def test_post_text_html_disables_xss(self):
"""POST request with content-type text/html disables XSS
protection (#12926).
"""
status_sent = []
headers_sent = {}
buf = io.BytesIO()
def write(data):
buf.write(data)
def start_response(status, headers):
status_sent.append(status)
headers_sent.update(dict(headers))
return write
content_type = 'text/html'
content = "The content"
environ = _make_environ(method='POST',
**{
'wsgi.input': io.BytesIO(content),
'CONTENT_LENGTH': str(len(content)),
'CONTENT_TYPE': content_type
})
req = Request(environ, start_response)
with self.assertRaises(RequestDone):
req.send(content, content_type)
self.assertIn('0', headers_sent['X-XSS-Protection'])
def send_project_index(environ,
start_response,
parent_dir=None,
env_paths=None):
req = Request(environ, start_response)
loadpaths = [pkg_resources.resource_filename('trac', 'templates')]
if req.environ.get('trac.env_index_template'):
env_index_template = req.environ['trac.env_index_template']
tmpl_path, template = os.path.split(env_index_template)
loadpaths.insert(0, tmpl_path)
else:
template = 'index.html'
data = {
'trac': {
'version': TRAC_VERSION,
'time': user_time(req, format_datetime)
},
'req': req
}
if req.environ.get('trac.template_vars'):
for pair in req.environ['trac.template_vars'].split(','):
key, val = pair.split('=')
data[key] = val
try:
href = Href(req.base_path)
projects = []
for env_name, env_path in get_environments(environ).items():
try:
env = open_environment(env_path,
use_cache=not environ['wsgi.run_once'])
proj = {
'env': env,
'name': env.project_name,
'description': env.project_description,
'href': href(env_name)
}
except Exception, e:
proj = {'name': env_name, 'description': to_unicode(e)}
projects.append(proj)
projects.sort(lambda x, y: cmp(x['name'].lower(), y['name'].lower()))
data['projects'] = projects
loader = TemplateLoader(loadpaths,
variable_lookup='lenient',
default_encoding='utf-8')
tmpl = loader.load(template)
stream = tmpl.generate(**data)
if template.endswith('.xml'):
output = stream.render('xml')
req.send(output, 'text/xml')
else:
output = stream.render('xhtml',
doctype=DocType.XHTML_STRICT,
encoding='utf-8')
req.send(output, 'text/html')
def send_project_index(environ,
start_response,
parent_dir=None,
env_paths=None):
req = Request(environ, start_response)
loadpaths = [pkg_resources.resource_filename('trac', 'templates')]
if req.environ.get('trac.env_index_template'):
env_index_template = req.environ['trac.env_index_template']
tmpl_path, template = os.path.split(env_index_template)
loadpaths.insert(0, tmpl_path)
else:
template = 'index.html'
data = {
'trac': {
'version': TRAC_VERSION,
'time': user_time(req, format_datetime)
},
'req': req
}
if req.environ.get('trac.template_vars'):
for pair in req.environ['trac.template_vars'].split(','):
key, val = pair.split('=')
data[key] = val
try:
href = Href(req.base_path)
projects = []
for env_name, env_path in get_environments(environ).items():
try:
env = open_environment(env_path,
use_cache=not environ['wsgi.run_once'])
proj = {
'env': env,
'name': env.project_name,
'description': env.project_description,
'href': href(env_name)
}
except Exception as e:
proj = {'name': env_name, 'description': to_unicode(e)}
projects.append(proj)
projects.sort(key=lambda proj: proj['name'].lower())
data['projects'] = projects
jenv = jinja2env(loader=FileSystemLoader(loadpaths))
jenv.globals.update(translation.functions)
tmpl = jenv.get_template(template)
output = valid_html_bytes(tmpl.render(**data).encode('utf-8'))
if template.endswith('.xml'):
req.send(output, 'text/xml')
else:
req.send(output, 'text/html')
except RequestDone:
pass
def send_project_index(environ, start_response, parent_dir=None,
env_paths=None):
req = Request(environ, start_response)
loadpaths = [pkg_resources.resource_filename('trac', 'templates')]
if req.environ.get('trac.env_index_template'):
env_index_template = req.environ['trac.env_index_template']
tmpl_path, template = os.path.split(env_index_template)
loadpaths.insert(0, tmpl_path)
else:
template = 'index.html'
data = {'trac': {'version': TRAC_VERSION,
'time': user_time(req, format_datetime)},
'req': req}
if req.environ.get('trac.template_vars'):
for pair in req.environ['trac.template_vars'].split(','):
key, val = pair.split('=')
data[key] = val
try:
href = Href(req.base_path)
projects = []
for env_name, env_path in get_environments(environ).items():
try:
env = open_environment(env_path,
use_cache=not environ['wsgi.run_once'])
proj = {
'env': env,
'name': env.project_name,
'description': env.project_description,
'href': href(env_name)
}
except Exception as e:
proj = {'name': env_name, 'description': to_unicode(e)}
projects.append(proj)
projects.sort(lambda x, y: cmp(x['name'].lower(), y['name'].lower()))
data['projects'] = projects
loader = TemplateLoader(loadpaths, variable_lookup='lenient',
default_encoding='utf-8')
tmpl = loader.load(template)
stream = tmpl.generate(**data)
if template.endswith('.xml'):
output = stream.render('xml')
req.send(output, 'text/xml')
else:
output = stream.render('xhtml', doctype=DocType.XHTML_STRICT,
encoding='utf-8')
req.send(output, 'text/html')
except RequestDone:
pass
