view test/test_token.py @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 9a74dfeb8620 |
| children |
#
# Copyright (c) 2001 Richard Jones
# This module is free software, and you may redistribute it and/or modify
# under the same terms as Python, so long as this copyright message and
# disclaimer are retained in their original form.
#
# This module is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

import unittest
import time

from roundup.token_r import token_split


class TokenTestCase(unittest.TestCase):
    """Pin the quoting and escaping rules of ``token_split``.

    Each case feeds one input string to ``token_split`` and checks the
    exact list of tokens that comes back.  The cases cover plain
    whitespace splitting, single and double quotes, backslash escapes
    inside and outside quotes, and rejection of an unterminated quote.
    """

    def testValid(self):
        # Unquoted words separated by a space become separate tokens.
        self.assertEqual(token_split('hello world'), ['hello', 'world'])

    def testIgnoreExtraSpace(self):
        # Trailing whitespace must not produce an empty trailing token.
        self.assertEqual(token_split('hello world '), ['hello', 'world'])

    def testQuoting(self):
        # Either quote character groups its contents into one token, and
        # the quote characters themselves are dropped.
        double_quoted = token_split('"hello world"')
        self.assertEqual(double_quoted, ['hello world'])
        single_quoted = token_split("'hello world'")
        self.assertEqual(single_quoted, ['hello world'])

    def testEmbedQuote(self):
        # A backslash-escaped apostrophe is a literal character, not the
        # start of a quoted section.
        escaped_apostrophe = token_split(r'Roch\'e Compaan')
        self.assertEqual(escaped_apostrophe, ["Roch'e", "Compaan"])
        # A quoted section that starts mid-word is joined to the text
        # before it.
        key_value = token_split('address="1 2 3"')
        self.assertEqual(key_value, ['address=1 2 3'])

    def testEmbedEscapeQuote(self):
        # Escaped quote characters inside a quoted section stay literal,
        # whichever quote character encloses them.
        self.assertEqual(token_split(r'"Roch\'e Compaan"'),
                         ["Roch'e Compaan"])
        self.assertEqual(token_split(r'"Roch\"e Compaan"'),
                         ['Roch"e Compaan'])

        # The same SQL fragment written with each quoting combination.
        collate_double = ["sql", 'COLLATE = "utf8mb4_unicode_ci";']
        self.assertEqual(
            token_split(r'sql "COLLATE = \"utf8mb4_unicode_ci\";"'),
            collate_double)
        self.assertEqual(
            token_split(r'''sql 'COLLATE = "utf8mb4_unicode_ci";' '''),
            collate_double)
        self.assertEqual(
            token_split(r'''sql 'COLLATE = \"utf8mb4_unicode_ci\";' '''),
            collate_double)
        self.assertEqual(
            token_split(r'''sql 'COLLATE = \'utf8mb4_unicode_ci\';' '''),
            ["sql", "COLLATE = 'utf8mb4_unicode_ci';"])

        # \n, \r and \t inside quotes are turned into the control
        # characters they name.
        self.assertEqual(token_split(r'''sql 'new\nline\rneed \ttab' '''),
                         ["sql", "new\nline\rneed \ttab"])

    def testEscaping(self):
        # An apostrophe inside double quotes needs no escaping.
        self.assertEqual(token_split('"Roch\'e" Compaan'),
                         ["Roch'e", "Compaan"])
        # A backslash-escaped space does not split the token.
        self.assertEqual(token_split(r'hello\ world'), ['hello world'])
        # Backslash escapes are also honoured outside quotes.
        self.assertEqual(token_split(r'\\'), ['\\'])
        self.assertEqual(token_split(r'\n'), ['\n'])
        self.assertEqual(token_split(r'\r'), ['\r'])
        self.assertEqual(token_split(r'\t'), ['\t'])

    def testBadQuote(self):
        # Input with a quote that is never closed is rejected with
        # ValueError instead of being split on a best-effort basis.
        with self.assertRaises(ValueError):
            token_split('"hello world')
        # Presumably the unescaped apostrophe opens a quoted section here;
        # compare the escaped form in testEmbedQuote.
        with self.assertRaises(ValueError):
            token_split("Roch'e Compaan")

# vim: set filetype=python ts=4 sw=4 et si
