plain 0.10.0__tar.gz → 0.12.0__tar.gz

{plain-0.10.0 → plain-0.12.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: plain
-Version: 0.10.0
+Version: 0.12.0
 Summary: A web framework for building products with Python.
 Author: Dave Gaeddert
 Author-email: dave.gaeddert@dropseed.dev

{plain-0.10.0 → plain-0.12.0}/plain/http/request.py

@@ -267,12 +267,12 @@ class HttpRequest:
 
     @property
     def scheme(self):
-        if settings.SECURE_PROXY_SSL_HEADER:
+        if settings.HTTPS_PROXY_HEADER:
             try:
-                header, secure_value = settings.SECURE_PROXY_SSL_HEADER
+                header, secure_value = settings.HTTPS_PROXY_HEADER
             except ValueError:
                 raise ImproperlyConfigured(
-                    "The SECURE_PROXY_SSL_HEADER setting must be a tuple containing "
+                    "The HTTPS_PROXY_HEADER setting must be a tuple containing "
                     "two values."
                 )
             header_value = self.META.get(header)

{plain-0.10.0 → plain-0.12.0}/plain/preflight/__init__.py

@@ -15,8 +15,7 @@ from .registry import register, run_checks
 
 # Import these to force registration of checks
 import plain.preflight.files  # NOQA isort:skip
-import plain.preflight.security.base  # NOQA isort:skip
-import plain.preflight.security.csrf  # NOQA isort:skip
+import plain.preflight.security  # NOQA isort:skip
 import plain.preflight.urls  # NOQA isort:skip
 
 

plain-0.10.0/plain/preflight/security/base.py → plain-0.12.0/plain/preflight/security.py

@@ -16,40 +16,6 @@ SECRET_KEY_WARNING_MSG = (
     f"vulnerable to attack."
 )
 
-# TODO
-W001 = Warning(
-    "You do not have 'plain.middleware.https.HttpsRedirectMiddleware' "
-    "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
-    "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
-    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and HTTPS_REDIRECT_ENABLED settings will "
-    "have no effect.",
-    id="security.W001",
-)
-
-W008 = Warning(
-    "Your HTTPS_REDIRECT_ENABLED setting is not set to True. "
-    "Unless your site should be available over both SSL and non-SSL "
-    "connections, you may want to either set this setting True "
-    "or configure a load balancer or reverse-proxy server "
-    "to redirect all connections to HTTPS.",
-    id="security.W008",
-)
-
-W009 = Warning(
-    SECRET_KEY_WARNING_MSG % "SECRET_KEY",
-    id="security.W009",
-)
-
-W018 = Warning(
-    "You should not have DEBUG set to True in deployment.",
-    id="security.W018",
-)
-
-W020 = Warning(
-    "ALLOWED_HOSTS must not be empty in deployment.",
-    id="security.W020",
-)
-
 W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")
 
 
@@ -69,7 +35,16 @@ def check_secret_key(package_configs, **kwargs):
         passed_check = False
     else:
         passed_check = _check_secret_key(secret_key)
-    return [] if passed_check else [W009]
+    return (
+        []
+        if passed_check
+        else [
+            Warning(
+                SECRET_KEY_WARNING_MSG % "SECRET_KEY",
+                id="security.W009",
+            )
+        ]
+    )
 
 
 @register(deploy=True)
@@ -91,9 +66,27 @@ def check_secret_key_fallbacks(package_configs, **kwargs):
 @register(deploy=True)
 def check_debug(package_configs, **kwargs):
     passed_check = not settings.DEBUG
-    return [] if passed_check else [W018]
+    return (
+        []
+        if passed_check
+        else [
+            Warning(
+                "You should not have DEBUG set to True in deployment.",
+                id="security.W018",
+            )
+        ]
+    )
 
