2013-07-01 20:22:27 +08:00
|
|
|
import unittest
|
2015-01-28 20:35:27 +08:00
|
|
|
from datetime import datetime
|
2012-02-16 08:58:49 +08:00
|
|
|
|
2019-02-05 07:53:11 +08:00
|
|
|
from django.test import SimpleTestCase, ignore_warnings
|
2012-08-04 00:46:30 +08:00
|
|
|
from django.utils.datastructures import MultiValueDict
|
2019-02-05 07:53:11 +08:00
|
|
|
from django.utils.deprecation import RemovedInDjango40Warning
|
2017-10-06 02:20:23 +08:00
|
|
|
from django.utils.http import (
|
2018-12-28 09:35:20 +08:00
|
|
|
base36_to_int, escape_leading_slashes, http_date, int_to_base36,
|
|
|
|
is_safe_url, is_same_domain, parse_etags, parse_http_date, quote_etag,
|
|
|
|
urlencode, urlquote, urlquote_plus, urlsafe_base64_decode,
|
2018-07-25 04:18:17 +08:00
|
|
|
urlsafe_base64_encode, urlunquote, urlunquote_plus,
|
2017-10-06 02:20:23 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
2018-12-28 00:19:55 +08:00
|
|
|
class URLEncodeTests(SimpleTestCase):
|
|
|
|
cannot_encode_none_msg = (
|
|
|
|
'Cannot encode None in a query string. Did you mean to pass an '
|
|
|
|
'empty string or omit the value?'
|
|
|
|
)
|
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
def test_tuples(self):
|
|
|
|
self.assertEqual(urlencode((('a', 1), ('b', 2), ('c', 3))), 'a=1&b=2&c=3')
|
|
|
|
|
|
|
|
def test_dict(self):
|
|
|
|
result = urlencode({'a': 1, 'b': 2, 'c': 3})
|
|
|
|
# Dictionaries are treated as unordered.
|
|
|
|
self.assertIn(result, [
|
2011-04-22 20:01:41 +08:00
|
|
|
'a=1&b=2&c=3',
|
|
|
|
'a=1&c=3&b=2',
|
|
|
|
'b=2&a=1&c=3',
|
|
|
|
'b=2&c=3&a=1',
|
|
|
|
'c=3&a=1&b=2',
|
2017-10-06 02:20:23 +08:00
|
|
|
'c=3&b=2&a=1',
|
|
|
|
])
|
|
|
|
|
|
|
|
def test_dict_containing_sequence_not_doseq(self):
|
|
|
|
self.assertEqual(urlencode({'a': [1, 2]}, doseq=False), 'a=%5B%271%27%2C+%272%27%5D')
|
|
|
|
|
|
|
|
def test_dict_containing_sequence_doseq(self):
|
|
|
|
self.assertEqual(urlencode({'a': [1, 2]}, doseq=True), 'a=1&a=2')
|
|
|
|
|
|
|
|
def test_dict_containing_empty_sequence_doseq(self):
|
|
|
|
self.assertEqual(urlencode({'a': []}, doseq=True), '')
|
|
|
|
|
|
|
|
def test_multivaluedict(self):
|
|
|
|
result = urlencode(MultiValueDict({
|
2011-04-22 20:01:41 +08:00
|
|
|
'name': ['Adrian', 'Simon'],
|
2017-10-06 02:20:23 +08:00
|
|
|
'position': ['Developer'],
|
2011-04-22 20:01:41 +08:00
|
|
|
}), doseq=True)
