django/tests/utils_tests/test_http.py

from datetime import datetime
import sys
import unittest

from django.utils.datastructures import MultiValueDict
from django.utils import http
from django.utils import six


class TestUtilsHttp(unittest.TestCase):

    def test_same_origin_true(self):
        # Identical
        self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com/'))
        # One with trailing slash - see #15617
        self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com/'))
        self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com'))
        # With port
        self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/'))

    def test_same_origin_false(self):
        # Different scheme
        self.assertFalse(http.same_origin('http://foo.com', 'https://foo.com'))
        # Different host
        self.assertFalse(http.same_origin('http://foo.com', 'http://goo.com'))
        # Different host again
        self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com'))
        # Different port
        self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001'))

    def test_urlencode(self):
        # 2-tuples (the norm)
        result = http.urlencode((('a', 1), ('b', 2), ('c', 3)))
        self.assertEqual(result, 'a=1&b=2&c=3')

        # A dictionary
        result = http.urlencode({'a': 1, 'b': 2, 'c': 3})
        acceptable_results = [
            # Need to allow all of these as dictionaries have to be treated as
            # unordered
            'a=1&b=2&c=3',
            'a=1&c=3&b=2',
            'b=2&a=1&c=3',
            'b=2&c=3&a=1',
            'c=3&a=1&b=2',
            'c=3&b=2&a=1'
        ]
        self.assertTrue(result in acceptable_results)
        result = http.urlencode({'a': [1, 2]}, doseq=False)
        self.assertEqual(result, 'a=%5B%271%27%2C+%272%27%5D')
        result = http.urlencode({'a': [1, 2]}, doseq=True)
        self.assertEqual(result, 'a=1&a=2')
        result = http.urlencode({'a': []}, doseq=True)
        self.assertEqual(result, '')

        # A MultiValueDict
        result = http.urlencode(MultiValueDict({
            'name': ['Adrian', 'Simon'],
            'position': ['Developer']
        }), doseq=True)
        acceptable_results = [
            # MultiValueDicts are similarly unordered
            'name=Adrian&name=Simon&position=Developer',
            'position=Developer&name=Adrian&name=Simon'
        ]
        self.assertTrue(result in acceptable_results)

    def test_base36(self):
        # reciprocity works
        for n in [0, 1, 1000, 1000000]:
            self.assertEqual(n, http.base36_to_int(http.int_to_base36(n)))
        if six.PY2:
            self.assertEqual(sys.maxint, http.base36_to_int(http.int_to_base36(sys.maxint)))

        # bad input
        self.assertRaises(ValueError, http.int_to_base36, -1)
        if six.PY2:
            self.assertRaises(ValueError, http.int_to_base36, sys.maxint + 1)
        for n in ['1', 'foo', {1: 2}, (1, 2, 3), 3.141]:
            self.assertRaises(TypeError, http.int_to_base36, n)

        for n in ['#', ' ']:
            self.assertRaises(ValueError, http.base36_to_int, n)
        for n in [123, {1: 2}, (1, 2, 3), 3.141]:
            self.assertRaises(TypeError, http.base36_to_int, n)

        # more explicit output testing
        for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]:
            self.assertEqual(http.int_to_base36(n), b36)
            self.assertEqual(http.base36_to_int(b36), n)

    def test_is_safe_url(self):
        for bad_url in ('http://example.com',
                        'http:///example.com',
                        'https://example.com',
                        'ftp://exampel.com',
                        r'\\example.com',
                        r'\\\example.com',
                        r'/\\/example.com',
                        r'\\\example.com',
                        r'\\example.com',
                        r'\\//example.com',
                        r'/\/example.com',
                        r'\/example.com',
                        r'/\example.com',
                        'http:///example.com',
                        'http:/\//example.com',
                        'http:\/example.com',
                        'http:/\example.com',
                        'javascript:alert("XSS")'):
            self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
        for good_url in ('/view/?param=http://example.com',
                     '/view/?param=https://example.com',
                     '/view?param=ftp://exampel.com',
                     'view/?param=//example.com',
                     'https://testserver/',
                     'HTTPS://testserver/',
                     '//testserver/',
                     '/url%20with%20spaces/'):
            self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)

    def test_urlsafe_base64_roundtrip(self):
        bytestring = b'foo'
        encoded = http.urlsafe_base64_encode(bytestring)
        decoded = http.urlsafe_base64_decode(encoded)
        self.assertEqual(bytestring, decoded)


