| author | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 22:03:09 +0200 |
|---|---|---|
| committer | Florian Apolloner <florian@apolloner.eu> | 2012-07-30 22:03:33 +0200 |
| commit | e34685034b60be1112160e76091e5aee60149fa1 (patch) | |
| tree | b2c97dcfeba7835135b60165fb2567586067c3b6 /tests | |
| parent | c14f325c4eef628bc7bfd8873c3a72aeb0219141 (diff) | |
[1.4.x] Fixed a security issue in http redirects. Disclosure and new release forthcoming.
Backport of 4129201c3e0fa057c198bdefcb34686a23b4a93c from master.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/regressiontests/httpwrappers/tests.py | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/tests/regressiontests/httpwrappers/tests.py b/tests/regressiontests/httpwrappers/tests.py
index 7513c46a8f..9a7c4ba1f5 100644
--- a/tests/regressiontests/httpwrappers/tests.py
+++ b/tests/regressiontests/httpwrappers/tests.py
@@ -1,8 +1,11 @@
 import copy
 import pickle
-from django.http import (QueryDict, HttpResponse, SimpleCookie, BadHeaderError,
-                        parse_cookie)
+from django.core.exceptions import SuspiciousOperation
+from django.http import (QueryDict, HttpResponse, HttpResponseRedirect,
+                         HttpResponsePermanentRedirect,
+                         SimpleCookie, BadHeaderError,
+                         parse_cookie)
 from django.utils import unittest
@@ -296,6 +299,18 @@ class HttpResponseTests(unittest.TestCase):
         self.assertRaises(UnicodeEncodeError, getattr, r, 'content')
+    def test_unsafe_redirect(self):
+        bad_urls = [
+            'data:text/html,<script>window.alert("xss")</script>',
+            'mailto:test@example.com',
+            'file:///etc/passwd',
+        ]
+        for url in bad_urls:
+            self.assertRaises(SuspiciousOperation,
+                              HttpResponseRedirect, url)
+            self.assertRaises(SuspiciousOperation,
+                              HttpResponsePermanentRedirect, url)
+
 class CookieTests(unittest.TestCase):
     def test_encode(self):
         """ |
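Review bot: The new `test_unsafe_redirect` exercises `data:`, `mailto:` and `file:` but omits the scheme that actually drives redirect-based XSS, `javascript:`, and any case variant such as `'JavaScript:alert(1)'` that a case-sensitive or lowercase-only scheme check would let through; both belong in `bad_urls`. The test also pins only the rejecting path, so an over-broad fix that refused every absolute URL would still pass — it should additionally assert that `HttpResponseRedirect` and `HttpResponsePermanentRedirect` construct without raising for `'http://example.com/'`, `'https://example.com/'` and a relative path. Which schemes the validation accepts lives in django/http and is outside this diff, so the positive cases above are inferred from ordinary redirect usage. The hunk's last lines are the start of `CookieTests.test_encode`, whose body continues outside the hunk.
```python
    def test_unsafe_redirect(self):
        bad_urls = [
            # … unchanged: existing data:, mailto:, file: entries …
            'javascript:alert(1)',
            'JavaScript:alert(1)',
        ]
        # … unchanged: assertRaises loop over bad_urls …
        # Pin the accepting path too, so an over-broad fix cannot pass silently.
        for url in ['http://example.com/', 'https://example.com/', '/relative/path/']:
            HttpResponseRedirect(url)
            HttpResponsePermanentRedirect(url)
```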
