Mercurial > p > roundup > code
view test/test_pythonexpr.py @ 6375:c4371ec7d1c0
Call verifyPassword even if user does not exist.
Address timing attack caused by not doing the password check if the
user doesn't exist. Can expose valid usernames. Really only useful for
a tracker that doesn't allow anonymous access to issues. Issues
usually show usernames as part of the message display.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 06 Apr 2021 22:51:55 -0400 |
| parents | e70885fe72a4 |
| children |
line wrap: on
line source
""" In Python 3, sometimes TAL "python:" expressions that refer to variables but not all variables are recognized. That is in Python 2.7 all variables used in a TAL "python:" expression are recognized as references. In Python 3.5 (perhaps earlier), some TAL "python:" expressions refer to variables but the reference generates an error like this: <class 'NameError'>: name 'some_tal_variable' is not defined even when the variable is defined. Output after this message lists the variable and its value. """ import unittest from roundup.cgi.PageTemplates.PythonExpr import PythonExpr as PythonExprClass class ExprTest(unittest.TestCase): def testExpr(self): expr = '[x for x in context.assignedto ' \ 'if x.realname not in user_realnames]' pe = PythonExprClass('test', expr, None) # Looking at the expression, only context and user_realnames are # external variables. The names assignedto and realname are members, # and x is local. required_names = ['context', 'user_realnames'] got_names = pe._f_varnames for required_name in required_names: self.assertIn(required_name, got_names)