From 33e86b3488dbf29f5aeb38cf0ee6597190d33c59 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Sat, 17 Dec 2016 15:59:48 +0100
Subject: [PATCH] Refs #16859 -- Disabled CSRF_COOKIE_* checks when using CSRF_USE_SESSIONS.
---
 django/core/checks/security/csrf.py | 2 ++
 tests/check_framework/test_security.py | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/django/core/checks/security/csrf.py b/django/core/checks/security/csrf.py
index b90308a016..1cd0ace56d 100644
--- a/django/core/checks/security/csrf.py
+++ b/django/core/checks/security/csrf.py
@@ -43,6 +43,7 @@ def check_csrf_middleware(app_configs, **kwargs):
 @register(Tags.security, deploy=True)
 def check_csrf_cookie_secure(app_configs, **kwargs):
 passed_check = (
+ settings.CSRF_USE_SESSIONS or
 not _csrf_middleware() or
 settings.CSRF_COOKIE_SECURE
 )
@@ -52,6 +53,7 @@ def check_csrf_cookie_secure(app_configs, **kwargs):
 @register(Tags.security, deploy=True)
 def check_csrf_cookie_httponly(app_configs, **kwargs):
 passed_check = (
+ settings.CSRF_USE_SESSIONS or
 not _csrf_middleware() or
 settings.CSRF_COOKIE_HTTPONLY
 )
diff --git a/tests/check_framework/test_security.py b/tests/check_framework/test_security.py
index ebd1ffb0d3..1e6d2fac8b 100644
--- a/tests/check_framework/test_security.py
+++ b/tests/check_framework/test_security.py
@@ -166,6 +166,17 @@ class CheckCSRFCookieSecureTest(SimpleTestCase):
 """
 self.assertEqual(self.func(None), [csrf.W016])
 
+ @override_settings(
+ MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
+ CSRF_USE_SESSIONS=True,
+ CSRF_COOKIE_SECURE=False)
+ def test_use_sessions_with_csrf_cookie_secure_false(self):
+ """
+ No warning if CSRF_COOKIE_SECURE isn't True while CSRF_USE_SESSIONS
+ is True.
+ """
+ self.assertEqual(self.func(None), [])
+
 @override_settings(MIDDLEWARE=[], MIDDLEWARE_CLASSES=[], CSRF_COOKIE_SECURE=False)
 def test_with_csrf_cookie_secure_false_no_middleware(self):
 """
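Review bot: The new first operand `settings.CSRF_USE_SESSIONS or` in check_csrf_cookie_secure carries no comment explaining why it makes the check pass, and the same applies to the identical line added to check_csrf_cookie_httponly in the next hunk. A reader of W016/W017 could take the silence to mean the token's transport is covered, whereas with session storage that protection presumably rests on SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY instead. I would add above each tuple something like `# CSRF_USE_SESSIONS keeps the token in the session, so the CSRF cookie flags do not apply; the session cookie settings are what matter.` Both function bodies continue past the end of their hunks, so the return statements are not visible here.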
@@ -197,6 +208,17 @@ class CheckCSRFCookieHttpOnlyTest(SimpleTestCase):
 """
 self.assertEqual(self.func(None), [csrf.W017])
 
+ @override_settings(
+ MIDDLEWARE=["django.middleware.csrf.CsrfViewMiddleware"],
+ CSRF_USE_SESSIONS=True,
+ CSRF_COOKIE_HTTPONLY=False)
+ def test_use_sessions_with_csrf_cookie_httponly_false(self):
+ """
+ No warning if CSRF_COOKIE_HTTPONLY isn't True while CSRF_USE_SESSIONS
+ is True.
+ """
+ self.assertEqual(self.func(None), [])
+
 @override_settings(MIDDLEWARE=[], MIDDLEWARE_CLASSES=[], CSRF_COOKIE_HTTPONLY=False)
 def test_with_csrf_cookie_httponly_false_no_middleware(self):
 """