|
2017-10-06 02:20:23 +08:00
|
|
|
# MultiValueDicts are similarly unordered.
|
|
|
|
self.assertIn(result, [
|
2011-04-22 20:01:41 +08:00
|
|
|
'name=Adrian&name=Simon&position=Developer',
|
2017-10-06 02:20:23 +08:00
|
|
|
'position=Developer&name=Adrian&name=Simon',
|
|
|
|
])
|
|
|
|
|
2017-10-10 04:20:01 +08:00
|
|
|
def test_dict_with_bytes_values(self):
|
|
|
|
self.assertEqual(urlencode({'a': b'abc'}, doseq=True), 'a=abc')
|
|
|
|
|
|
|
|
def test_dict_with_sequence_of_bytes(self):
|
|
|
|
self.assertEqual(urlencode({'a': [b'spam', b'eggs', b'bacon']}, doseq=True), 'a=spam&a=eggs&a=bacon')
|
|
|
|
|
|
|
|
def test_dict_with_bytearray(self):
|
|
|
|
self.assertEqual(urlencode({'a': bytearray(range(2))}, doseq=True), 'a=0&a=1')
|
|
|
|
self.assertEqual(urlencode({'a': bytearray(range(2))}, doseq=False), 'a=%5B%270%27%2C+%271%27%5D')
|
|
|
|
|
|
|
|
def test_generator(self):
|
|
|
|
def gen():
|
|
|
|
yield from range(2)
|
|
|
|
|
|
|
|
self.assertEqual(urlencode({'a': gen()}, doseq=True), 'a=0&a=1')
|
|
|
|
self.assertEqual(urlencode({'a': gen()}, doseq=False), 'a=%5B%270%27%2C+%271%27%5D')
|
|
|
|
|
2018-12-28 00:19:55 +08:00
|
|
|
def test_none(self):
|
|
|
|
with self.assertRaisesMessage(TypeError, self.cannot_encode_none_msg):
|
|
|
|
urlencode({'a': None})
|
|
|
|
|
|
|
|
def test_none_in_sequence(self):
|
|
|
|
with self.assertRaisesMessage(TypeError, self.cannot_encode_none_msg):
|
|
|
|
urlencode({'a': [None]}, doseq=True)
|
|
|
|
|
|
|
|
def test_none_in_generator(self):
|
|
|
|
def gen():
|
|
|
|
yield None
|
|
|
|
with self.assertRaisesMessage(TypeError, self.cannot_encode_none_msg):
|
|
|
|
urlencode({'a': gen()}, doseq=True)
|
|
|
|
|
2011-12-11 16:58:14 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
class Base36IntTests(SimpleTestCase):
|
|
|
|
def test_roundtrip(self):
|
2012-08-04 00:46:30 +08:00
|
|
|
for n in [0, 1, 1000, 1000000]:
|
2017-10-06 02:20:23 +08:00
|
|
|
self.assertEqual(n, base36_to_int(int_to_base36(n)))
|
2012-02-16 08:58:49 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
def test_negative_input(self):
|
|
|
|
with self.assertRaisesMessage(ValueError, 'Negative base36 conversion input.'):
|
|
|
|
int_to_base36(-1)
|
|
|
|
|
|
|
|
def test_to_base36_errors(self):
|
2012-08-04 00:46:30 +08:00
|
|
|
for n in ['1', 'foo', {1: 2}, (1, 2, 3), 3.141]:
|
2016-01-17 19:26:39 +08:00
|
|
|
with self.assertRaises(TypeError):
|
2017-10-06 02:20:23 +08:00
|
|
|
int_to_base36(n)
|
2012-08-04 00:46:30 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
def test_invalid_literal(self):
|
2012-02-16 08:58:49 +08:00
|
|
|
for n in ['#', ' ']:
|
2017-10-06 02:20:23 +08:00
|
|
|
with self.assertRaisesMessage(ValueError, "invalid literal for int() with base 36: '%s'" % n):
|
|
|
|
base36_to_int(n)
|
|
|
|
|
|
|
|
def test_input_too_large(self):
|
|
|
|
with self.assertRaisesMessage(ValueError, 'Base36 input too large'):
|
|
|
|
base36_to_int('1' * 14)
|
|
|
|
|
|
|
|
def test_to_int_errors(self):
|
2012-08-04 00:46:30 +08:00
|
|
|
for n in [123, {1: 2}, (1, 2, 3), 3.141]:
|
2016-01-17 19:26:39 +08:00
|
|
|
with self.assertRaises(TypeError):
|
2017-10-06 02:20:23 +08:00
|
|
|
base36_to_int(n)
|
