diff options
| author | Tim Graham <timograham@gmail.com> | 2016-10-17 12:14:49 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-11-01 09:30:57 -0400 |
| commit | 7fe2d8d940fdddd1a02c4754008a27060c4a03e9 (patch) | |
| tree | a688aff3e3a2f9f53729b60aa40098c4b9981e9f /tests | |
| parent | da7910d4834726eca596af0a830762fa5fb2dfd9 (diff) | |
Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/csrf_tests/tests.py | 2 | ||||
| -rw-r--r-- | tests/requests/tests.py | 29 |
2 files changed, 16 insertions, 15 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py index deac4539fe..6debb386be 100644 --- a/tests/csrf_tests/tests.py +++ b/tests/csrf_tests/tests.py @@ -386,7 +386,7 @@ class CsrfViewMiddlewareTest(SimpleTestCase): self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH) self._check_token_present(resp, csrf_id=csrf_cookie.value) - @override_settings(DEBUG=True) + @override_settings(DEBUG=True, ALLOWED_HOSTS=['www.example.com']) def test_https_bad_referer(self): """ Test that a POST HTTPS request with a bad referer is rejected diff --git a/tests/requests/tests.py b/tests/requests/tests.py index 12f6341777..2581eada0b 100644 --- a/tests/requests/tests.py +++ b/tests/requests/tests.py @@ -779,21 +779,22 @@ class HostValidationTests(SimpleTestCase): self.assertEqual(request.get_port(), '8080') @override_settings(DEBUG=True, ALLOWED_HOSTS=[]) - def test_host_validation_disabled_in_debug_mode(self): - """If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass.""" - request = HttpRequest() - request.META = { - 'HTTP_HOST': 'example.com', - } - self.assertEqual(request.get_host(), 'example.com') + def test_host_validation_in_debug_mode(self): + """ + If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are + allowed. + """ + valid_hosts = ['localhost', '127.0.0.1', '[::1]'] + for host in valid_hosts: + request = HttpRequest() + request.META = {'HTTP_HOST': host} + self.assertEqual(request.get_host(), host) - # Invalid hostnames would normally raise a SuspiciousOperation, - # but we have DEBUG=True, so this check is disabled. - request = HttpRequest() - request.META = { - 'HTTP_HOST': "invalid_hostname.com", - } - self.assertEqual(request.get_host(), "invalid_hostname.com") + # Other hostnames raise a SuspiciousOperation. + with self.assertRaises(SuspiciousOperation): + request = HttpRequest() + request.META = {'HTTP_HOST': 'example.com'} + request.get_host() @override_settings(ALLOWED_HOSTS=[]) def test_get_host_suggestion_of_allowed_host(self): |
