From 4352a50871e239ebcdf64eee6f0b88e714015c1b Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Sun, 20 Apr 2014 13:31:53 -0400 Subject: [1.6.x] Fixed a remote code execution vulnerabilty in URL reversing. Thanks Benjamin Bach for the report and initial patch. This is a security fix; disclosure to follow shortly. Backport of 8b93b31487d6d3b0fcbbd0498991ea0db9088054 from master --- tests/urlpatterns_reverse/nonimported_module.py | 3 +++ tests/urlpatterns_reverse/tests.py | 23 ++++++++++++++++++++++- tests/urlpatterns_reverse/urls.py | 1 + tests/urlpatterns_reverse/views.py | 4 ++++ 4 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 tests/urlpatterns_reverse/nonimported_module.py (limited to 'tests/urlpatterns_reverse') diff --git a/tests/urlpatterns_reverse/nonimported_module.py b/tests/urlpatterns_reverse/nonimported_module.py new file mode 100644 index 0000000000..df046333d3 --- /dev/null +++ b/tests/urlpatterns_reverse/nonimported_module.py @@ -0,0 +1,3 @@ +def view(request): + """Stub view""" + pass diff --git a/tests/urlpatterns_reverse/tests.py b/tests/urlpatterns_reverse/tests.py index 3962f69288..249acc1e37 100644 --- a/tests/urlpatterns_reverse/tests.py +++ b/tests/urlpatterns_reverse/tests.py @@ -1,8 +1,11 @@ +# -*- coding: utf-8 -*- """ Unit tests for reverse URL lookups. """ from __future__ import absolute_import, unicode_literals +import sys + from django.conf import settings from django.contrib.auth.models import User from django.core.exceptions import ImproperlyConfigured, ViewDoesNotExist @@ -313,6 +316,25 @@ class ReverseShortcutTests(TestCase): self.assertEqual(res.url, '/foo/') res = redirect('http://example.com/') self.assertEqual(res.url, 'http://example.com/') + # Assert that we can redirect using UTF-8 strings + res = redirect('/æøå/abc/') + self.assertEqual(res.url, '/%C3%A6%C3%B8%C3%A5/abc/') + # Assert that no imports are attempted when dealing with a relative path + # (previously, the below would resolve in a UnicodeEncodeError from __import__ ) + res = redirect('/æøå.abc/') + self.assertEqual(res.url, '/%C3%A6%C3%B8%C3%A5.abc/') + res = redirect('os.path') + self.assertEqual(res.url, 'os.path') + + def test_no_illegal_imports(self): + # modules that are not listed in urlpatterns should not be importable + redirect("urlpatterns_reverse.nonimported_module.view") + self.assertNotIn("urlpatterns_reverse.nonimported_module", sys.modules) + + def test_reverse_by_path_nested(self): + # Views that are added to urlpatterns using include() should be + # reversable by doted path. + self.assertEqual(reverse('urlpatterns_reverse.views.nested_view'), '/includes/nested_path/') def test_redirect_view_object(self): from .views import absolute_kwargs_view @@ -641,4 +663,3 @@ class ViewLoadingTests(TestCase): # swallow it. self.assertRaises(AttributeError, get_callable, 'urlpatterns_reverse.views_broken.i_am_broken') - diff --git a/tests/urlpatterns_reverse/urls.py b/tests/urlpatterns_reverse/urls.py index 1dbc8d889f..0412f258ac 100644 --- a/tests/urlpatterns_reverse/urls.py +++ b/tests/urlpatterns_reverse/urls.py @@ -7,6 +7,7 @@ from .views import empty_view, absolute_kwargs_view other_patterns = patterns('', url(r'non_path_include/$', empty_view, name='non_path_include'), + url(r'nested_path/$', 'urlpatterns_reverse.views.nested_view'), ) urlpatterns = patterns('', diff --git a/tests/urlpatterns_reverse/views.py b/tests/urlpatterns_reverse/views.py index 88d169a118..f8148e1f3e 100644 --- a/tests/urlpatterns_reverse/views.py +++ b/tests/urlpatterns_reverse/views.py @@ -16,6 +16,10 @@ def absolute_kwargs_view(request, arg1=1, arg2=2): def defaults_view(request, arg1, arg2): pass +def nested_view(request): + pass + + def erroneous_view(request): import non_existent -- cgit v1.3