[Django] #28155: Security system checks do not ignore MIDDLEWARE_CLASSES when MIDDLEWARE is defined

7 views

Skip to first unread message

Django

unread,

Apr 29, 2017, 1:38:18 PM4/29/17

to django-...@googlegroups.com

#28155: Security system checks do not ignore MIDDLEWARE_CLASSES when MIDDLEWARE is
defined
------------------------------------------------+------------------------
Reporter: Pritam Baral | Owner: nobody
Type: Bug | Status: new
Component: Core (System checks) | Version: 1.11
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
------------------------------------------------+------------------------
`1_10.W001` says "Since you've set MIDDLEWARE, the value of
MIDDLEWARE_CLASSES is ignored"

But security system checks for session and csrf middleware check for
`MIDDLEWARE_CLASSES` first and only if that fails do they check for
`MIDDLEWARE`, contrary to what the compatibility system checks say.

The issue is compounded by the fact that `global_settings.py` defines
`MIDDLEWARE_CLASSES` to contain two middlewares (one of which is csrf). So
to disable csrf, one not only has to define `MIDDLEWARE` without including
the csrf middleware in it, one also has to override and set
`MIDDLEWARE_CLASSES = []`. At which point, the compatibility system check
`1_10.W001` fires up.

--
Ticket URL: <https://code.djangoproject.com/ticket/28155>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

unread,

Apr 29, 2017, 2:03:37 PM4/29/17

to django-...@googlegroups.com

#28155: Security system checks do not ignore MIDDLEWARE_CLASSES when MIDDLEWARE is
defined

--------------------------------------+------------------------------------

Reporter: Pritam Baral | Owner: nobody

Type: Bug | Status: closed
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0

--------------------------------------+------------------------------------
Changes (by Simon Charette):

* status: new => closed
* version: 1.11 => 1.10
* resolution: => wontfix
* stage: Unreviewed => Accepted

Comment:

Thank you for taking the time to report this issue but I'll mark this
ticket as ''wontfix'' for the following reasons.

The bug has been present since 1.10's introduction of
`settings.MIDDLEWARE` and at this point the 1.10 branch only receives
security fixes, 1.11 only fixes for major functionality bugs in new
features of the latest stable release and the master branch removed all
references to `settings.MIDDLEWARE_CLASSES`.

Since this bug can be easily worked around by silencing `1_10.W001` and
that disabling CSRF protection is uncommon and discouraged I don't think
it warrants a backport to 1.11.