summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/regressiontests/serializers_regress/tests.py15
1 files changed, 15 insertions, 0 deletions
diff --git a/tests/regressiontests/serializers_regress/tests.py b/tests/regressiontests/serializers_regress/tests.py
index 67aec08af2..e586d76e7f 100644
--- a/tests/regressiontests/serializers_regress/tests.py
+++ b/tests/regressiontests/serializers_regress/tests.py
@@ -10,6 +10,7 @@ from __future__ import absolute_import, unicode_literals
import datetime
import decimal
+from django.core.serializers.xml_serializer import DTDForbidden
try:
import yaml
@@ -514,3 +515,17 @@ for format in serializers.get_serializer_formats():
if format != 'python':
setattr(SerializerTests, 'test_' + format + '_serializer_stream', curry(streamTest, format))
+
+class XmlDeserializerSecurityTests(TestCase):
+
+ def test_no_dtd(self):
+ """
+ The XML deserializer shouldn't allow a DTD.
+
+ This is the most straightforward way to prevent all entity definitions
+ and avoid both external entities and entity-expansion attacks.
+
+ """
+ xml = '<?xml version="1.0" standalone="no"?><!DOCTYPE example SYSTEM "http://example.com/example.dtd">'
+ with self.assertRaises(DTDForbidden):
+ next(serializers.deserialize('xml', xml))