summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorCarl Meyer <carl@oddbird.net>2013-02-11 21:54:53 -0700
committerCarl Meyer <carl@oddbird.net>2013-02-19 11:23:30 -0700
commitc6d69c12ea7ee9ad35abc7dbf95e00d624d0df5d (patch)
treecdf16eb8f2b43d84be76ef61a2a5c890aa9bfc38 /tests
parentd51fb74360b94f2a856573174f8aae3cd905dd35 (diff)
Restrict the XML deserializer to prevent network and entity-expansion DoS attacks.
This is a security fix. Disclosure and advisory coming shortly.
Diffstat (limited to 'tests')
-rw-r--r--tests/regressiontests/serializers_regress/tests.py15
1 files changed, 15 insertions, 0 deletions
diff --git a/tests/regressiontests/serializers_regress/tests.py b/tests/regressiontests/serializers_regress/tests.py
index 67aec08af2..e586d76e7f 100644
--- a/tests/regressiontests/serializers_regress/tests.py
+++ b/tests/regressiontests/serializers_regress/tests.py
@@ -10,6 +10,7 @@ from __future__ import absolute_import, unicode_literals
import datetime
import decimal
+from django.core.serializers.xml_serializer import DTDForbidden
try:
import yaml
@@ -514,3 +515,17 @@ for format in serializers.get_serializer_formats():
if format != 'python':
setattr(SerializerTests, 'test_' + format + '_serializer_stream', curry(streamTest, format))
+
+class XmlDeserializerSecurityTests(TestCase):
+
+ def test_no_dtd(self):
+ """
+ The XML deserializer shouldn't allow a DTD.
+
+ This is the most straightforward way to prevent all entity definitions
+ and avoid both external entities and entity-expansion attacks.
+
+ """
+ xml = '<?xml version="1.0" standalone="no"?><!DOCTYPE example SYSTEM "http://example.com/example.dtd">'
+ with self.assertRaises(DTDForbidden):
+ next(serializers.deserialize('xml', xml))