2012-02-16 08:58:49 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
def test_values(self):
|
2012-02-16 09:10:21 +08:00
|
|
|
for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]:
|
2017-10-06 02:20:23 +08:00
|
|
|
self.assertEqual(int_to_base36(n), b36)
|
|
|
|
self.assertEqual(base36_to_int(b36), n)
|
|
|
|
|
2012-09-27 03:10:17 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
class IsSafeURLTests(unittest.TestCase):
|
|
|
|
def test_bad_urls(self):
|
2016-04-08 10:04:45 +08:00
|
|
|
bad_urls = (
|
|
|
|
'http://example.com',
|
|
|
|
'http:///example.com',
|
|
|
|
'https://example.com',
|
|
|
|
'ftp://example.com',
|
|
|
|
r'\\example.com',
|
|
|
|
r'\\\example.com',
|
|
|
|
r'/\\/example.com',
|
|
|
|
r'\\\example.com',
|
|
|
|
r'\\example.com',
|
|
|
|
r'\\//example.com',
|
|
|
|
r'/\/example.com',
|
|
|
|
r'\/example.com',
|
|
|
|
r'/\example.com',
|
|
|
|
'http:///example.com',
|
2016-09-17 00:15:00 +08:00
|
|
|
r'http:/\//example.com',
|
|
|
|
r'http:\/example.com',
|
|
|
|
r'http:/\example.com',
|
2016-04-08 10:04:45 +08:00
|
|
|
'javascript:alert("XSS")',
|
|
|
|
'\njavascript:alert(x)',
|
|
|
|
'\x08//example.com',
|
|
|
|
r'http://otherserver\@example.com',
|
|
|
|
r'http:\\testserver\@example.com',
|
|
|
|
r'http://testserver\me:pass@example.com',
|
|
|
|
r'http://testserver\@example.com',
|
|
|
|
r'http:\\testserver\confirm\me@example.com',
|
2017-03-14 22:46:53 +08:00
|
|
|
'http:999999999',
|
|
|
|
'ftp:9999999999',
|
2016-04-08 10:04:45 +08:00
|
|
|
'\n',
|
2017-04-30 07:10:43 +08:00
|
|
|
'http://[2001:cdba:0000:0000:0000:0000:3257:9652/',
|
|
|
|
'http://2001:cdba:0000:0000:0000:0000:3257:9652]/',
|
2016-04-08 10:04:45 +08:00
|
|
|
)
|
|
|
|
for bad_url in bad_urls:
|
2017-10-06 02:20:23 +08:00
|
|
|
with self.subTest(url=bad_url):
|
|
|
|
self.assertIs(is_safe_url(bad_url, allowed_hosts={'testserver', 'testserver2'}), False)
|
2016-04-08 10:04:45 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
def test_good_urls(self):
|
2016-04-08 10:04:45 +08:00
|
|
|
good_urls = (
|
|
|
|
'/view/?param=http://example.com',
|
|
|
|
'/view/?param=https://example.com',
|
|
|
|
'/view?param=ftp://example.com',
|
|
|
|
'view/?param=//example.com',
|
|
|
|
'https://testserver/',
|
|
|
|
'HTTPS://testserver/',
|
|
|
|
'//testserver/',
|
|
|
|
'http://testserver/confirm?email=me@example.com',
|
|
|
|
'/url%20with%20spaces/',
|
2017-03-14 22:46:53 +08:00
|
|
|
'path/http:2222222222',
|
2016-04-08 10:04:45 +08:00
|
|
|
)
|
|
|
|
for good_url in good_urls:
|
2017-10-06 02:20:23 +08:00
|
|
|
with self.subTest(url=good_url):
|
|
|
|
self.assertIs(is_safe_url(good_url, allowed_hosts={'otherserver', 'testserver'}), True)
|
2016-03-04 22:41:52 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
def test_basic_auth(self):
|
2016-02-23 05:47:01 +08:00
|
|
|
# Valid basic auth credentials are allowed.
|
2017-10-06 02:20:23 +08:00
|
|
|
self.assertIs(is_safe_url(r'http://user:pass@testserver/', allowed_hosts={'user:pass@testserver'}), True)
|
|
|
|
|
|
|
|
def test_no_allowed_hosts(self):
|
2016-02-23 05:47:01 +08:00
|
|
|
# A path without host is allowed.
|
2018-01-11 20:03:50 +08:00
|
|
|
self.assertIs(is_safe_url('/confirm/me@example.com', allowed_hosts=None), True)
