diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2011-03-15 20:37:09 +0000 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2011-03-15 20:37:09 +0000 |
| commit | 243d0bec1954ad7fab44625f1440a8ce580df26c (patch) | |
| tree | c469d617bbbe96d9c23a4f892143256298db97db /tests | |
| parent | ad4118be443266685cfc7ab2d59794e0692bc944 (diff) | |
Fixed #15617 - CSRF referer checking too strict
Thanks to adam for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/regressiontests/csrf_tests/tests.py | 13 | ||||
| -rw-r--r-- | tests/regressiontests/utils/http.py | 23 | ||||
| -rw-r--r-- | tests/regressiontests/utils/tests.py | 1 |
3 files changed, 37 insertions, 0 deletions
diff --git a/tests/regressiontests/csrf_tests/tests.py b/tests/regressiontests/csrf_tests/tests.py index 396f98f419..d75adc917b 100644 --- a/tests/regressiontests/csrf_tests/tests.py +++ b/tests/regressiontests/csrf_tests/tests.py @@ -382,3 +382,16 @@ class CsrfMiddlewareTest(TestCase): req.META['HTTP_REFERER'] = 'https://www.example.com/somepage' req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) self.assertEqual(None, req2) + + def test_https_good_referer_2(self): + """ + Test that a POST HTTPS request with a good referer is accepted + where the referer contains no trailing slash + """ + # See ticket #15617 + req = self._get_POST_request_with_token() + req._is_secure = True + req.META['HTTP_HOST'] = 'www.example.com' + req.META['HTTP_REFERER'] = 'https://www.example.com' + req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {}) + self.assertEqual(None, req2) diff --git a/tests/regressiontests/utils/http.py b/tests/regressiontests/utils/http.py new file mode 100644 index 0000000000..83a4a7f54d --- /dev/null +++ b/tests/regressiontests/utils/http.py @@ -0,0 +1,23 @@ +from django.utils import http +from django.utils import unittest + +class TestUtilsHttp(unittest.TestCase): + + def test_same_origin_true(self): + # Identical + self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com/')) + # One with trailing slash - see #15617 + self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com/')) + self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com')) + # With port + self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/')) + + def test_same_origin_false(self): + # Different scheme + self.assertFalse(http.same_origin('http://foo.com', 'https://foo.com')) + # Different host + self.assertFalse(http.same_origin('http://foo.com', 'http://goo.com')) + # Different host again + self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com')) + # Different port + self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001')) diff --git a/tests/regressiontests/utils/tests.py b/tests/regressiontests/utils/tests.py index 6d3bbfa86c..5c4c0602e8 100644 --- a/tests/regressiontests/utils/tests.py +++ b/tests/regressiontests/utils/tests.py @@ -7,6 +7,7 @@ from feedgenerator import * from module_loading import * from termcolors import * from html import * +from http import * from checksums import * from text import * from simplelazyobject import * |
