diff options
| author | Erik Romijn <eromijn@solidlinks.nl> | 2014-05-12 07:38:39 -0400 |
|---|---|---|
| committer | Florian Apolloner <florian@apolloner.eu> | 2014-05-14 10:19:48 +0200 |
| commit | 255449c1ee61c14778658caae8c430fa4d76afd6 (patch) | |
| tree | 9c1a2b5deccc1af3961c77ecf27f41ffeb494c33 /tests | |
| parent | 3800f63721f6fc1c940abfb10fe21257dcf13521 (diff) | |
Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/utils_tests/test_http.py | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index edd0fde44f..eec439a11c 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -89,6 +89,36 @@ class TestUtilsHttp(unittest.TestCase): self.assertEqual(http.int_to_base36(n), b36) self.assertEqual(http.base36_to_int(b36), n) + def test_is_safe_url(self): + for bad_url in ('http://example.com', + 'http:///example.com', + 'https://example.com', + 'ftp://exampel.com', + r'\\example.com', + r'\\\example.com', + r'/\\/example.com', + r'\\\example.com', + r'\\example.com', + r'\\//example.com', + r'/\/example.com', + r'\/example.com', + r'/\example.com', + 'http:///example.com', + 'http:/\//example.com', + 'http:\/example.com', + 'http:/\example.com', + 'javascript:alert("XSS")'): + self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) + for good_url in ('/view/?param=http://example.com', + '/view/?param=https://example.com', + '/view?param=ftp://exampel.com', + 'view/?param=//example.com', + 'https://testserver/', + 'HTTPS://testserver/', + '//testserver/', + '/url%20with%20spaces/'): + self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) + class ETagProcessingTests(unittest.TestCase): def testParsing(self): |
