From d3cfdfb508c191278761711f0ce91b789d65b37c Mon Sep 17 00:00:00 2001
From: Claude Paroz <claude@2xlibre.net>
Date: Sat, 26 Sep 2015 10:51:59 +0200
Subject: [PATCH] Separated XML serialization tests

---
 tests/serializers/test_xml.py      | 118 +++++++++++++++++++++++++++++
 tests/serializers/tests.py         |  98 ------------------------
 tests/serializers_regress/tests.py |  17 +----
 3 files changed, 119 insertions(+), 114 deletions(-)
 create mode 100644 tests/serializers/test_xml.py

diff --git a/tests/serializers/test_xml.py b/tests/serializers/test_xml.py
new file mode 100644
index 0000000000..e516444c95
--- /dev/null
+++ b/tests/serializers/test_xml.py
@@ -0,0 +1,118 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from xml.dom import minidom
+
+from django.core import serializers
+from django.core.serializers.xml_serializer import DTDForbidden
+from django.test import TestCase, TransactionTestCase
+from django.utils import six
+
+from .tests import SerializersTestBase, SerializersTransactionTestBase
+
+
+class XmlSerializerTestCase(SerializersTestBase, TestCase):
+    serializer_name = "xml"
+    pkless_str = """<?xml version="1.0" encoding="utf-8"?>
+<django-objects version="1.0">
+    <object model="serializers.category">
+        <field type="CharField" name="name">Reference</field>
+    </object>
+    <object model="serializers.category">
+        <field type="CharField" name="name">Non-fiction</field>
+    </object>
+</django-objects>"""
+    mapping_ordering_str = """<?xml version="1.0" encoding="utf-8"?>
+<django-objects version="1.0">
+  <object model="serializers.article" pk="%(article_pk)s">
+    <field name="author" rel="ManyToOneRel" to="serializers.author">%(author_pk)s</field>
+    <field name="headline" type="CharField">Poker has no place on ESPN</field>
+    <field name="pub_date" type="DateTimeField">2006-06-16T11:00:00</field>
+    <field name="categories" rel="ManyToManyRel" to="serializers.category"><object pk="%(first_category_pk)s"></object><object pk="%(second_category_pk)s"></object></field>
+    <field name="meta_data" rel="ManyToManyRel" to="serializers.categorymetadata"></field>
+  </object>
+</django-objects>"""  # NOQA
+
+    @staticmethod
+    def _comparison_value(value):
+        # The XML serializer handles everything as strings, so comparisons
+        # need to be performed on the stringified value
+        return six.text_type(value)
+
+    @staticmethod
+    def _validate_output(serial_str):
+        try:
+            minidom.parseString(serial_str)
+        except Exception:
+            return False
+        else:
+            return True
+
+    @staticmethod
+    def _get_pk_values(serial_str):
+        ret_list = []
+        dom = minidom.parseString(serial_str)
+        fields = dom.getElementsByTagName("object")
+        for field in fields:
+            ret_list.append(field.getAttribute("pk"))
+        return ret_list
+
+    @staticmethod
+    def _get_field_values(serial_str, field_name):
+        ret_list = []
+        dom = minidom.parseString(serial_str)
+        fields = dom.getElementsByTagName("field")
+        for field in fields:
+            if field.getAttribute("name") == field_name:
+                temp = []
+                for child in field.childNodes:
+                    temp.append(child.nodeValue)
+                ret_list.append("".join(temp))
+        return ret_list
+
+    def test_control_char_failure(self):
+        """
+        Serializing control characters with XML should fail as those characters
+        are not supported in the XML 1.0 standard (except HT, LF, CR).
+        """
+        self.a1.headline = "This contains \u0001 control \u0011 chars"
+        msg = "Article.headline (pk:%s) contains unserializable characters" % self.a1.pk
+        with self.assertRaisesMessage(ValueError, msg):
+            serializers.serialize(self.serializer_name, [self.a1])
+        self.a1.headline = "HT \u0009, LF \u000A, and CR \u000D are allowed"
+        self.assertIn(
+            "HT \t, LF \n, and CR \r are allowed",
+            serializers.serialize(self.serializer_name, [self.a1])
+        )
+
+    def test_no_dtd(self):
+        """
+        The XML deserializer shouldn't allow a DTD.
+
+        This is the most straightforward way to prevent all entity definitions
+        and avoid both external entities and entity-expansion attacks.
+        """
+        xml = '<?xml version="1.0" standalone="no"?><!DOCTYPE example SYSTEM "http://example.com/example.dtd">'
+        with self.assertRaises(DTDForbidden):
+            next(serializers.deserialize('xml', xml))
+
+
+class XmlSerializerTransactionTestCase(SerializersTransactionTestBase, TransactionTestCase):
+    serializer_name = "xml"
+    fwd_ref_str = """<?xml version="1.0" encoding="utf-8"?>
+<django-objects version="1.0">
+    <object pk="1" model="serializers.article">
+        <field to="serializers.author" name="author" rel="ManyToOneRel">1</field>
+        <field type="CharField" name="headline">Forward references pose no problem</field>
+        <field type="DateTimeField" name="pub_date">2006-06-16T15:00:00</field>
+        <field to="serializers.category" name="categories" rel="ManyToManyRel">
+            <object pk="1"></object>
+        </field>
+        <field to="serializers.categorymetadata" name="meta_data" rel="ManyToManyRel"></field>
+    </object>
+    <object pk="1" model="serializers.author">
+        <field type="CharField" name="name">Agnes</field>
+    </object>
+    <object pk="1" model="serializers.category">
+        <field type="CharField" name="name">Reference</field></object>
+</django-objects>"""
diff --git a/tests/serializers/tests.py b/tests/serializers/tests.py
index f92f0775d6..c288bf7ab8 100644
--- a/tests/serializers/tests.py
+++ b/tests/serializers/tests.py
@@ -4,7 +4,6 @@ from __future__ import unicode_literals
 import json
 import re
 from datetime import datetime
-from xml.dom import minidom
 
