summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-05-12 09:46:40 -0400
committerTim Graham <timograham@gmail.com>2014-05-12 09:46:40 -0400
commit7feb54bbae3f637ab3c4dd4831d4385964f574df (patch)
tree7d487cd00012b445029aa3e3737d8aa1effa31ce /tests
parent28e23306aa53bbbb8fb87db85f99d970b051026c (diff)
[1.4.x] Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'tests')
-rw-r--r--tests/regressiontests/utils/http.py30
1 files changed, 30 insertions, 0 deletions
diff --git a/tests/regressiontests/utils/http.py b/tests/regressiontests/utils/http.py
index 9e05a94118..802b3fa88d 100644
--- a/tests/regressiontests/utils/http.py
+++ b/tests/regressiontests/utils/http.py
@@ -78,3 +78,33 @@ class TestUtilsHttp(unittest.TestCase):
for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]:
self.assertEqual(http.int_to_base36(n), b36)
self.assertEqual(http.base36_to_int(b36), n)
+
+ def test_is_safe_url(self):
+ for bad_url in ('http://example.com',
+ 'http:///example.com',
+ 'https://example.com',
+ 'ftp://exampel.com',
+ r'\\example.com',
+ r'\\\example.com',
+ r'/\\/example.com',
+ r'\\\example.com',
+ r'\\example.com',
+ r'\\//example.com',
+ r'/\/example.com',
+ r'\/example.com',
+ r'/\example.com',
+ 'http:///example.com',
+ 'http:/\//example.com',
+ 'http:\/example.com',
+ 'http:/\example.com',
+ 'javascript:alert("XSS")'):
+ self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
+ for good_url in ('/view/?param=http://example.com',
+ '/view/?param=https://example.com',
+ '/view?param=ftp://exampel.com',
+ 'view/?param=//example.com',
+ 'https://testserver/',
+ 'HTTPS://testserver/',
+ '//testserver/',
+ '/url%20with%20spaces/'):
+ self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)