summaryrefslogtreecommitdiff
path: root/tests/middleware/tests.py
diff options
context:
space:
mode:
Diffstat (limited to 'tests/middleware/tests.py')
-rw-r--r--tests/middleware/tests.py19
1 files changed, 19 insertions, 0 deletions
diff --git a/tests/middleware/tests.py b/tests/middleware/tests.py
index f3c8b9ca06..88e33348e6 100644
--- a/tests/middleware/tests.py
+++ b/tests/middleware/tests.py
@@ -130,6 +130,25 @@ class CommonMiddlewareTest(SimpleTestCase):
self.assertEqual(r.status_code, 301)
self.assertEqual(r.url, '/needsquoting%23/')
+ @override_settings(APPEND_SLASH=True)
+ def test_append_slash_leading_slashes(self):
+ """
+ Paths starting with two slashes are escaped to prevent open redirects.
+ If there's a URL pattern that allows paths to start with two slashes, a
+ request with path //evil.com must not redirect to //evil.com/ (appended
+ slash) which is a schemaless absolute URL. The browser would navigate
+ to evil.com/.
+ """
+ # Use 4 slashes because of RequestFactory behavior.
+ request = self.rf.get('////evil.com/security')
+ response = HttpResponseNotFound()
+ r = CommonMiddleware().process_request(request)
+ self.assertEqual(r.status_code, 301)
+ self.assertEqual(r.url, '/%2Fevil.com/security/')
+ r = CommonMiddleware().process_response(request, response)
+ self.assertEqual(r.status_code, 301)
+ self.assertEqual(r.url, '/%2Fevil.com/security/')
+
@override_settings(APPEND_SLASH=False, PREPEND_WWW=True)
def test_prepend_www(self):
request = self.rf.get('/path/')
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 02:39:16 +0000