diff options
| author | Honza Král <honza.kral@gmail.com> | 2009-10-12 10:16:17 +0000 |
|---|---|---|
| committer | Honza Král <honza.kral@gmail.com> | 2009-10-12 10:16:17 +0000 |
| commit | dfe495fbe8e360ee3b3cd8b29e55ee19d86fc9d2 (patch) | |
| tree | 16bccad252c6fd2b00e734f275594ae159596e70 /tests/regressiontests/forms/fields.py | |
| parent | 83a3588ff712d5fe44e9692f5cb6a1d020f3ab2f (diff) | |
[soc2009/model-validation] Merged to trunk at r11603
SECURITY ALERT: Corrected regular expressions for URL and email fields.
git-svn-id: http://code.djangoproject.com/svn/django/branches/soc2009/model-validation@11617 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests/regressiontests/forms/fields.py')
| -rw-r--r-- | tests/regressiontests/forms/fields.py | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/regressiontests/forms/fields.py b/tests/regressiontests/forms/fields.py index 2efe72d02c..b02b4612a2 100644 --- a/tests/regressiontests/forms/fields.py +++ b/tests/regressiontests/forms/fields.py @@ -381,6 +381,17 @@ class TestFields(TestCase): self.assertEqual(u'example@valid-----hyphens.com', f.clean('example@valid-----hyphens.com')) self.assertEqual(u'example@valid-with-hyphens.com', f.clean('example@valid-with-hyphens.com')) + def test_email_regexp_for_performance(self): + f = EmailField() + # Check for runaway regex security problem. This will take for-freeking-ever + # if the security fix isn't in place. + self.assertRaisesErrorWithMessage( + ValidationError, + "[u'Enter a valid e-mail address.']", + f.clean, + 'viewx3dtextx26qx3d@yahoo.comx26latlngx3d15854521645943074058' + ) + def test_emailfield_33(self): f = EmailField(required=False) self.assertEqual(u'', f.clean('')) @@ -431,6 +442,7 @@ class TestFields(TestCase): self.assertRaisesErrorWithMessage(ValidationError, "[u'This field is required.']", f.clean, None) self.assertEqual(u'http://localhost/', f.clean('http://localhost')) self.assertEqual(u'http://example.com/', f.clean('http://example.com')) + self.assertEqual(u'http://example.com./', f.clean('http://example.com.')) self.assertEqual(u'http://www.example.com/', f.clean('http://www.example.com')) self.assertEqual(u'http://www.example.com:8000/test', f.clean('http://www.example.com:8000/test')) self.assertEqual(u'http://valid-with-hyphens.com/', f.clean('valid-with-hyphens.com')) @@ -441,6 +453,8 @@ class TestFields(TestCase): self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'http://') self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'http://example') self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'http://example.') + self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'com.') + self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, '.') self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'http://.com') self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'http://invalid-.com') self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'http://-invalid.com') @@ -448,6 +462,15 @@ class TestFields(TestCase): self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'http://inv-.-alid.com') self.assertEqual(u'http://valid-----hyphens.com/', f.clean('http://valid-----hyphens.com')) + def test_url_regexp_for_performance(self): + f = URLField() + # hangs "forever" if catastrophic backtracking in ticket:#11198 not fixed + self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'http://%s' % ("X"*200,)) + + # a second test, to make sure the problem is really addressed, even on + # domains that don't fail the domain label length check in the regex + self.assertRaisesErrorWithMessage(ValidationError, "[u'Enter a valid URL.']", f.clean, 'http://%s' % ("X"*60,)) + def test_urlfield_38(self): f = URLField(required=False) self.assertEqual(u'', f.clean('')) |