|
2016-02-23 05:47:01 +08:00
|
|
|
# Basic auth without host is not allowed.
|
2018-01-11 20:03:50 +08:00
|
|
|
self.assertIs(is_safe_url(r'http://testserver\@example.com', allowed_hosts=None), False)
|
2014-05-12 19:38:39 +08:00
|
|
|
|
2018-06-22 17:21:52 +08:00
|
|
|
def test_allowed_hosts_str(self):
|
|
|
|
self.assertIs(is_safe_url('http://good.com/good', allowed_hosts='good.com'), True)
|
|
|
|
self.assertIs(is_safe_url('http://good.co/evil', allowed_hosts='good.com'), False)
|
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
def test_secure_param_https_urls(self):
|
2016-08-19 19:23:13 +08:00
|
|
|
secure_urls = (
|
|
|
|
'https://example.com/p',
|
|
|
|
'HTTPS://example.com/p',
|
|
|
|
'/view/?param=http://example.com',
|
|
|
|
)
|
|
|
|
for url in secure_urls:
|
2017-10-06 02:20:23 +08:00
|
|
|
with self.subTest(url=url):
|
|
|
|
self.assertIs(is_safe_url(url, allowed_hosts={'example.com'}, require_https=True), True)
|
2016-08-19 19:23:13 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
def test_secure_param_non_https_urls(self):
|
|
|
|
insecure_urls = (
|
2016-08-19 19:23:13 +08:00
|
|
|
'http://example.com/p',
|
|
|
|
'ftp://example.com/p',
|
|
|
|
'//example.com/p',
|
|
|
|
)
|
2017-10-06 02:20:23 +08:00
|
|
|
for url in insecure_urls:
|
|
|
|
with self.subTest(url=url):
|
|
|
|
self.assertIs(is_safe_url(url, allowed_hosts={'example.com'}, require_https=True), False)
|
2016-08-19 19:23:13 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
|
|
|
|
class URLSafeBase64Tests(unittest.TestCase):
|
|
|
|
def test_roundtrip(self):
|
2014-08-21 19:53:22 +08:00
|
|
|
bytestring = b'foo'
|
2017-10-06 02:20:23 +08:00
|
|
|
encoded = urlsafe_base64_encode(bytestring)
|
|
|
|
decoded = urlsafe_base64_decode(encoded)
|
2014-08-21 19:53:22 +08:00
|
|
|
self.assertEqual(bytestring, decoded)
|
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
|
2019-02-05 07:53:11 +08:00
|
|
|
@ignore_warnings(category=RemovedInDjango40Warning)
|
2017-10-06 02:20:23 +08:00
|
|
|
class URLQuoteTests(unittest.TestCase):
|
|
|
|
def test_quote(self):
|
|
|
|
self.assertEqual(urlquote('Paris & Orl\xe9ans'), 'Paris%20%26%20Orl%C3%A9ans')
|
|
|
|
self.assertEqual(urlquote('Paris & Orl\xe9ans', safe="&"), 'Paris%20&%20Orl%C3%A9ans')
|
|
|
|
|
|
|
|
def test_unquote(self):
|
|
|
|
self.assertEqual(urlunquote('Paris%20%26%20Orl%C3%A9ans'), 'Paris & Orl\xe9ans')
|
|
|
|
self.assertEqual(urlunquote('Paris%20&%20Orl%C3%A9ans'), 'Paris & Orl\xe9ans')
|
|
|
|
|
|
|
|
def test_quote_plus(self):
|
|
|
|
self.assertEqual(urlquote_plus('Paris & Orl\xe9ans'), 'Paris+%26+Orl%C3%A9ans')
|
|
|
|
self.assertEqual(urlquote_plus('Paris & Orl\xe9ans', safe="&"), 'Paris+&+Orl%C3%A9ans')
|
|
|
|
|
|
|
|
def test_unquote_plus(self):
|
|
|
|
self.assertEqual(urlunquote_plus('Paris+%26+Orl%C3%A9ans'), 'Paris & Orl\xe9ans')
|
|
|
|
self.assertEqual(urlunquote_plus('Paris+&+Orl%C3%A9ans'), 'Paris & Orl\xe9ans')
|
|
|
|
|
|
|
|
|
|
|
|
class IsSameDomainTests(unittest.TestCase):
|
|
|
|
def test_good(self):
|
2015-03-17 17:52:55 +08:00
|
|
|
for pair in (
|
|
|
|
('example.com', 'example.com'),
|
|
|
|
('example.com', '.example.com'),
|
|
|
|
('foo.example.com', '.example.com'),
|
|
|
|
('example.com:8888', 'example.com:8888'),
|
|
|
|
('example.com:8888', '.example.com:8888'),
|
|
|
|
('foo.example.com:8888', '.example.com:8888'),
|
|
|
|
):
|
2017-10-06 02:20:23 +08:00
|
|
|
self.assertIs(is_same_domain(*pair), True)
|
2015-03-17 17:52:55 +08:00
|
|
|
|
2017-10-06 02:20:23 +08:00
|
|
|
def test_bad(self):
|
2015-03-17 17:52:55 +08:00
|
|
|
for pair in (
|
|
|
|
('example2.com', 'example.com'),
|
|
|
|
('foo.example.com', 'example.com'),
|
|
|
|
('example.com:9999', 'example.com:8888'),
|
2018-11-03 23:13:28 +08:00
|
|
|
('foo.example.com:8888', ''),
|
2015-03-17 17:52:55 +08:00
|
|
|
):
|
2017-10-06 02:20:23 +08:00
|
|
|
self.assertIs(is_same_domain(*pair), False)
|
2015-03-17 17:52:55 +08:00
|
|
|
|
2012-09-27 03:10:17 +08:00
|
|
|
|
|
|
|
class ETagProcessingTests(unittest.TestCase):
|
2014-07-08 07:08:42 +08:00
|
|
|
def test_parsing(self):
|
2016-09-01 21:32:20 +08:00
|
|
|
self.assertEqual(
|
2017-10-06 02:20:23 +08:00
|
|
|
parse_etags(r'"" , "etag", "e\\tag", W/"weak"'),
|
2016-09-01 21:32:20 +08:00
|
|
|
['""', '"etag"', r'"e\\tag"', 'W/"weak"']
|
|
|
|
)
|
2017-10-06 02:20:23 +08:00
|
|
|
self.assertEqual(parse_etags('*'), ['*'])