class ETagProcessingTests(unittest.TestCase):
    def test_parsing(self):
        etags = http.parse_etags(r'"", "etag", "e\"t\"ag", "e\\tag", W/"weak"')
        self.assertEqual(etags, ['', 'etag', 'e"t"ag', r'e\tag', 'weak'])

    def test_quoting(self):
        quoted_etag = http.quote_etag(r'e\t"ag')
        self.assertEqual(quoted_etag, r'"e\\t\"ag"')


class HttpDateProcessingTests(unittest.TestCase):
    def test_parsing_rfc1123(self):
        parsed = http.parse_http_date('Sun, 06 Nov 1994 08:49:37 GMT')
        self.assertEqual(datetime.utcfromtimestamp(parsed),
                         datetime(1994, 11, 6, 8, 49, 37))

    def test_parsing_rfc850(self):
        parsed = http.parse_http_date('Sunday, 06-Nov-94 08:49:37 GMT')
        self.assertEqual(datetime.utcfromtimestamp(parsed),
                         datetime(1994, 11, 6, 8, 49, 37))

    def test_parsing_asctime(self):
        parsed = http.parse_http_date('Sun Nov  6 08:49:37 1994')
        self.assertEqual(datetime.utcfromtimestamp(parsed),
                         datetime(1994, 11, 6, 8, 49, 37))
Fixed parse_http_date docstring and moved related tests Refs #18675. 2012-09-27 03:10:17 +08:00			`from datetime import datetime`
Fixed #17693. Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-02-16 08:58:49 +08:00			`import sys`
Stopped using django.utils.unittest in the test suite. Refs #20680. 2013-07-01 20:22:27 +08:00			`import unittest`
Fixed #17693. Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-02-16 08:58:49 +08:00
[py3] Removed uses of sys.maxint under Python 3. Also fixed #18706: improved exceptions raised by int_to_base36. 2012-08-04 00:46:30 +08:00			`from django.utils.datastructures import MultiValueDict`
			`from django.utils import http`
			`from django.utils import six`
Fixed #15617 - CSRF referer checking too strict Thanks to adam for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-03-16 04:37:09 +08:00
Fixed parse_http_date docstring and moved related tests Refs #18675. 2012-09-27 03:10:17 +08:00
Fixed #15617 - CSRF referer checking too strict Thanks to adam for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-03-16 04:37:09 +08:00			`class TestUtilsHttp(unittest.TestCase):`

			`def test_same_origin_true(self):`
			`# Identical`
			`self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com/'))`
			`# One with trailing slash - see #15617`
			`self.assertTrue(http.same_origin('http://foo.com', 'http://foo.com/'))`
			`self.assertTrue(http.same_origin('http://foo.com/', 'http://foo.com'))`
			`# With port`
			`self.assertTrue(http.same_origin('https://foo.com:8000', 'https://foo.com:8000/'))`

			`def test_same_origin_false(self):`
			`# Different scheme`
			`self.assertFalse(http.same_origin('http://foo.com', 'https://foo.com'))`
			`# Different host`
			`self.assertFalse(http.same_origin('http://foo.com', 'http://goo.com'))`
			`# Different host again`
			`self.assertFalse(http.same_origin('http://foo.com', 'http://foo.com.evil.com'))`
			`# Different port`
			`self.assertFalse(http.same_origin('http://foo.com:8000', 'http://foo.com:8001'))`
Fixed #9089 -- Correctly handle list values in MultiValueDict instances when passed to django.utils.http.urlencode. Thanks, kratorius, guettli and obeattie. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16064 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-04-22 20:01:41 +08:00
			`def test_urlencode(self):`
			`# 2-tuples (the norm)`
			`result = http.urlencode((('a', 1), ('b', 2), ('c', 3)))`
			`self.assertEqual(result, 'a=1&b=2&c=3')`
Fixed #12140 -- Fixed http.urlencode result for empty lists Thanks aneil for the report and the initial patch. 2012-06-14 17:32:40 +08:00
Fixed #9089 -- Correctly handle list values in MultiValueDict instances when passed to django.utils.http.urlencode. Thanks, kratorius, guettli and obeattie. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16064 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-04-22 20:01:41 +08:00			`# A dictionary`
Fixed #21266 -- Fixed E201,E202 pep8 warnings. 2013-10-15 03:13:14 +08:00			`result = http.urlencode({'a': 1, 'b': 2, 'c': 3})`
Fixed #9089 -- Correctly handle list values in MultiValueDict instances when passed to django.utils.http.urlencode. Thanks, kratorius, guettli and obeattie. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16064 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-04-22 20:01:41 +08:00			`acceptable_results = [`
			`# Need to allow all of these as dictionaries have to be treated as`
			`# unordered`
			`'a=1&b=2&c=3',`
			`'a=1&c=3&b=2',`
			`'b=2&a=1&c=3',`
			`'b=2&c=3&a=1',`
			`'c=3&a=1&b=2',`
			`'c=3&b=2&a=1'`
			`]`
			`self.assertTrue(result in acceptable_results)`
Fixed #12140 -- Fixed http.urlencode result for empty lists Thanks aneil for the report and the initial patch. 2012-06-14 17:32:40 +08:00			`result = http.urlencode({'a': [1, 2]}, doseq=False)`
			`self.assertEqual(result, 'a=%5B%271%27%2C+%272%27%5D')`
			`result = http.urlencode({'a': [1, 2]}, doseq=True)`
			`self.assertEqual(result, 'a=1&a=2')`
			`result = http.urlencode({'a': []}, doseq=True)`
			`self.assertEqual(result, '')`

