comparison test/test_cgi.py @ 4851:24b8011cd2dc
Fix XSS in issue2550817
Note that the code that triggers that particular bug is no longer in
roundup core. But the change to the templates we suggest is a *lot*
safer as it always escapes the error and ok messages now.
If you are upgrading: you *MUST* read doc/upgrading.txt and make the
necessary changes to your templates, because the escaping now happens in the
template and not in the roundup code. If you do not make those changes,
*you are vulnerable*.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 20 Dec 2013 18:24:10 +0100 |
| parents | dad18ee491a9 |
| children | ca692423e401 |
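--- a/test/test_cgi.py
+++ b/test/test_cgi.py
@@ -41,33 +41,17 @@
     return form
 
 cm = client.clean_message
 class MessageTestCase(unittest.TestCase):
     # Note: We used to allow some html tags in error message. Now *only*
-    # newlines are allowed which are translated to <br />.
-    # All other tags are escaped.
+    # newlines are allowed and messages are split at newlines.
+    # Note that tags are no longer escaped, see doc/upgrading.txt for
+    # the changes needed in the templates (Migrating from 1.5.0 to 1.5.1)
     def testCleanMessageOK(self):
-        self.assertEqual(cm('a\nb'), 'a<br />\nb')
-        self.assertEqual(cm('a\nb\nc\n'), 'a<br />\nb<br />\nc<br />\n')
-
-    def testCleanMessageBAD(self):
-        self.assertEqual(cm('<script>x</script>'),
-            '<script>x</script>')
-        self.assertEqual(cm('<iframe>x</iframe>'),
-            '<iframe>x</iframe>')
-        self.assertEqual(cm('<<script >>alert(42);5<</script >>'),
-            '<<script >>alert(42);5<</script >>')
-        self.assertEqual(cm('<a href="y">x</a>'),
-            '<a href="y">x</a>')
-        self.assertEqual(cm('<A HREF="y">x</A>'),
-            '<A HREF="y">x</A>')
-        self.assertEqual(cm('<br>x<br />'), '<br>x<br />')
-        self.assertEqual(cm('<i>x</i>'), '<i>x</i>')
-        self.assertEqual(cm('<b>x</b>'), '<b>x</b>')
-        self.assertEqual(cm('<BR>x<BR />'), '<BR>x<BR />')
-        self.assertEqual(cm('<I>x</I>'), '<I>x</I>')
-        self.assertEqual(cm('<B>x</B>'), '<B>x</B>')
+        self.assertEqual(cm('a'), ['a'])
+        self.assertEqual(cm('a\nb'), ['a','b'])
+        self.assertEqual(cm('a\nb\nc\n'), ['a','b','c',''])
 
 class FormTestCase(unittest.TestCase):
     def setUp(self):
         self.dirname = '_test_cgi_form'
         # set up and open a tracker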
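Review bot: The new side deletes testCleanMessageBAD outright, so nothing in this file pins the contract the new comment on line 47 states — that clean_message no longer escapes tags and the template is the sole escaping layer. Without a test asserting the raw pass-through, a later "helpful" re-introduction of partial HTML filtering in clean_message would go unnoticed and could mislead template authors into dropping their own escaping. I would add a small pass-through case next to testCleanMessageOK, e.g. `def testCleanMessageTagsPassThrough(self):` followed by `self.assertEqual(cm('<script>x</script>'), ['<script>x</script>'])`, assuming the function really returns the input lines untouched, which is inferred from the comment rather than shown here. It is also worth a one-line comment on that test that the escaping responsibility now lives in the templates (see doc/upgrading.txt), so the next reader knows the unescaped output is intentional and not a regression. The trailing empty element in `cm('a\nb\nc\n')` is pinned by the new assertion, which is fine, but it means templates will emit an empty final line; a note on that expectation would help.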
