p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refs #16859 -- Disabled CSRF_COOKIE_* checks when using CSRF_USE_SESSIONS.

This commit is contained in:
Raphael Michel 2016-12-17 15:59:48 +01:00 committed by Tim Graham
parent 2f44fa7f06
commit 33e86b3488
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/core/checks/security/csrf.py
View File

@ -43,6 +43,7 @@ def check_csrf_middleware(app_configs, **kwargs):
@register(Tags.security, deploy=True) @register(Tags.security, deploy=True)
def check_csrf_cookie_secure(app_configs, **kwargs): def check_csrf_cookie_secure(app_configs, **kwargs):
passed_check = ( passed_check = (
settings.CSRF_USE_SESSIONS or
not _csrf_middleware() or not _csrf_middleware() or
settings.CSRF_COOKIE_SECURE settings.CSRF_COOKIE_SECURE
) )
@ -52,6 +53,7 @@ def check_csrf_cookie_secure(app_configs, **kwargs):
@register(Tags.security, deploy=True) @register(Tags.security, deploy=True)
def check_csrf_cookie_httponly(app_configs, **kwargs): def check_csrf_cookie_httponly(app_configs, **kwargs):
passed_check = ( passed_check = (
settings.CSRF_USE_SESSIONS or
not _csrf_middleware() or not _csrf_middleware() or
settings.CSRF_COOKIE_HTTPONLY settings.CSRF_COOKIE_HTTPONLY
) )

22
tests/check_framework/test_security.py
View File

@ -166,6 +166,17 @@ class CheckCSRFCookieSecureTest(SimpleTestCase):
""" """
self.assertEqual(self.func(None), [csrf.W016]) self.assertEqual(self.func(None), [csrf.W016])
@override_settings(
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
CSRF_USE_SESSIONS=True,
CSRF_COOKIE_SECURE=False)
def test_use_sessions_with_csrf_cookie_secure_false(self):
"""
No warning if CSRF_COOKIE_SECURE isn't True while CSRF_USE_SESSIONS
is True.
"""
self.assertEqual(self.func(None), [])
@override_settings(MIDDLEWARE=[], MIDDLEWARE_CLASSES=[], CSRF_COOKIE_SECURE=False) @override_settings(MIDDLEWARE=[], MIDDLEWARE_CLASSES=[], CSRF_COOKIE_SECURE=False)
def test_with_csrf_cookie_secure_false_no_middleware(self): def test_with_csrf_cookie_secure_false_no_middleware(self):
""" """
@ -197,6 +208,17 @@ class CheckCSRFCookieHttpOnlyTest(SimpleTestCase):
""" """
self.assertEqual(self.func(None), [csrf.W017]) self.assertEqual(self.func(None), [csrf.W017])
@override_settings(
MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
CSRF_USE_SESSIONS=True,
CSRF_COOKIE_HTTPONLY=False)
def test_use_sessions_with_csrf_cookie_httponly_false(self):
"""
No warning if CSRF_COOKIE_HTTPONLY isn't True while CSRF_USE_SESSIONS
is True.
"""
self.assertEqual(self.func(None), [])
@override_settings(MIDDLEWARE=[], MIDDLEWARE_CLASSES=[], CSRF_COOKIE_HTTPONLY=False) @override_settings(MIDDLEWARE=[], MIDDLEWARE_CLASSES=[], CSRF_COOKIE_HTTPONLY=False)
def test_with_csrf_cookie_httponly_false_no_middleware(self): def test_with_csrf_cookie_httponly_false_no_middleware(self):
""" """