summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorMark Striemer <mstriemer@mozilla.com>2016-02-22 16:50:23 -0500
committerTim Graham <timograham@gmail.com>2016-03-01 11:38:49 -0500
commitfc6d147a63f89795dbcdecb0559256470fff4380 (patch)
treefa046fd6a8b3d199c5e27696c5cc0631043033f4 /tests
parent7e799217c5cf1ba365af41c801d5cfbadea18fa9 (diff)
[1.9.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
Diffstat (limited to 'tests')
-rw-r--r--tests/utils_tests/test_http.py12
1 files changed, 12 insertions, 0 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index 6051818958..ad9a1666c3 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -92,6 +92,11 @@ class TestUtilsHttp(unittest.TestCase):
'javascript:alert("XSS")',
'\njavascript:alert(x)',
'\x08//example.com',
+ r'http://otherserver\@example.com',
+ r'http:\\testserver\@example.com',
+ r'http://testserver\me:pass@example.com',
+ r'http://testserver\@example.com',
+ r'http:\\testserver\confirm\me@example.com',
'\n'):
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
for good_url in ('/view/?param=http://example.com',
@@ -101,8 +106,15 @@ class TestUtilsHttp(unittest.TestCase):
'https://testserver/',
'HTTPS://testserver/',
'//testserver/',
+ 'http://testserver/confirm?email=me@example.com',
'/url%20with%20spaces/'):
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
+ # Valid basic auth credentials are allowed.
+ self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
+ # A path without host is allowed.
+ self.assertTrue(http.is_safe_url('/confirm/me@example.com'))
+ # Basic auth without host is not allowed.
+ self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))
def test_urlsafe_base64_roundtrip(self):
bytestring = b'foo'