diff options
Diffstat (limited to 'tests/regressiontests/file_uploads/tests.py')
| -rw-r--r-- | tests/regressiontests/file_uploads/tests.py | 76 |
1 files changed, 61 insertions, 15 deletions
diff --git a/tests/regressiontests/file_uploads/tests.py b/tests/regressiontests/file_uploads/tests.py index d2b581686f..dd6b7c4181 100644 --- a/tests/regressiontests/file_uploads/tests.py +++ b/tests/regressiontests/file_uploads/tests.py @@ -1,8 +1,15 @@ import os -import sha -import tempfile +import errno +import shutil +import unittest + +from django.core.files import temp as tempfile +from django.core.files.uploadedfile import SimpleUploadedFile from django.test import TestCase, client from django.utils import simplejson +from django.utils.hashcompat import sha_constructor + +from models import FileModel, UPLOAD_ROOT, UPLOAD_TO class FileUploadTests(TestCase): def test_simple_upload(self): @@ -15,7 +22,7 @@ class FileUploadTests(TestCase): def test_large_upload(self): tdir = tempfile.gettempdir() - + file1 = tempfile.NamedTemporaryFile(suffix=".file1", dir=tdir) file1.write('a' * (2 ** 21)) file1.seek(0) @@ -38,10 +45,10 @@ class FileUploadTests(TestCase): for key in post_data.keys(): try: - post_data[key + '_hash'] = sha.new(post_data[key].read()).hexdigest() + post_data[key + '_hash'] = sha_constructor(post_data[key].read()).hexdigest() post_data[key].seek(0) except AttributeError: - post_data[key + '_hash'] = sha.new(post_data[key]).hexdigest() + post_data[key + '_hash'] = sha_constructor(post_data[key]).hexdigest() response = self.client.post('/file_uploads/verify/', post_data) @@ -51,11 +58,11 @@ class FileUploadTests(TestCase): pass self.assertEqual(response.status_code, 200) - + def test_dangerous_file_names(self): """Uploaded file names should be sanitized before ever reaching the view.""" # This test simulates possible directory traversal attacks by a - # malicious uploader We have to do some monkeybusiness here to construct + # malicious uploader We have to do some monkeybusiness here to construct # a malicious payload with an invalid file name (containing os.sep or # os.pardir). This similar to what an attacker would need to do when # trying such an attack. @@ -72,7 +79,7 @@ class FileUploadTests(TestCase): "..\\..\\hax0rd.txt", # Relative path, win-style. "../..\\hax0rd.txt" # Relative path, mixed. ] - + payload = [] for i, name in enumerate(scary_file_names): payload.extend([ @@ -86,7 +93,7 @@ class FileUploadTests(TestCase): '--' + client.BOUNDARY + '--', '', ]) - + payload = "\r\n".join(payload) r = { 'CONTENT_LENGTH': len(payload), @@ -102,7 +109,7 @@ class FileUploadTests(TestCase): for i, name in enumerate(scary_file_names): got = recieved["file%s" % i] self.assertEqual(got, "hax0rd.txt") - + def test_filename_overflow(self): """File names over 256 characters (dangerous on some platforms) get fixed up.""" name = "%s.txt" % ("f"*500) @@ -124,26 +131,26 @@ class FileUploadTests(TestCase): } got = simplejson.loads(self.client.request(**r).content) self.assert_(len(got['file']) < 256, "Got a long file name (%s characters)." % len(got['file'])) - + def test_custom_upload_handler(self): - # A small file (under the 5M quota) + # A small file (under the 5M quota) smallfile = tempfile.NamedTemporaryFile() smallfile.write('a' * (2 ** 21)) # A big file (over the quota) bigfile = tempfile.NamedTemporaryFile() bigfile.write('a' * (10 * 2 ** 20)) - + # Small file posting should work. response = self.client.post('/file_uploads/quota/', {'f': open(smallfile.name)}) got = simplejson.loads(response.content) self.assert_('f' in got) - + # Large files don't go through. response = self.client.post("/file_uploads/quota/", {'f': open(bigfile.name)}) got = simplejson.loads(response.content) self.assert_('f' not in got) - + def test_broken_custom_upload_handler(self): f = tempfile.NamedTemporaryFile() f.write('a' * (2 ** 21)) @@ -179,3 +186,42 @@ class FileUploadTests(TestCase): self.assertEqual(got.get('file1'), 1) self.assertEqual(got.get('file2'), 2) + +class DirectoryCreationTests(unittest.TestCase): + """ + Tests for error handling during directory creation + via _save_FIELD_file (ticket #6450) + """ + def setUp(self): + self.obj = FileModel() + if not os.path.isdir(UPLOAD_ROOT): + os.makedirs(UPLOAD_ROOT) + + def tearDown(self): + os.chmod(UPLOAD_ROOT, 0700) + shutil.rmtree(UPLOAD_ROOT) + + def test_readonly_root(self): + """Permission errors are not swallowed""" + os.chmod(UPLOAD_ROOT, 0500) + try: + self.obj.save_testfile_file('foo.txt', SimpleUploadedFile('foo.txt', 'x')) + except OSError, err: + self.assertEquals(err.errno, errno.EACCES) + except: + self.fail("OSError [Errno %s] not raised" % errno.EACCES) + + def test_not_a_directory(self): + """The correct IOError is raised when the upload directory name exists but isn't a directory""" + # Create a file with the upload directory name + fd = open(UPLOAD_TO, 'w') + fd.close() + try: + self.obj.save_testfile_file('foo.txt', SimpleUploadedFile('foo.txt', 'x')) + except IOError, err: + # The test needs to be done on a specific string as IOError + # is raised even without the patch (just not early enough) + self.assertEquals(err.args[0], + "%s exists and is not a directory" % UPLOAD_TO) + except: + self.fail("IOError not raised") |