 
 @register(deploy=True)
 def check_allowed_hosts(package_configs, **kwargs):
-    return [] if settings.ALLOWED_HOSTS else [W020]
+    return (
+        []
+        if settings.ALLOWED_HOSTS
+        else [
+            Warning(
+                "ALLOWED_HOSTS must not be empty in deployment.",
+                id="security.W020",
+            )
+        ]
+    )

{plain-0.10.0 → plain-0.12.0}/plain/runtime/global_settings.py

@@ -50,6 +50,20 @@ HTTPS_REDIRECT_ENABLED = True
 HTTPS_REDIRECT_EXEMPT = []
 HTTPS_REDIRECT_HOST = None
 
+# If your Plain app is behind a proxy that sets a header to specify secure
+# connections, AND that proxy ensures that user-submitted headers with the
+# same name are ignored (so that people can't spoof it), set this value to
+# a tuple of (header_name, header_value). For any requests that come in with
+# that header/value, request.is_https() will return True.
+# WARNING! Only set this if you fully understand what you're doing. Otherwise,
+# you may be opening yourself up to a security risk.
+HTTPS_PROXY_HEADER = None
+
+# Whether to use the X-Forwarded-Host and X-Forwarded-Port headers
+# when determining the host and port for the request.
+USE_X_FORWARDED_HOST = False
+USE_X_FORWARDED_PORT = False
+
 # A secret key for this particular Plain installation. Used in secret-key
 # hashing algorithms. Set this in your settings, or Plain will complain
 # loudly.
@@ -88,21 +102,9 @@ DATA_UPLOAD_MAX_NUMBER_FILES = 100
 # (i.e. "/tmp" on *nix systems).
 FILE_UPLOAD_TEMP_DIR = None
 
-USE_X_FORWARDED_HOST = False
-USE_X_FORWARDED_PORT = False
-
 # User-defined overrides for error views by status code
 HTTP_ERROR_VIEWS: dict[int] = {}
 
-# If your Plain app is behind a proxy that sets a header to specify secure
-# connections, AND that proxy ensures that user-submitted headers with the
-# same name are ignored (so that people can't spoof it), set this value to
-# a tuple of (header_name, header_value). For any requests that come in with
-# that header/value, request.is_https() will return True.
-# WARNING! Only set this if you fully understand what you're doing. Otherwise,
-# you may be opening yourself up to a security risk.
-SECURE_PROXY_SSL_HEADER = None
-
 ##############
 # MIDDLEWARE #
 ##############

{plain-0.10.0 → plain-0.12.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "plain"
-version = "0.10.0"
+version = "0.12.0"
 description = "A web framework for building products with Python."
 authors = ["Dave Gaeddert <dave.gaeddert@dropseed.dev>"]
 readme = "README.md"

plain-0.10.0/plain/preflight/security/csrf.py

@@ -1,36 +0,0 @@
-from plain.runtime import settings
-
-from .. import Warning, register
-
-W003 = Warning(
-    "You don't appear to be using Plain's built-in "
-    "cross-site request forgery protection via the middleware "
-    "('plain.csrf.middleware.CsrfViewMiddleware' is not in your "
-    "MIDDLEWARE). Enabling the middleware is the safest approach "
-    "to ensure you don't leave any holes.",
-    id="security.W003",
-)
-
-W016 = Warning(
-    "You have 'plain.csrf.middleware.CsrfViewMiddleware' in your "
-    "MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. "
-    "Using a secure-only CSRF cookie makes it more difficult for network "
-    "traffic sniffers to steal the CSRF token.",
-    id="security.W016",
-)
-
-
-def _csrf_middleware():
-    return "plain.csrf.middleware.CsrfViewMiddleware" in settings.MIDDLEWARE
-
-
-@register(deploy=True)
-def check_csrf_middleware(package_configs, **kwargs):
-    passed_check = _csrf_middleware()
-    return [] if passed_check else [W003]
-
-
-@register(deploy=True)
-def check_csrf_cookie_secure(package_configs, **kwargs):
-    passed_check = not _csrf_middleware() or settings.CSRF_COOKIE_SECURE is True
-    return [] if passed_check else [W016]