Ejemplo n.º 1
0
    def test_process_request_replace_https_referer(self):
        post_middleware = CorsPostCsrfMiddleware()
        request = Mock(path='/')
        request.method = 'GET'
        request.is_secure = lambda: False
        request.META = {
            'HTTP_REFERER': 'http://foo.google.com/',
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'http://foo.google.com',
        }

        # test that we won't replace if the request is not secure
        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_request(request)
        self.assertIsNone(response)
        self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
        self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/')

        request.is_secure = lambda: True
        request.META = {
            'HTTP_REFERER': 'https://foo.google.com/',
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }

        # test that we won't replace with the setting off
        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*'):
            response = self.middleware.process_request(request)
        self.assertIsNone(response)
        self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')

        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_request(request)
        self.assertIsNone(response)
        self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')

        # make sure the replace code is idempotent
        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_view(request, None, None, None)
        self.assertIsNone(response)
        self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')

        with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
            post_middleware.process_request(request)
        self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')

        with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
            response = post_middleware.process_request(request)
        self.assertIsNone(response)
Ejemplo n.º 2
0
    def test_process_view_replace_https_referer(self):
        post_middleware = CorsPostCsrfMiddleware()
        request = Mock(path='/')
        request.method = 'GET'
        request.is_secure = lambda: True
        request.META = {
            'HTTP_REFERER': 'https://foo.google.com/',
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }
        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_view(request, None, None, None)
        self.assertIsNone(response)
        self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')

        with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
            post_middleware.process_view(request, None, None, None)
        self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')

        with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
            response = post_middleware.process_view(request, None, None, None)
        self.assertIsNone(response)
Ejemplo n.º 3
0
    def test_process_view_replace_https_referer(self):
        post_middleware = CorsPostCsrfMiddleware()
        request = Mock(path='/')
        request.method = 'GET'
        request.is_secure = lambda: True
        request.META = {
            'HTTP_REFERER': 'https://foo.google.com/',
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }
        with override_settings(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_view(request, None, None, None)
        self.assertIsNone(response)
        self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')

        with override_settings(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
            post_middleware.process_view(request, None, None, None)
        self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')

        with override_settings(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
            response = post_middleware.process_view(request, None, None, None)
        self.assertIsNone(response)
Ejemplo n.º 4
0
    def test_process_view_replace_https_referer(self):
        post_middleware = CorsPostCsrfMiddleware()
        request = self.req_factory.get(
            '/',
            HTTP_FAKE_SECURE='true',
            HTTP_HOST='foobar.com',
            HTTP_ORIGIN='https://foo.google.com',
            HTTP_REFERER='https://foo.google.com/',
        )
        response = self.middleware.process_view(request, None, None, None)
        assert response is None
        assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
        assert request.META['HTTP_REFERER'] == 'https://foobar.com/'

        post_middleware.process_view(request, None, None, None)
        assert 'ORIGINAL_HTTP_REFERER' not in request.META
        assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'

        response = post_middleware.process_view(request, None, None, None)
        assert response is None
Ejemplo n.º 5
0
    def test_process_view_replace_https_referer(self):
        post_middleware = CorsPostCsrfMiddleware()
        request = Mock(path='/')
        request.method = 'GET'
        request.is_secure = lambda: True
        request.META = {
            'HTTP_REFERER': 'https://foo.google.com/',
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }
        response = self.middleware.process_view(request, None, None, None)
        assert response is None
        assert request.META[
            'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
        assert request.META['HTTP_REFERER'] == 'https://foobar.com/'

        post_middleware.process_view(request, None, None, None)
        assert 'ORIGINAL_HTTP_REFERER' not in request.META
        assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'

        response = post_middleware.process_view(request, None, None, None)
        assert response is None
Ejemplo n.º 6
0
    def test_process_request_replace_https_referer(self):
        post_middleware = CorsPostCsrfMiddleware()
        request = Mock(path='/')
        request.method = 'GET'
        request.is_secure = lambda: True

        # make sure it doesnt blow up when HTTP_REFERER is not present
        request.META = {
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }
        response = self.middleware.process_request(request)
        assert response is None

        # make sure it doesnt blow up when HTTP_HOST is not present
        request.META = {
            'HTTP_REFERER': 'http://foo.google.com/',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }
        response = self.middleware.process_request(request)
        assert response is None

        request.is_secure = lambda: False
        request.META = {
            'HTTP_REFERER': 'http://foo.google.com/',
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'http://foo.google.com',
        }

        # test that we won't replace if the request is not secure
        response = self.middleware.process_request(request)
        assert response is None
        assert 'ORIGINAL_HTTP_REFERER' not in request.META
        assert request.META['HTTP_REFERER'] == 'http://foo.google.com/'

        request.is_secure = lambda: True
        request.META = {
            'HTTP_REFERER': 'https://foo.google.com/',
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }

