def testCSRF(self):
""" test csrf protection """
# for this test, we need a bit more serious request simulation
from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse
environ = {}
environ.setdefault("SERVER_NAME", "foo")
environ.setdefault("SERVER_PORT", "80")
environ.setdefault("REQUEST_METHOD", "POST")
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
request.form = {"topic": "test subject", "replyto": "*****@*****.**", "comments": "test comments"}
self.ff1.checkAuthenticator = True
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# with authenticator... no error
tag = AuthenticatorView("context", "request").authenticator()
token = tag.split('"')[5]
request.form["_authenticator"] = token
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual(errors, {})
# sneaky GET request
environ["REQUEST_METHOD"] = "GET"
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# bad authenticator
request.form["_authenticator"] = "inauthentic"
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
def FakeRequest(method='GET', add_auth=False, **kwargs):
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', method)
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=StringIO()))
request.form = kwargs
if add_auth:
request.form['_authenticator'] = plone.protect.createToken()
return request
def FakeRequest(method='GET', add_auth=False, **kwargs):
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', method)
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=StringIO()))
request.form = kwargs
if add_auth:
request.form['_authenticator'] = plone.protect.createToken()
return request
def FakeRequest(method="GET", add_auth=False, **kwargs):
environ = {}
environ.setdefault("SERVER_NAME", "foo")
environ.setdefault("SERVER_PORT", "80")
environ.setdefault("REQUEST_METHOD", method)
if api.env.plone_version() < "5.2":
# manually set stdout for Plone < 5.2
request = HTTPRequest(sys.stdin, environ,
HTTPResponse(stdout=BytesIO()))
else:
request = HTTPRequest(sys.stdin, environ, HTTPResponse())
request.form = kwargs
if add_auth:
request.form["_authenticator"] = plone.protect.createToken()
return request
def testCSRF(self):
""" test csrf protection """
# for this test, we need a bit more serious request simulation
from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
request.form = {
'topic': 'test subject',
'replyto': '*****@*****.**',
'comments': 'test comments',
}
self.ff1.CSRFProtection = True
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual(errors, {})
# sneaky GET request
environ['REQUEST_METHOD'] = 'GET'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# bad authenticator
request.form['_authenticator'] = 'inauthentic'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
def testCSRF(self):
""" test csrf protection """
# for this test, we need a bit more serious request simulation
from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
request.form = \
{'topic':'test subject',
'replyto':'*****@*****.**',
'comments':'test comments'}
self.ff1.checkAuthenticator = True
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual( errors, {} )
# sneaky GET request
environ['REQUEST_METHOD'] = 'GET'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# bad authenticator
request.form['_authenticator'] = 'inauthentic'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
