author | Tim Graham <timograham@gmail.com> | 2014-04-20 13:12:43 -0400 |
---|---|---|
committer | Tim Graham <timograham@gmail.com> | 2014-04-21 18:11:26 -0400 |
commit | 8b93b31487d6d3b0fcbbd0498991ea0db9088054 (patch) | |
tree | f71dd0182039fe8c7bbdc04c0c0eda8d1c3b2eb4 /tests/urlpatterns_reverse | |
parent | ab90c4707bc8c813962658350b2e6c13ea0b4711 (diff) | |
download | django-8b93b31487d6d3b0fcbbd0498991ea0db9088054.tar.gz |
Fixed a remote code execution vulnerability in URL reversing.
Thanks Benjamin Bach for the report and initial patch.
This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'tests/urlpatterns_reverse')
-rw-r--r-- | tests/urlpatterns_reverse/nonimported_module.py | 3 | ||||
-rw-r--r-- | tests/urlpatterns_reverse/tests.py | 21 | ||||
-rw-r--r-- | tests/urlpatterns_reverse/urls.py | 1 | ||||
-rw-r--r-- | tests/urlpatterns_reverse/views.py | 4 |
4 files changed, 29 insertions, 0 deletions
diff --git a/tests/urlpatterns_reverse/nonimported_module.py b/tests/urlpatterns_reverse/nonimported_module.py
new file mode 100644
index 0000000000..df046333d3
--- /dev/null
+++ b/tests/urlpatterns_reverse/nonimported_module.py
@@ -0,0 +1,3 @@
+def view(request):
+    """Stub view"""
+    pass
diff --git a/tests/urlpatterns_reverse/tests.py b/tests/urlpatterns_reverse/tests.py
index d2c4079fda..7c1501a7d3 100644
--- a/tests/urlpatterns_reverse/tests.py
+++ b/tests/urlpatterns_reverse/tests.py
@@ -1,8 +1,10 @@
+# -*- coding: utf-8 -*-
 """
 Unit tests for reverse URL lookups.
 """
 from __future__ import unicode_literals
 
+import sys
 import unittest
 
 from django.contrib.auth.models import User
@@ -356,6 +358,25 @@ class ReverseShortcutTests(TestCase):
         self.assertEqual(res.url, '/foo/')
         res = redirect('http://example.com/')
         self.assertEqual(res.url, 'http://example.com/')
+        # Assert that we can redirect using UTF-8 strings
+        res = redirect('/æøå/abc/')
+        self.assertEqual(res.url, '/%C3%A6%C3%B8%C3%A5/abc/')
+        # Assert that no imports are attempted when dealing with a relative path
+        # (previously, the below would resolve in a UnicodeEncodeError from __import__ )
+        res = redirect('/æøå.abc/')
+        self.assertEqual(res.url, '/%C3%A6%C3%B8%C3%A5.abc/')
+        res = redirect('os.path')
+        self.assertEqual(res.url, 'os.path')
+
+    def test_no_illegal_imports(self):
+        # modules that are not listed in urlpatterns should not be importable
+        redirect("urlpatterns_reverse.nonimported_module.view")
+        self.assertNotIn("urlpatterns_reverse.nonimported_module", sys.modules)
+
+    def test_reverse_by_path_nested(self):
+        # Views that are added to urlpatterns using include() should be
+        # reversable by doted path.
+        self.assertEqual(reverse('urlpatterns_reverse.views.nested_view'), '/includes/nested_path/')
 
     def test_redirect_view_object(self):
         from .views import absolute_kwargs_view
diff --git a/tests/urlpatterns_reverse/urls.py b/tests/urlpatterns_reverse/urls.py
index 3e5b53975a..d7dd6b6b09 100644
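Review bot: The stub's docstring should say why this module exists, because test_no_illegal_imports in tests.py only proves something if nothing else in the test package imports this module first; an import added elsewhere later would make that test fail for an unrelated reason. Suggest replacing `"""Stub view"""` with `"""Stub view. This module is deliberately absent from urls.py and must not be imported by any other test module: test_no_illegal_imports asserts it never reaches sys.modules."""`. The trailing `pass` after the docstring is redundant and can be dropped.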
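Review bot: `test_no_illegal_imports` can pass vacuously: if the fixture package happens to be importable under a different dotted name than `urlpatterns_reverse.nonimported_module` (for instance with a package prefix), the `assertNotIn` holds whether or not `redirect()` imported anything, and a regression in the fix would go unnoticed. A stronger version confirms after the assertion that the dotted name really is a module and then removes it from `sys.modules` so other tests are unaffected; a sketch follows. Also `reversable` and `doted` in the comment of test_reverse_by_path_nested should read `reversible` and `dotted`. The enclosing class ReverseShortcutTests starts before this hunk and test_redirect_view_object continues after it.
```python
    def test_no_illegal_imports(self):
        # modules that are not listed in urlpatterns should not be importable
        redirect("urlpatterns_reverse.nonimported_module.view")
        self.assertNotIn("urlpatterns_reverse.nonimported_module", sys.modules)
        # Guard against a vacuous pass: the dotted name must be a real module,
        # and the test must not leave it cached for other tests.
        self.addCleanup(sys.modules.pop, "urlpatterns_reverse.nonimported_module", None)
        __import__("urlpatterns_reverse.nonimported_module")
        self.assertIn("urlpatterns_reverse.nonimported_module", sys.modules)
    # … unchanged: test_reverse_by_path_nested …
```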
--- a/tests/urlpatterns_reverse/urls.py
+++ b/tests/urlpatterns_reverse/urls.py
@@ -7,6 +7,7 @@ from .views import empty_view, absolute_kwargs_view
 
 other_patterns = [
     url(r'non_path_include/$', empty_view, name='non_path_include'),
+    url(r'nested_path/$', 'urlpatterns_reverse.views.nested_view'),
 ]
 
 # test deprecated patterns() function. convert to list of urls() in Django 2.0
diff --git a/tests/urlpatterns_reverse/views.py b/tests/urlpatterns_reverse/views.py
index f23b4bf257..610feb8451 100644
--- a/tests/urlpatterns_reverse/views.py
+++ b/tests/urlpatterns_reverse/views.py
@@ -21,6 +21,10 @@ def defaults_view(request, arg1, arg2):
     pass
 
 
+def nested_view(request):
+    pass
+
+
 def erroneous_view(request):
     import non_existent  # NOQA
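Review bot: The new `nested_path/$` pattern intentionally carries no `name=`, unlike its sibling `non_path_include`, so that test_reverse_by_path_nested exercises reversing by dotted view path alone; that intent is invisible in the file and a maintainer tidying the list could add a name and silently weaken the test. A one-line comment above the entry would pin it: `# intentionally unnamed: reversed by dotted path in test_reverse_by_path_nested`. The include() that presumably mounts `other_patterns` under `includes/` is outside this hunk.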
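Review bot: `nested_view` is a bare stub with no indication of what references it, and nothing in views.py links it to the urls.py entry or the test that reverses it by dotted path. A short docstring would keep the three pieces connected: `"""Stub view; reversed by dotted path in test_reverse_by_path_nested via other_patterns in urls.py."""`.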