# -*- encoding: utf-8 -*-
from __future__ import unicode_literals
import sys
import unittest
from datetime import datetime
from django.utils import http, six
from django.utils.datastructures import MultiValueDict
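class TestUtilsHttp(unittest.TestCase):
    """
    Behavioural tests for the helpers in django.utils.http: query-string
    encoding, base36 conversion, redirect-target validation (is_safe_url),
    URL-safe base64, URL quoting and same-domain matching.
    """

    def test_urlencode(self):
        """urlencode() accepts 2-tuples, dicts and MultiValueDicts."""
        # 2-tuples (the norm)
        result = http.urlencode((('a', 1), ('b', 2), ('c', 3)))
        self.assertEqual(result, 'a=1&b=2&c=3')

        # A dictionary
        result = http.urlencode({'a': 1, 'b': 2, 'c': 3})
        acceptable_results = [
            # Need to allow all of these as dictionaries have to be treated as
            # unordered
            'a=1&b=2&c=3',
            'a=1&c=3&b=2',
            'b=2&a=1&c=3',
            'b=2&c=3&a=1',
            'c=3&a=1&b=2',
            'c=3&b=2&a=1'
        ]
        self.assertIn(result, acceptable_results)
        # Without doseq the list is encoded as one value; the expected string
        # is the percent-encoded form of "['1', '2']".
        result = http.urlencode({'a': [1, 2]}, doseq=False)
        self.assertEqual(result, 'a=%5B%271%27%2C+%272%27%5D')
        # With doseq each list item becomes its own key=value pair.
        result = http.urlencode({'a': [1, 2]}, doseq=True)
        self.assertEqual(result, 'a=1&a=2')
        # An empty list with doseq produces no pair at all.
        result = http.urlencode({'a': []}, doseq=True)
        self.assertEqual(result, '')

        # A MultiValueDict
        result = http.urlencode(MultiValueDict({
            'name': ['Adrian', 'Simon'],
            'position': ['Developer']
        }), doseq=True)
        acceptable_results = [
            # MultiValueDicts are similarly unordered
            'name=Adrian&name=Simon&position=Developer',
            'position=Developer&name=Adrian&name=Simon'
        ]
        self.assertIn(result, acceptable_results)

    def test_base36(self):
        """
        int_to_base36() and base36_to_int() round-trip, reject out-of-range
        and wrongly typed input, and produce the expected literal encodings.
        """
        # reciprocity works
        for n in [0, 1, 1000, 1000000]:
            self.assertEqual(n, http.base36_to_int(http.int_to_base36(n)))
        if six.PY2:
            # sys.maxint only exists on Python 2.
            self.assertEqual(sys.maxint, http.base36_to_int(http.int_to_base36(sys.maxint)))

        # bad input
        with self.assertRaises(ValueError):
            http.int_to_base36(-1)
        if six.PY2:
            with self.assertRaises(ValueError):
                http.int_to_base36(sys.maxint + 1)
        # Non-integers, including numeric strings and floats, are a TypeError.
        for n in ['1', 'foo', {1: 2}, (1, 2, 3), 3.141]:
            with self.assertRaises(TypeError):
                http.int_to_base36(n)

        # Strings that contain no base36 digits are a ValueError ...
        for n in ['#', ' ']:
            with self.assertRaises(ValueError):
                http.base36_to_int(n)
        # ... while non-string input is a TypeError.
        for n in [123, {1: 2}, (1, 2, 3), 3.141]:
            with self.assertRaises(TypeError):
                http.base36_to_int(n)

        # more explicit output testing
        for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]:
            self.assertEqual(http.int_to_base36(n), b36)
            self.assertEqual(http.base36_to_int(b36), n)

    def test_is_safe_url(self):
        """
        is_safe_url() rejects every entry of ``bad_urls`` and accepts every
        entry of ``good_urls`` when 'testserver' is the only trusted host.

        is_safe_url() is the helper used to vet redirect targets, so each
        rejected string documents one way a target could leave the trusted
        host (or stop being an HTTP(S) URL) while still looking local.
        """
        bad_urls = (
            # URLs that name a host other than testserver, over several
            # schemes, plus a triple-slash spelling.
            'http://example.com',
            'http:///example.com',
            'https://example.com',
            'ftp://example.com',
            # Backslash and mixed-slash prefixes. Some browsers treat "\" like
            # "/", so these can behave as scheme-relative URLs to example.com.
            r'\\example.com',
            r'\\\example.com',
            r'/\\/example.com',
            # NOTE(review): the next two entries repeat the two backslash
            # entries above; kept so the covered set is unchanged.
            r'\\\example.com',
            r'\\example.com',
            r'\\//example.com',
            r'/\/example.com',
            r'\/example.com',
            r'/\example.com',
            # The same slash tricks after an explicit "http:" scheme
            # ('http:///example.com' also appears in the first group).
            'http:///example.com',
            # Raw strings: "\/" and "\e" are not escape sequences, so the
            # values are unchanged, but the non-raw spellings trigger
            # invalid-escape warnings on newer Python versions.
            r'http:/\//example.com',
            r'http:\/example.com',
            r'http:/\example.com',
            # Script scheme, with and without a leading newline.
            'javascript:alert("XSS")',
            '\njavascript:alert(x)',
            # Control character in front of a scheme-relative URL.
            '\x08//example.com',
            # Backslash ahead of "@": a host name precedes the backslash but
            # example.com is what follows the "@".
            r'http://otherserver\@example.com',
            r'http:\\testserver\@example.com',
            r'http://testserver\me:pass@example.com',
            r'http://testserver\@example.com',
            r'http:\\testserver\confirm\me@example.com',
            # A bare newline.
            '\n',
        )
        for bad_url in bad_urls:
            self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)

        good_urls = (
            # Local paths whose query string merely contains another URL.
            '/view/?param=http://example.com',
            '/view/?param=https://example.com',
            '/view?param=ftp://example.com',
            'view/?param=//example.com',
            # Absolute and scheme-relative URLs on the trusted host; the
            # scheme is matched case-insensitively.
            'https://testserver/',
            'HTTPS://testserver/',
            '//testserver/',
            # "@" in the query string or percent-escapes in the path do not
            # change the host.
            'http://testserver/confirm?email=me@example.com',
            '/url%20with%20spaces/',
        )
        # NOTE(review): neither tuple covers the trusted host reached over a
        # non-HTTP scheme (e.g. an ftp:// URL on testserver); consider adding
        # that case once the intended result is confirmed.
        for good_url in good_urls:
            self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)

        if six.PY2:
            # Check binary URLs, regression tests for #26308
            self.assertTrue(
                http.is_safe_url(b'https://testserver/', host='testserver'),
                "binary URLs should be allowed on Python 2"
            )
            self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
            # UTF-8 bytes are accepted; the latin-1 encoding of the same
            # non-ASCII text is rejected.
            self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
            self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))

        # Valid basic auth credentials are allowed.
        self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
        # A path without host is allowed.
        self.assertTrue(http.is_safe_url('/confirm/me@example.com'))
        # Basic auth without host is not allowed.
        self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))

    def test_urlsafe_base64_roundtrip(self):
        """Decoding the URL-safe base64 encoding of b'foo' returns b'foo'."""
        bytestring = b'foo'
        encoded = http.urlsafe_base64_encode(bytestring)
        decoded = http.urlsafe_base64_decode(encoded)
        self.assertEqual(bytestring, decoded)

    def test_urlquote(self):
        """
        urlquote()/urlquote_plus() percent-encode non-ASCII text as UTF-8 and
        honour ``safe``; the unquote counterparts reverse both forms.
        """
        self.assertEqual(http.urlquote('Paris & Orl\xe9ans'), 'Paris%20%26%20Orl%C3%A9ans')
        self.assertEqual(http.urlquote('Paris & Orl\xe9ans', safe="&"), 'Paris%20&%20Orl%C3%A9ans')
        self.assertEqual(http.urlunquote('Paris%20%26%20Orl%C3%A9ans'), 'Paris & Orl\xe9ans')
        self.assertEqual(http.urlunquote('Paris%20&%20Orl%C3%A9ans'), 'Paris & Orl\xe9ans')
        # The *_plus variants use "+" for spaces instead of "%20".
        self.assertEqual(http.urlquote_plus('Paris & Orl\xe9ans'), 'Paris+%26+Orl%C3%A9ans')
        self.assertEqual(http.urlquote_plus('Paris & Orl\xe9ans', safe="&"), 'Paris+&+Orl%C3%A9ans')
        self.assertEqual(http.urlunquote_plus('Paris+%26+Orl%C3%A9ans'), 'Paris & Orl\xe9ans')
        self.assertEqual(http.urlunquote_plus('Paris+&+Orl%C3%A9ans'), 'Paris & Orl\xe9ans')

    def test_is_same_domain_good(self):
        """
        is_same_domain() matches an identical host, and matches the domain
        itself or a subdomain when the pattern starts with a dot; a port, if
        present, has to be the same on both sides.
        """
        for pair in (
            ('example.com', 'example.com'),
            ('example.com', '.example.com'),
            ('foo.example.com', '.example.com'),
            ('example.com:8888', 'example.com:8888'),
            ('example.com:8888', '.example.com:8888'),
            ('foo.example.com:8888', '.example.com:8888'),
        ):
            self.assertTrue(http.is_same_domain(*pair))

    def test_is_same_domain_bad(self):
        """
        is_same_domain() rejects a different domain, a subdomain checked
        against a pattern without a leading dot, and a differing port.
        """
        for pair in (
            ('example2.com', 'example.com'),
            ('foo.example.com', 'example.com'),
            ('example.com:9999', 'example.com:8888'),
        ):
            self.assertFalse(http.is_same_domain(*pair))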
class ETagProcessingTests(unittest.TestCase):
    """Parsing and quoting of ETag header values via django.utils.http."""

    def test_parsing(self):
        """
        parse_etags() splits a comma-separated header into unquoted values,
        undoing backslash escapes and dropping the W/ prefix of a weak tag.
        """
        header = r'"", "etag", "e\"t\"ag", "e\\tag", W/"weak"'
        parsed = http.parse_etags(header)
        expected = ['', 'etag', 'e"t"ag', r'e\tag', 'weak']
        self.assertEqual(parsed, expected)

    def test_quoting(self):
        """
        quote_etag() wraps the value in double quotes and escapes backslashes
        and quotes; unquote_etag() restores the original value.
        """
        plain = r'e\t"ag'
        wrapped = http.quote_etag(plain)
        self.assertEqual(wrapped, r'"e\\t\"ag"')
        restored = http.unquote_etag(wrapped)
        self.assertEqual(restored, plain)
class HttpDateProcessingTests(unittest.TestCase):
    """
    Formatting of epoch timestamps as HTTP and cookie dates, and parsing of
    the three date layouts named in the test methods below.
    """

    def test_http_date(self):
        """http_date() renders an epoch timestamp with space-separated date parts."""
        formatted = http.http_date(1167616461.0)
        self.assertEqual(formatted, 'Mon, 01 Jan 2007 01:54:21 GMT')

    def test_cookie_date(self):
        """cookie_date() renders the same instant with hyphen-separated date parts."""
        formatted = http.cookie_date(1167616461.0)
        self.assertEqual(formatted, 'Mon, 01-Jan-2007 01:54:21 GMT')

    def test_parsing_rfc1123(self):
        """parse_http_date() reads the 'Sun, 06 Nov 1994 ...' layout."""
        expected = datetime(1994, 11, 6, 8, 49, 37)
        timestamp = http.parse_http_date('Sun, 06 Nov 1994 08:49:37 GMT')
        self.assertEqual(datetime.utcfromtimestamp(timestamp), expected)

    def test_parsing_rfc850(self):
        """
        parse_http_date() reads the 'Sunday, 06-Nov-94 ...' layout; the
        two-digit year 94 is expected to come back as 1994.
        """
        expected = datetime(1994, 11, 6, 8, 49, 37)
        timestamp = http.parse_http_date('Sunday, 06-Nov-94 08:49:37 GMT')
        self.assertEqual(datetime.utcfromtimestamp(timestamp), expected)

    def test_parsing_asctime(self):
        """parse_http_date() reads the 'Sun Nov 6 08:49:37 1994' layout."""
        expected = datetime(1994, 11, 6, 8, 49, 37)
        timestamp = http.parse_http_date('Sun Nov 6 08:49:37 1994')
        self.assertEqual(datetime.utcfromtimestamp(timestamp), expected)