author | John-Mark Bell <jmb@pexip.com> | 2016-03-07 12:06:46 +0000 |
---|---|---|
committer | Tim Graham <timograham@gmail.com> | 2016-03-07 13:19:39 -0500 |
commit | 4b129ac81f4fa38004950d0b307f81d1e9b44af8 (patch) | |
tree | 702fd5f42b611a8cb0e4647434d9607a4f76f000 /tests/file_uploads | |
parent | 75614f6d4c1a3fe779a75eb3e787452cccd1d814 (diff) | |
Fixed #26325 -- Made MultiPartParser ignore filenames that normalize to an empty string.
Diffstat (limited to 'tests/file_uploads')
-rw-r--r-- | tests/file_uploads/tests.py | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 976707f4b4..66bae79e0e 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -179,6 +179,41 @@ class FileUploadTests(TestCase):
         response = self.client.request(**r)
         self.assertEqual(response.status_code, 200)
 
+    def test_blank_filenames(self):
+        """
+        Receiving file upload when filename is blank (before and after
+        sanitization) should be okay.
+        """
+        # The second value is normalized to an empty name by
+        # MultiPartParser.IE_sanitize()
+        filenames = ['', 'C:\\Windows\\']
+
+        payload = client.FakePayload()
+        for i, name in enumerate(filenames):
+            payload.write('\r\n'.join([
+                '--' + client.BOUNDARY,
+                'Content-Disposition: form-data; name="file%s"; filename="%s"' % (i, name),
+                'Content-Type: application/octet-stream',
+                '',
+                'You got pwnd.\r\n'
+            ]))
+        payload.write('\r\n--' + client.BOUNDARY + '--\r\n')
+
+        r = {
+            'CONTENT_LENGTH': len(payload),
+            'CONTENT_TYPE': client.MULTIPART_CONTENT,
+            'PATH_INFO': '/echo/',
+            'REQUEST_METHOD': 'POST',
+            'wsgi.input': payload,
+        }
+        response = self.client.request(**r)
+        self.assertEqual(response.status_code, 200)
+
+        # Empty filenames should be ignored
+        received = json.loads(response.content.decode('utf-8'))
+        for i, name in enumerate(filenames):
+            self.assertIsNone(received.get('file%s' % i))
+
     def test_dangerous_file_names(self):
         """Uploaded file names should be sanitized before ever reaching the view."""
         # This test simulates possible directory traversal attacks by a
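Review bot: The final assertion in test_blank_filenames, `self.assertIsNone(received.get('file%s' % i))`, does not pin the "ignored" behaviour the comment above it promises, because it also passes if the echo view reports the part with a null value; `self.assertNotIn('file%s' % i, received)` checks that the parser dropped the part outright, and the loop variable `name` is unused in that loop, so `for i, _ in enumerate(filenames):` is the clearer header. The two inputs only cover the empty-string and backslash-path cases; if IE_sanitize() also strips surrounding whitespace, as the comment about normalization suggests, a whitespace-only filename such as `'   '` belongs in `filenames` so the test locks in every path to an empty name. The enclosing class FileUploadTests starts and ends outside the hunk.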