diff options
| author | John-Mark Bell <jmb@pexip.com> | 2016-03-07 12:06:46 +0000 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-03-07 13:22:11 -0500 |
| commit | 809eb5ddeeca388b2a1d339f7d5ee1f29119ecea (patch) | |
| tree | 772adf7d61f75f9c03c06392ed6d199f019f203a /tests | |
| parent | 4702c1ac98b284cacffcf5fbb0db9b85f0c2f8ba (diff) | |
[1.9.x] Fixed #26325 -- Made MultiPartParser ignore filenames that normalize to an empty string.
Backport of 4b129ac81f4fa38004950d0b307f81d1e9b44af8 from master
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/file_uploads/tests.py | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py index ccecfce5c1..09c2c41c88 100644 --- a/tests/file_uploads/tests.py +++ b/tests/file_uploads/tests.py @@ -179,6 +179,41 @@ class FileUploadTests(TestCase): response = self.client.request(**r) self.assertEqual(response.status_code, 200) + def test_blank_filenames(self): + """ + Receiving file upload when filename is blank (before and after + sanitization) should be okay. + """ + # The second value is normalized to an empty name by + # MultiPartParser.IE_sanitize() + filenames = ['', 'C:\\Windows\\'] + + payload = client.FakePayload() + for i, name in enumerate(filenames): + payload.write('\r\n'.join([ + '--' + client.BOUNDARY, + 'Content-Disposition: form-data; name="file%s"; filename="%s"' % (i, name), + 'Content-Type: application/octet-stream', + '', + 'You got pwnd.\r\n' + ])) + payload.write('\r\n--' + client.BOUNDARY + '--\r\n') + + r = { + 'CONTENT_LENGTH': len(payload), + 'CONTENT_TYPE': client.MULTIPART_CONTENT, + 'PATH_INFO': '/echo/', + 'REQUEST_METHOD': 'POST', + 'wsgi.input': payload, + } + response = self.client.request(**r) + self.assertEqual(response.status_code, 200) + + # Empty filenames should be ignored + received = json.loads(response.content.decode('utf-8')) + for i, name in enumerate(filenames): + self.assertIsNone(received.get('file%s' % i)) + def test_dangerous_file_names(self): """Uploaded file names should be sanitized before ever reaching the view.""" # This test simulates possible directory traversal attacks by a |
