django/tests/servers/test_basehttp.py

from io import BytesIO

from django.core.handlers.wsgi import WSGIRequest
from django.core.servers.basehttp import WSGIRequestHandler
from django.test import SimpleTestCase
from django.test.client import RequestFactory


class Stub:
    def __init__(self, **kwargs):
        self.__dict__.update(kwargs)

    def sendall(self, data):
        self.makefile('wb').write(data)


class WSGIRequestHandlerTestCase(SimpleTestCase):
    request_factory = RequestFactory()

    def test_log_message(self):
        request = WSGIRequest(self.request_factory.get('/').environ)
        request.makefile = lambda *args, **kwargs: BytesIO()
        handler = WSGIRequestHandler(request, '192.168.0.2', None)
        level_status_codes = {
            'info': [200, 301, 304],
            'warning': [400, 403, 404],
            'error': [500, 503],
        }
        for level, status_codes in level_status_codes.items():
            for status_code in status_codes:
                # The correct level gets the message.
                with self.assertLogs('django.server', level.upper()) as cm:
                    handler.log_message('GET %s %s', 'A', str(status_code))
                self.assertIn('GET A %d' % status_code, cm.output[0])
                # Incorrect levels don't have any messages.
                for wrong_level in level_status_codes:
                    if wrong_level != level:
                        with self.assertLogs('django.server', 'INFO') as cm:
                            handler.log_message('GET %s %s', 'A', str(status_code))
                        self.assertNotEqual(cm.records[0].levelname, wrong_level.upper())

    def test_https(self):
        request = WSGIRequest(self.request_factory.get('/').environ)
        request.makefile = lambda *args, **kwargs: BytesIO()

        handler = WSGIRequestHandler(request, '192.168.0.2', None)

        with self.assertLogs('django.server', 'ERROR') as cm:
            handler.log_message("GET %s %s", '\x16\x03', "4")
        self.assertIn(
            "You're accessing the development server over HTTPS, "
            "but it only supports HTTP.",
            cm.records[0].getMessage()
        )

    def test_strips_underscore_headers(self):
        """WSGIRequestHandler ignores headers containing underscores.

        This follows the lead of nginx and Apache 2.4, and is to avoid
        ambiguity between dashes and underscores in mapping to WSGI environ,
        which can have security implications.
        """
        def test_app(environ, start_response):
            """A WSGI app that just reflects its HTTP environ."""
            start_response('200 OK', [])
            http_environ_items = sorted(
                '%s:%s' % (k, v) for k, v in environ.items()
                if k.startswith('HTTP_')
            )
            yield (','.join(http_environ_items)).encode()

        rfile = BytesIO()
        rfile.write(b"GET / HTTP/1.0\r\n")
        rfile.write(b"Some-Header: good\r\n")
        rfile.write(b"Some_Header: bad\r\n")
        rfile.write(b"Other_Header: bad\r\n")
        rfile.seek(0)

        # WSGIRequestHandler closes the output file; we need to make this a
        # no-op so we can still read its contents.
        class UnclosableBytesIO(BytesIO):
            def close(self):
                pass

        wfile = UnclosableBytesIO()

        def makefile(mode, *a, **kw):
            if mode == 'rb':
                return rfile
            elif mode == 'wb':
                return wfile

        request = Stub(makefile=makefile)
        server = Stub(base_environ={}, get_app=lambda: test_app)

        # Prevent logging from appearing in test output.
        with self.assertLogs('django.server', 'INFO'):
            # instantiating a handler runs the request as side effect
            WSGIRequestHandler(request, '192.168.0.2', server)

        wfile.seek(0)
        body = list(wfile.readlines())[-1]

        self.assertEqual(body, b'HTTP_SOME_HEADER:good')
Replaced six.BytesIO with io.BytesIO 2015-07-20 20:02:22 +08:00			`from io import BytesIO`

Fixed #23398 -- Added helpful error message when runserver is accessed via HTTPS 2014-09-06 04:27:26 +08:00			`from django.core.handlers.wsgi import WSGIRequest`
			`from django.core.servers.basehttp import WSGIRequestHandler`
Refs #24652 -- Used SimpleTestCase where appropriate. 2015-04-18 05:38:20 +08:00			`from django.test import SimpleTestCase`
Fixed #23398 -- Added helpful error message when runserver is accessed via HTTPS 2014-09-06 04:27:26 +08:00			`from django.test.client import RequestFactory`


Refs #23919 -- Stopped inheriting from object to define new style classes. 2017-01-19 15:39:46 +08:00			`class Stub:`
Stripped headers containing underscores to prevent spoofing in WSGI environ. This is a security fix. Disclosure following shortly. Thanks to Jedediah Smith for the report. 2014-09-11 01:06:19 +08:00			`def __init__(self, **kwargs):`
			`self.__dict__.update(kwargs)`

Refs #27025 -- Fixed a servers test on Python 3.6. After https://hg.python.org/cpython/rev/4ea79767ff75/, test_strips_underscore_headers fails with: 'Stub' object has no attribute 'sendall'. 2016-08-09 04:50:48 +08:00			`def sendall(self, data):`
			`self.makefile('wb').write(data)`

