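def testCSRF(self):
    """Exercise the CSRF guard of ``fgvalidate``.

    Sequence of checks:
      * POST without an ``_authenticator`` token -> Forbidden
      * POST with a freshly issued token         -> validates, no errors
      * GET carrying the same valid token         -> Forbidden (method check)
      * POST carrying a forged token              -> Forbidden (token check)

    The last two cases build a *new* request and attach the form data to
    that request; the earlier version assigned the forged token to a request
    it then threw away, so the forged-token case was never exercised.
    """
    # for this test, we need a bit more serious request simulation
    from ZPublisher.HTTPRequest import HTTPRequest
    from ZPublisher.HTTPResponse import HTTPResponse

    form_data = {
        "topic": "test subject",
        "replyto": "*****@*****.**",
        "comments": "test comments",
    }

    def make_request(method, form):
        # One environ per request: HTTPRequest keeps a reference to the dict,
        # so sharing it between cases would silently retarget earlier requests.
        environ = {
            "SERVER_NAME": "foo",
            "SERVER_PORT": "80",
            "REQUEST_METHOD": method,
        }
        request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
        # Copy so later edits of the caller's dict do not leak into this request.
        request.form = dict(form)
        return request

    self.ff1.checkAuthenticator = True

    # no token at all -> Forbidden
    request = make_request("POST", form_data)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # with authenticator... no error
    tag = AuthenticatorView("context", "request").authenticator()
    # Token is pulled out of the rendered tag by position (presumably the
    # value attribute of the hidden input); brittle, but it is the convention
    # the rest of this test module relies on.
    token = tag.split('"')[5]
    request.form["_authenticator"] = token
    errors = self.ff1.fgvalidate(REQUEST=request)
    self.assertEqual(errors, {})

    # sneaky GET request: same form data and the *valid* token, so the
    # request method is the only thing that can cause the rejection.
    # NOTE(review): assumes fgvalidate refuses non-POST regardless of the
    # token -- confirm against the fgvalidate implementation.
    valid_form = dict(form_data, _authenticator=token)
    request = make_request("GET", valid_form)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # bad authenticator: proper POST, complete form, forged token
    forged_form = dict(form_data, _authenticator="inauthentic")
    request = make_request("POST", forged_form)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)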
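def testCSRF(self):
    """Check the CSRF guard on ``clearSavedFormInput``.

    Programmatic use (no request argument) is allowed.  A form-driven clear
    must carry a valid ``_authenticator`` token: a missing token and a
    forged token are both refused with ``zExceptions.Forbidden``; a freshly
    issued token is accepted.
    """
    # create a saver and add a record
    self.ff1.invokeFactory('FormSaveDataAdapter', 'saver')
    saver = self.ff1.saver
    self.ff1.setActionAdapter(('saver',))
    request = FakeRequest(topic='test subject',
                          replyto='*****@*****.**',
                          comments='test comments')
    errors = self.ff1.fgvalidate(REQUEST=request)
    self.assertEqual(errors, {})

    # for the rest of this test, we need a bit more serious request simulation
    environ = {
        'SERVER_NAME': 'foo',
        'SERVER_PORT': '80',
        'REQUEST_METHOD': 'POST',
    }
    request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))

    # clearSavedFormInput is part of the API, so it should work if there's no
    # request
    saver.clearSavedFormInput()

    # But, if this is from a form, we should need a valid authenticator
    request.form = {'clearSavedFormInput': '1'}
    self.assertRaises(zExceptions.Forbidden,
                      saver.clearSavedFormInput, request=request)

    # A forged token must be refused exactly like a missing one; without this
    # case a guard that only checks for the key's presence would pass.
    request.form['_authenticator'] = 'inauthentic'
    self.assertRaises(zExceptions.Forbidden,
                      saver.clearSavedFormInput, request=request)

    # with authenticator... no error
    tag = AuthenticatorView('context', 'request').authenticator()
    # token extracted by position from the rendered tag (test-suite convention)
    token = tag.split('"')[5]
    request.form['_authenticator'] = token
    saver.clearSavedFormInput(request=request)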
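def checkAuthenticator(self, path, query='', status=200):
    """Publish ``path`` via POST and verify that it is CSRF-protected.

    Args:
        path: path below the portal root, starting with '/'.
        query: urlencoded POST body, without the ``_authenticator`` field.
        status: HTTP status expected once a valid token is supplied.

    The request is published three times: without a token (must be 403),
    with a forged token (must be 403), and with a freshly issued token
    (must return ``status``).
    """
    credentials = '%s:%s' % (ptc.default_user, ptc.default_password)
    path = '/' + self.portal.absolute_url(relative=True) + path

    def post(body):
        # a fresh StringIO per call: publish() consumes the stdin stream
        return self.publish(path=path, basic=credentials, env={},
                            request_method='POST', stdin=StringIO(body))

    # without authenticator...
    self.assertEqual(post(query).getStatus(), 403)

    # forged authenticator... must be refused just like a missing one
    self.assertEqual(post(query + '&_authenticator=inauthentic').getStatus(), 403)

    # with authenticator...
    tag = AuthenticatorView('context', 'request').authenticator()
    # token extracted by position from the rendered tag (test-suite convention)
    token = tag.split('"')[5]
    self.assertEqual(post(query + '&_authenticator=%s' % token).getStatus(), status)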
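def checkAuthenticator(self, path, query='', status=200):
    """Publish ``path`` via POST and verify that it is CSRF-protected.

    Args:
        path: path below the portal root, starting with '/'.
        query: urlencoded POST body, without the ``_authenticator`` field.
        status: HTTP status expected once a valid token is supplied.

    The request is published three times: without a token (must be 403),
    with a forged token (must be 403), and with a freshly issued token
    (must return ``status``).
    """
    credentials = '%s:%s' % (TEST_USER_NAME, TEST_USER_PASSWORD)
    path = '/' + self.portal.absolute_url(relative=True) + path

    def post(body):
        # a fresh StringIO per call: publish() consumes the stdin stream
        return self.publish(path=path, basic=credentials, env={},
                            request_method='POST', stdin=StringIO(body))

    # without authenticator...
    self.assertEqual(post(query).getStatus(), 403)

    # forged authenticator... must be refused just like a missing one
    self.assertEqual(post(query + '&_authenticator=inauthentic').getStatus(), 403)

    # with authenticator...
    tag = AuthenticatorView('context', 'request').authenticator()
    # token extracted by position from the rendered tag (test-suite convention)
    token = tag.split('"')[5]
    self.assertEqual(post(query + '&_authenticator=%s' % token).getStatus(), status)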
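def testCSRF(self):
    """Exercise the CSRF guard of ``fgvalidate``.

    Sequence of checks:
      * POST without an ``_authenticator`` token -> Forbidden
      * POST with a freshly issued token         -> validates, no errors
      * GET carrying the same valid token         -> Forbidden (method check)
      * POST carrying a forged token              -> Forbidden (token check)

    The last two cases build a *new* request and attach the form data to
    that request; the earlier version assigned the forged token to a request
    it then threw away, so the forged-token case was never exercised.
    """
    # for this test, we need a bit more serious request simulation
    from ZPublisher.HTTPRequest import HTTPRequest
    from ZPublisher.HTTPResponse import HTTPResponse

    form_data = {
        'topic': 'test subject',
        'replyto': '*****@*****.**',
        'comments': 'test comments',
    }

    def make_request(method, form):
        # One environ per request: HTTPRequest keeps a reference to the dict,
        # so sharing it between cases would silently retarget earlier requests.
        environ = {
            'SERVER_NAME': 'foo',
            'SERVER_PORT': '80',
            'REQUEST_METHOD': method,
        }
        request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
        # Copy so later edits of the caller's dict do not leak into this request.
        request.form = dict(form)
        return request

    self.ff1.CSRFProtection = True

    # no token at all -> Forbidden
    request = make_request('POST', form_data)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # with authenticator... no error
    tag = AuthenticatorView('context', 'request').authenticator()
    # Token is pulled out of the rendered tag by position (presumably the
    # value attribute of the hidden input); brittle, but it is the convention
    # the rest of this test module relies on.
    token = tag.split('"')[5]
    request.form['_authenticator'] = token
    errors = self.ff1.fgvalidate(REQUEST=request)
    self.assertEqual(errors, {})

    # sneaky GET request: same form data and the *valid* token, so the
    # request method is the only thing that can cause the rejection.
    # NOTE(review): assumes fgvalidate refuses non-POST regardless of the
    # token -- confirm against the fgvalidate implementation.
    valid_form = dict(form_data, _authenticator=token)
    request = make_request('GET', valid_form)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # bad authenticator: proper POST, complete form, forged token
    forged_form = dict(form_data, _authenticator='inauthentic')
    request = make_request('POST', forged_form)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)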
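def testCSRF(self):
    """Exercise the CSRF guard of ``fgvalidate``.

    Sequence of checks:
      * POST without an ``_authenticator`` token -> Forbidden
      * POST with a freshly issued token         -> validates, no errors
      * GET carrying the same valid token         -> Forbidden (method check)
      * POST carrying a forged token              -> Forbidden (token check)

    The last two cases build a *new* request and attach the form data to
    that request; the earlier version assigned the forged token to a request
    it then threw away, so the forged-token case was never exercised.
    """
    # for this test, we need a bit more serious request simulation
    from ZPublisher.HTTPRequest import HTTPRequest
    from ZPublisher.HTTPResponse import HTTPResponse

    form_data = {
        'topic': 'test subject',
        'replyto': '*****@*****.**',
        'comments': 'test comments',
    }

    def make_request(method, form):
        # One environ per request: HTTPRequest keeps a reference to the dict,
        # so sharing it between cases would silently retarget earlier requests.
        environ = {
            'SERVER_NAME': 'foo',
            'SERVER_PORT': '80',
            'REQUEST_METHOD': method,
        }
        request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
        # Copy so later edits of the caller's dict do not leak into this request.
        request.form = dict(form)
        return request

    self.ff1.checkAuthenticator = True

    # no token at all -> Forbidden
    request = make_request('POST', form_data)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # with authenticator... no error
    tag = AuthenticatorView('context', 'request').authenticator()
    # Token is pulled out of the rendered tag by position (presumably the
    # value attribute of the hidden input); brittle, but it is the convention
    # the rest of this test module relies on.
    token = tag.split('"')[5]
    request.form['_authenticator'] = token
    errors = self.ff1.fgvalidate(REQUEST=request)
    self.assertEqual(errors, {})

    # sneaky GET request: same form data and the *valid* token, so the
    # request method is the only thing that can cause the rejection.
    # NOTE(review): assumes fgvalidate refuses non-POST regardless of the
    # token -- confirm against the fgvalidate implementation.
    valid_form = dict(form_data, _authenticator=token)
    request = make_request('GET', valid_form)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)

    # bad authenticator: proper POST, complete form, forged token
    forged_form = dict(form_data, _authenticator='inauthentic')
    request = make_request('POST', forged_form)
    self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)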
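def testCSRF(self):
    """Check the CSRF guard on ``clearSavedFormInput``.

    Programmatic use (no request argument) is allowed.  A form-driven clear
    must carry a valid ``_authenticator`` token: a missing token and a
    forged token are both refused with ``zExceptions.Forbidden``; a freshly
    issued token is accepted.
    """
    # create a saver and add a record
    self.ff1.invokeFactory('FormSaveDataAdapter', 'saver')
    saver = self.ff1.saver
    self.ff1.setActionAdapter(('saver', ))
    request = FakeRequest(topic='test subject',
                          replyto='*****@*****.**',
                          comments='test comments')
    errors = self.ff1.fgvalidate(REQUEST=request)
    self.assertEqual(errors, {})

    # for the rest of this test, we need a bit more serious request simulation
    environ = {
        'SERVER_NAME': 'foo',
        'SERVER_PORT': '80',
        'REQUEST_METHOD': 'POST',
    }
    request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))

    # clearSavedFormInput is part of the API, so it should work if there's no
    # request
    saver.clearSavedFormInput()

    # But, if this is from a form, we should need a valid authenticator
    request.form = {'clearSavedFormInput': '1'}
    self.assertRaises(zExceptions.Forbidden,
                      saver.clearSavedFormInput, request=request)

    # A forged token must be refused exactly like a missing one; without this
    # case a guard that only checks for the key's presence would pass.
    request.form['_authenticator'] = 'inauthentic'
    self.assertRaises(zExceptions.Forbidden,
                      saver.clearSavedFormInput, request=request)

    # with authenticator... no error
    tag = AuthenticatorView('context', 'request').authenticator()
    # token extracted by position from the rendered tag (test-suite convention)
    token = tag.split('"')[5]
    request.form['_authenticator'] = token
    saver.clearSavedFormInput(request=request)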