        # test that we won't replace with the setting off
        with override_settings(CORS_REPLACE_HTTPS_REFERER=False):
            response = self.middleware.process_request(request)
        assert response is None
        assert 'ORIGINAL_HTTP_REFERER' not in request.META
        assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'

        response = self.middleware.process_request(request)
        assert response is None
        assert request.META[
            'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
        assert request.META['HTTP_REFERER'] == 'https://foobar.com/'

        # make sure the replace code is idempotent
        response = self.middleware.process_view(request, None, None, None)
        assert response is None
        assert request.META[
            'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
        assert request.META['HTTP_REFERER'] == 'https://foobar.com/'

        post_middleware.process_request(request)
        assert 'ORIGINAL_HTTP_REFERER' not in request.META
        assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'

        response = post_middleware.process_request(request)
        assert response is None
Ejemplo n.º 7
0
    def test_process_request_replace_https_referer(self):
        post_middleware = CorsPostCsrfMiddleware()
        request = Mock(path='/')
        request.method = 'GET'
        request.is_secure = lambda: True

        # make sure it doesnt blow up when HTTP_REFERER is not present
        request.META = {
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }
        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_request(request)
        self.assertIsNone(response)

        # make sure it doesnt blow up when HTTP_HOST is not present
        request.META = {
            'HTTP_REFERER': 'http://foo.google.com/',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }
        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_request(request)
        self.assertIsNone(response)

        request.is_secure = lambda: False
        request.META = {
            'HTTP_REFERER': 'http://foo.google.com/',
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'http://foo.google.com',
        }

        # test that we won't replace if the request is not secure
        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_request(request)
        self.assertIsNone(response)
        self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
        self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/')

        request.is_secure = lambda: True
        request.META = {
            'HTTP_REFERER': 'https://foo.google.com/',
            'HTTP_HOST': 'foobar.com',
            'HTTP_ORIGIN': 'https://foo.google.com',
        }

        # test that we won't replace with the setting off
        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*'):
            response = self.middleware.process_request(request)
        self.assertIsNone(response)
        self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')

        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_request(request)
        self.assertIsNone(response)
        self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')

        # make sure the replace code is idempotent
        with settings_override(CORS_URLS_REGEX='^.*$',
                               CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
                               CORS_REPLACE_HTTPS_REFERER=True):
            response = self.middleware.process_view(request, None, None, None)
        self.assertIsNone(response)
        self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')

        with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
            post_middleware.process_request(request)
        self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
        self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')

        with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
            response = post_middleware.process_request(request)
        self.assertIsNone(response)
Ejemplo n.º 8
0
    def test_process_request_replace_https_referer(self):
        post_middleware = CorsPostCsrfMiddleware()

        # make sure it doesnt blow up when HTTP_REFERER is not present
        request = self.req_factory.get(
            '/',
            HTTP_FAKE_SECURE='true',
            HTTP_HOST='foobar.com',
            HTTP_ORIGIN='https://foo.google.com',
        )
        response = self.middleware.process_request(request)
        assert response is None

        # make sure it doesnt blow up when HTTP_HOST is not present
        request = self.req_factory.get(
            '/',
            HTTP_FAKE_SECURE='true',
            HTTP_ORIGIN='https://foo.google.com',
            HTTP_REFERER='http://foo.google.com/',
        )
        response = self.middleware.process_request(request)
        assert response is None

        # test that we won't replace if the request is not secure
        request = self.req_factory.get(
            '/',
            HTTP_HOST='foobar.com',
            HTTP_ORIGIN='http://foo.google.com',
            HTTP_REFERER='http://foo.google.com/',
        )
        response = self.middleware.process_request(request)
        assert response is None
        assert 'ORIGINAL_HTTP_REFERER' not in request.META
        assert request.META['HTTP_REFERER'] == 'http://foo.google.com/'

        # test that we won't replace with the setting off
        request = self.req_factory.get(
            '/',
            HTTP_FAKE_SECURE='true',
            HTTP_HOST='foobar.com',
            HTTP_ORIGIN='https://foo.google.com',
            HTTP_REFERER='https://foo.google.com/',
        )
        with override_settings(CORS_REPLACE_HTTPS_REFERER=False):
            response = self.middleware.process_request(request)
        assert response is None
        assert 'ORIGINAL_HTTP_REFERER' not in request.META
        assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'

        response = self.middleware.process_request(request)
        assert response is None
        assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
        assert request.META['HTTP_REFERER'] == 'https://foobar.com/'

        # make sure the replace code is idempotent
        response = self.middleware.process_view(request, None, None, None)
        assert response is None
        assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
        assert request.META['HTTP_REFERER'] == 'https://foobar.com/'

        post_middleware.process_request(request)
        assert 'ORIGINAL_HTTP_REFERER' not in request.META
        assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'

        response = post_middleware.process_request(request)
        assert response is None