summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2012-07-30 22:01:50 +0200
committerFlorian Apolloner <florian@apolloner.eu>2012-07-30 22:01:50 +0200
commit4129201c3e0fa057c198bdefcb34686a23b4a93c (patch)
tree58560ce54b9a1019a5ca67667bb1e87e051fc161 /tests
parentb1d463468694f2e91fde67221b7996e9c52a9720 (diff)
Fixed a security issue in http redirects. Disclosure and new release forthcoming.
Diffstat (limited to 'tests')
-rw-r--r--tests/regressiontests/httpwrappers/tests.py19
1 files changed, 17 insertions, 2 deletions
diff --git a/tests/regressiontests/httpwrappers/tests.py b/tests/regressiontests/httpwrappers/tests.py
index 9b599db6d0..0f61c2d840 100644
--- a/tests/regressiontests/httpwrappers/tests.py
+++ b/tests/regressiontests/httpwrappers/tests.py
@@ -4,8 +4,11 @@ from __future__ import unicode_literals
import copy
import pickle
-from django.http import (QueryDict, HttpResponse, SimpleCookie, BadHeaderError,
- parse_cookie)
+from django.core.exceptions import SuspiciousOperation
+from django.http import (QueryDict, HttpResponse, HttpResponseRedirect,
+ HttpResponsePermanentRedirect,
+ SimpleCookie, BadHeaderError,
+ parse_cookie)
from django.utils import unittest
@@ -309,6 +312,18 @@ class HttpResponseTests(unittest.TestCase):
r = HttpResponse(['abc'])
self.assertRaises(Exception, r.write, 'def')
+ def test_unsafe_redirect(self):
+ bad_urls = [
+ 'data:text/html,<script>window.alert("xss")</script>',
+ 'mailto:test@example.com',
+ 'file:///etc/passwd',
+ ]
+ for url in bad_urls:
+ self.assertRaises(SuspiciousOperation,
+ HttpResponseRedirect, url)
+ self.assertRaises(SuspiciousOperation,
+ HttpResponsePermanentRedirect, url)
+
class CookieTests(unittest.TestCase):
def test_encode(self):