|
2016-09-01 21:32:20 +08:00
|
|
|
|
|
|
|
# Ignore RFC 2616 ETags that are invalid according to RFC 7232.
|
2017-10-06 02:20:23 +08:00
|
|
|
self.assertEqual(parse_etags(r'"etag", "e\"t\"ag"'), ['"etag"'])
|
2012-09-27 03:10:17 +08:00
|
|
|
|
2014-07-08 07:08:42 +08:00
|
|
|
def test_quoting(self):
|
2017-10-06 02:20:23 +08:00
|
|
|
self.assertEqual(quote_etag('etag'), '"etag"') # unquoted
|
|
|
|
self.assertEqual(quote_etag('"etag"'), '"etag"') # quoted
|
|
|
|
self.assertEqual(quote_etag('W/"etag"'), 'W/"etag"') # quoted, weak
|
2012-09-27 03:10:17 +08:00
|
|
|
|
|
|
|
|
|
|
|
class HttpDateProcessingTests(unittest.TestCase):
|
2014-09-23 20:45:59 +08:00
|
|
|
def test_http_date(self):
|
|
|
|
t = 1167616461.0
|
2017-10-06 02:20:23 +08:00
|
|
|
self.assertEqual(http_date(t), 'Mon, 01 Jan 2007 01:54:21 GMT')
|
2014-09-23 20:45:59 +08:00
|
|
|
|
2014-07-08 07:08:42 +08:00
|
|
|
def test_parsing_rfc1123(self):
|
2017-10-06 02:20:23 +08:00
|
|
|
parsed = parse_http_date('Sun, 06 Nov 1994 08:49:37 GMT')
|
2016-04-08 10:04:45 +08:00
|
|
|
self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(1994, 11, 6, 8, 49, 37))
|
2012-09-27 03:10:17 +08:00
|
|
|
|
2014-07-08 07:08:42 +08:00
|
|
|
def test_parsing_rfc850(self):
|
2017-10-06 02:20:23 +08:00
|
|
|
parsed = parse_http_date('Sunday, 06-Nov-94 08:49:37 GMT')
|
2016-04-08 10:04:45 +08:00
|
|
|
self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(1994, 11, 6, 8, 49, 37))
|
2012-09-27 03:10:17 +08:00
|
|
|
|
2014-07-08 07:08:42 +08:00
|
|
|
def test_parsing_asctime(self):
|
2017-10-06 02:20:23 +08:00
|
|
|
parsed = parse_http_date('Sun Nov 6 08:49:37 1994')
|
2016-04-08 10:04:45 +08:00
|
|
|
self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(1994, 11, 6, 8, 49, 37))
|
2018-07-25 04:18:17 +08:00
|
|
|
|
2018-11-03 23:13:28 +08:00
|
|
|
def test_parsing_year_less_than_70(self):
|
|
|
|
parsed = parse_http_date('Sun Nov 6 08:49:37 0050')
|
|
|
|
self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(2050, 11, 6, 8, 49, 37))
|
|
|
|
|
2018-07-25 04:18:17 +08:00
|
|
|
|
|
|
|
class EscapeLeadingSlashesTests(unittest.TestCase):
|
|
|
|
def test(self):
|
|
|
|
tests = (
|
|
|
|
('//example.com', '/%2Fexample.com'),
|
|
|
|
('//', '/%2F'),
|
|
|
|
)
|
|
|
|
for url, expected in tests:
|
|
|
|
with self.subTest(url=url):
|
|
|
|
self.assertEqual(escape_leading_slashes(url), expected)
|