diff options
| author | Carl Meyer <carl@oddbird.net> | 2013-02-11 21:54:53 -0700 |
|---|---|---|
| committer | Carl Meyer <carl@oddbird.net> | 2013-02-19 11:23:30 -0700 |
| commit | c6d69c12ea7ee9ad35abc7dbf95e00d624d0df5d (patch) | |
| tree | cdf16eb8f2b43d84be76ef61a2a5c890aa9bfc38 /tests | |
| parent | d51fb74360b94f2a856573174f8aae3cd905dd35 (diff) | |
Restrict the XML deserializer to prevent network and entity-expansion DoS attacks.
This is a security fix. Disclosure and advisory coming shortly.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/regressiontests/serializers_regress/tests.py | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/tests/regressiontests/serializers_regress/tests.py b/tests/regressiontests/serializers_regress/tests.py index 67aec08af2..e586d76e7f 100644 --- a/tests/regressiontests/serializers_regress/tests.py +++ b/tests/regressiontests/serializers_regress/tests.py @@ -10,6 +10,7 @@ from __future__ import absolute_import, unicode_literals import datetime import decimal +from django.core.serializers.xml_serializer import DTDForbidden try: import yaml @@ -514,3 +515,17 @@ for format in serializers.get_serializer_formats(): if format != 'python': setattr(SerializerTests, 'test_' + format + '_serializer_stream', curry(streamTest, format)) + +class XmlDeserializerSecurityTests(TestCase): + + def test_no_dtd(self): + """ + The XML deserializer shouldn't allow a DTD. + + This is the most straightforward way to prevent all entity definitions + and avoid both external entities and entity-expansion attacks. + + """ + xml = '<?xml version="1.0" standalone="no"?><!DOCTYPE example SYSTEM "http://example.com/example.dtd">' + with self.assertRaises(DTDForbidden): + next(serializers.deserialize('xml', xml)) |
