summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorAndreas Hug <andreas.hug@moccu.com>2018-07-24 16:18:17 -0400
committerTim Graham <timograham@gmail.com>2018-07-25 12:13:03 -0400
commitd6eaee092709aad477a9894598496c6deec532ff (patch)
tree1b0a5d386ed8b6915cd3507bc2665ded4f3beb3d /tests
parent4fd1f6702aaa9ca9b9918dbdb79546557a00d331 (diff)
[1.11.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
Diffstat (limited to 'tests')
-rw-r--r--tests/middleware/tests.py19
-rw-r--r--tests/middleware/urls.py2
-rw-r--r--tests/utils_tests/test_http.py10
3 files changed, 31 insertions, 0 deletions
diff --git a/tests/middleware/tests.py b/tests/middleware/tests.py
index 1d473ef558..d9d701f22a 100644
--- a/tests/middleware/tests.py
+++ b/tests/middleware/tests.py
@@ -137,6 +137,25 @@ class CommonMiddlewareTest(SimpleTestCase):
self.assertEqual(r.status_code, 301)
self.assertEqual(r.url, '/needsquoting%23/')
+ @override_settings(APPEND_SLASH=True)
+ def test_append_slash_leading_slashes(self):
+ """
+ Paths starting with two slashes are escaped to prevent open redirects.
+ If there's a URL pattern that allows paths to start with two slashes, a
+ request with path //evil.com must not redirect to //evil.com/ (appended
+ slash) which is a schemaless absolute URL. The browser would navigate
+ to evil.com/.
+ """
+ # Use 4 slashes because of RequestFactory behavior.
+ request = self.rf.get('////evil.com/security')
+ response = HttpResponseNotFound()
+ r = CommonMiddleware().process_request(request)
+ self.assertEqual(r.status_code, 301)
+ self.assertEqual(r.url, '/%2Fevil.com/security/')
+ r = CommonMiddleware().process_response(request, response)
+ self.assertEqual(r.status_code, 301)
+ self.assertEqual(r.url, '/%2Fevil.com/security/')
+
@override_settings(APPEND_SLASH=False, PREPEND_WWW=True)
def test_prepend_www(self):
request = self.rf.get('/path/')
diff --git a/tests/middleware/urls.py b/tests/middleware/urls.py
index 8c6621d059..d623e7d6af 100644
--- a/tests/middleware/urls.py
+++ b/tests/middleware/urls.py
@@ -6,4 +6,6 @@ urlpatterns = [
url(r'^noslash$', views.empty_view),
url(r'^slash/$', views.empty_view),
url(r'^needsquoting#/$', views.empty_view),
+ # Accepts paths with two leading slashes.
+ url(r'^(.+)/security/$', views.empty_view),
]
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index b435e33e44..d339e8a79c 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -248,3 +248,13 @@ class HttpDateProcessingTests(unittest.TestCase):
def test_parsing_asctime(self):
parsed = http.parse_http_date('Sun Nov 6 08:49:37 1994')
self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(1994, 11, 6, 8, 49, 37))
+
+
+class EscapeLeadingSlashesTests(unittest.TestCase):
+ def test(self):
+ tests = (
+ ('//example.com', '/%2Fexample.com'),
+ ('//', '/%2F'),
+ )
+ for url, expected in tests:
+ self.assertEqual(http.escape_leading_slashes(url), expected)