(app_configs, **kwargs):
|
def check_session_cookie_httponly(app_configs, **kwargs):
|
||||||
|
if settings.SESSION_COOKIE_HTTPONLY is True:
|
||||||
|
return []
|
||||||
errors = []
|
errors = []
|
||||||
if not settings.SESSION_COOKIE_HTTPONLY:
|
|
||||||
if _session_app():
|
if _session_app():
|
||||||
errors.append(W013)
|
errors.append(W013)
|
||||||
if _session_middleware():
|
if _session_middleware():
|
||||||
|
@ -19,6 +19,15 @@ class CheckSessionCookieSecureTest(SimpleTestCase):
|
|||||||
"""
|
"""
|
||||||
self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
|
self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
|
||||||
|
|
||||||
|
@override_settings(
|
||||||
|
SESSION_COOKIE_SECURE="1",
|
||||||
|
INSTALLED_APPS=["django.contrib.sessions"],
|
||||||
|
MIDDLEWARE=[],
|
||||||
|
)
|
||||||
|
def test_session_cookie_secure_with_installed_app_truthy(self):
|
||||||
|
"""SESSION_COOKIE_SECURE must be boolean."""
|
||||||
|
self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
|
||||||
|
|
||||||
@override_settings(
|
@override_settings(
|
||||||
SESSION_COOKIE_SECURE=False,
|
SESSION_COOKIE_SECURE=False,
|
||||||
INSTALLED_APPS=[],
|
INSTALLED_APPS=[],
|
||||||
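Review bot: The new truthy-value test covers only the installed-app branch (`INSTALLED_APPS=["django.contrib.sessions"]`, `MIDDLEWARE=[]`); the `_session_middleware()` branch of check_session_cookie_secure is never exercised with a truthy non-bool, and the SESSION_COOKIE_HTTPONLY test added in the next hunk has the same gap. A companion case with the sessions middleware enabled and no installed app would confirm the early return is also bypassed on that path. The docstring `"""SESSION_COOKIE_SECURE must be boolean."""` reads as a requirement on the setting rather than a description of the test; `"""A truthy non-bool value does not satisfy the check."""` states what is actually asserted.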
@ -69,6 +78,15 @@ class CheckSessionCookieHttpOnlyTest(SimpleTestCase):
|
|||||||
"""
|
"""
|
||||||
self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
|
self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
|
||||||
|
|
||||||
|
@override_settings(
|
||||||
|
SESSION_COOKIE_HTTPONLY="1",
|
||||||
|
INSTALLED_APPS=["django.contrib.sessions"],
|
||||||
|
MIDDLEWARE=[],
|
||||||
|
)
|
||||||
|
def test_session_cookie_httponly_with_installed_app_truthy(self):
|
||||||
|
"""SESSION_COOKIE_HTTPONLY must be boolean."""
|
||||||
|
self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
|
||||||
|
|
||||||
@override_settings(
|
@override_settings(
|
||||||
SESSION_COOKIE_HTTPONLY=False,
|
SESSION_COOKIE_HTTPONLY=False,
|
||||||
INSTALLED_APPS=[],
|
INSTALLED_APPS=[],
|
||||||
@ -131,6 +149,14 @@ class CheckCSRFCookieSecureTest(SimpleTestCase):
|
|||||||
"""
|
"""
|
||||||
self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
|
self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
|
||||||
|
|
||||||
|
@override_settings(
|
||||||
|
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
|
||||||
|
CSRF_COOKIE_SECURE="1",
|
||||||
|
)
|
||||||
|
def test_with_csrf_cookie_secure_truthy(self):
|
||||||
|
"""CSRF_COOKIE_SECURE must be boolean."""
|
||||||
|
self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
|
||||||
|
|
||||||
@override_settings(
|
@override_settings(
|
||||||
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
|
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
|
||||||
CSRF_USE_SESSIONS=True,
|
CSRF_USE_SESSIONS=True,
|
||||||
|