 from django.core import serializers
 from django.core.serializers.base import ProgressBar
@@ -14,7 +13,6 @@ from django.test import (
     skipUnlessDBFeature,
 )
 from django.test.utils import Approximate
-from django.utils import six
 from django.utils.six import StringIO
 
 from .models import (
@@ -324,102 +322,6 @@ class SerializersTransactionTestBase(object):
         self.assertEqual(art_obj.author.name, "Agnes")
 
 
-class XmlSerializerTestCase(SerializersTestBase, TestCase):
-    serializer_name = "xml"
-    pkless_str = """<?xml version="1.0" encoding="utf-8"?>
-<django-objects version="1.0">
-    <object model="serializers.category">
-        <field type="CharField" name="name">Reference</field>
-    </object>
-    <object model="serializers.category">
-        <field type="CharField" name="name">Non-fiction</field>
-    </object>
-</django-objects>"""
-    mapping_ordering_str = """<?xml version="1.0" encoding="utf-8"?>
-<django-objects version="1.0">
-  <object model="serializers.article" pk="%(article_pk)s">
-    <field name="author" rel="ManyToOneRel" to="serializers.author">%(author_pk)s</field>
-    <field name="headline" type="CharField">Poker has no place on ESPN</field>
-    <field name="pub_date" type="DateTimeField">2006-06-16T11:00:00</field>
-    <field name="categories" rel="ManyToManyRel" to="serializers.category"><object pk="%(first_category_pk)s"></object><object pk="%(second_category_pk)s"></object></field>
-    <field name="meta_data" rel="ManyToManyRel" to="serializers.categorymetadata"></field>
-  </object>
-</django-objects>"""  # NOQA
-
-    @staticmethod
-    def _comparison_value(value):
-        # The XML serializer handles everything as strings, so comparisons
-        # need to be performed on the stringified value
-        return six.text_type(value)
-
-    @staticmethod
-    def _validate_output(serial_str):
-        try:
-            minidom.parseString(serial_str)
-        except Exception:
-            return False
-        else:
-            return True
-
-    @staticmethod
-    def _get_pk_values(serial_str):
-        ret_list = []
-        dom = minidom.parseString(serial_str)
-        fields = dom.getElementsByTagName("object")
-        for field in fields:
-            ret_list.append(field.getAttribute("pk"))
-        return ret_list
-
-    @staticmethod
-    def _get_field_values(serial_str, field_name):
-        ret_list = []
-        dom = minidom.parseString(serial_str)
-        fields = dom.getElementsByTagName("field")
-        for field in fields:
-            if field.getAttribute("name") == field_name:
-                temp = []
-                for child in field.childNodes:
-                    temp.append(child.nodeValue)
-                ret_list.append("".join(temp))
-        return ret_list
-
-    def test_control_char_failure(self):
-        """
-        Serializing control characters with XML should fail as those characters
-        are not supported in the XML 1.0 standard (except HT, LF, CR).
-        """
-        self.a1.headline = "This contains \u0001 control \u0011 chars"
-        msg = "Article.headline (pk:%s) contains unserializable characters" % self.a1.pk
