1
0
mirror of https://github.com/django/django.git synced 2025-01-26 10:09:42 +00:00
Russell Keith-Magee 8bee4604a1 SECURITY ALERT: Corrected a problem with the Admin media handler that could lead to the exposure of system files. Thanks to Gary Wilson for the patch.
This is a security-related update. A full announcement, as well as backports for 1.0.X and 0.96.X will be forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11351 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-07-29 02:40:14 +00:00

68 lines
2.2 KiB
Python

"""
Tests for django.core.servers.
"""
import os
import django
from django.test import TestCase
from django.core.handlers.wsgi import WSGIHandler
from django.core.servers.basehttp import AdminMediaHandler
class AdminMediaHandlerTests(TestCase):
def setUp(self):
self.admin_media_file_path = \
os.path.join(django.__path__[0], 'contrib', 'admin', 'media')
self.handler = AdminMediaHandler(WSGIHandler())
def test_media_urls(self):
"""
Tests that URLs that look like absolute file paths after the
settings.ADMIN_MEDIA_PREFIX don't turn into absolute file paths.
"""
# Cases that should work on all platforms.
data = (
('/media/css/base.css', ('css', 'base.css')),
)
# Cases that should raise an exception.
bad_data = ()
# Add platform-specific cases.
if os.sep == '/':
data += (
# URL, tuple of relative path parts.
('/media/\\css/base.css', ('\\css', 'base.css')),
)
bad_data += (
'/media//css/base.css',
'/media////css/base.css',
'/media/../css/base.css',
)
elif os.sep == '\\':
bad_data += (
'/media/C:\css/base.css',
'/media//\\css/base.css',
'/media/\\css/base.css',
'/media/\\\\css/base.css'
)
for url, path_tuple in data:
try:
output = self.handler.file_path(url)
except ValueError:
self.fail("Got a ValueError exception, but wasn't expecting"
" one. URL was: %s" % url)
rel_path = os.path.join(*path_tuple)
desired = os.path.normcase(
os.path.join(self.admin_media_file_path, rel_path))
self.assertEqual(output, desired,
"Got: %s, Expected: %s, URL was: %s" % (output, desired, url))
for url in bad_data:
try:
output = self.handler.file_path(url)
except ValueError:
continue
self.fail('URL: %s should have caused a ValueError exception.'
% url)