comparison test/test_cgi.py @ 5624:b3618882f906
issue2551023: Fix CSRF headers for use with wsgi and cgi. The
env variable array used `-` separators rather than `_`. Compare
HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH: the latter is
correct. Also fix roundup-server to produce the latter form. (Patch
by Cédric Krier)
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 27 Feb 2019 21:47:39 -0500 |
| parents | be99aa02c616 |
| children | f8893e1cde0d |
| 5623:1c4adab65faf | 5624:b3618882f906 |
|---|---|
| 902 print("result of subtest 3:", out[0]) | 902 print("result of subtest 3:", out[0]) |
| 903 self.assertEqual(match_at, 0) | 903 self.assertEqual(match_at, 0) |
| 904 del(cl.env['HTTP_ORIGIN']) | 904 del(cl.env['HTTP_ORIGIN']) |
| 905 del(out[0]) | 905 del(out[0]) |
| 906 | 906 |
| 907 cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.com' | 907 cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.com' |
| 908 # if there is an X-FORWARDED-HOST header it is used and | 908 # if there is an X-FORWARDED-HOST header it is used and |
| 909 # HOST header is ignored. X-FORWARDED-HOST should only be | 909 # HOST header is ignored. X-FORWARDED-HOST should only be |
| 910 # passed/set by a proxy. In this case the HOST header is | 910 # passed/set by a proxy. In this case the HOST header is |
| 911 # the proxy's name for the web server and not the name | 911 # the proxy's name for the web server and not the name |
| 912 # thatis exposed to the world. | 912 # thatis exposed to the world. |
| 913 cl.env['HTTP_HOST'] = 'frontend1.whoami.net' | 913 cl.env['HTTP_HOST'] = 'frontend1.whoami.net' |
| 914 cl.inner_main() | 914 cl.inner_main() |
| 915 match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message') | 915 match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message') |
| 916 print("result of subtest 4:", out[0]) | 916 print("result of subtest 4:", out[0]) |
| 917 self.assertNotEqual(match_at, -1) | 917 self.assertNotEqual(match_at, -1) |
| 918 del(cl.env['HTTP_X-FORWARDED-HOST']) | 918 del(cl.env['HTTP_X_FORWARDED_HOST']) |
| 919 del(cl.env['HTTP_HOST']) | 919 del(cl.env['HTTP_HOST']) |
| 920 del(out[0]) | 920 del(out[0]) |
| 921 | 921 |
| 922 cl.env['HTTP_HOST'] = 'whoami.com' | 922 cl.env['HTTP_HOST'] = 'whoami.com' |
| 923 cl.inner_main() | 923 cl.inner_main() |
| 926 self.assertEqual(match_at, 0) | 926 self.assertEqual(match_at, 0) |
| 927 del(cl.env['HTTP_HOST']) | 927 del(cl.env['HTTP_HOST']) |
| 928 del(out[0]) | 928 del(out[0]) |
| 929 | 929 |
| 930 # try failing headers | 930 # try failing headers |
| 931 cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.net' | 931 cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.net' |
| 932 # this raises an error as the header check passes and | 932 # this raises an error as the header check passes and |
| 933 # it did the edit and tries to send mail. | 933 # it did the edit and tries to send mail. |
| 934 cl.inner_main() | 934 cl.inner_main() |
| 935 match_at=out[0].find('Invalid X-FORWARDED-HOST whoami.net') | 935 match_at=out[0].find('Invalid X-FORWARDED-HOST whoami.net') |
| 936 print("result of subtest 6:", out[0]) | 936 print("result of subtest 6:", out[0]) |
| 937 self.assertNotEqual(match_at, -1) | 937 self.assertNotEqual(match_at, -1) |
| 938 del(cl.env['HTTP_X-FORWARDED-HOST']) | 938 del(cl.env['HTTP_X_FORWARDED_HOST']) |
| 939 del(out[0]) | 939 del(out[0]) |
| 940 | 940 |
| 941 # header checks succeed | 941 # header checks succeed |
| 942 # check nonce handling. | 942 # check nonce handling. |
| 943 cl.env['HTTP_REFERER'] = 'http://whoami.com/path/' | 943 cl.env['HTTP_REFERER'] = 'http://whoami.com/path/' |
| 1045 {'REQUEST_METHOD':'POST', | 1045 {'REQUEST_METHOD':'POST', |
| 1046 'PATH_INFO':'xmlrpc', | 1046 'PATH_INFO':'xmlrpc', |
| 1047 'CONTENT_TYPE': 'text/plain', | 1047 'CONTENT_TYPE': 'text/plain', |
| 1048 'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=', | 1048 'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=', |
| 1049 'HTTP_REFERER': 'http://whoami.com/path/', | 1049 'HTTP_REFERER': 'http://whoami.com/path/', |
| 1050 'HTTP_X-REQUESTED-WITH': "XMLHttpRequest" | 1050 'HTTP_X_REQUESTED_WITH': "XMLHttpRequest" |
| 1051 }, form) | 1051 }, form) |
| 1052 cl.db = self.db | 1052 cl.db = self.db |
| 1053 cl.base = 'http://whoami.com/path/' | 1053 cl.base = 'http://whoami.com/path/' |
| 1054 cl._socket_op = lambda *x : True | 1054 cl._socket_op = lambda *x : True |
| 1055 cl._error_message = [] | 1055 cl._error_message = [] |
| 1073 print(out) | 1073 print(out) |
| 1074 self.assertEqual(out[0], answer) | 1074 self.assertEqual(out[0], answer) |
| 1075 del(out[0]) | 1075 del(out[0]) |
| 1076 | 1076 |
| 1077 # remove the X-REQUESTED-WITH header and get an xmlrpc fault returned | 1077 # remove the X-REQUESTED-WITH header and get an xmlrpc fault returned |
| 1078 del(cl.env['HTTP_X-REQUESTED-WITH']) | 1078 del(cl.env['HTTP_X_REQUESTED_WITH']) |
| 1079 cl.handle_xmlrpc() | 1079 cl.handle_xmlrpc() |
| 1080 frag_faultCode = "<member>\n<name>faultCode</name>\n<value><int>1</int></value>\n</member>\n" | 1080 frag_faultCode = "<member>\n<name>faultCode</name>\n<value><int>1</int></value>\n</member>\n" |
| 1081 frag_faultString = "<member>\n<name>faultString</name>\n<value><string><class 'roundup.exceptions.UsageError'>:Required Header Missing</string></value>\n</member>\n" | 1081 frag_faultString = "<member>\n<name>faultString</name>\n<value><string><class 'roundup.exceptions.UsageError'>:Required Header Missing</string></value>\n</member>\n" |
| 1082 output_fragments = ["<?xml version='1.0'?>\n", | 1082 output_fragments = ["<?xml version='1.0'?>\n", |
| 1083 "<methodResponse>\n", | 1083 "<methodResponse>\n", |