Fixed #9089 -- Correctly handle list values in MultiValueDict instances when passed to django.utils.http.urlencode. Thanks, kratorius, guettli and obeattie. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16064 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-04-22 20:01:41 +08:00			`# A MultiValueDict`
			`result = http.urlencode(MultiValueDict({`
			`'name': ['Adrian', 'Simon'],`
			`'position': ['Developer']`
			`}), doseq=True)`
			`acceptable_results = [`
			`# MultiValueDicts are similarly unordered`
			`'name=Adrian&name=Simon&position=Developer',`
			`'position=Developer&name=Adrian&name=Simon'`
			`]`
			`self.assertTrue(result in acceptable_results)`
Fixed #16632 -- Crash on responses without Content-Type with IE. Thanks juan for the report and kenth for the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17196 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-12-11 16:58:14 +08:00
Fixed #17693. Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-02-16 08:58:49 +08:00			`def test_base36(self):`
			`# reciprocity works`
[py3] Removed uses of sys.maxint under Python 3. Also fixed #18706: improved exceptions raised by int_to_base36. 2012-08-04 00:46:30 +08:00			`for n in [0, 1, 1000, 1000000]:`
Fixed #17693. Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-02-16 08:58:49 +08:00			`self.assertEqual(n, http.base36_to_int(http.int_to_base36(n)))`
Replaced "not PY3" by "PY2", new in six 1.4.0. 2013-09-02 18:06:32 +08:00			`if six.PY2:`
[py3] Removed uses of sys.maxint under Python 3. Also fixed #18706: improved exceptions raised by int_to_base36. 2012-08-04 00:46:30 +08:00			`self.assertEqual(sys.maxint, http.base36_to_int(http.int_to_base36(sys.maxint)))`
Fixed #17693. Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-02-16 08:58:49 +08:00
			`# bad input`
[py3] Removed uses of sys.maxint under Python 3. Also fixed #18706: improved exceptions raised by int_to_base36. 2012-08-04 00:46:30 +08:00			`self.assertRaises(ValueError, http.int_to_base36, -1)`
Replaced "not PY3" by "PY2", new in six 1.4.0. 2013-09-02 18:06:32 +08:00			`if six.PY2:`
[py3] Removed uses of sys.maxint under Python 3. Also fixed #18706: improved exceptions raised by int_to_base36. 2012-08-04 00:46:30 +08:00			`self.assertRaises(ValueError, http.int_to_base36, sys.maxint + 1)`
			`for n in ['1', 'foo', {1: 2}, (1, 2, 3), 3.141]:`
			`self.assertRaises(TypeError, http.int_to_base36, n)`

Fixed #17693. Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-02-16 08:58:49 +08:00			`for n in ['#', ' ']:`
			`self.assertRaises(ValueError, http.base36_to_int, n)`
[py3] Removed uses of sys.maxint under Python 3. Also fixed #18706: improved exceptions raised by int_to_base36. 2012-08-04 00:46:30 +08:00			`for n in [123, {1: 2}, (1, 2, 3), 3.141]:`
Fixed #17693. Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-02-16 08:58:49 +08:00			`self.assertRaises(TypeError, http.base36_to_int, n)`

