Refs #33526 -- Made CSRF_COOKIE_SECURE/SESSION_COOKIE_SECURE/SESSION_COOKIE_HTTPONLY don't pass on truthy values.
This commit is contained in:
parent
fe3518d25e
commit
1299bc33e1
|
@ -37,7 +37,7 @@ def check_csrf_cookie_secure(app_configs, **kwargs):
|
|||
passed_check = (
|
||||
settings.CSRF_USE_SESSIONS
|
||||
or not _csrf_middleware()
|
||||
or settings.CSRF_COOKIE_SECURE
|
||||
or settings.CSRF_COOKIE_SECURE is True
|
||||
)
|
||||
return [] if passed_check else [W016]
|
||||
|
||||
|
|
|
@ -65,27 +65,29 @@ W015 = Warning(
|
|||
|
||||
@register(Tags.security, deploy=True)
|
||||
def check_session_cookie_secure(app_configs, **kwargs):
|
||||
if settings.SESSION_COOKIE_SECURE is True:
|
||||
return []
|
||||
errors = []
|
||||
if not settings.SESSION_COOKIE_SECURE:
|
||||
if _session_app():
|
||||
errors.append(W010)
|
||||
if _session_middleware():
|
||||
errors.append(W011)
|
||||
if len(errors) > 1:
|
||||
errors = [W012]
|
||||
if _session_app():
|
||||
errors.append(W010)
|
||||
if _session_middleware():
|
||||
errors.append(W011)
|
||||
if len(errors) > 1:
|
||||
errors = [W012]
|
||||
return errors
|
||||
|
||||
|
||||
@register(Tags.security, deploy=True)
|
||||
def check_session_cookie_httponly(app_configs, **kwargs):
|
||||
if settings.SESSION_COOKIE_HTTPONLY is True:
|
||||
return []
|
||||
errors = []
|
||||
if not settings.SESSION_COOKIE_HTTPONLY:
|
||||
if _session_app():
|
||||
errors.append(W013)
|
||||
if _session_middleware():
|
||||
errors.append(W014)
|
||||
if len(errors) > 1:
|
||||
errors = [W015]
|
||||
if _session_app():
|
||||
errors.append(W013)
|
||||
if _session_middleware():
|
||||
errors.append(W014)
|
||||
if len(errors) > 1:
|
||||
errors = [W015]
|
||||
return errors
|
||||
|
||||
|
||||
|
|
|
@ -19,6 +19,15 @@ class CheckSessionCookieSecureTest(SimpleTestCase):
|
|||
"""
|
||||
self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
|
||||
|
||||
@override_settings(
|
||||
SESSION_COOKIE_SECURE="1",
|
||||
INSTALLED_APPS=["django.contrib.sessions"],
|
||||
MIDDLEWARE=[],
|
||||
)
|
||||
def test_session_cookie_secure_with_installed_app_truthy(self):
|
||||
"""SESSION_COOKIE_SECURE must be boolean."""
|
||||
self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
|
||||
|
||||
@override_settings(
|
||||
SESSION_COOKIE_SECURE=False,
|
||||
INSTALLED_APPS=[],
|
||||
|
@ -69,6 +78,15 @@ class CheckSessionCookieHttpOnlyTest(SimpleTestCase):
|
|||
"""
|
||||
self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
|
||||
|
||||
@override_settings(
|
||||
SESSION_COOKIE_HTTPONLY="1",
|
||||
INSTALLED_APPS=["django.contrib.sessions"],
|
||||
MIDDLEWARE=[],
|
||||
)
|
||||
def test_session_cookie_httponly_with_installed_app_truthy(self):
|
||||
"""SESSION_COOKIE_HTTPONLY must be boolean."""
|
||||
self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
|
||||
|
||||
@override_settings(
|
||||
SESSION_COOKIE_HTTPONLY=False,
|
||||
INSTALLED_APPS=[],
|
||||
|
@ -131,6 +149,14 @@ class CheckCSRFCookieSecureTest(SimpleTestCase):
|
|||
"""
|
||||
self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
|
||||
|
||||
@override_settings(
|
||||
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
|
||||
CSRF_COOKIE_SECURE="1",
|
||||
)
|
||||
def test_with_csrf_cookie_secure_truthy(self):
|
||||
"""CSRF_COOKIE_SECURE must be boolean."""
|
||||
self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
|
||||
|
||||
@override_settings(
|
||||
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
|
||||
CSRF_USE_SESSIONS=True,
|
||||
|
|
Loading…
Reference in New Issue