Ticket #15797: cookie_domain_validation.diff

File cookie_domain_validation.diff, 5.0 KB (added by estebistec, 4 years ago)

Patch to settings class, tests, and documentation

  • docs/topics/http/sessions.txt

     
    435435
    436436The domain to use for session cookies. Set this to a string such as
    437437``".lawrence.com"`` (note the leading dot!) for cross-domain cookies, or use
    438 ``None`` for a standard domain cookie.
     438``None`` for a standard domain cookie. It should also have sufficient dots
     439(``.``) to ensure it will be valid and sent to the server by browsers. So
     440``".example.com"`` or ``"example.com"`` are good but avoid ``".localhost"`` or
     441``"localhost"``.
    439442
    440443SESSION_COOKIE_HTTPONLY
    441444-----------------------
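Review bot: the new sentence at lines 438-441 ("It should also have sufficient dots") states the rule more loosely than the code enforces it; spell it out as "a value beginning with a dot must contain at least two dots, a value without a leading dot at least one". The same paragraph still says "note the leading dot!" for cross-domain cookies and then lists ``"example.com"`` as good alongside ``".example.com"``, so say in one clause how the dotless form relates to the cross-domain case, otherwise readers will take the two as interchangeable.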
  • docs/ref/settings.txt

     
    322322allowing cross-subdomain requests to be exluded from the normal cross site
    323323request forgery protection.  It should be set to a string such as
    324324``".lawrence.com"`` to allow a POST request from a form on one subdomain to be
    325 accepted by accepted by a view served from another subdomain.
     325accepted by accepted by a view served from another subdomain. It should also
     326have sufficient dots (``.``) to ensure it will be valid and sent to the server
     327by browsers. So ``".example.com"`` or ``"example.com"`` are good but avoid
     328``".localhost"`` or ``"localhost"``.
    326329
    327330.. setting:: CSRF_COOKIE_NAME
    328331
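Review bot: the replacement line 325 carries the duplicated phrase "accepted by accepted by a view" over from the removed line, and the unchanged context line 322 still reads "exluded"; since this paragraph is being edited anyway, fix both to "accepted by a view served from another subdomain" and "excluded". The guidance added at lines 325-328 is the same sentence added to ``docs/topics/http/sessions.txt``; consider keeping the explanation in one place and referencing it from here.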
     
    14801483
    14811484The domain to use for session cookies. Set this to a string such as
    14821485``".lawrence.com"`` for cross-domain cookies, or use ``None`` for a standard
    1483 domain cookie. See the :doc:`/topics/http/sessions`.
     1486domain cookie. It should also have sufficient dots (``.``) to ensure it will be
     1487valid and sent to the server by browsers. So ``".example.com"`` or
     1488``"example.com"`` are good but avoid ``".localhost"`` or ``"localhost"``. See
     1489the :doc:`/topics/http/sessions`.
    14841490
    14851491.. setting:: SESSION_COOKIE_HTTPONLY
    14861492
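Review bot: lines 1486-1488 are the third verbatim copy of the "sufficient dots" guidance in this patch, and this entry already ends with "See the :doc:`/topics/http/sessions`", so keep the full rule (and the ``".localhost"`` / ``"localhost"`` counter-examples) in the sessions topic only and reduce this entry to a short pointer; three copies of a validation rule will drift apart the next time the check in ``django/conf/__init__.py`` changes.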
  • django/conf/__init__.py

     
    1212import warnings
    1313
    1414from django.conf import global_settings
     15from django.core.exceptions import ImproperlyConfigured
    1516from django.utils.functional import LazyObject
    1617from django.utils import importlib
    1718
     
    7071        if name in ("MEDIA_URL", "STATIC_URL") and value and not value.endswith('/'):
    7172            warnings.warn('If set, %s must end with a slash' % name,
    7273                          DeprecationWarning)
     74        if name in ("CSRF_COOKIE_DOMAIN", "SESSION_COOKIE_DOMAIN"):
     75            if value is not None:
     76                if (value.startswith('.') and value.count('.') < 2 or
     77                    '.' not in value):
     78                    raise ImproperlyConfigured('If set, %s should contain '
     79                            'sufficient dots (.), e.g., ".example.com" or '
     80                            '"example.com"' % name)
    7381        object.__setattr__(self, name, value)
    7482
    7583
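Review bot: the condition at lines 76-77 relies on `and` binding tighter than `or` to mean what the docs describe; parenthesise it so the intent is explicit, e.g. `if '.' not in value or (value.startswith('.') and value.count('.') < 2):`, and fold the `if value is not None` guard into the same branch. Two caveats belong in a comment next to it: a non-string value (anything without `.startswith`) fails here with AttributeError rather than ImproperlyConfigured, and the dot count is only a heuristic for "will browsers send this cookie back", so a value such as `'.co.uk'` passes even though it names a public suffix rather than a site. The error message at lines 78-80 should state the actual rule (leading dot needs two dots, otherwise one) instead of "sufficient dots".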
  • tests/regressiontests/settings_tests/tests.py

     
    11from django.conf import settings
    22from django.utils import unittest
    33from django.conf import settings, UserSettingsHolder, global_settings
     4from django.core.exceptions import ImproperlyConfigured
    45
    56
    67class SettingsTests(unittest.TestCase):
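Review bot: the unchanged context lines 1 and 3 both import `settings` from `django.conf`; since line 4 is being added to this import block, drop the redundant `from django.conf import settings` on line 1 while here.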
     
    7677        self.settings_module.MEDIA_URL = 'http://media.foo.com/stupid//'
    7778        self.assertEqual('http://media.foo.com/stupid//',
    7879                         self.settings_module.MEDIA_URL)
     80
     81
     82class CookieDomainTests(unittest.TestCase):
     83    setting_names = ('CSRF_COOKIE_DOMAIN', 'SESSION_COOKIE_DOMAIN')
     84
     85    def test_none(self):
     86        for setting_name in self.setting_names:
     87            setattr(settings, setting_name, None)
     88
     89    def test_empty(self):
     90        for setting_name in self.setting_names:
     91            self.assertRaises(ImproperlyConfigured, setattr, settings,
     92                              setting_name, '')
     93
     94    def test_startswith_dot_too_few(self):
     95        for setting_name in self.setting_names:
     96            self.assertRaises(ImproperlyConfigured, setattr, settings,
     97                              setting_name, '.localhost')
     98
     99    def test_startswith_dot_sufficient_dots(self):
     100        for setting_name in self.setting_names:
     101            setattr(settings, setting_name, '.example.com')
     102
     103    def test_not_startswith_dot_too_few(self):
     104        for setting_name in self.setting_names:
     105            self.assertRaises(ImproperlyConfigured, setattr, settings,
     106                              setting_name, 'localhost')
     107
     108    def test_not_startswith_dot_sufficient_dots(self):
     109        for setting_name in self.setting_names:
     110            setattr(settings, setting_name, 'example.com')
     111
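Review bot: the accepting tests (`test_none` at line 85, `test_startswith_dot_sufficient_dots` at line 99, `test_not_startswith_dot_sufficient_dots` at line 108) assign to the global `settings` object and never restore it, so `CSRF_COOKIE_DOMAIN` and `SESSION_COOKIE_DOMAIN` are left as `'example.com'` or `None` for every test that runs afterwards; add a `setUp`/`tearDown` that saves and restores both attributes. Those three tests also contain no assertion, so they only prove that no exception was raised; follow each `setattr` with `self.assertEqual(getattr(settings, setting_name), value)` so a regression that silently drops the value is caught too.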