Mercurial > p > roundup > code
view test/test_instance.py @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 778a9f455067 |
| children | 9c3ec0a5c7fc |
line wrap: on
line source
# # Copyright (C) 2020 John Rouillard # All rights reserved. # For license terms see the file COPYING.txt. # from __future__ import print_function import unittest, os, shutil, errno, sys, difflib from roundup import instance from roundup.instance import TrackerError try: # python2 import pathlib2 as pathlib except ImportError: # python3 import pathlib from . import db_test_base class InstanceTest(unittest.TestCase): backend = 'anydbm' def setUp(self): self.dirname = '_test_instance' # set up and open a tracker self.instance = db_test_base.setupTracker(self.dirname, self.backend) # open the database self.db = self.instance.open('admin') self.db.commit() self.db.close() def tearDown(self): if self.db: self.db.close() try: shutil.rmtree(self.dirname) except OSError as error: if error.errno not in (errno.ENOENT, errno.ESRCH): raise def testOpenOldStyle(self): pathlib.Path(os.path.join(self.dirname, "dbinit.py")).touch() # no longer support old style tracker configs self.assertRaises(TrackerError, instance.open, self.dirname)