comparison test/test_cgi.py @ 5629:8e3df461d316 maint-1.6
issue2551023: Fix CSRF headers for use with wsgi and cgi. The
env variable array used '-' separators rather than '_'. Compare:
HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The latter is
correct. Also fix roundup-server to produce the latter form. (Patch
by Cédric Krier)
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 27 Feb 2019 21:47:39 -0500 |
| parents | 351763d6400a |
| children |
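--- a/test/test_cgi.py
+++ b/test/test_cgi.py
@@ -886,22 +886,22 @@
 print "result of subtest 3:", out[0]
 self.assertEqual(match_at, 0)
 del(cl.env['HTTP_ORIGIN'])
 del(out[0])
 
-cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.com'
+cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.com'
 # if there is an X-FORWARDED-HOST header it is used and
 # HOST header is ignored. X-FORWARDED-HOST should only be
 # passed/set by a proxy. In this case the HOST header is
 # the proxy's name for the web server and not the name
 # thatis exposed to the world.
 cl.env['HTTP_HOST'] = 'frontend1.whoami.net'
 cl.inner_main()
 match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message')
 print "result of subtest 4:", out[0]
 self.assertNotEqual(match_at, -1)
-del(cl.env['HTTP_X-FORWARDED-HOST'])
+del(cl.env['HTTP_X_FORWARDED_HOST'])
 del(cl.env['HTTP_HOST'])
 del(out[0])
 
 cl.env['HTTP_HOST'] = 'whoami.com'
 cl.inner_main()
@@ -910,18 +910,18 @@
 self.assertEqual(match_at, 0)
 del(cl.env['HTTP_HOST'])
 del(out[0])
 
 # try failing headers
-cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.net'
+cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.net'
 # this raises an error as the header check passes and
 # it did the edit and tries to send mail.
 cl.inner_main()
 match_at=out[0].find('Invalid X-FORWARDED-HOST whoami.net')
 print "result of subtest 6:", out[0]
 self.assertNotEqual(match_at, -1)
-del(cl.env['HTTP_X-FORWARDED-HOST'])
+del(cl.env['HTTP_X_FORWARDED_HOST'])
 del(out[0])
 
 # header checks succeed
 # check nonce handling.
 cl.env['HTTP_REFERER'] = 'http://whoami.com/path/'
@@ -1029,11 +1029,11 @@
 {'REQUEST_METHOD':'POST',
 'PATH_INFO':'xmlrpc',
 'CONTENT_TYPE': 'text/plain',
 'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=',
 'HTTP_REFERER': 'http://whoami.com/path/',
-'HTTP_X-REQUESTED-WITH': "XMLHttpRequest"
+'HTTP_X_REQUESTED_WITH': "XMLHttpRequest"
 }, form)
 cl.db = self.db
 cl.base = 'http://whoami.com/path/'
 cl._socket_op = lambda *x : True
 cl._error_message = []
@@ -1057,11 +1057,11 @@
 print out
 self.assertEqual(out[0], answer)
 del(out[0])
 
 # remove the X-REQUESTED-WITH header and get an xmlrpc fault returned
-del(cl.env['HTTP_X-REQUESTED-WITH'])
+del(cl.env['HTTP_X_REQUESTED_WITH'])
 cl.handle_xmlrpc()
 output="<?xml version='1.0'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>1</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string><class 'roundup.exceptions.UsageError'>:Required Header Missing</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"
 print out[0]
 self.assertEqual(output,out[0])
 del(out[0])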
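Review bot: The switch to underscore-form env keys at file lines 891, 902, 915, 922, 1034 and 1062 is not explained anywhere in the test, so a later maintainer could plausibly "correct" them back to the dashed form the assertions used before, which would silently stop exercising the CSRF header checks that a real CGI/WSGI gateway feeds. A one-line comment before the first assignment at 891 would pin the convention: `# CGI/WSGI gateways expose request headers as HTTP_<NAME> with '-' mapped to '_' (RFC 3875), so the key must be HTTP_X_FORWARDED_HOST, never HTTP_X-FORWARDED-HOST`. Separately, the comment at 916-917 ("the header check passes and it did the edit and tries to send mail") appears to contradict the assertion at 919, which expects 'Invalid X-FORWARDED-HOST whoami.net'; it looks stale and could be reworded to `# whoami.net does not match the configured base, so the header check rejects it`. The enclosing test methods start and end outside this section.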
