blinkster: comparison web/lib/django/contrib/auth/tests/views.py

equal deleted inserted replaced

-:b758351d191f
+:cc9b7e14412b
 import os
 import re
+import urllib
 from django.conf import settings
-from django.contrib.auth import SESSION_KEY
+from django.contrib.auth import SESSION_KEY, REDIRECT_FIELD_NAME
 from django.contrib.auth.forms import AuthenticationForm
 from django.contrib.sites.models import Site, RequestSite
 from django.contrib.auth.models import User
 from django.test import TestCase
 from django.core import mail
 settings.LANGUAGE_CODE = self.old_LANGUAGE_CODE
 settings.TEMPLATE_DIRS = self.old_TEMPLATE_DIRS
 class PasswordResetTest(AuthViewsTestCase):
-def setUp(self):
-self.old_LANGUAGES = settings.LANGUAGES
-self.old_LANGUAGE_CODE = settings.LANGUAGE_CODE
-settings.LANGUAGES = (('en', 'English'),)
-settings.LANGUAGE_CODE = 'en'
-def tearDown(self):
-settings.LANGUAGES = self.old_LANGUAGES
-settings.LANGUAGE_CODE = self.old_LANGUAGE_CODE
 def test_email_not_found(self):
 "Error is raised if the provided email address isn't currently registered"
 response = self.client.get('/password_reset/')
 self.assertEquals(response.status_code, 200)
 response = self.client.post('/password_reset/', {'email': 'not_a_real_email@email.com'})
 site = Site.objects.get_current()
 self.assertEquals(response.context['site'], site)
 self.assertEquals(response.context['site_name'], site.name)
 self.assert_(isinstance(response.context['form'], AuthenticationForm),
 'Login form is not an AuthenticationForm')
+def test_security_check(self, password='password'):
+login_url = reverse('django.contrib.auth.views.login')
+# Those URLs should not pass the security check
+for bad_url in ('http://example.com',
+'https://example.com',
+'ftp://exampel.com',
+'//example.com'):
+nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
+'url': login_url,
+'next': REDIRECT_FIELD_NAME,
+'bad_url': urllib.quote(bad_url)
+}
+response = self.client.post(nasty_url, {
+'username': 'testclient',
+'password': password,
+}
+)
+self.assertEquals(response.status_code, 302)
+self.assertFalse(bad_url in response['Location'], "%s should be blocked" % bad_url)
+# Now, these URLs have an other URL as a GET parameter and therefore
+# should be allowed
+for url_ in ('http://example.com', 'https://example.com',
+'ftp://exampel.com',  '//example.com'):
+safe_url = '%(url)s?%(next)s=/view/?param=%(safe_param)s' % {
+'url': login_url,
+'next': REDIRECT_FIELD_NAME,
+'safe_param': urllib.quote(url_)
+}
+response = self.client.post(safe_url, {
+'username': 'testclient',
+'password': password,
+}
+)
+self.assertEquals(response.status_code, 302)
+self.assertTrue('/view/?param=%s' % url_ in response['Location'], "/view/?param=%s should be allowed" % url_)
 class LogoutTest(AuthViewsTestCase):
 urls = 'django.contrib.auth.tests.urls'
 def login(self, password='password'):

changeset 29	cc9b7e14412b
parent 0	0d40e90630ef