Refs #27804 -- Used subTest() in several tests.
This commit is contained in:
parent
91b2bc3e70
commit
6092ea8fa6
19 changed files with 324 additions and 262 deletions
|
@ -108,10 +108,11 @@ class AuthViewNamedURLTests(AuthViewsTestCase):
|
|||
('password_reset_complete', [], {}),
|
||||
]
|
||||
for name, args, kwargs in expected_named_urls:
|
||||
try:
|
||||
reverse(name, args=args, kwargs=kwargs)
|
||||
except NoReverseMatch:
|
||||
self.fail("Reversal of url named '%s' failed with NoReverseMatch" % name)
|
||||
with self.subTest(name=name):
|
||||
try:
|
||||
reverse(name, args=args, kwargs=kwargs)
|
||||
except NoReverseMatch:
|
||||
self.fail("Reversal of url named '%s' failed with NoReverseMatch" % name)
|
||||
|
||||
|
||||
class PasswordResetTest(AuthViewsTestCase):
|
||||
|
@ -559,48 +560,54 @@ class LoginTest(AuthViewsTestCase):
|
|||
def test_security_check(self):
|
||||
login_url = reverse('login')
|
||||
|
||||
# Those URLs should not pass the security check
|
||||
for bad_url in ('http://example.com',
|
||||
'http:///example.com',
|
||||
'https://example.com',
|
||||
'ftp://example.com',
|
||||
'///example.com',
|
||||
'//example.com',
|
||||
'javascript:alert("XSS")'):
|
||||
# These URLs should not pass the security check.
|
||||
bad_urls = (
|
||||
'http://example.com',
|
||||
'http:///example.com',
|
||||
'https://example.com',
|
||||
'ftp://example.com',
|
||||
'///example.com',
|
||||
'//example.com',
|
||||
'javascript:alert("XSS")',
|
||||
)
|
||||
for bad_url in bad_urls:
|
||||
with self.subTest(bad_url=bad_url):
|
||||
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
|
||||
'url': login_url,
|
||||
'next': REDIRECT_FIELD_NAME,
|
||||
'bad_url': quote(bad_url),
|
||||
}
|
||||
response = self.client.post(nasty_url, {
|
||||
'username': 'testclient',
|
||||
'password': 'password',
|
||||
})
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertNotIn(bad_url, response.url, '%s should be blocked' % bad_url)
|
||||
|
||||
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
|
||||
'url': login_url,
|
||||
'next': REDIRECT_FIELD_NAME,
|
||||
'bad_url': quote(bad_url),
|
||||
}
|
||||
response = self.client.post(nasty_url, {
|
||||
'username': 'testclient',
|
||||
'password': 'password',
|
||||
})
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertNotIn(bad_url, response.url,
|
||||
"%s should be blocked" % bad_url)
|
||||
|
||||
# These URLs *should* still pass the security check
|
||||
for good_url in ('/view/?param=http://example.com',
|
||||
'/view/?param=https://example.com',
|
||||
'/view?param=ftp://example.com',
|
||||
'view/?param=//example.com',
|
||||
'https://testserver/',
|
||||
'HTTPS://testserver/',
|
||||
'//testserver/',
|
||||
'/url%20with%20spaces/'): # see ticket #12534
|
||||
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
|
||||
'url': login_url,
|
||||
'next': REDIRECT_FIELD_NAME,
|
||||
'good_url': quote(good_url),
|
||||
}
|
||||
response = self.client.post(safe_url, {
|
||||
'username': 'testclient',
|
||||
'password': 'password',
|
||||
})
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertIn(good_url, response.url, "%s should be allowed" % good_url)
|
||||
# These URLs should pass the security check.
|
||||
good_urls = (
|
||||
'/view/?param=http://example.com',
|
||||
'/view/?param=https://example.com',
|
||||
'/view?param=ftp://example.com',
|
||||
'view/?param=//example.com',
|
||||
'https://testserver/',
|
||||
'HTTPS://testserver/',
|
||||
'//testserver/',
|
||||
'/url%20with%20spaces/',
|
||||
)
|
||||
for good_url in good_urls:
|
||||
with self.subTest(good_url=good_url):
|
||||
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
|
||||
'url': login_url,
|
||||
'next': REDIRECT_FIELD_NAME,
|
||||
'good_url': quote(good_url),
|
||||
}
|
||||
response = self.client.post(safe_url, {
|
||||
'username': 'testclient',
|
||||
'password': 'password',
|
||||
})
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertIn(good_url, response.url, '%s should be allowed' % good_url)
|
||||
|
||||
def test_security_check_https(self):
|
||||
login_url = reverse('login')
|
||||
|
@ -988,45 +995,52 @@ class LogoutTest(AuthViewsTestCase):
|
|||
def test_security_check(self):
|
||||
logout_url = reverse('logout')
|
||||
|
||||
# Those URLs should not pass the security check
|
||||
for bad_url in ('http://example.com',
|
||||
'http:///example.com',
|
||||
'https://example.com',
|
||||
'ftp://example.com',
|
||||
'///example.com',
|
||||
'//example.com',
|
||||
'javascript:alert("XSS")'):
|
||||
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
|
||||
'url': logout_url,
|
||||
'next': REDIRECT_FIELD_NAME,
|
||||
'bad_url': quote(bad_url),
|
||||
}
|
||||
self.login()
|
||||
response = self.client.get(nasty_url)
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertNotIn(bad_url, response.url,
|
||||
"%s should be blocked" % bad_url)
|
||||
self.confirm_logged_out()
|
||||
# These URLs should not pass the security check.
|
||||
bad_urls = (
|
||||
'http://example.com',
|
||||
'http:///example.com',
|
||||
'https://example.com',
|
||||
'ftp://example.com',
|
||||
'///example.com',
|
||||
'//example.com',
|
||||
'javascript:alert("XSS")',
|
||||
)
|
||||
for bad_url in bad_urls:
|
||||
with self.subTest(bad_url=bad_url):
|
||||
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
|
||||
'url': logout_url,
|
||||
'next': REDIRECT_FIELD_NAME,
|
||||
'bad_url': quote(bad_url),
|
||||
}
|
||||
self.login()
|
||||
response = self.client.get(nasty_url)
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertNotIn(bad_url, response.url, '%s should be blocked' % bad_url)
|
||||
self.confirm_logged_out()
|
||||
|
||||
# These URLs *should* still pass the security check
|
||||
for good_url in ('/view/?param=http://example.com',
|
||||
'/view/?param=https://example.com',
|
||||
'/view?param=ftp://example.com',
|
||||
'view/?param=//example.com',
|
||||
'https://testserver/',
|
||||
'HTTPS://testserver/',
|
||||
'//testserver/',
|
||||
'/url%20with%20spaces/'): # see ticket #12534
|
||||
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
|
||||
'url': logout_url,
|
||||
'next': REDIRECT_FIELD_NAME,
|
||||
'good_url': quote(good_url),
|
||||
}
|
||||
self.login()
|
||||
response = self.client.get(safe_url)
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertIn(good_url, response.url, "%s should be allowed" % good_url)
|
||||
self.confirm_logged_out()
|
||||
# These URLs should pass the security check.
|
||||
good_urls = (
|
||||
'/view/?param=http://example.com',
|
||||
'/view/?param=https://example.com',
|
||||
'/view?param=ftp://example.com',
|
||||
'view/?param=//example.com',
|
||||
'https://testserver/',
|
||||
'HTTPS://testserver/',
|
||||
'//testserver/',
|
||||
'/url%20with%20spaces/',
|
||||
)
|
||||
for good_url in good_urls:
|
||||
with self.subTest(good_url=good_url):
|
||||
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
|
||||
'url': logout_url,
|
||||
'next': REDIRECT_FIELD_NAME,
|
||||
'good_url': quote(good_url),
|
||||
}
|
||||
self.login()
|
||||
response = self.client.get(safe_url)
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertIn(good_url, response.url, '%s should be allowed' % good_url)
|
||||
self.confirm_logged_out()
|
||||
|
||||
def test_security_check_https(self):
|
||||
logout_url = reverse('logout')
|
||||
|
|
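Review bot: The `# see ticket #12534` annotation that explained why `'/url%20with%20spaces/'` is in the allowed list is dropped on the new side of both `LoginTest.test_security_check` and `LogoutTest.test_security_check` when the inline tuple is turned into the `good_urls` literal; the other entries are self-explanatory, but this one only makes sense with the ticket reference. Keep it on the tuple element, `'/url%20with%20spaces/',  # see ticket #12534`, in both methods so the next reader does not "tidy" the percent-encoded case away. The subTest() conversion itself looks behaviour-preserving: the request and assertion lines inside each loop are unchanged apart from quote style and line joining.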