diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 22:01:50 +0200 |
|---|---|---|
| committer | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 22:01:50 +0200 |
| commit | 4129201c3e0fa057c198bdefcb34686a23b4a93c (patch) | |
| tree | 58560ce54b9a1019a5ca67667bb1e87e051fc161 /tests | |
| parent | b1d463468694f2e91fde67221b7996e9c52a9720 (diff) | |
Fixed a security issue in http redirects. Disclosure and new release forthcoming.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/regressiontests/httpwrappers/tests.py | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/tests/regressiontests/httpwrappers/tests.py b/tests/regressiontests/httpwrappers/tests.py index 9b599db6d0..0f61c2d840 100644 --- a/tests/regressiontests/httpwrappers/tests.py +++ b/tests/regressiontests/httpwrappers/tests.py @@ -4,8 +4,11 @@ from __future__ import unicode_literals import copy import pickle -from django.http import (QueryDict, HttpResponse, SimpleCookie, BadHeaderError, - parse_cookie) +from django.core.exceptions import SuspiciousOperation +from django.http import (QueryDict, HttpResponse, HttpResponseRedirect, + HttpResponsePermanentRedirect, + SimpleCookie, BadHeaderError, + parse_cookie) from django.utils import unittest @@ -309,6 +312,18 @@ class HttpResponseTests(unittest.TestCase): r = HttpResponse(['abc']) self.assertRaises(Exception, r.write, 'def') + def test_unsafe_redirect(self): + bad_urls = [ + 'data:text/html,<script>window.alert("xss")</script>', + 'mailto:test@example.com', + 'file:///etc/passwd', + ] + for url in bad_urls: + self.assertRaises(SuspiciousOperation, + HttpResponseRedirect, url) + self.assertRaises(SuspiciousOperation, + HttpResponsePermanentRedirect, url) + class CookieTests(unittest.TestCase): def test_encode(self): |