Stripped headers containing underscores to prevent spoofing in WSGI environ. This is a security fix. Disclosure following shortly. Thanks to Jedediah Smith for the report. 2014-09-11 01:06:19 +08:00
Refs #24652 -- Used SimpleTestCase where appropriate. 2015-04-18 05:38:20 +08:00			`class WSGIRequestHandlerTestCase(SimpleTestCase):`
Made reused RequestFactory instances class attributes. 2018-11-27 03:01:27 +08:00			`request_factory = RequestFactory()`
Fixed #25204 -- Added missing space in runserver logging. 2015-08-01 00:45:27 +08:00
			`def test_log_message(self):`
Made reused RequestFactory instances class attributes. 2018-11-27 03:01:27 +08:00			`request = WSGIRequest(self.request_factory.get('/').environ)`
Captured logging in tests with self.assertLogs(). 2018-04-29 17:02:51 +08:00			`request.makefile = lambda args, *kwargs: BytesIO()`
			`handler = WSGIRequestHandler(request, '192.168.0.2', None)`
			`level_status_codes = {`
			`'info': [200, 301, 304],`
			`'warning': [400, 403, 404],`
			`'error': [500, 503],`
			`}`
			`for level, status_codes in level_status_codes.items():`
			`for status_code in status_codes:`
			`# The correct level gets the message.`
			`with self.assertLogs('django.server', level.upper()) as cm:`
			`handler.log_message('GET %s %s', 'A', str(status_code))`
			`self.assertIn('GET A %d' % status_code, cm.output[0])`
			`# Incorrect levels don't have any messages.`
			`for wrong_level in level_status_codes:`
			`if wrong_level != level:`
			`with self.assertLogs('django.server', 'INFO') as cm:`
			`handler.log_message('GET %s %s', 'A', str(status_code))`
			`self.assertNotEqual(cm.records[0].levelname, wrong_level.upper())`
Fixed #25204 -- Added missing space in runserver logging. 2015-08-01 00:45:27 +08:00
Fixed #23398 -- Added helpful error message when runserver is accessed via HTTPS 2014-09-06 04:27:26 +08:00			`def test_https(self):`
Made reused RequestFactory instances class attributes. 2018-11-27 03:01:27 +08:00			`request = WSGIRequest(self.request_factory.get('/').environ)`
Fixed #23398 -- Added helpful error message when runserver is accessed via HTTPS 2014-09-06 04:27:26 +08:00			`request.makefile = lambda args, *kwargs: BytesIO()`

			`handler = WSGIRequestHandler(request, '192.168.0.2', None)`

Replaced django.test.utils.patch_logger() with assertLogs(). Thanks Tim Graham for the review. 2018-04-28 21:20:27 +08:00			`with self.assertLogs('django.server', 'ERROR') as cm:`
Refs #23919 -- Removed unneeded str() calls 2017-01-20 17:20:53 +08:00			`handler.log_message("GET %s %s", '\x16\x03', "4")`
Fixed #25684 -- Made runserver use logging for request/response output. Thanks andreif for the contributing to the patch. 2015-11-07 00:19:41 +08:00			`self.assertIn(`
			`"You're accessing the development server over HTTPS, "`
			`"but it only supports HTTP.",`
Replaced django.test.utils.patch_logger() with assertLogs(). Thanks Tim Graham for the review. 2018-04-28 21:20:27 +08:00			`cm.records[0].getMessage()`
Fixed #25684 -- Made runserver use logging for request/response output. Thanks andreif for the contributing to the patch. 2015-11-07 00:19:41 +08:00			`)`
Stripped headers containing underscores to prevent spoofing in WSGI environ. This is a security fix. Disclosure following shortly. Thanks to Jedediah Smith for the report. 2014-09-11 01:06:19 +08:00
			`def test_strips_underscore_headers(self):`
			`"""WSGIRequestHandler ignores headers containing underscores.`

			`This follows the lead of nginx and Apache 2.4, and is to avoid`
			`ambiguity between dashes and underscores in mapping to WSGI environ,`
			`which can have security implications.`
			`"""`
			`def test_app(environ, start_response):`
			`"""A WSGI app that just reflects its HTTP environ."""`
			`start_response('200 OK', [])`
			`http_environ_items = sorted(`
			`'%s:%s' % (k, v) for k, v in environ.items()`
			`if k.startswith('HTTP_')`
			`)`
Refs #23919 -- Removed default 'utf-8' argument for str.encode()/decode(). 2017-02-08 01:05:47 +08:00			`yield (','.join(http_environ_items)).encode()`
Stripped headers containing underscores to prevent spoofing in WSGI environ. This is a security fix. Disclosure following shortly. Thanks to Jedediah Smith for the report. 2014-09-11 01:06:19 +08:00
			`rfile = BytesIO()`
			`rfile.write(b"GET / HTTP/1.0\r\n")`
			`rfile.write(b"Some-Header: good\r\n")`
			`rfile.write(b"Some_Header: bad\r\n")`
			`rfile.write(b"Other_Header: bad\r\n")`
			`rfile.seek(0)`

			`# WSGIRequestHandler closes the output file; we need to make this a`
			`# no-op so we can still read its contents.`
			`class UnclosableBytesIO(BytesIO):`
			`def close(self):`
			`pass`

			`wfile = UnclosableBytesIO()`

			`def makefile(mode, a, *kw):`
			`if mode == 'rb':`
			`return rfile`
			`elif mode == 'wb':`
			`return wfile`

			`request = Stub(makefile=makefile)`
			`server = Stub(base_environ={}, get_app=lambda: test_app)`

Replaced django.test.utils.patch_logger() with assertLogs(). Thanks Tim Graham for the review. 2018-04-28 21:20:27 +08:00			`# Prevent logging from appearing in test output.`
			`with self.assertLogs('django.server', 'INFO'):`
Stripped headers containing underscores to prevent spoofing in WSGI environ. This is a security fix. Disclosure following shortly. Thanks to Jedediah Smith for the report. 2014-09-11 01:06:19 +08:00			`# instantiating a handler runs the request as side effect`
			`WSGIRequestHandler(request, '192.168.0.2', server)`

			`wfile.seek(0)`
			`body = list(wfile.readlines())[-1]`

			`self.assertEqual(body, b'HTTP_SOME_HEADER:good')`