comparison test/test_cgi.py @ 5847:26cd8e8bbed3
Change the microcopy for a missing csrf token to match the message used for a mismatched csrf token. Fix tests.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 15 Jul 2019 20:59:12 -0400 |
| parents | bd6d41f21a5a |
| children | b40059d7036f |
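--- a/test/test_cgi.py
+++ b/test/test_cgi.py
@@ -956,11 +956,11 @@
 cl.env['HTTP_REFERER'] = 'http://whoami.com/path/'
 
 # roundup will report a missing token.
 cl.db.config['WEB_CSRF_ENFORCE_TOKEN'] = 'required'
 cl.inner_main()
-match_at=out[0].find('<p>Csrf token is missing.</p>')
+match_at=out[0].find("<p>We can't validate your session (csrf failure). Re-enter any unsaved data and try again.</p>")
 print("result of subtest 6a:", out[0], match_at)
 self.assertEqual(match_at, 33)
 del(out[0])
 cl.db.config['WEB_CSRF_ENFORCE_TOKEN'] = 'yes'
 
@@ -969,11 +969,11 @@
 form2.update({'@csrf': 'booogus'})
 # add a bogus csrf field to the form and rerun the inner_main
 cl.form = db_test_base.makeForm(form2)
 
 cl.inner_main()
-match_at=out[0].find('Invalid csrf token found: booogus')
+match_at=out[0].find("We can't validate your session (csrf failure). Re-enter any unsaved data and try again.")
 print("result of subtest 7:", out[0])
 self.assertEqual(match_at, 36)
 del(out[0])
 
 form2 = copy.copy(form)
@@ -997,11 +997,11 @@
 del(out[0])
 
 # try a replay attack
 cl.inner_main()
 # This should fail as token was wiped by last run.
-match_at=out[0].find('Invalid csrf token found: %s'%nonce)
+match_at=out[0].find("We can't validate your session (csrf failure). Re-enter any unsaved data and try again.")
 print("replay of csrf after post use", out[0])
 print("result of subtest 10:", out[0])
 self.assertEqual(match_at, 36)
 del(out[0])
 
@@ -1028,11 +1028,11 @@
 # change to post and should fail w/ invalid csrf
 # since get deleted the token.
 cl.env.update({'REQUEST_METHOD': 'POST'})
 print(cl.env)
 cl.inner_main()
-match_at=out[0].find('Invalid csrf token found: %s'%nonce)
+match_at=out[0].find("We can't validate your session (csrf failure). Re-enter any unsaved data and try again.")
 print("post failure after get", out[0])
 print("result of subtest 13:", out[0])
 self.assertEqual(match_at, 36)
 del(out[0])
 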
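Review bot: The four assertions that now search for the same generic string (lines 961, 974, 1002 and 1033) no longer tell a missing, bogus or replayed token apart, so the replay subtest at 1000-1005 and the POST-after-GET subtest at 1030-1036 would also pass if the request were rejected for some other csrf reason; if the server records the specific cause anywhere the test can read (a log or the handler's error attribute), assert on that too so each subtest keeps proving its own scenario. The old messages reflected the submitted token value into the page (`Invalid csrf token found: booogus`), which the new text deliberately does not; that is worth pinning with a negative check after line 974, `self.assertEqual(out[0].find('booogus'), -1)`, and likewise `self.assertEqual(out[0].find(nonce), -1)` after 1002, so a later change cannot quietly reintroduce echoing untrusted input. The fixed offsets 33 and 36 will also silently break on any unrelated change to the page prefix; `self.assertNotEqual(match_at, -1)` or `assertIn` would be a more robust assertion. The enclosing test method starts before the first hunk and continues past the last one.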