			`# more explicit output testing`
Use Python's changed comparisons, which makes this a bit more readable. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17526 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-02-16 09:10:21 +08:00			`for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]:`
Fixed #17693. Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2012-02-16 08:58:49 +08:00			`self.assertEqual(http.int_to_base36(n), b36)`
			`self.assertEqual(http.base36_to_int(b36), n)`
Fixed parse_http_date docstring and moved related tests Refs #18675. 2012-09-27 03:10:17 +08:00
Added additional checks in is_safe_url to account for flexible parsing. This is a security fix. Disclosure following shortly. 2014-05-12 19:38:39 +08:00			`def test_is_safe_url(self):`
			`for bad_url in ('http://example.com',`
			`'http:///example.com',`
			`'https://example.com',`
			`'ftp://exampel.com',`
			`r'\\example.com',`
			`r'\\\example.com',`
			`r'/\\/example.com',`
			`r'\\\example.com',`
			`r'\\example.com',`
			`r'\\//example.com',`
			`r'/\/example.com',`
			`r'\/example.com',`
			`r'/\example.com',`
			`'http:///example.com',`
			`'http:/\//example.com',`
			`'http:\/example.com',`
			`'http:/\example.com',`
			`'javascript:alert("XSS")'):`
			`self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)`
			`for good_url in ('/view/?param=http://example.com',`
			`'/view/?param=https://example.com',`
			`'/view?param=ftp://exampel.com',`
			`'view/?param=//example.com',`
			`'https://testserver/',`
			`'HTTPS://testserver/',`
			`'//testserver/',`
			`'/url%20with%20spaces/'):`
			`self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)`

Fixed #23333 -- Made urlsafe_base64_decode() return proper type on Python 3. 2014-08-21 19:53:22 +08:00			`def test_urlsafe_base64_roundtrip(self):`
			`bytestring = b'foo'`
			`encoded = http.urlsafe_base64_encode(bytestring)`
			`decoded = http.urlsafe_base64_decode(encoded)`
			`self.assertEqual(bytestring, decoded)`

Fixed parse_http_date docstring and moved related tests Refs #18675. 2012-09-27 03:10:17 +08:00
			`class ETagProcessingTests(unittest.TestCase):`
Fixed #22909 -- Removed camelCasing in some tests. Thanks brylie. 2014-07-08 07:08:42 +08:00			`def test_parsing(self):`
Fixed parse_http_date docstring and moved related tests Refs #18675. 2012-09-27 03:10:17 +08:00			`etags = http.parse_etags(r'"", "etag", "e\"t\"ag", "e\\tag", W/"weak"')`
			`self.assertEqual(etags, ['', 'etag', 'e"t"ag', r'e\tag', 'weak'])`

Fixed #22909 -- Removed camelCasing in some tests. Thanks brylie. 2014-07-08 07:08:42 +08:00			`def test_quoting(self):`
Fixed parse_http_date docstring and moved related tests Refs #18675. 2012-09-27 03:10:17 +08:00			`quoted_etag = http.quote_etag(r'e\t"ag')`
			`self.assertEqual(quoted_etag, r'"e\\t\"ag"')`


			`class HttpDateProcessingTests(unittest.TestCase):`
Fixed #22909 -- Removed camelCasing in some tests. Thanks brylie. 2014-07-08 07:08:42 +08:00			`def test_parsing_rfc1123(self):`
Fixed parse_http_date docstring and moved related tests Refs #18675. 2012-09-27 03:10:17 +08:00			`parsed = http.parse_http_date('Sun, 06 Nov 1994 08:49:37 GMT')`
			`self.assertEqual(datetime.utcfromtimestamp(parsed),`
			`datetime(1994, 11, 6, 8, 49, 37))`

Fixed #22909 -- Removed camelCasing in some tests. Thanks brylie. 2014-07-08 07:08:42 +08:00			`def test_parsing_rfc850(self):`
Fixed parse_http_date docstring and moved related tests Refs #18675. 2012-09-27 03:10:17 +08:00			`parsed = http.parse_http_date('Sunday, 06-Nov-94 08:49:37 GMT')`
			`self.assertEqual(datetime.utcfromtimestamp(parsed),`
			`datetime(1994, 11, 6, 8, 49, 37))`

Fixed #22909 -- Removed camelCasing in some tests. Thanks brylie. 2014-07-08 07:08:42 +08:00			`def test_parsing_asctime(self):`
Fixed parse_http_date docstring and moved related tests Refs #18675. 2012-09-27 03:10:17 +08:00			`parsed = http.parse_http_date('Sun Nov 6 08:49:37 1994')`
			`self.assertEqual(datetime.utcfromtimestamp(parsed),`
			`datetime(1994, 11, 6, 8, 49, 37))`