diff options
author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-05-23 12:06:34 +0200 |
---|---|---|
committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-06-03 11:36:12 +0200 |
commit | deeba6d92006999fee9adfbd8be79bf0a59e8008 (patch) | |
tree | c77fd6fb553aa154ffe78d9cf748bdef6d80e6e1 /tests/admin_widgets | |
parent | 98c0fe19ee2cba9726708ac9336e1dc0d43cca69 (diff) | |
download | django-deeba6d92006999fee9adfbd8be79bf0a59e8008.tar.gz |
Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link.
Diffstat (limited to 'tests/admin_widgets')
-rw-r--r-- | tests/admin_widgets/tests.py | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py index a7335f8f69..18475658c9 100644 --- a/tests/admin_widgets/tests.py +++ b/tests/admin_widgets/tests.py @@ -333,6 +333,13 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase): class AdminURLWidgetTest(SimpleTestCase): + def test_get_context_validates_url(self): + w = widgets.AdminURLFieldWidget() + for invalid in ['', '/not/a/full/url/', 'javascript:alert("Danger XSS!")']: + with self.subTest(url=invalid): + self.assertFalse(w.get_context('name', invalid, {})['url_valid']) + self.assertTrue(w.get_context('name', 'http://example.com', {})['url_valid']) + def test_render(self): w = widgets.AdminURLFieldWidget() self.assertHTMLEqual( @@ -366,31 +373,31 @@ class AdminURLWidgetTest(SimpleTestCase): VALUE_RE = re.compile('value="([^"]+)"') TEXT_RE = re.compile('<a[^>]+>([^>]+)</a>') w = widgets.AdminURLFieldWidget() - output = w.render('test', 'http://example.com/<sometag>some text</sometag>') + output = w.render('test', 'http://example.com/<sometag>some-text</sometag>') self.assertEqual( HREF_RE.search(output).groups()[0], - 'http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E', + 'http://example.com/%3Csometag%3Esome-text%3C/sometag%3E', ) self.assertEqual( TEXT_RE.search(output).groups()[0], - 'http://example.com/<sometag>some text</sometag>', + 'http://example.com/<sometag>some-text</sometag>', ) self.assertEqual( VALUE_RE.search(output).groups()[0], - 'http://example.com/<sometag>some text</sometag>', + 'http://example.com/<sometag>some-text</sometag>', ) - output = w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>') + output = w.render('test', 'http://example-äüö.com/<sometag>some-text</sometag>') self.assertEqual( HREF_RE.search(output).groups()[0], - 'http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E', + 'http://xn--example--7za4pnc.com/%3Csometag%3Esome-text%3C/sometag%3E', ) self.assertEqual( TEXT_RE.search(output).groups()[0], - 'http://example-äüö.com/<sometag>some text</sometag>', + 'http://example-äüö.com/<sometag>some-text</sometag>', ) self.assertEqual( VALUE_RE.search(output).groups()[0], - 'http://example-äüö.com/<sometag>some text</sometag>', + 'http://example-äüö.com/<sometag>some-text</sometag>', ) output = w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"') self.assertEqual( |