Mercurial > p > roundup > code
view test/test_memorydb.py @ 6375:c4371ec7d1c0
Call verifyPassword even if user does not exist.
Address timing attack caused by not doing the password check if the
user doesn't exist. Can expose valid usernames. Really only useful for
a tracker that doesn't allow anonymous access to issues. Issues
usually show usernames as part of the message display.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 06 Apr 2021 22:51:55 -0400 |
| parents | 7f00fc5958ca |
| children | 044dcf3608a2 |
line wrap: on
line source
import unittest, os, shutil, time from roundup import hyperdb from .db_test_base import DBTest, ROTest, SchemaTest, config, setupSchema from roundup.test import memorydb class memorydbOpener: module = memorydb def nuke_database(self): # really kill it memorydb.db_nuke('') self.db = None db = None def open_database(self, user='admin'): if self.db: self.db.close() self.db = self.module.Database(config, user) return self.db def setUp(self): self.open_database() setupSchema(self.db, 1, self.module) def tearDown(self): if self.db is not None: self.db.close() self.db = None self.nuke_database() # nuke and re-create db for restore def nukeAndCreate(self): self.db.close() self.nuke_database() self.db = self.module.Database(config, 'admin') setupSchema(self.db, 0, self.module) class memorydbDBTest(memorydbOpener, DBTest, unittest.TestCase): pass class memorydbROTest(memorydbOpener, ROTest, unittest.TestCase): def setUp(self): self.db = self.module.Database(config) setupSchema(self.db, 0, self.module) class memorydbSchemaTest(memorydbOpener, SchemaTest, unittest.TestCase): pass from .session_common import SessionTest class memorydbSessionTest(memorydbOpener, SessionTest, unittest.TestCase): def setUp(self): self.db = self.module.Database(config, 'admin') setupSchema(self.db, 1, self.module) self.sessions = self.db.sessions # vim: set filetype=python ts=4 sw=4 et si