diff test/test_cgi.py @ 8062:28aa76443f58

fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125

Directions for fixing:

* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are vulnerable to an XSS attack. <CVE-2024-39124>`
  Requires fixing tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script tag, it will be executed. <CVE-2024-39125>`
  Fixed in release 2.4.0, directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an issue can contain embedded JavaScript which is executed. <CVE-2024-39126>`
  Fixed in release 2.4.0, directions available for fixing in prior versions.

prior to 2.4.0 release this weekend that fixes the last two CVEs.
author John Rouillard <rouilj@ieee.org>
date Tue, 09 Jul 2024 09:07:09 -0400
parents 470616e64414
children e44b65651012
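The Referer reflection the commit message describes (CVE-2024-39125) comes down to interpolating a request header into an HTML body. The following is an added example, not Roundup's code: a constructed CGI-style environment carrying the same payload the test uses, a vulnerable and a hardened rendering of a "Redirecting to" message side by side, a position-independent check for the unescaped tag, and a scheme check for the redirect target, since HTML-escaping alone does not stop a `javascript:` URL placed in an href. Function names and the `ATTACKER_ENV` dict are assumptions made for the example.

```python
"""Added example (not Roundup's code): reflecting an attacker-controlled
Referer header into HTML, vulnerable and hardened side by side."""
from html import escape
from urllib.parse import urlsplit

# Constructed CGI-style environment; the Referer value is the same payload
# the test in this commit feeds in. Not captured from a real request.
ATTACKER_ENV = {"HTTP_REFERER": "<script>alert(1)</script>"}


def redirect_message_vulnerable(env):
    """Interpolates the header verbatim into an HTML body: reflected XSS."""
    ref = env.get("HTTP_REFERER", "")
    return 'Redirecting to <a href="%s">%s</a>' % (ref, ref)


def redirect_message_hardened(env):
    """Escapes for both contexts the value lands in.

    html.escape(..., quote=True) converts <, >, &, " and ' so the value is
    inert inside the href attribute and as the link text.
    """
    ref = escape(env.get("HTTP_REFERER", ""), quote=True)
    return 'Redirecting to <a href="%s">%s</a>' % (ref, ref)


def reflects_unescaped(body, payload="<script>"):
    """True if the raw payload is present anywhere in the response body.

    Checking presence rather than a fixed offset keeps the check valid when
    surrounding text changes.
    """
    return payload in body


def is_acceptable_redirect(url):
    """Only http(s) URLs with a host may be used as a redirect target.

    Escaping neutralises tag injection, but a javascript: or data: URL in an
    href still runs on click, so the scheme must be checked separately.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    print("vulnerable:", redirect_message_vulnerable(ATTACKER_ENV))
    print("hardened:  ", redirect_message_hardened(ATTACKER_ENV))
    print("javascript: accepted?", is_acceptable_redirect("javascript:alert(1)"))
```

Running the block shows the hardened body containing `&lt;script&gt;alert(1)&lt;/script&gt;` and the vulnerable body containing the live tag; `is_acceptable_redirect` rejects `javascript:alert(1)` while accepting an ordinary http URL.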
--- a/test/test_cgi.py	Mon Jul 08 13:04:05 2024 -0400
+++ b/test/test_cgi.py	Tue Jul 09 09:07:09 2024 -0400
@@ -978,7 +978,7 @@
         self.assertFalse('HTTP_PROXY' in cl.env)
         self.assertFalse('HTTP_PROXY' in os.environ)
 
-    def testCsrfProtection(self):
+    def testCsrfProtectionHtml(self):
         # need to set SENDMAILDEBUG to prevent
         # downstream issue when email is sent on successful
         # issue creation. Also delete the file afterwards
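Review bot: the rename to `testCsrfProtectionHtml` implies a sibling variant for a non-HTML response type, but this patch adds none, so the suffix has nothing to contrast against yet; either add the sibling test in the same change or keep the name `testCsrfProtection` until it exists, so that invocations that name the method explicitly keep working.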
@@ -1058,6 +1058,17 @@
         del(cl.env['HTTP_REFERER'])
         del(out[0])
 
+        # verify that HTTP_REFERER does not result in an XSS reflection
+        cl.env['HTTP_REFERER'] = '<script>alert(1)</script>'
+        cl.main()
+        match_at=out[0].find('<script>')
+        match_encoded_at=out[0].find('&lt;script&gt;')
+        print("\n\nresult of subtest 2a:", out[0])
+        self.assertEqual(match_at, -1) # must not find unencoded script tag
+        self.assertEqual(match_encoded_at, 53) # must find encoded script tag
+        del(cl.env['HTTP_REFERER'])
+        del(out[0])
+
         cl.env['HTTP_ORIGIN'] = 'http://whoami.com'
         cl.main()
         match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message')
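Review bot: the `print("\n\nresult of subtest 2a:", out[0])` debug line should go before merging; it dumps the whole response body into the test output on every run. Separately, `self.assertEqual(match_encoded_at, 53)` pins the encoded tag to a byte offset, so any wording change earlier in the redirect page fails the test without indicating a regression; `self.assertNotEqual(match_encoded_at, -1)` or `self.assertIn('&lt;script&gt;', out[0])` asserts the property the comment actually states. The payload also only covers the text context; a value containing `"` would additionally show that the Referer is inert inside an attribute if it is ever emitted in one.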

Roundup Issue Tracker: http://roundup-tracker.org/