diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/admin_scripts/tests.py | 15 | ||||
| -rw-r--r-- | tests/admin_scripts/urls.py | 6 | ||||
| -rw-r--r-- | tests/admin_scripts/views.py | 17 |
3 files changed, 38 insertions, 0 deletions
diff --git a/tests/admin_scripts/tests.py b/tests/admin_scripts/tests.py index 819ba931d6..3eb7b97c99 100644 --- a/tests/admin_scripts/tests.py +++ b/tests/admin_scripts/tests.py @@ -2778,6 +2778,21 @@ class StartProject(LiveServerTestCase, AdminScriptTestCase): self.assertTrue(os.path.isdir(testproject_dir)) self.assertTrue(os.path.exists(os.path.join(testproject_dir, "run.py"))) + def test_custom_project_template_from_tarball_by_url_bad_filename(self): + """ + The startproject management command will raise SuspiciousFileOperation + on an ill-formed remote template archive filename. + """ + template_url = "%s/bad_template_filename.tgz" % self.live_server_url + + args = ["startproject", "--template", template_url, "urltestproject"] + + out, err = self.run_django_admin(args) + self.assertOutput( + err, + "is located outside of the base path component", + ) + def test_custom_project_template_from_tarball_by_url_django_user_agent(self): user_agent = None diff --git a/tests/admin_scripts/urls.py b/tests/admin_scripts/urls.py index a6cc7fe1b5..3e7aa063d3 100644 --- a/tests/admin_scripts/urls.py +++ b/tests/admin_scripts/urls.py @@ -3,6 +3,8 @@ import os from django.urls import path from django.views.static import serve +from . import views + here = os.path.dirname(__file__) urlpatterns = [ @@ -11,4 +13,8 @@ urlpatterns = [ serve, {"document_root": os.path.join(here, "custom_templates")}, ), + path( + "bad_template_filename.tgz", + views.template_bad_filename, + ), ] diff --git a/tests/admin_scripts/views.py b/tests/admin_scripts/views.py new file mode 100644 index 0000000000..d57803659d --- /dev/null +++ b/tests/admin_scripts/views.py @@ -0,0 +1,17 @@ +from pathlib import Path + +from django.http import FileResponse + + +def template_bad_filename(request): + content = Path(__file__).parent / "custom_templates" / "project_template.tgz" + f = open(content, "rb") + filename = "/nonexistent/archive.tgz" + response = FileResponse( + f, + as_attachment=True, + filename=filename, + ) + # Force the filename to have a slash at the beginning. + response["Content-Disposition"] = f'attachment; filename="{filename}"' + return response |