author | Matt Robenolt <matt@ydekproductions.com> | 2015-03-17 02:52:55 -0700 |
---|---|---|
committer | Tim Graham <timograham@gmail.com> | 2015-09-16 12:21:50 -0400 |
commit | b0c56b895fd2694d7f5d4595bdbbc41916607f45 (patch) | |
tree | 4ac4ef6e9e3cc89263f99ef76321ca88b2968a1c /tests/utils_tests/test_http.py | |
parent | 535809e12161d28dacaf5161436fc05a9bb064aa (diff) | |
Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
Diffstat (limited to 'tests/utils_tests/test_http.py')
-rw-r--r-- | tests/utils_tests/test_http.py | 44 |
1 files changed, 19 insertions, 25 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index 74c6905294..baa126d423 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -10,31 +10,6 @@ from django.utils.datastructures import MultiValueDict
 class TestUtilsHttp(unittest.TestCase):
- def test_same_origin_true(self):
- # Identical
- self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com/'))
- # One with trailing slash - see #15617
- self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com/'))
- self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com'))
- # With port
- self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/'))
- # No port given but according to RFC6454 still the same origin
- self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com:80/'))
- self.assertTrue(http.same_origin('https://foo.com', 'https://foo.com:443/'))
-
- def test_same_origin_false(self):
- # Different scheme
- self.assertFalse(http.same_origin('http://foo.com', 'https://foo.com'))
- # Different host
- self.assertFalse(http.same_origin('http://foo.com', 'http://goo.com'))
- # Different host again
- self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com'))
- # Different port
- self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001'))
- # No port given
- self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com:8000/'))
- self.assertFalse(http.same_origin('https://foo.com', 'https://foo.com:8000/'))
-
 def test_urlencode(self):
 # 2-tuples (the norm)
 result = http.urlencode((('a', 1), ('b', 2), ('c', 3)))
@@ -157,6 +132,25 @@ class TestUtilsHttp(unittest.TestCase):
 http.urlunquote_plus('Paris+&+Orl%C3%A9ans'), 'Paris & Orl\xe9ans')
+ def test_is_same_domain_good(self):
+ for pair in (
+ ('example.com', 'example.com'),
+ ('example.com', '.example.com'),
+ ('foo.example.com', '.example.com'),
+ ('example.com:8888', 'example.com:8888'),
+ ('example.com:8888', '.example.com:8888'),
+ ('foo.example.com:8888', '.example.com:8888'),
+ ):
+ self.assertTrue(http.is_same_domain(*pair))
+
+ def test_is_same_domain_bad(self):
+ for pair in (
+ ('example2.com', 'example.com'),
+ ('foo.example.com', 'example.com'),
+ ('example.com:9999', 'example.com:8888'),
+ ):
+ self.assertFalse(http.is_same_domain(*pair))
+
 class ETagProcessingTests(unittest.TestCase):
 def test_parsing(self): |
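Review bot: None of the three pairs in `test_is_same_domain_bad` uses a leading-dot pattern, so the subdomain-wildcard matching that `test_is_same_domain_good` exercises has no rejecting counterpart. Since the commit title ties this helper to CSRF Referer checking, a host that merely shares trailing characters with the pattern is the case most worth pinning; I would add (constructed samples) `('fooexample.com', '.example.com'),` and `('example.com.other.test', '.example.com'),`, plus `('foo.example.com:9999', '.example.com:8888'),` for a port mismatch under a wildcard. The removed `same_origin` tests carried the analogous `http://foo.com.evil.com` negative, which has no replacement here. The enclosing `TestUtilsHttp` class starts outside this hunk and `is_same_domain` itself is not shown on this page, so whether those pairs are rejected today cannot be confirmed from here.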