Ejemplo n.º 1
0
    def testCSRF(self):
        """ test csrf protection """

        # for this test, we need a bit more serious request simulation
        from ZPublisher.HTTPRequest import HTTPRequest
        from ZPublisher.HTTPResponse import HTTPResponse

        environ = {}
        environ.setdefault("SERVER_NAME", "foo")
        environ.setdefault("SERVER_PORT", "80")
        environ.setdefault("REQUEST_METHOD", "POST")
        request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))

        request.form = {"topic": "test subject", "replyto": "*****@*****.**", "comments": "test comments"}

        self.ff1.checkAuthenticator = True

        self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

        # with authenticator... no error
        tag = AuthenticatorView("context", "request").authenticator()
        token = tag.split('"')[5]
        request.form["_authenticator"] = token
        errors = self.ff1.fgvalidate(REQUEST=request)
        self.assertEqual(errors, {})

        # sneaky GET request
        environ["REQUEST_METHOD"] = "GET"
        request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
        self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

        # bad authenticator
        request.form["_authenticator"] = "inauthentic"
        request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
        self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
Ejemplo n.º 2
0
def FakeRequest(method='GET', add_auth=False, **kwargs):
    environ = {}
    environ.setdefault('SERVER_NAME', 'foo')
    environ.setdefault('SERVER_PORT', '80')
    environ.setdefault('REQUEST_METHOD', method)
    request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=StringIO()))
    request.form = kwargs
    if add_auth:
        request.form['_authenticator'] = plone.protect.createToken()
    return request
Ejemplo n.º 3
0
def FakeRequest(method='GET', add_auth=False, **kwargs):
    environ = {}
    environ.setdefault('SERVER_NAME', 'foo')
    environ.setdefault('SERVER_PORT', '80')
    environ.setdefault('REQUEST_METHOD', method)
    request = HTTPRequest(sys.stdin,
                          environ,
                          HTTPResponse(stdout=StringIO()))
    request.form = kwargs
    if add_auth:
        request.form['_authenticator'] = plone.protect.createToken()
    return request
Ejemplo n.º 4
0
def FakeRequest(method="GET", add_auth=False, **kwargs):
    environ = {}
    environ.setdefault("SERVER_NAME", "foo")
    environ.setdefault("SERVER_PORT", "80")
    environ.setdefault("REQUEST_METHOD", method)
    if api.env.plone_version() < "5.2":
        # manually set stdout for Plone < 5.2
        request = HTTPRequest(sys.stdin, environ,
                              HTTPResponse(stdout=BytesIO()))
    else:
        request = HTTPRequest(sys.stdin, environ, HTTPResponse())
    request.form = kwargs
    if add_auth:
        request.form["_authenticator"] = plone.protect.createToken()
    return request
    def testCSRF(self):
        """ test csrf protection """

        # for this test, we need a bit more serious request simulation
        from ZPublisher.HTTPRequest import HTTPRequest
        from ZPublisher.HTTPResponse import HTTPResponse
        environ = {}
        environ.setdefault('SERVER_NAME', 'foo')
        environ.setdefault('SERVER_PORT', '80')
        environ.setdefault('REQUEST_METHOD', 'POST')
        request = HTTPRequest(sys.stdin,
                              environ,
                              HTTPResponse(stdout=sys.stdout))

        request.form = {
            'topic': 'test subject',
            'replyto': '*****@*****.**',
            'comments': 'test comments',
        }

        self.ff1.CSRFProtection = True

        self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

        # with authenticator... no error
        tag = AuthenticatorView('context', 'request').authenticator()
        token = tag.split('"')[5]
        request.form['_authenticator'] = token
        errors = self.ff1.fgvalidate(REQUEST=request)
        self.assertEqual(errors, {})

        # sneaky GET request
        environ['REQUEST_METHOD'] = 'GET'
        request = HTTPRequest(sys.stdin,
                              environ,
                              HTTPResponse(stdout=sys.stdout))
        self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

        # bad authenticator
        request.form['_authenticator'] = 'inauthentic'
        request = HTTPRequest(sys.stdin,
                              environ,
                              HTTPResponse(stdout=sys.stdout))
        self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
Ejemplo n.º 6
0
    def testCSRF(self):
        """ test csrf protection """

        # for this test, we need a bit more serious request simulation
        from ZPublisher.HTTPRequest import HTTPRequest
        from ZPublisher.HTTPResponse import HTTPResponse
        environ = {}
        environ.setdefault('SERVER_NAME', 'foo')
        environ.setdefault('SERVER_PORT', '80')
        environ.setdefault('REQUEST_METHOD',  'POST')
        request = HTTPRequest(sys.stdin,
                    environ,
                    HTTPResponse(stdout=sys.stdout))

        request.form = \
             {'topic':'test subject',
              'replyto':'*****@*****.**',
              'comments':'test comments'}

        self.ff1.checkAuthenticator = True

        self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

        # with authenticator... no error
        tag = AuthenticatorView('context', 'request').authenticator()
        token = tag.split('"')[5]
        request.form['_authenticator'] = token
        errors = self.ff1.fgvalidate(REQUEST=request)
        self.assertEqual( errors, {} )

        # sneaky GET request
        environ['REQUEST_METHOD'] = 'GET'
        request = HTTPRequest(sys.stdin,
                    environ,
                    HTTPResponse(stdout=sys.stdout))
        self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

        # bad authenticator
        request.form['_authenticator'] = 'inauthentic'
        request = HTTPRequest(sys.stdin,
                    environ,
                    HTTPResponse(stdout=sys.stdout))
        self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)