diff options
| author | Mark Striemer <mstriemer@mozilla.com> | 2016-02-22 16:50:23 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-03-01 11:38:49 -0500 |
| commit | fc6d147a63f89795dbcdecb0559256470fff4380 (patch) | |
| tree | fa046fd6a8b3d199c5e27696c5cc0631043033f4 /tests | |
| parent | 7e799217c5cf1ba365af41c801d5cfbadea18fa9 (diff) | |
[1.9.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/utils_tests/test_http.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index 6051818958..ad9a1666c3 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -92,6 +92,11 @@ class TestUtilsHttp(unittest.TestCase): 'javascript:alert("XSS")', '\njavascript:alert(x)', '\x08//example.com', + r'http://otherserver\@example.com', + r'http:\\testserver\@example.com', + r'http://testserver\me:pass@example.com', + r'http://testserver\@example.com', + r'http:\\testserver\confirm\me@example.com', '\n'): self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) for good_url in ('/view/?param=http://example.com', @@ -101,8 +106,15 @@ class TestUtilsHttp(unittest.TestCase): 'https://testserver/', 'HTTPS://testserver/', '//testserver/', + 'http://testserver/confirm?email=me@example.com', '/url%20with%20spaces/'): self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) + # Valid basic auth credentials are allowed. + self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) + # A path without host is allowed. + self.assertTrue(http.is_safe_url('/confirm/me@example.com')) + # Basic auth without host is not allowed. + self.assertFalse(http.is_safe_url(r'http://testserver\@example.com')) def test_urlsafe_base64_roundtrip(self): bytestring = b'foo' |
