def testCSRF(self):
""" test csrf protection """
# for this test, we need a bit more serious request simulation
from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse
environ = {}
environ.setdefault("SERVER_NAME", "foo")
environ.setdefault("SERVER_PORT", "80")
environ.setdefault("REQUEST_METHOD", "POST")
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
request.form = {"topic": "test subject", "replyto": "*****@*****.**", "comments": "test comments"}
self.ff1.checkAuthenticator = True
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# with authenticator... no error
tag = AuthenticatorView("context", "request").authenticator()
token = tag.split('"')[5]
request.form["_authenticator"] = token
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual(errors, {})
# sneaky GET request
environ["REQUEST_METHOD"] = "GET"
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# bad authenticator
request.form["_authenticator"] = "inauthentic"
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
def testCSRF(self):
""" test CSRF check on data clear """
# create a saver and add a record
self.ff1.invokeFactory('FormSaveDataAdapter', 'saver')
saver = self.ff1.saver
self.ff1.setActionAdapter( ('saver',) )
request = FakeRequest(topic = 'test subject', replyto='*****@*****.**', comments='test comments')
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual( errors, {} )
# for the rest of this test, we need a bit more serious request simulation
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
# clearSavedFormInput is part of the API, so it should work if there's no
# request
saver.clearSavedFormInput()
# But, if this is from a form, we should need a valid authenticator
request.form = {'clearSavedFormInput':'1',}
self.assertRaises(zExceptions.Forbidden, saver.clearSavedFormInput, **{'request':request})
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
saver.clearSavedFormInput(request=request)
def checkAuthenticator(self, path, query='', status=200):
credentials = '%s:%s' % (ptc.default_user, ptc.default_password)
path = '/' + self.portal.absolute_url(relative=True) + path
data = StringIO(query)
# without authenticator...
response = self.publish(path=path, basic=credentials, env={},
request_method='POST', stdin=data)
self.assertEqual(response.getStatus(), 403)
# with authenticator...
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
data = StringIO(query + '&_authenticator=%s' % token)
response = self.publish(path=path, basic=credentials, env={},
request_method='POST', stdin=data)
self.assertEqual(response.getStatus(), status)
def checkAuthenticator(self, path, query='', status=200):
credentials = '%s:%s' % (TEST_USER_NAME, TEST_USER_PASSWORD)
path = '/' + self.portal.absolute_url(relative=True) + path
data = StringIO(query)
# without authenticator...
response = self.publish(path=path, basic=credentials, env={},
request_method='POST', stdin=data)
self.assertEqual(response.getStatus(), 403)
# with authenticator...
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
data = StringIO(query + '&_authenticator=%s' % token)
response = self.publish(path=path, basic=credentials, env={},
request_method='POST', stdin=data)
self.assertEqual(response.getStatus(), status)
def testCSRF(self):
""" test csrf protection """
# for this test, we need a bit more serious request simulation
from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
request.form = {
'topic': 'test subject',
'replyto': '*****@*****.**',
'comments': 'test comments',
}
self.ff1.CSRFProtection = True
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual(errors, {})
# sneaky GET request
environ['REQUEST_METHOD'] = 'GET'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# bad authenticator
request.form['_authenticator'] = 'inauthentic'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
def testCSRF(self):
""" test csrf protection """
# for this test, we need a bit more serious request simulation
from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
request.form = \
{'topic':'test subject',
'replyto':'*****@*****.**',
'comments':'test comments'}
self.ff1.checkAuthenticator = True
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual( errors, {} )
# sneaky GET request
environ['REQUEST_METHOD'] = 'GET'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# bad authenticator
request.form['_authenticator'] = 'inauthentic'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
def testCSRF(self):
""" test CSRF check on data clear """
# create a saver and add a record
self.ff1.invokeFactory('FormSaveDataAdapter', 'saver')
saver = self.ff1.saver
self.ff1.setActionAdapter(('saver', ))
request = FakeRequest(topic='test subject',
replyto='*****@*****.**',
comments='test comments')
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual(errors, {})
# for the rest of this test, we need a bit more serious request simulation
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin, environ,
HTTPResponse(stdout=sys.stdout))
# clearSavedFormInput is part of the API, so it should work if there's no
# request
saver.clearSavedFormInput()
# But, if this is from a form, we should need a valid authenticator
request.form = {
'clearSavedFormInput': '1',
}
self.assertRaises(zExceptions.Forbidden, saver.clearSavedFormInput,
**{'request': request})
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
saver.clearSavedFormInput(request=request)
