Mercurial > p > roundup > code
comparison test/test_cgi.py @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 470616e64414 |
| children | e44b65651012 |
comparison
equal
deleted
inserted
replaced
| 8061:b1d384d23cdb | 8062:28aa76443f58 |
|---|---|
| 976 cl.main() | 976 cl.main() |
| 977 self.db = cl.db # to close new db handle from main() at tearDown | 977 self.db = cl.db # to close new db handle from main() at tearDown |
| 978 self.assertFalse('HTTP_PROXY' in cl.env) | 978 self.assertFalse('HTTP_PROXY' in cl.env) |
| 979 self.assertFalse('HTTP_PROXY' in os.environ) | 979 self.assertFalse('HTTP_PROXY' in os.environ) |
| 980 | 980 |
| 981 def testCsrfProtection(self): | 981 def testCsrfProtectionHtml(self): |
| 982 # need to set SENDMAILDEBUG to prevent | 982 # need to set SENDMAILDEBUG to prevent |
| 983 # downstream issue when email is sent on successful | 983 # downstream issue when email is sent on successful |
| 984 # issue creation. Also delete the file afterwards | 984 # issue creation. Also delete the file afterwards |
| 985 # just to make sure that some other test looking for | 985 # just to make sure that some other test looking for |
| 986 # SENDMAILDEBUG won't trip over ours. | 986 # SENDMAILDEBUG won't trip over ours. |
| 1056 print("result of subtest 2:", out[0]) | 1056 print("result of subtest 2:", out[0]) |
| 1057 self.assertEqual(match_at, 0) | 1057 self.assertEqual(match_at, 0) |
| 1058 del(cl.env['HTTP_REFERER']) | 1058 del(cl.env['HTTP_REFERER']) |
| 1059 del(out[0]) | 1059 del(out[0]) |
| 1060 | 1060 |
| 1061 # verify that HTTP_REFERER does not result in an XSS reflection | |
| 1062 cl.env['HTTP_REFERER'] = '<script>alert(1)</script>' | |
| 1063 cl.main() | |
| 1064 match_at=out[0].find('<script>') | |
| 1065 match_encoded_at=out[0].find('<script>') | |
| 1066 print("\n\nresult of subtest 2a:", out[0]) | |
| 1067 self.assertEqual(match_at, -1) # must not find unencoded script tag | |
| 1068 self.assertEqual(match_encoded_at, 53) # must find encoded script tag | |
| 1069 del(cl.env['HTTP_REFERER']) | |
| 1070 del(out[0]) | |
| 1071 | |
| 1061 cl.env['HTTP_ORIGIN'] = 'http://whoami.com' | 1072 cl.env['HTTP_ORIGIN'] = 'http://whoami.com' |
| 1062 cl.main() | 1073 cl.main() |
| 1063 match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message') | 1074 match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message') |
| 1064 print("result of subtest 3:", out[0]) | 1075 print("result of subtest 3:", out[0]) |
| 1065 self.assertEqual(match_at, 0) | 1076 self.assertEqual(match_at, 0) |