Hello community, here is the log from the commit of package python-django for openSUSE:Factory checked in at 2012-06-26 17:22:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-django (Old) and /work/SRC/openSUSE:Factory/.python-django.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-django", Maintainer is "r...@suse.com" Changes: --------
--- /work/SRC/openSUSE:Factory/python-django/python-django.changes 2012-03-27 08:57:38.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python-django.new/python-django.changes 2012-06-26 17:22:27.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Jun 19 11:27:33 UTC 2012 - sasc...@suse.de
+
+- Add patch to support CSRF_COOKIE_HTTPONLY config
+
+-------------------------------------------------------------------
New: ---- Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-django.spec ++++++
--- /var/tmp/diff_new_pack.ghdgTQ/_old 2012-06-26 17:22:28.000000000 +0200
+++ /var/tmp/diff_new_pack.ghdgTQ/_new 2012-06-26 17:22:28.000000000 +0200
@@ -27,6 +27,8 @@
 Source1: python-django-rpmlintrc
 # PATCH-FIX-UPSTREAM Django-1.2-completion-only-for-bash.patch
 Patch1: Django-1.2-completion-only-for-bash.patch
+# PATCH-FIX-UPSTREAM - see https://github.com/django/django/pull/150/files
+Patch2: Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch
 BuildRequires: python-devel
 Requires: python-xml
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -45,6 +47,7 @@
 %prep
 %setup -q -n Django-%{version}
 %patch1
+%patch2 -p1
 
 %build
 python setup.py build
++++++ Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch ++++++
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 4711baa..244d1f2 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -531,6 +531,7 @@ CSRF_COOKIE_NAME = 'csrftoken'
 CSRF_COOKIE_DOMAIN = None
 CSRF_COOKIE_PATH = '/'
 CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_HTTPONLY = False
 
 ############
 # MESSAGES #
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index fd8ff30..f977263 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -208,7 +208,8 @@ class CsrfViewMiddleware(object):
 max_age = 60 * 60 * 24 * 7 * 52,
 domain=settings.CSRF_COOKIE_DOMAIN,
 path=settings.CSRF_COOKIE_PATH,
- secure=settings.CSRF_COOKIE_SECURE
+ secure=settings.CSRF_COOKIE_SECURE,
+ httponly=settings.CSRF_COOKIE_HTTPONLY
 )
 # Content varies with the CSRF cookie, so set the Vary header.
 patch_vary_headers(response, ('Cookie',))
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 0ff9bd1..74584ad 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -482,6 +482,17 @@ Whether to use a secure cookie for the CSRF cookie. If this is set to
 ``True``, the cookie will be marked as "secure," which means browsers may
 ensure that the cookie is only sent under an HTTPS connection.
 
+CSRF_COOKIE_HTTPONLY
+------------------
+
+.. versionadded:: 1.5
+
+Default: ``False``
+
+Whether to use HttpOnly flag on the CSRF cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie.
+
 CSRF_FAILURE_VIEW
 -----------------
 
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index a1b76f6..56f5ddf 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -362,6 +362,19 @@ Whether to use a secure cookie for the CSRF cookie. If this is set to
 ``True``, the cookie will be marked as "secure," which means browsers may
 ensure that the cookie is only sent under an HTTPS connection.
 
+.. setting:: CSRF_COOKIE_HTTPONLY
+
+CSRF_COOKIE_HTTPONLY
+------------------
+
+.. versionadded:: 1.5
+
+Default: ``False``
+
+Whether to use HttpOnly flag on the CSRF cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie. See :setting:`SESSION_COOKIE_HTTPONLY`.
+
 .. setting:: CSRF_FAILURE_VIEW
 
 CSRF_FAILURE_VIEW
diff --git a/tests/regressiontests/csrf_tests/tests.py b/tests/regressiontests/csrf_tests/tests.py
index 2d9b4f7..093d127 100644
--- a/tests/regressiontests/csrf_tests/tests.py
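Review bot: The new `httponly=settings.CSRF_COOKIE_HTTPONLY` argument carries no comment warning that, once the setting is enabled, the usual AJAX pattern of reading the `csrftoken` cookie from JavaScript to fill the `X-CSRFToken` header stops working, and this set_cookie call is where the resulting 403s will be traced back to. I would add above it: `# HttpOnly hides the cookie from document.cookie; AJAX callers must then take the token from the rendered {% csrf_token %} field instead.` It is also worth stating that this is a modest hardening, since the same token is emitted into every form and remains readable from the DOM by injected script. The docs added alongside say JavaScript will not be able to access "the session cookie", which looks copied from SESSION_COOKIE_HTTPONLY and should read "the CSRF cookie". The `set_cookie(...)` call and the enclosing process_response begin before this hunk.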
+++ b/tests/regressiontests/csrf_tests/tests.py
@@ -100,7 +100,8 @@ class CsrfViewMiddlewareTest(TestCase):
 with self.settings(CSRF_COOKIE_NAME='myname',
 CSRF_COOKIE_DOMAIN='.example.com',
 CSRF_COOKIE_PATH='/test/',
- CSRF_COOKIE_SECURE=True):
+ CSRF_COOKIE_SECURE=True,
+ CSRF_COOKIE_HTTPONLY=True):
 # token_view calls get_token() indirectly
 CsrfViewMiddleware().process_view(req, token_view, (), {})
 resp = token_view(req)
@@ -109,6 +110,7 @@ class CsrfViewMiddlewareTest(TestCase):
 self.assertNotEqual(csrf_cookie, False)
 self.assertEqual(csrf_cookie['domain'], '.example.com')
 self.assertEqual(csrf_cookie['secure'], True)
+ self.assertEqual(csrf_cookie['httponly'], True)
 self.assertEqual(csrf_cookie['path'], '/test/')
 self.assertTrue('Cookie' in resp2.get('Vary',''))
 
-- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
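Review bot: The new assertion pins `csrf_cookie['httponly']` only for the case where CSRF_COOKIE_HTTPONLY=True, so a regression that hard-wires the flag on or ignores the setting would still pass; the default path is untested. The companion test that runs with default settings should check the flag stays off, e.g. `self.assertFalse(csrf_cookie['httponly'])` — assertFalse rather than a comparison with False, since an unset Morsel attribute is presumably an empty string rather than False; confirm against the cookie implementation in use. The `with self.settings(...)` block belongs to a test method whose `def` line is above this hunk.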