From 1299bc33e131a3c44b544b58c706bc998c4228ed Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak
Date: Mon, 21 Feb 2022 07:54:47 +0100
Subject: [PATCH] Refs #33526 -- Made CSRF_COOKIE_SECURE/SESSION_COOKIE_SECURE/SESSION_COOKIE_HTTPONLY don't pass on truthy values.

---
 django/core/checks/security/csrf.py | 2 +-
 django/core/checks/security/sessions.py | 30 +++++++++++++------------
 tests/check_framework/test_security.py | 26 +++++++++++++++++++++
 3 files changed, 43 insertions(+), 15 deletions(-)

diff --git a/django/core/checks/security/csrf.py b/django/core/checks/security/csrf.py
index af59589ae5a..d00f2259c67 100644
--- a/django/core/checks/security/csrf.py
+++ b/django/core/checks/security/csrf.py
@@ -37,7 +37,7 @@ def check_csrf_cookie_secure(app_configs, **kwargs):
     passed_check = (
         settings.CSRF_USE_SESSIONS
         or not _csrf_middleware()
-        or settings.CSRF_COOKIE_SECURE
+        or settings.CSRF_COOKIE_SECURE is True
     )
     return [] if passed_check else [W016]
diff --git a/django/core/checks/security/sessions.py b/django/core/checks/security/sessions.py
index 7c251c06016..f317d09f731 100644
--- a/django/core/checks/security/sessions.py
+++ b/django/core/checks/security/sessions.py
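Review bot: The new `is True` comparison on the `CSRF_COOKIE_SECURE` line is deliberate but unexplained, and the `CSRF_USE_SESSIONS` operand two lines above still short-circuits on plain truthiness, so the very misconfiguration this commit targets — a non-boolean such as the string `"False"` read from an environment variable — silences the whole check when it lands in `CSRF_USE_SESSIONS` instead. Whether that is a real gap depends on how the CSRF middleware itself interprets `CSRF_USE_SESSIONS`, which is not visible here, so at minimum the intent deserves a comment above the expression: `# Require the literal True: a truthy non-boolean (e.g. "1" or "False" from an environment variable) is a misconfiguration, not an enabled setting.` If the middleware also expects a strict boolean, `settings.CSRF_USE_SESSIONS is True` would make the two operands consistent. The enclosing `check_csrf_cookie_secure` starts above the hunk.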
@@ -65,27 +65,29 @@ W015 = Warning(
 @register(Tags.security, deploy=True)
 def check_session_cookie_secure(app_configs, **kwargs):
+    if settings.SESSION_COOKIE_SECURE is True:
+        return []
     errors = []
-    if not settings.SESSION_COOKIE_SECURE:
-        if _session_app():
-            errors.append(W010)
-        if _session_middleware():
-            errors.append(W011)
-        if len(errors) > 1:
-            errors = [W012]
+    if _session_app():
+        errors.append(W010)
+    if _session_middleware():
+        errors.append(W011)
+    if len(errors) > 1:
+        errors = [W012]
     return errors
 
 
 @register(Tags.security, deploy=True)
 def check_session_cookie_httponly(app_configs, **kwargs):
+    if settings.SESSION_COOKIE_HTTPONLY is True:
+        return []
     errors = []
-    if not settings.SESSION_COOKIE_HTTPONLY:
-        if _session_app():
-            errors.append(W013)
-        if _session_middleware():
-            errors.append(W014)
-        if len(errors) > 1:
-            errors = [W015]
+    if _session_app():
+        errors.append(W013)
+    if _session_middleware():
+        errors.append(W014)
+    if len(errors) > 1:
+        errors = [W015]
     return errors
diff --git a/tests/check_framework/test_security.py b/tests/check_framework/test_security.py
index d025c4d92cc..3e20f35f01f 100644
--- a/tests/check_framework/test_security.py
+++ b/tests/check_framework/test_security.py
@@ -19,6 +19,15 @@ class CheckSessionCookieSecureTest(SimpleTestCase):
         """
         self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
 
+    @override_settings(
+        SESSION_COOKIE_SECURE="1",
+        INSTALLED_APPS=["django.contrib.sessions"],
+        MIDDLEWARE=[],
+    )
+    def test_session_cookie_secure_with_installed_app_truthy(self):
+        """SESSION_COOKIE_SECURE must be boolean."""
+        self.assertEqual(sessions.check_session_cookie_secure(None), [sessions.W010])
+
     @override_settings(
         SESSION_COOKIE_SECURE=False,
         INSTALLED_APPS=[],
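Review bot: `check_session_cookie_secure` and `check_session_cookie_httponly` are now line-for-line copies that differ only in the setting read and the three warning codes, and the new `if ... is True: return []` guard has been pasted into both, so the next adjustment to this rule (another cookie flag, or a different report for a non-boolean value) has to be made twice. Folding the shared body into a private helper keeps the `is True` decision in one place and gives it a single comment explaining why a truthy non-boolean such as `"1"` is rejected; the two registered functions remain thin wrappers with unchanged signatures. Both functions are complete within the hunk; `_session_app()` and `_session_middleware()` are defined outside it.
```python
def _session_cookie_flag_warnings(value, app_warning, middleware_warning, both_warning):
    """Return the warnings for a session-cookie flag that is not the literal True."""
    # A truthy non-boolean (e.g. "1" read from the environment) is a
    # misconfiguration, not an enabled flag, so only the literal True passes.
    if value is True:
        return []
    errors = []
    if _session_app():
        errors.append(app_warning)
    if _session_middleware():
        errors.append(middleware_warning)
    return [both_warning] if len(errors) > 1 else errors


@register(Tags.security, deploy=True)
def check_session_cookie_secure(app_configs, **kwargs):
    return _session_cookie_flag_warnings(
        settings.SESSION_COOKIE_SECURE, W010, W011, W012
    )


@register(Tags.security, deploy=True)
def check_session_cookie_httponly(app_configs, **kwargs):
    return _session_cookie_flag_warnings(
        settings.SESSION_COOKIE_HTTPONLY, W013, W014, W015
    )
```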
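Review bot: The new `test_session_cookie_secure_with_installed_app_truthy` pins a single truthy non-boolean, the string `"1"`, while the value the change most plausibly guards against is the string `"False"` produced by a naive environment-variable read — equally truthy, and before this commit it would have passed the check; an integer `1` is the other common shape. Looping one assertion over those values with `subTest` and `self.settings()` states the rule in the docstring's own terms ("must be boolean") without a method per value. The decorator then drops `SESSION_COOKIE_SECURE` and keeps only `INSTALLED_APPS` and `MIDDLEWARE`.
```python
    @override_settings(INSTALLED_APPS=["django.contrib.sessions"], MIDDLEWARE=[])
    def test_session_cookie_secure_with_installed_app_truthy(self):
        """SESSION_COOKIE_SECURE must be boolean."""
        for value in ("1", 1, "False"):
            with self.subTest(value=value), self.settings(SESSION_COOKIE_SECURE=value):
                self.assertEqual(
                    sessions.check_session_cookie_secure(None), [sessions.W010]
                )
```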
@@ -69,6 +78,15 @@ class CheckSessionCookieHttpOnlyTest(SimpleTestCase):
         """
         self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
 
+    @override_settings(
+        SESSION_COOKIE_HTTPONLY="1",
+        INSTALLED_APPS=["django.contrib.sessions"],
+        MIDDLEWARE=[],
+    )
+    def test_session_cookie_httponly_with_installed_app_truthy(self):
+        """SESSION_COOKIE_HTTPONLY must be boolean."""
+        self.assertEqual(sessions.check_session_cookie_httponly(None), [sessions.W013])
+
     @override_settings(
         SESSION_COOKIE_HTTPONLY=False,
         INSTALLED_APPS=[],
@@ -131,6 +149,14 @@ class CheckCSRFCookieSecureTest(SimpleTestCase):
         """
         self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
 
+    @override_settings(
+        MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
+        CSRF_COOKIE_SECURE="1",
+    )
+    def test_with_csrf_cookie_secure_truthy(self):
+        """CSRF_COOKIE_SECURE must be boolean."""
+        self.assertEqual(csrf.check_csrf_cookie_secure(None), [csrf.W016])
+
     @override_settings(
         MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
         CSRF_USE_SESSIONS=True,
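Review bot: The `SESSION_COOKIE_HTTPONLY="1"` case exercises only the `INSTALLED_APPS` branch and asserts `W013`; nothing in the added test verifies that a truthy non-boolean also reaches the middleware branch (`W014`) or the combined `W015` result, so the new early return is only half covered. A sibling case with `INSTALLED_APPS=[]` and `MIDDLEWARE=["django.contrib.sessions.middleware.SessionMiddleware"]` asserting `[sessions.W014]` closes that, assuming `_session_middleware()` matches that dotted path the way the existing middleware tests in this class presumably do. The three lines that change are `INSTALLED_APPS=[],`, `MIDDLEWARE=["django.contrib.sessions.middleware.SessionMiddleware"],` and the expected `[sessions.W014]`.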
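Review bot: The docstring `"""CSRF_COOKIE_SECURE must be boolean."""` on `test_with_csrf_cookie_secure_truthy` overstates what the test shows: a boolean `False` is rejected by `check_csrf_cookie_secure` as well, and the case actually exercised is a truthy non-boolean. A docstring that names the condition, such as `"""A truthy non-boolean CSRF_COOKIE_SECURE (e.g. "1") still triggers W016."""`, tells the next reader why the string `"1"` was chosen. The fixture also relies on `CSRF_USE_SESSIONS` keeping its default, presumably `False`, since that operand is evaluated first and would short-circuit the check; adding `CSRF_USE_SESSIONS=False,` to the decorator makes the test self-contained.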