diff options
| author | Andreas Hug <andreas.hug@moccu.com> | 2018-07-24 16:18:17 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2018-08-01 09:28:42 -0400 |
| commit | a656a681272f8f3734b6eb38e9a88aa0d91806f1 (patch) | |
| tree | 84b5b88a03bbee88e8a72912d5bfe29d6ccea7d2 /tests | |
| parent | 7dbe7aa0b6f9d006800375cf5d8b71416869ce91 (diff) | |
| download | django-a656a681272f8f3734b6eb38e9a88aa0d91806f1.tar.gz | |
Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/middleware/tests.py | 19 | ||||
| -rw-r--r-- | tests/middleware/urls.py | 2 | ||||
| -rw-r--r-- | tests/utils_tests/test_http.py | 19 |
3 files changed, 36 insertions, 4 deletions
diff --git a/tests/middleware/tests.py b/tests/middleware/tests.py index f3c8b9ca06..88e33348e6 100644 --- a/tests/middleware/tests.py +++ b/tests/middleware/tests.py @@ -130,6 +130,25 @@ class CommonMiddlewareTest(SimpleTestCase): self.assertEqual(r.status_code, 301) self.assertEqual(r.url, '/needsquoting%23/') + @override_settings(APPEND_SLASH=True) + def test_append_slash_leading_slashes(self): + """ + Paths starting with two slashes are escaped to prevent open redirects. + If there's a URL pattern that allows paths to start with two slashes, a + request with path //evil.com must not redirect to //evil.com/ (appended + slash) which is a schemaless absolute URL. The browser would navigate + to evil.com/. + """ + # Use 4 slashes because of RequestFactory behavior. + request = self.rf.get('////evil.com/security') + response = HttpResponseNotFound() + r = CommonMiddleware().process_request(request) + self.assertEqual(r.status_code, 301) + self.assertEqual(r.url, '/%2Fevil.com/security/') + r = CommonMiddleware().process_response(request, response) + self.assertEqual(r.status_code, 301) + self.assertEqual(r.url, '/%2Fevil.com/security/') + @override_settings(APPEND_SLASH=False, PREPEND_WWW=True) def test_prepend_www(self): request = self.rf.get('/path/') diff --git a/tests/middleware/urls.py b/tests/middleware/urls.py index 8c6621d059..d623e7d6af 100644 --- a/tests/middleware/urls.py +++ b/tests/middleware/urls.py @@ -6,4 +6,6 @@ urlpatterns = [ url(r'^noslash$', views.empty_view), url(r'^slash/$', views.empty_view), url(r'^needsquoting#/$', views.empty_view), + # Accepts paths with two leading slashes. + url(r'^(.+)/security/$', views.empty_view), ] diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index 05b43c814f..1cbb0d96bf 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -5,10 +5,10 @@ from django.test import SimpleTestCase, ignore_warnings from django.utils.datastructures import MultiValueDict from django.utils.deprecation import RemovedInDjango30Warning from django.utils.http import ( - base36_to_int, cookie_date, http_date, int_to_base36, is_safe_url, - is_same_domain, parse_etags, parse_http_date, quote_etag, urlencode, - urlquote, urlquote_plus, urlsafe_base64_decode, urlsafe_base64_encode, - urlunquote, urlunquote_plus, + base36_to_int, cookie_date, escape_leading_slashes, http_date, + int_to_base36, is_safe_url, is_same_domain, parse_etags, parse_http_date, + quote_etag, urlencode, urlquote, urlquote_plus, urlsafe_base64_decode, + urlsafe_base64_encode, urlunquote, urlunquote_plus, ) @@ -275,3 +275,14 @@ class HttpDateProcessingTests(unittest.TestCase): def test_parsing_asctime(self): parsed = parse_http_date('Sun Nov 6 08:49:37 1994') self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(1994, 11, 6, 8, 49, 37)) + + +class EscapeLeadingSlashesTests(unittest.TestCase): + def test(self): + tests = ( + ('//example.com', '/%2Fexample.com'), + ('//', '/%2F'), + ) + for url, expected in tests: + with self.subTest(url=url): + self.assertEqual(escape_leading_slashes(url), expected) |