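def testCSRF(self):
    """Exercise the form's CSRF guard through ``fgvalidate``.

    Four cases are checked: a POST without a token is refused, a POST
    carrying a freshly minted token passes, a GET is refused even though
    it carries that same valid token, and a POST carrying a forged token
    is refused.

    The earlier version of this test built the last two requests *before*
    putting the token into the form (and left REQUEST_METHOD at GET for
    the forged-token case), so those two assertions only ever saw an
    empty GET request and proved nothing about the method check or the
    token check.  Each request is now built first and its form filled in
    afterwards.
    """
    # plone.protect reads the method and the form off a real ZPublisher
    # request, so a plain dict is not enough here
    from ZPublisher.HTTPRequest import HTTPRequest
    from ZPublisher.HTTPResponse import HTTPResponse

    form = {
        "topic": "test subject",
        "replyto": "*****@*****.**",
        "comments": "test comments",
    }
    environ = {
        "SERVER_NAME": "foo",
        "SERVER_PORT": "80",
        "REQUEST_METHOD": "POST",
    }

    def make_request(method, **extra):
        """Return a fresh request using ``method`` and the base form plus ``extra``."""
        environ["REQUEST_METHOD"] = method
        request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
        # a fresh HTTPRequest carries none of the form data set on a
        # previous request object, so the form has to be assigned here
        request.form = dict(form, **extra)
        return request

    self.ff1.checkAuthenticator = True

    # POST without any token: must be refused
    request = make_request("POST")
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # POST with a valid token: validates cleanly
    tag = AuthenticatorView("context", "request").authenticator()
    # NOTE(review): assumes the token is the third quoted attribute value in
    # the rendered <input> markup, as the original extraction did -- confirm
    # against AuthenticatorView's template before relying on this
    token = tag.split('"')[5]
    request = make_request("POST", _authenticator=token)
    errors = self.ff1.fgvalidate(REQUEST=request)
    self.assertEqual(errors, {})

    # GET carrying the *valid* token: the method check alone must refuse it
    request = make_request("GET", _authenticator=token)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # POST carrying a forged token: the token check must refuse it
    request = make_request("POST", _authenticator="inauthentic")
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)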
def FakeRequest(method='GET', add_auth=False, **kwargs):
    """Build a minimal ZPublisher request for use in tests.

    ``method`` becomes the request's REQUEST_METHOD and ``kwargs`` become
    its form.  With ``add_auth`` a token freshly created by
    ``plone.protect.createToken()`` is stored under ``_authenticator``;
    without it the form carries no token, which is the way to drive the
    negative (CSRF-rejected) path of whatever is under test.
    """
    environ = {
        'SERVER_NAME': 'foo',
        'SERVER_PORT': '80',
        'REQUEST_METHOD': method,
    }
    # output is discarded: nothing in the tests reads the response body
    response = HTTPResponse(stdout=StringIO())
    fake = HTTPRequest(sys.stdin, environ, response)
    form = dict(kwargs)
    if add_auth:
        form['_authenticator'] = plone.protect.createToken()
    fake.form = form
    return fake
def FakeRequest(method='GET', add_auth=False, **kwargs):
    """Return a throw-away ZPublisher request for tests.

    The request's REQUEST_METHOD is ``method`` and its form is ``kwargs``.
    When ``add_auth`` is true a server-side token from
    ``plone.protect.createToken()`` is added as ``_authenticator``;
    otherwise the form is left without a token so that token-checked code
    can be exercised on its rejection path.
    """
    env = {}
    env['SERVER_NAME'] = 'foo'
    env['SERVER_PORT'] = '80'
    env['REQUEST_METHOD'] = method
    # response output is thrown away; tests only look at the request
    req = HTTPRequest(sys.stdin, env, HTTPResponse(stdout=StringIO()))
    fields = kwargs
    if add_auth:
        fields = dict(fields, _authenticator=plone.protect.createToken())
    req.form = fields
    return req
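def _plone_before_5_2():
    """Return True when the running Plone is older than 5.2.

    Compares the leading major/minor numbers of the version rather than
    the raw string: a plain string comparison orders "5.10" before "5.2".
    If the version does not start with numeric components the original
    string comparison is used as a fallback.
    """
    version = api.env.plone_version()
    major_minor = []
    for piece in str(version).split(".")[:2]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            return version < "5.2"
        major_minor.append(int(digits))
    if len(major_minor) == 1:
        major_minor.append(0)  # a bare "5" counts as 5.0
    return tuple(major_minor) < (5, 2)


def FakeRequest(method="GET", add_auth=False, **kwargs):
    """Build a minimal ZPublisher request for tests.

    ``method`` becomes the request's REQUEST_METHOD and ``kwargs`` become
    its form.  With ``add_auth`` a token freshly created by
    ``plone.protect.createToken()`` is stored under ``_authenticator``;
    without it the form carries no token, which drives the negative
    (CSRF-rejected) path of whatever is under test.
    """
    environ = {
        "SERVER_NAME": "foo",
        "SERVER_PORT": "80",
        "REQUEST_METHOD": method,
    }
    if _plone_before_5_2():
        # older HTTPResponse needs an explicit stdout; the output is discarded
        response = HTTPResponse(stdout=BytesIO())
    else:
        response = HTTPResponse()
    request = HTTPRequest(sys.stdin, environ, response)
    form = dict(kwargs)
    if add_auth:
        form["_authenticator"] = plone.protect.createToken()
    request.form = form
    return request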
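def testCSRF(self):
    """Exercise the form's CSRF guard through ``fgvalidate``.

    Four cases are checked: a POST without a token is refused, a POST
    carrying a freshly minted token passes, a GET is refused even though
    it carries that same valid token, and a POST carrying a forged token
    is refused.

    The earlier version of this test built the last two requests *before*
    putting the token into the form (and left REQUEST_METHOD at GET for
    the forged-token case), so those two assertions only ever saw an
    empty GET request and proved nothing about the method check or the
    token check.  Each request is now built first and its form filled in
    afterwards.
    """
    # plone.protect reads the method and the form off a real ZPublisher
    # request, so a plain dict is not enough here
    from ZPublisher.HTTPRequest import HTTPRequest
    from ZPublisher.HTTPResponse import HTTPResponse

    form = {
        'topic': 'test subject',
        'replyto': '*****@*****.**',
        'comments': 'test comments',
    }
    environ = {
        'SERVER_NAME': 'foo',
        'SERVER_PORT': '80',
        'REQUEST_METHOD': 'POST',
    }

    def make_request(method, **extra):
        """Return a fresh request using ``method`` and the base form plus ``extra``."""
        environ['REQUEST_METHOD'] = method
        request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
        # a fresh HTTPRequest carries none of the form data set on a
        # previous request object, so the form has to be assigned here
        request.form = dict(form, **extra)
        return request

    self.ff1.CSRFProtection = True

    # POST without any token: must be refused
    request = make_request('POST')
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # POST with a valid token: validates cleanly
    tag = AuthenticatorView('context', 'request').authenticator()
    # NOTE(review): assumes the token is the third quoted attribute value in
    # the rendered <input> markup, as the original extraction did -- confirm
    # against AuthenticatorView's template before relying on this
    token = tag.split('"')[5]
    request = make_request('POST', _authenticator=token)
    errors = self.ff1.fgvalidate(REQUEST=request)
    self.assertEqual(errors, {})

    # GET carrying the *valid* token: the method check alone must refuse it
    request = make_request('GET', _authenticator=token)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # POST carrying a forged token: the token check must refuse it
    request = make_request('POST', _authenticator='inauthentic')
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)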
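def testCSRF(self):
    """Exercise the form's CSRF guard through ``fgvalidate``.

    Four cases are checked: a POST without a token is refused, a POST
    carrying a freshly minted token passes, a GET is refused even though
    it carries that same valid token, and a POST carrying a forged token
    is refused.

    The earlier version of this test built the last two requests *before*
    putting the token into the form (and left REQUEST_METHOD at GET for
    the forged-token case), so those two assertions only ever saw an
    empty GET request and proved nothing about the method check or the
    token check.  Each request is now built first and its form filled in
    afterwards.
    """
    # plone.protect reads the method and the form off a real ZPublisher
    # request, so a plain dict is not enough here
    from ZPublisher.HTTPRequest import HTTPRequest
    from ZPublisher.HTTPResponse import HTTPResponse

    form = {
        'topic': 'test subject',
        'replyto': '*****@*****.**',
        'comments': 'test comments',
    }
    environ = {
        'SERVER_NAME': 'foo',
        'SERVER_PORT': '80',
        'REQUEST_METHOD': 'POST',
    }

    def make_request(method, **extra):
        """Return a fresh request using ``method`` and the base form plus ``extra``."""
        environ['REQUEST_METHOD'] = method
        request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
        # a fresh HTTPRequest carries none of the form data set on a
        # previous request object, so the form has to be assigned here
        request.form = dict(form, **extra)
        return request

    self.ff1.checkAuthenticator = True

    # POST without any token: must be refused
    request = make_request('POST')
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # POST with a valid token: validates cleanly
    tag = AuthenticatorView('context', 'request').authenticator()
    # NOTE(review): assumes the token is the third quoted attribute value in
    # the rendered <input> markup, as the original extraction did -- confirm
    # against AuthenticatorView's template before relying on this
    token = tag.split('"')[5]
    request = make_request('POST', _authenticator=token)
    errors = self.ff1.fgvalidate(REQUEST=request)
    self.assertEqual(errors, {})

    # GET carrying the *valid* token: the method check alone must refuse it
    request = make_request('GET', _authenticator=token)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # POST carrying a forged token: the token check must refuse it
    request = make_request('POST', _authenticator='inauthentic')
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)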