mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-11-18 02:56:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Fixed a security issue in http redirects. Disclosure and new release forthcoming.

Browse source
This commit is contained in:
Florian Apolloner 2012-07-30 22:01:50 +02:00
parent b1d4634686
commit 4129201c3e
2 changed files with 32 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

19
tests/regressiontests/httpwrappers/tests.py
View file

@ -4,8 +4,11 @@ from __future__ import unicode_literals
import copy
import pickle
from django.http import (QueryDict, HttpResponse, SimpleCookie, BadHeaderError,
parse_cookie)
from django.core.exceptions import SuspiciousOperation
from django.http import (QueryDict, HttpResponse, HttpResponseRedirect,
HttpResponsePermanentRedirect,
SimpleCookie, BadHeaderError,
parse_cookie)
from django.utils import unittest
@ -309,6 +312,18 @@ class HttpResponseTests(unittest.TestCase):
r = HttpResponse(['abc'])
self.assertRaises(Exception, r.write, 'def')
def test_unsafe_redirect(self):
bad_urls = [
'data:text/html,<script>window.alert("xss")</script>',
'mailto:test@example.com',
'file:///etc/passwd',
]
for url in bad_urls:
self.assertRaises(SuspiciousOperation,
HttpResponseRedirect, url)
self.assertRaises(SuspiciousOperation,
HttpResponsePermanentRedirect, url)
class CookieTests(unittest.TestCase):
def test_encode(self):