1
0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00

Refs #33526 -- Made CSRF_COOKIE_SECURE/SESSION_COOKIE_SECURE/SESSION_COOKIE_HTTPONLY don't pass on truthy values.

This commit is contained in:
Mariusz Felisiak 2022-02-21 07:54:47 +01:00 committed by GitHub
parent fe3518d25e
commit 1299bc33e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 15 deletions

View File

@ -37,7 +37,7 @@ def check_csrf_cookie_secure(app_configs, **kwargs):
passed_check = (
settings.CSRF_USE_SESSIONS
or not _csrf_middleware()
or settings.CSRF_COOKIE_SECURE
or settings.CSRF_COOKIE_SECURE is True
)
return [] if passed_check else [W016]

View File

@ -65,8 +65,9 @@ W015 = Warning(
@register(Tags.security, deploy=True)
def check_session_cookie_secure(app_configs, **kwargs):
if settings.SESSION_COOKIE_SECURE is True:
return []
errors = []
if not settings.SESSION_COOKIE_SECURE:
if _session_app():
errors.append(W010)
if _session_middleware():
@ -78,8 +79,9 @@ def check_session_cookie_secure(app_configs, **kwargs):
@register(Tags.security, deploy=True)
def check_session_cookie_httponly(app_configs, **kwargs):
if settings.SESSION_COOKIE_HTTPONLY is True:
return []
errors = []
if not settings.SESSION_COOKIE_HTTPONLY:
if _session_app():
errors.append(W013)
if _session_middleware():

View File

@ -19,6 +19,15 @@ class CheckSessionCookieSecureTest(SimpleTestCase):
"""
self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
@override_settings(
SESSION_COOKIE_SECURE="1",
INSTALLED_APPS=["django.contrib.sessions"],
MIDDLEWARE=[],
)
def test_session_cookie_secure_with_installed_app_truthy(self):
"""SESSION_COOKIE_SECURE must be boolean."""
self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
@override_settings(
SESSION_COOKIE_SECURE=False,
INSTALLED_APPS=[],
@ -69,6 +78,15 @@ class CheckSessionCookieHttpOnlyTest(SimpleTestCase):
"""
self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
@override_settings(
SESSION_COOKIE_HTTPONLY="1",
INSTALLED_APPS=["django.contrib.sessions"],
MIDDLEWARE=[],
)
def test_session_cookie_httponly_with_installed_app_truthy(self):
"""SESSION_COOKIE_HTTPONLY must be boolean."""
self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
@override_settings(
SESSION_COOKIE_HTTPONLY=False,
INSTALLED_APPS=[],
@ -131,6 +149,14 @@ class CheckCSRFCookieSecureTest(SimpleTestCase):
"""
self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
@override_settings(
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
CSRF_COOKIE_SECURE="1",
)
def test_with_csrf_cookie_secure_truthy(self):
"""CSRF_COOKIE_SECURE must be boolean."""
self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
@override_settings(
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
CSRF_USE_SESSIONS=True,