def test_clean_url(self, get_current):
    """Check that a same-site absolute ``next`` URL loses its scheme and host.

    The mocked current site is ``su.mo.com``. Both the https and the http
    form of a URL on that host must come back as path plus query string only.
    """
    get_current.return_value.domain = "su.mo.com"
    # (submitted ``next`` value, expected cleaned result)
    cases = (
        ("https://su.mo.com/kb/new?f=b", "/kb/new?f=b"),
        ("http://su.mo.com/kb/new", "/kb/new"),
    )
    for submitted, expected in cases:
        request = RequestFactory().post("/users/login", {"next": submitted})
        eq_(expected, _clean_next_url(request))
def test_clean_url(self, get_current):
    '''Check that a same-site absolute ``next`` URL loses its scheme and host.

    The mocked current site is ``su.mo.com``. Both the https and the http
    form of a URL on that host must come back as path plus query string only.
    '''
    get_current.return_value.domain = 'su.mo.com'
    # (submitted ``next`` value, expected cleaned result)
    cases = (
        ('https://su.mo.com/kb/new?f=b', '/kb/new?f=b'),
        ('http://su.mo.com/kb/new', '/kb/new'),
    )
    for submitted, expected in cases:
        request = RequestFactory().post('/users/login', {'next': submitted})
        eq_(expected, _clean_next_url(request))
def test_clean_next_url_request_properties(self, get_current):
    """Check each request property _clean_next_url takes the target from.

    Covers a GET ``next`` parameter (which must win over a Referer header
    sent with the same request), a POST ``next`` parameter, and a Referer
    header on its own.
    """
    get_current.return_value.domain = "dev.mo.org"
    login_path = "/users/login"
    target = "/demos/submit"

    # GET parameter sent together with a Referer: the parameter is used.
    via_get = RequestFactory().get(
        login_path, {"next": target}, HTTP_REFERER="referer-trumped-by-get"
    )
    eq_(target, _clean_next_url(via_get))

    # POST parameter.
    via_post = RequestFactory().post(login_path, {"next": target})
    eq_(target, _clean_next_url(via_post))

    # No parameter at all: the Referer header is the fallback.
    # NOTE(review): Referer is client-supplied just like ``next``; this case
    # only exercises a value that is already a relative path.
    via_referer = RequestFactory().get(login_path, HTTP_REFERER=target)
    eq_(target, _clean_next_url(via_referer))
def test_clean_next_url_request_properties(self, get_current):
    '''Check each request property _clean_next_url takes the target from.

    Covers a GET ``next`` parameter (which must win over a Referer header
    sent with the same request), a POST ``next`` parameter, and a Referer
    header on its own.
    '''
    get_current.return_value.domain = 'dev.mo.org'
    login_path = '/users/login'
    target = '/demos/submit'

    # GET parameter sent together with a Referer: the parameter is used.
    via_get = RequestFactory().get(
        login_path, {'next': target}, HTTP_REFERER='referer-trumped-by-get'
    )
    eq_(target, _clean_next_url(via_get))

    # POST parameter.
    via_post = RequestFactory().post(login_path, {'next': target})
    eq_(target, _clean_next_url(via_post))

    # No parameter at all: the Referer header is the fallback.
    # NOTE(review): Referer is client-supplied just like ``next``; this case
    # only exercises a value that is already a relative path.
    via_referer = RequestFactory().get(login_path, HTTP_REFERER=target)
    eq_(target, _clean_next_url(via_referer))
def test_clean_next_url_invalid_next_parameter(self, get_current):
    '''Check that every value from self._invalid_nexts() is rejected.

    Each value is sent as the GET ``next`` parameter and _clean_next_url must
    return None for it. The list itself is defined outside this snippet.
    '''
    get_current.return_value.domain = 'dev.mo.org'
    # ``candidate`` rather than ``next`` so the builtin is not shadowed.
    for candidate in self._invalid_nexts():
        request = RequestFactory().get('/users/login', {'next': candidate})
        eq_(None, _clean_next_url(request))
def test_clean_next_url_no_self_redirects(self, get_current):
    '''Check that the login and logout URLs are rejected as ``next`` targets.

    settings.LOGIN_URL and settings.LOGOUT_URL are each sent as the GET
    ``next`` parameter and _clean_next_url must return None for both.
    '''
    get_current.return_value.domain = 'dev.mo.org'
    own_urls = (settings.LOGIN_URL, settings.LOGOUT_URL)
    for own_url in own_urls:
        request = RequestFactory().get('/users/login', {'next': own_url})
        eq_(None, _clean_next_url(request))
def test_clean_next_url_invalid_next_parameter(self, get_current):
    """Check that every value from self._invalid_nexts() is rejected.

    Each value is sent as the GET ``next`` parameter and _clean_next_url must
    return None for it. The list itself is defined outside this snippet.
    """
    get_current.return_value.domain = "dev.mo.org"
    # ``candidate`` rather than ``next`` so the builtin is not shadowed.
    for candidate in self._invalid_nexts():
        request = RequestFactory().get("/users/login", {"next": candidate})
        eq_(None, _clean_next_url(request))
def test_clean_next_url_no_self_redirects(self, get_current):
    """Check that the login and logout URLs are rejected as ``next`` targets.

    settings.LOGIN_URL and settings.LOGOUT_URL are each sent as the GET
    ``next`` parameter and _clean_next_url must return None for both.
    """
    get_current.return_value.domain = "dev.mo.org"
    own_urls = (settings.LOGIN_URL, settings.LOGOUT_URL)
    for own_url in own_urls:
        request = RequestFactory().get("/users/login", {"next": own_url})
        eq_(None, _clean_next_url(request))
def test_clean_next_url_protocol_relative_redirect(self, get_current):
    '''Check that a double-encoded protocol-relative ``next`` value is rejected.

    ``%252f`` decodes to ``%2f`` and then to ``/``, so after two rounds of URL
    decoding the value below starts with ``//goo.gl/``: a protocol-relative
    URL on a host other than the mocked site. That is an open-redirect
    attempt rather than XSS, and _clean_next_url must return None for it.
    '''
    get_current.return_value.domain = 'testserver.com'
    encoded_target = '%252f%252fgoo.gl/yY9B5&paddingpaddingpadding'
    # NOTE(review): only the double-encoded form is asserted here; confirm
    # that the plain and single-encoded forms are covered by
    # self._invalid_nexts() or add them alongside this case.
    request = RequestFactory().get('/users/login', {'next': encoded_target})
    eq_(None, _clean_next_url(request))