
Refs #33526 -- Made the CSRF_COOKIE_SECURE/SESSION_COOKIE_SECURE/SESSION_COOKIE_HTTPONLY checks fail on truthy non-boolean values.

Mariusz Felisiak 2022-02-21 07:54:47 +01:00 committed by GitHub
parent fe3518d25e
commit 1299bc33e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 15 deletions


@ -37,7 +37,7 @@ def check_csrf_cookie_secure(app_configs, **kwargs):
passed_check = ( passed_check = (
settings.CSRF_USE_SESSIONS settings.CSRF_USE_SESSIONS
or not _csrf_middleware() or not _csrf_middleware()
or settings.CSRF_COOKIE_SECURE or settings.CSRF_COOKIE_SECURE is True
) )
return [] if passed_check else [W016] return [] if passed_check else [W016]
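Review bot: The strict `is True` comparison on the new side of line 21 needs a why-comment, because a reader will otherwise read it as a gratuitous departure from plain truthiness; the removed `or settings.CSRF_COOKIE_SECURE` shows the old check passed any truthy value, including a string such as `"False"` read from an environment variable. Suggest the line above `passed_check = (` read `# Require the boolean True: a truthy non-bool (e.g. the string "False" from os.environ) must not silence W016.` The W016 definition is outside this hunk; if its message only says the setting is not set to True, a deployment with `CSRF_COOKIE_SECURE = "True"` will now get a warning that reads as wrong, so consider extending its hint to say the setting must be the boolean `True`, not a string.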


@ -65,8 +65,9 @@ W015 = Warning(
@register(Tags.security, deploy=True) @register(Tags.security, deploy=True)
def check_session_cookie_secure(app_configs, **kwargs): def check_session_cookie_secure(app_configs, **kwargs):
if settings.SESSION_COOKIE_SECURE is True:
return []
errors = [] errors = []
if not settings.SESSION_COOKIE_SECURE:
if _session_app(): if _session_app():
errors.append(W010) errors.append(W010)
if _session_middleware(): if _session_middleware():
@ -78,8 +79,9 @@ def check_session_cookie_secure(app_configs, **kwargs):
@register(Tags.security, deploy=True) @register(Tags.security, deploy=True)
def check_session_cookie_httponly(app_configs, **kwargs): def check_session_cookie_httponly(app_configs, **kwargs):
if settings.SESSION_COOKIE_HTTPONLY is True:
return []
errors = [] errors = []
if not settings.SESSION_COOKIE_HTTPONLY:
if _session_app(): if _session_app():
errors.append(W013) errors.append(W013)
if _session_middleware(): if _session_middleware():
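Review bot: The early returns added at lines 30 and 40 encode a type requirement that nothing in either function explains; the removed `if not settings.SESSION_COOKIE_SECURE:` / `if not settings.SESSION_COOKIE_HTTPONLY:` guards show the previous checks accepted any truthy value, so a truthy string from an environment variable used to pass silently. Suggest a comment on each early return, e.g. `# Only the boolean True passes; a truthy non-bool such as the string "False" must still produce the warnings below.` Both function bodies continue past the hunk, and the W010/W013 messages are not visible here; if they only say the setting is "not set to True", a value like `"True"` will now yield a warning that looks contradictory, so their hints may also need to mention the boolean requirement.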


@ -19,6 +19,15 @@ class CheckSessionCookieSecureTest(SimpleTestCase):
""" """
self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010]) self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
@override_settings(
SESSION_COOKIE_SECURE="1",
INSTALLED_APPS=["django.contrib.sessions"],
MIDDLEWARE=[],
)
def test_session_cookie_secure_with_installed_app_truthy(self):
"""SESSION_COOKIE_SECURE must be boolean."""
self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
@override_settings( @override_settings(
SESSION_COOKIE_SECURE=False, SESSION_COOKIE_SECURE=False,
INSTALLED_APPS=[], INSTALLED_APPS=[],
@ -69,6 +78,15 @@ class CheckSessionCookieHttpOnlyTest(SimpleTestCase):
""" """
self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013]) self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
@override_settings(
SESSION_COOKIE_HTTPONLY="1",
INSTALLED_APPS=["django.contrib.sessions"],
MIDDLEWARE=[],
)
def test_session_cookie_httponly_with_installed_app_truthy(self):
"""SESSION_COOKIE_HTTPONLY must be boolean."""
self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
@override_settings( @override_settings(
SESSION_COOKIE_HTTPONLY=False, SESSION_COOKIE_HTTPONLY=False,
INSTALLED_APPS=[], INSTALLED_APPS=[],
@ -131,6 +149,14 @@ class CheckCSRFCookieSecureTest(SimpleTestCase):
""" """
self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016]) self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
@override_settings(
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
CSRF_COOKIE_SECURE="1",
)
def test_with_csrf_cookie_secure_truthy(self):
"""CSRF_COOKIE_SECURE must be boolean."""
self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
@override_settings( @override_settings(
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"], MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
CSRF_USE_SESSIONS=True, CSRF_USE_SESSIONS=True,
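Review bot: The three new tests (lines 53-60, 67-74 and 81-87) each pin only the string `"1"`, which does not cover the two truthy non-bool cases the check is really meant to catch: the integer `1` (also rejected by `is True`) and the realistic env-var value `"False"`. Each test could iterate a small tuple of values instead, e.g. `for value in ("1", 1, "False"):` / `with self.subTest(value=value), self.settings(SESSION_COOKIE_SECURE=value):` / `self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])`, dropping the setting from the `override_settings` decorator. The third hunk's trailing decorator at line 88 belongs to a test whose body is outside this view.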