mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #7658 -- Added some Windows-specific tempfile handling. The standard

Browse Source 
stuff doesn't work with the way Django's file uploading code wants to operate.
Patch from Mike Axiak.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8096 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Malcolm Tredinnick
2008-07-26 22:48:51 +00:00
parent e29aece743
commit 103d484807
3 changed files with 74 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
tests/regressiontests/file_uploads/tests.py
View File

@@ -2,9 +2,9 @@ import os
import errno
import sha
import shutil
import tempfile
import unittest
from django.core.files import temp as tempfile
from django.core.files.uploadedfile import SimpleUploadedFile
from django.test import TestCase, client
from django.utils import simplejson
@@ -22,7 +22,7 @@ class FileUploadTests(TestCase):
def test_large_upload(self):
tdir = tempfile.gettempdir()
file1 = tempfile.NamedTemporaryFile(suffix=".file1", dir=tdir)
file1.write('a' * (2 ** 21))
file1.seek(0)
@@ -58,11 +58,11 @@ class FileUploadTests(TestCase):
pass
self.assertEqual(response.status_code, 200)
def test_dangerous_file_names(self):
"""Uploaded file names should be sanitized before ever reaching the view."""
# This test simulates possible directory traversal attacks by a
# malicious uploader We have to do some monkeybusiness here to construct
# malicious uploader We have to do some monkeybusiness here to construct
# a malicious payload with an invalid file name (containing os.sep or
# os.pardir). This similar to what an attacker would need to do when
# trying such an attack.
@@ -79,7 +79,7 @@ class FileUploadTests(TestCase):
"..\\..\\hax0rd.txt", # Relative path, win-style.
"../..\\hax0rd.txt" # Relative path, mixed.
]
payload = []
for i, name in enumerate(scary_file_names):
payload.extend([
@@ -93,7 +93,7 @@ class FileUploadTests(TestCase):
'--' + client.BOUNDARY + '--',
'',
])
payload = "\r\n".join(payload)
r = {
'CONTENT_LENGTH': len(payload),
@@ -109,7 +109,7 @@ class FileUploadTests(TestCase):
for i, name in enumerate(scary_file_names):
got = recieved["file%s" % i]
self.assertEqual(got, "hax0rd.txt")
def test_filename_overflow(self):
"""File names over 256 characters (dangerous on some platforms) get fixed up."""
name = "%s.txt" % ("f"*500)
@@ -131,26 +131,26 @@ class FileUploadTests(TestCase):
}
got = simplejson.loads(self.client.request(**r).content)
self.assert_(len(got['file']) < 256, "Got a long file name (%s characters)." % len(got['file']))
def test_custom_upload_handler(self):
# A small file (under the 5M quota)
# A small file (under the 5M quota)
smallfile = tempfile.NamedTemporaryFile()
smallfile.write('a' * (2 ** 21))
# A big file (over the quota)
bigfile = tempfile.NamedTemporaryFile()
bigfile.write('a' * (10 * 2 ** 20))
# Small file posting should work.
response = self.client.post('/file_uploads/quota/', {'f': open(smallfile.name)})
got = simplejson.loads(response.content)
self.assert_('f' in got)
# Large files don't go through.
response = self.client.post("/file_uploads/quota/", {'f': open(bigfile.name)})
got = simplejson.loads(response.content)
self.assert_('f' not in got)
def test_broken_custom_upload_handler(self):
f = tempfile.NamedTemporaryFile()
f.write('a' * (2 ** 21))
@@ -189,7 +189,7 @@ class FileUploadTests(TestCase):
class DirectoryCreationTests(unittest.TestCase):
"""
Tests for error handling during directory creation
Tests for error handling during directory creation
via _save_FIELD_file (ticket #6450)
"""
def setUp(self):
@@ -221,7 +221,7 @@ class DirectoryCreationTests(unittest.TestCase):
except IOError, err:
# The test needs to be done on a specific string as IOError
# is raised even without the patch (just not early enough)
self.assertEquals(err.args[0],
self.assertEquals(err.args[0],
"%s exists and is not a directory" % UPLOAD_TO)
except:
self.fail("IOError not raised")