summaryrefslogtreecommitdiff
path: root/tests/utils_tests
diff options
context:
space:
mode:
authorErik Romijn <eromijn@solidlinks.nl>2014-05-12 09:38:05 -0400
committerFlorian Apolloner <florian@apolloner.eu>2014-05-14 10:15:06 +0200
commit601107524523bca02376a0ddc1a06c6fdb8f22f3 (patch)
tree5b184e0c335e36e6ac937a3914e9aa30aa3a8075 /tests/utils_tests
parent1abcf3a808b35abae5d425ed4d44cb6e886dc769 (diff)
[1.6.x] Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'tests/utils_tests')
-rw-r--r--tests/utils_tests/test_http.py29
1 files changed, 29 insertions, 0 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index 3da279d4a2..83dcd7c66a 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -91,6 +91,35 @@ class TestUtilsHttp(unittest.TestCase):
self.assertEqual(http.int_to_base36(n), b36)
self.assertEqual(http.base36_to_int(b36), n)
+ def test_is_safe_url(self):
+ for bad_url in ('http://example.com',
+ 'http:///example.com',
+ 'https://example.com',
+ 'ftp://exampel.com',
+ r'\\example.com',
+ r'\\\example.com',
+ r'/\\/example.com',
+ r'\\\example.com',
+ r'\\example.com',
+ r'\\//example.com',
+ r'/\/example.com',
+ r'\/example.com',
+ r'/\example.com',
+ 'http:///example.com',
+ 'http:/\//example.com',
+ 'http:\/example.com',
+ 'http:/\example.com',
+ 'javascript:alert("XSS")'):
+ self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
+ for good_url in ('/view/?param=http://example.com',
+ '/view/?param=https://example.com',
+ '/view?param=ftp://exampel.com',
+ 'view/?param=//example.com',
+ 'https://testserver/',
+ 'HTTPS://testserver/',
+ '//testserver/',
+ '/url%20with%20spaces/'):
+ self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
class ETagProcessingTests(unittest.TestCase):
def testParsing(self):