Diffstat (limited to 'tests/regressiontests/requests/tests.py')
| -rw-r--r-- | tests/regressiontests/requests/tests.py | 232 |
1 files changed, 110 insertions, 122 deletions
diff --git a/tests/regressiontests/requests/tests.py b/tests/regressiontests/requests/tests.py index 2ec478a201..9a3197a06a 100644 --- a/tests/regressiontests/requests/tests.py +++ b/tests/regressiontests/requests/tests.py @@ -5,12 +5,11 @@ import warnings from datetime import datetime, timedelta from io import BytesIO -from django.conf import settings from django.core.exceptions import SuspiciousOperation from django.core.handlers.wsgi import WSGIRequest, LimitedStream from django.http import HttpRequest, HttpResponse, parse_cookie, build_request_repr, UnreadablePostError from django.test.client import FakePayload -from django.test.utils import str_prefix +from django.test.utils import override_settings, str_prefix from django.utils import unittest from django.utils.http import cookie_date from django.utils.timezone import utc 
@@ -70,157 +69,146 @@ class RequestsTests(unittest.TestCase): self.assertEqual(request.build_absolute_uri(location="/path/with:colons"), 'http://www.example.com/path/with:colons') + @override_settings(USE_X_FORWARDED_HOST=False) def test_http_get_host(self): - old_USE_X_FORWARDED_HOST = settings.USE_X_FORWARDED_HOST - try: - settings.USE_X_FORWARDED_HOST = False + # Check if X_FORWARDED_HOST is provided. + request = HttpRequest() + request.META = { + 'HTTP_X_FORWARDED_HOST': 'forward.com', + 'HTTP_HOST': 'example.com', + 'SERVER_NAME': 'internal.com', + 'SERVER_PORT': 80, + } + # X_FORWARDED_HOST is ignored. + self.assertEqual(request.get_host(), 'example.com') - # Check if X_FORWARDED_HOST is provided. - request = HttpRequest() - request.META = { - 'HTTP_X_FORWARDED_HOST': 'forward.com', - 'HTTP_HOST': 'example.com', - 'SERVER_NAME': 'internal.com', - 'SERVER_PORT': 80, - } - # X_FORWARDED_HOST is ignored. - self.assertEqual(request.get_host(), 'example.com') + # Check if X_FORWARDED_HOST isn't provided. + request = HttpRequest() + request.META = { + 'HTTP_HOST': 'example.com', + 'SERVER_NAME': 'internal.com', + 'SERVER_PORT': 80, + } + self.assertEqual(request.get_host(), 'example.com') - # Check if X_FORWARDED_HOST isn't provided. - request = HttpRequest() - request.META = { - 'HTTP_HOST': 'example.com', - 'SERVER_NAME': 'internal.com', - 'SERVER_PORT': 80, - } - self.assertEqual(request.get_host(), 'example.com') + # Check if HTTP_HOST isn't provided. + request = HttpRequest() + request.META = { + 'SERVER_NAME': 'internal.com', + 'SERVER_PORT': 80, + } + self.assertEqual(request.get_host(), 'internal.com') - # Check if HTTP_HOST isn't provided. 
- request = HttpRequest() - request.META = { - 'SERVER_NAME': 'internal.com', - 'SERVER_PORT': 80, - } - self.assertEqual(request.get_host(), 'internal.com') + # Check if HTTP_HOST isn't provided, and we're on a nonstandard port + request = HttpRequest() + request.META = { + 'SERVER_NAME': 'internal.com', + 'SERVER_PORT': 8042, + } + self.assertEqual(request.get_host(), 'internal.com:8042') + + # Poisoned host headers are rejected as suspicious + legit_hosts = [ + 'example.com', + 'example.com:80', + '12.34.56.78', + '12.34.56.78:443', + '[2001:19f0:feee::dead:beef:cafe]', + '[2001:19f0:feee::dead:beef:cafe]:8080', + ] - # Check if HTTP_HOST isn't provided, and we're on a nonstandard port + poisoned_hosts = [ + 'example.com@evil.tld', + 'example.com:dr.frankenstein@evil.tld', + 'example.com:someone@somestie.com:80', + 'example.com:80/badpath' + ] + + for host in legit_hosts: request = HttpRequest() request.META = { - 'SERVER_NAME': 'internal.com', - 'SERVER_PORT': 8042, + 'HTTP_HOST': host, } - self.assertEqual(request.get_host(), 'internal.com:8042') - - # Poisoned host headers are rejected as suspicious - legit_hosts = [ - 'example.com', - 'example.com:80', - '12.34.56.78', - '12.34.56.78:443', - '[2001:19f0:feee::dead:beef:cafe]', - '[2001:19f0:feee::dead:beef:cafe]:8080', - ] + request.get_host() - poisoned_hosts = [ - 'example.com@evil.tld', - 'example.com:dr.frankenstein@evil.tld', - 'example.com:someone@somestie.com:80', - 'example.com:80/badpath' - ] - - for host in legit_hosts: + for host in poisoned_hosts: + with self.assertRaises(SuspiciousOperation): request = HttpRequest() request.META = { 'HTTP_HOST': host, } request.get_host() - for host in poisoned_hosts: - with self.assertRaises(SuspiciousOperation): - request = HttpRequest() - request.META = { - 'HTTP_HOST': host, - } - request.get_host() + @override_settings(USE_X_FORWARDED_HOST=True) + def test_http_get_host_with_x_forwarded_host(self): + # Check if X_FORWARDED_HOST is provided. 
+ request = HttpRequest() + request.META = { + 'HTTP_X_FORWARDED_HOST': 'forward.com', + 'HTTP_HOST': 'example.com', + 'SERVER_NAME': 'internal.com', + 'SERVER_PORT': 80, + } + # X_FORWARDED_HOST is obeyed. + self.assertEqual(request.get_host(), 'forward.com') - finally: - settings.USE_X_FORWARDED_HOST = old_USE_X_FORWARDED_HOST + # Check if X_FORWARDED_HOST isn't provided. + request = HttpRequest() + request.META = { + 'HTTP_HOST': 'example.com', + 'SERVER_NAME': 'internal.com', + 'SERVER_PORT': 80, + } + self.assertEqual(request.get_host(), 'example.com') - def test_http_get_host_with_x_forwarded_host(self): - old_USE_X_FORWARDED_HOST = settings.USE_X_FORWARDED_HOST - try: - settings.USE_X_FORWARDED_HOST = True + # Check if HTTP_HOST isn't provided. + request = HttpRequest() + request.META = { + 'SERVER_NAME': 'internal.com', + 'SERVER_PORT': 80, + } + self.assertEqual(request.get_host(), 'internal.com') - # Check if X_FORWARDED_HOST is provided. - request = HttpRequest() - request.META = { - 'HTTP_X_FORWARDED_HOST': 'forward.com', - 'HTTP_HOST': 'example.com', - 'SERVER_NAME': 'internal.com', - 'SERVER_PORT': 80, - } - # X_FORWARDED_HOST is obeyed. - self.assertEqual(request.get_host(), 'forward.com') + # Check if HTTP_HOST isn't provided, and we're on a nonstandard port + request = HttpRequest() + request.META = { + 'SERVER_NAME': 'internal.com', + 'SERVER_PORT': 8042, + } + self.assertEqual(request.get_host(), 'internal.com:8042') - # Check if X_FORWARDED_HOST isn't provided. - request = HttpRequest() - request.META = { - 'HTTP_HOST': 'example.com', - 'SERVER_NAME': 'internal.com', - 'SERVER_PORT': 80, - } - self.assertEqual(request.get_host(), 'example.com') + # Poisoned host headers are rejected as suspicious + legit_hosts = [ + 'example.com', + 'example.com:80', + '12.34.56.78', + '12.34.56.78:443', + '[2001:19f0:feee::dead:beef:cafe]', + '[2001:19f0:feee::dead:beef:cafe]:8080', + ] - # Check if HTTP_HOST isn't provided. 
- request = HttpRequest() - request.META = { - 'SERVER_NAME': 'internal.com', - 'SERVER_PORT': 80, - } - self.assertEqual(request.get_host(), 'internal.com') + poisoned_hosts = [ + 'example.com@evil.tld', + 'example.com:dr.frankenstein@evil.tld', + 'example.com:dr.frankenstein@evil.tld:80', + 'example.com:80/badpath' + ] - # Check if HTTP_HOST isn't provided, and we're on a nonstandard port + for host in legit_hosts: request = HttpRequest() request.META = { - 'SERVER_NAME': 'internal.com', - 'SERVER_PORT': 8042, + 'HTTP_HOST': host, } - self.assertEqual(request.get_host(), 'internal.com:8042') - - # Poisoned host headers are rejected as suspicious - legit_hosts = [ - 'example.com', - 'example.com:80', - '12.34.56.78', - '12.34.56.78:443', - '[2001:19f0:feee::dead:beef:cafe]', - '[2001:19f0:feee::dead:beef:cafe]:8080', - ] + request.get_host() - poisoned_hosts = [ - 'example.com@evil.tld', - 'example.com:dr.frankenstein@evil.tld', - 'example.com:dr.frankenstein@evil.tld:80', - 'example.com:80/badpath' - ] - - for host in legit_hosts: + for host in poisoned_hosts: + with self.assertRaises(SuspiciousOperation): request = HttpRequest() request.META = { 'HTTP_HOST': host, } request.get_host() - for host in poisoned_hosts: - with self.assertRaises(SuspiciousOperation): - request = HttpRequest() - request.META = { - 'HTTP_HOST': host, - } - request.get_host() - - finally: - settings.USE_X_FORWARDED_HOST = old_USE_X_FORWARDED_HOST def test_near_expiration(self): "Cookie will expire when an near expiration time is provided" |
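Review bot: In `test_http_get_host_with_x_forwarded_host` the poisoned values are only ever placed in `'HTTP_HOST'`, so the header this configuration obeys (the first assertion returns 'forward.com' from `HTTP_X_FORWARDED_HOST`) is never exercised with a malformed value. I would add a second loop over `poisoned_hosts` that sets `request.META = {'HTTP_X_FORWARDED_HOST': host, 'HTTP_HOST': 'example.com'}` and calls `request.get_host()` inside `with self.assertRaises(SuspiciousOperation):`. Whether `get_host()` applies the same validation to the forwarded header is not visible from this page, so the new loop would either confirm it or expose the gap. Separately, the two `poisoned_hosts` lists have drifted ('example.com:someone@somestie.com:80' in the first test, 'example.com:dr.frankenstein@evil.tld:80' in the second), and the `legit_hosts` loops only check that no exception is raised; a shared class-level list would keep both settings tested against the same inputs. Both test methods are complete within the hunk, while the enclosing `RequestsTests` class starts outside it.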
