diff options
| author | Preston Timmons <prestontimmons@gmail.com> | 2015-02-21 13:10:21 -0600 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-02-24 09:09:52 -0500 |
| commit | cdb73ec8cd5b072388e2af562ff8d010a1f1d91f (patch) | |
| tree | d40c9c5ed2e9367522d2506060768969091d71ec /tests/template_tests/syntax_tests/test_ssi.py | |
| parent | 210bf24ddbbd0ac7975507d7a2c8e3deeb5394b5 (diff) | |
[1.8.x] Moved ssi tests into syntax_tests/test_ssi.py.
Backport of 441a47e1efd46001ca454b80e0d5f8c5ea4e235b from master
Diffstat (limited to 'tests/template_tests/syntax_tests/test_ssi.py')
| -rw-r--r-- | tests/template_tests/syntax_tests/test_ssi.py | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/tests/template_tests/syntax_tests/test_ssi.py b/tests/template_tests/syntax_tests/test_ssi.py index e52931d19b..c650889020 100644 --- a/tests/template_tests/syntax_tests/test_ssi.py +++ b/tests/template_tests/syntax_tests/test_ssi.py @@ -2,6 +2,7 @@ from __future__ import unicode_literals import os +from django.template import Context, Engine from django.test import SimpleTestCase, ignore_warnings from django.utils.deprecation import ( RemovedInDjango19Warning, RemovedInDjango20Warning, @@ -82,3 +83,34 @@ class SsiTagTests(SimpleTestCase): output = self.engine.render_to_string('ssi09', {'test': 'Look ma! It parsed!'}) self.assertEqual(output, 'This is for testing an ssi include ' 'with spaces in its name. Look ma! It parsed!\n') + + +@ignore_warnings(category=RemovedInDjango20Warning) +class SSISecurityTests(SimpleTestCase): + + def setUp(self): + self.ssi_dir = os.path.join(ROOT, "templates", "first") + self.engine = Engine(allowed_include_roots=(self.ssi_dir,)) + + def render_ssi(self, path): + # the path must exist for the test to be reliable + self.assertTrue(os.path.exists(path)) + return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({})) + + def test_allowed_paths(self): + acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html") + self.assertEqual(self.render_ssi(acceptable_path), 'First template\n') + + def test_relative_include_exploit(self): + """ + May not bypass allowed_include_roots with relative paths + + e.g. if allowed_include_roots = ("/var/www",), it should not be + possible to do {% ssi "/var/www/../../etc/passwd" %} + """ + disallowed_paths = [ + os.path.join(self.ssi_dir, "..", "ssi_include.html"), + os.path.join(self.ssi_dir, "..", "second", "test.html"), + ] + for disallowed_path in disallowed_paths: + self.assertEqual(self.render_ssi(disallowed_path), '') |