-        with self.assertRaisesMessage(ValueError, msg):
-            serializers.serialize(self.serializer_name, [self.a1])
-        self.a1.headline = "HT \u0009, LF \u000A, and CR \u000D are allowed"
-        self.assertIn(
-            "HT \t, LF \n, and CR \r are allowed",
-            serializers.serialize(self.serializer_name, [self.a1])
-        )
-
-
-class XmlSerializerTransactionTestCase(SerializersTransactionTestBase, TransactionTestCase):
-    serializer_name = "xml"
-    fwd_ref_str = """<?xml version="1.0" encoding="utf-8"?>
-<django-objects version="1.0">
-    <object pk="1" model="serializers.article">
-        <field to="serializers.author" name="author" rel="ManyToOneRel">1</field>
-        <field type="CharField" name="headline">Forward references pose no problem</field>
-        <field type="DateTimeField" name="pub_date">2006-06-16T15:00:00</field>
-        <field to="serializers.category" name="categories" rel="ManyToManyRel">
-            <object pk="1"></object>
-        </field>
-        <field to="serializers.categorymetadata" name="meta_data" rel="ManyToManyRel"></field>
-    </object>
-    <object pk="1" model="serializers.author">
-        <field type="CharField" name="name">Agnes</field>
-    </object>
-    <object pk="1" model="serializers.category">
-        <field type="CharField" name="name">Reference</field></object>
-</django-objects>"""
-
-
 class JsonSerializerTestCase(SerializersTestBase, TestCase):
     serializer_name = "json"
     pkless_str = """[
diff --git a/tests/serializers_regress/tests.py b/tests/serializers_regress/tests.py
index 3da6ddafb4..fd05eedc43 100644
--- a/tests/serializers_regress/tests.py
+++ b/tests/serializers_regress/tests.py
@@ -15,10 +15,9 @@ import uuid
 from django.core import serializers
 from django.core.serializers import SerializerDoesNotExist
 from django.core.serializers.base import DeserializationError
-from django.core.serializers.xml_serializer import DTDForbidden
 from django.db import connection, models
 from django.http import HttpResponse
-from django.test import SimpleTestCase, TestCase, skipUnlessDBFeature
+from django.test import TestCase, skipUnlessDBFeature
 from django.utils import six
 from django.utils.functional import curry
 
@@ -570,17 +569,3 @@ for format in [f for f in serializers.get_serializer_formats()
     setattr(SerializerTests, 'test_' + format + '_serializer_natural_keys', curry(naturalKeyTest, format))
     if format != 'python':
         setattr(SerializerTests, 'test_' + format + '_serializer_stream', curry(streamTest, format))
-
-
-class XmlDeserializerSecurityTests(SimpleTestCase):
-
-    def test_no_dtd(self):
-        """
-        The XML deserializer shouldn't allow a DTD.
-
-        This is the most straightforward way to prevent all entity definitions
-        and avoid both external entities and entity-expansion attacks.
-        """
-        xml = '<?xml version="1.0" standalone="no"?><!DOCTYPE example SYSTEM "http://example.com/example.dtd">'
-        with self.assertRaises(DTDForbidden):
-            next(serializers.deserialize('xml', xml))