From 64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b Mon Sep 17 00:00:00 2001 From: Tom Hacohen Date: Fri, 4 Jan 2019 02:21:55 +0000 Subject: [2.1.x] Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page. Co-Authored-By: Tim Graham Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master. --- tests/handlers/tests.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'tests') diff --git a/tests/handlers/tests.py b/tests/handlers/tests.py index 175a892618..54596a4f72 100644 --- a/tests/handlers/tests.py +++ b/tests/handlers/tests.py @@ -5,6 +5,7 @@ from django.db import close_old_connections, connection from django.test import ( RequestFactory, SimpleTestCase, TransactionTestCase, override_settings, ) +from django.utils.version import PY37 class HandlerTests(SimpleTestCase): @@ -160,16 +161,17 @@ class HandlerRequestTests(SimpleTestCase): def test_invalid_urls(self): response = self.client.get('~%A9helloworld') - self.assertContains(response, '~%A9helloworld', status_code=404) + self.assertEqual(response.status_code, 404) + self.assertEqual(response.context['request_path'], '/~%25A9helloworld' if PY37 else '/%7E%25A9helloworld') response = self.client.get('d%aao%aaw%aan%aal%aao%aaa%aad%aa/') - self.assertContains(response, 'd%AAo%AAw%AAn%AAl%AAo%AAa%AAd%AA', status_code=404) + self.assertEqual(response.context['request_path'], '/d%25AAo%25AAw%25AAn%25AAl%25AAo%25AAa%25AAd%25AA') response = self.client.get('/%E2%99%E2%99%A5/') - self.assertContains(response, '%E2%99\u2665', status_code=404) + self.assertEqual(response.context['request_path'], '/%25E2%2599%E2%99%A5/') response = self.client.get('/%E2%98%8E%E2%A9%E2%99%A5/') - self.assertContains(response, '\u260e%E2%A9\u2665', status_code=404) + self.assertEqual(response.context['request_path'], '/%E2%98%8E%25E2%25A9%E2%99%A5/') def test_environ_path_info_type(self): environ = RequestFactory().get('/%E2%A8%87%87%A5%E2%A8%A0').environ -- cgit v1.3