2012-10-30 03:33:00 +08:00
|
|
|
# -*- encoding: utf-8 -*-
|
2012-06-08 00:08:47 +08:00
|
|
|
from __future__ import unicode_literals
|
|
|
|
|
2010-11-07 23:41:17 +08:00
|
|
|
from datetime import datetime, timedelta
|
2012-08-11 17:11:20 +08:00
|
|
|
from io import BytesIO
|
2013-07-13 16:16:40 +08:00
|
|
|
from itertools import chain
|
2013-07-01 20:22:27 +08:00
|
|
|
import time
|
2008-03-08 11:06:30 +08:00
|
|
|
|
2012-10-19 02:10:46 +08:00
|
|
|
from django.core.exceptions import SuspiciousOperation
|
2010-11-07 23:41:17 +08:00
|
|
|
from django.core.handlers.wsgi import WSGIRequest, LimitedStream
|
2013-10-08 20:05:39 +08:00
|
|
|
from django.http import (HttpRequest, HttpResponse, parse_cookie,
|
|
|
|
build_request_repr, UnreadablePostError, RawPostDataException)
|
2013-11-04 07:34:11 +08:00
|
|
|
from django.test import SimpleTestCase, RequestFactory, override_settings
|
2012-10-20 21:53:28 +08:00
|
|
|
from django.test.client import FakePayload
|
2013-12-23 23:01:13 +08:00
|
|
|
from django.test.utils import str_prefix
|
2012-12-17 17:49:26 +08:00
|
|
|
from django.utils import six
|
2014-08-02 00:29:59 +08:00
|
|
|
from django.utils.encoding import force_str
|
2012-11-03 19:54:06 +08:00
|
|
|
from django.utils.http import cookie_date, urlencode
|
2013-09-06 03:38:59 +08:00
|
|
|
from django.utils.six.moves.urllib.parse import urlencode as original_urlencode
|
2012-03-19 04:58:22 +08:00
|
|
|
from django.utils.timezone import utc
|
2008-03-08 11:06:30 +08:00
|
|
|
|
2011-09-10 08:46:38 +08:00
|
|
|
|
2013-04-04 04:27:20 +08:00
|
|
|
class RequestsTests(SimpleTestCase):
|
2010-09-28 15:06:37 +08:00
|
|
|
def test_httprequest(self):
|
2010-09-28 19:54:58 +08:00
|
|
|
request = HttpRequest()
|
2012-08-11 17:11:20 +08:00
|
|
|
self.assertEqual(list(request.GET.keys()), [])
|
|
|
|
self.assertEqual(list(request.POST.keys()), [])
|
|
|
|
self.assertEqual(list(request.COOKIES.keys()), [])
|
|
|
|
self.assertEqual(list(request.META.keys()), [])
|
2008-08-24 01:28:12 +08:00
|
|
|
|
Fixed #22799 -- Made GET and POST on HttpRequest QueryDicts, and FILES a MultiValueDict.
Previously, GET, POST, and FILES on an HttpRequest were created in
the __init__ method as dictionaries. This was not something you would
usually notice causing trouble in production as you'd only see a
WSGIRequest, but in testing using the test client, calling .getlist
on GET, POST, or FILES for a request with no get/post data resulted in
an AttributeError.
Changed GET and POST on an HttpRequest object to be mutable
QueryDicts (mutable because the Django tests, and probably many
third party tests, were expecting it).
2014-06-08 07:47:43 +08:00
|
|
|
# .GET and .POST should be QueryDicts
|
|
|
|
self.assertEqual(request.GET.urlencode(), '')
|
|
|
|
self.assertEqual(request.POST.urlencode(), '')
|
|
|
|
|
|
|
|
# and FILES should be MultiValueDict
|
|
|
|
self.assertEqual(request.FILES.getlist('foo'), [])
|
|
|
|
|
2014-10-31 23:43:34 +08:00
|
|
|
def test_httprequest_full_path(self):
|
|
|
|
request = HttpRequest()
|
|
|
|
request.path = request.path_info = '/;some/?awful/=path/foo:bar/'
|
|
|
|
request.META['QUERY_STRING'] = ';some=query&+query=string'
|
|
|
|
expected = '/%3Bsome/%3Fawful/%3Dpath/foo:bar/?;some=query&+query=string'
|
|
|
|
self.assertEqual(request.get_full_path(), expected)
|
|
|
|
|
|
|
|
def test_httprequest_full_path_with_query_string_and_fragment(self):
|
|
|
|
request = HttpRequest()
|
|
|
|
request.path = request.path_info = '/foo#bar'
|
|
|
|
request.META['QUERY_STRING'] = 'baz#quux'
|
|
|
|
self.assertEqual(request.get_full_path(), '/foo%23bar?baz#quux')
|
|
|
|
|
2011-06-10 07:15:42 +08:00
|
|
|
def test_httprequest_repr(self):
|
|
|
|
request = HttpRequest()
|
2012-06-08 00:08:47 +08:00
|
|
|
request.path = '/somepath/'
|
2014-11-20 17:28:16 +08:00
|
|
|
request.method = 'GET'
|
2012-06-08 00:08:47 +08:00
|
|
|
request.GET = {'get-key': 'get-value'}
|
|
|
|
request.POST = {'post-key': 'post-value'}
|
|
|
|
request.COOKIES = {'post-key': 'post-value'}
|
|
|
|
request.META = {'post-key': 'post-value'}
|
2014-11-20 17:28:16 +08:00
|
|
|
self.assertEqual(repr(request), str_prefix("<HttpRequest: GET '/somepath/'>"))
|
|
|
|
self.assertEqual(build_request_repr(request), str_prefix("<HttpRequest\npath:/somepath/,\nGET:{%(_)s'get-key': %(_)s'get-value'},\nPOST:{%(_)s'post-key': %(_)s'post-value'},\nCOOKIES:{%(_)s'post-key': %(_)s'post-value'},\nMETA:{%(_)s'post-key': %(_)s'post-value'}>"))
|
2012-06-08 00:08:47 +08:00
|
|
|
self.assertEqual(build_request_repr(request, path_override='/otherpath/', GET_override={'a': 'b'}, POST_override={'c': 'd'}, COOKIES_override={'e': 'f'}, META_override={'g': 'h'}),
|
|
|
|
str_prefix("<HttpRequest\npath:/otherpath/,\nGET:{%(_)s'a': %(_)s'b'},\nPOST:{%(_)s'c': %(_)s'd'},\nCOOKIES:{%(_)s'e': %(_)s'f'},\nMETA:{%(_)s'g': %(_)s'h'}>"))
|
2011-06-10 07:15:42 +08:00
|
|
|
|
2014-11-20 17:28:16 +08:00
|
|
|
def test_httprequest_repr_invalid_method_and_path(self):
|
|
|
|
request = HttpRequest()
|
|
|
|
self.assertEqual(repr(request), str_prefix("<HttpRequest>"))
|
|
|
|
request = HttpRequest()
|
|
|
|
request.method = "GET"
|
|
|
|
self.assertEqual(repr(request), str_prefix("<HttpRequest>"))
|
|
|
|
request = HttpRequest()
|
|
|
|
request.path = ""
|
|
|
|
self.assertEqual(repr(request), str_prefix("<HttpRequest>"))
|
|
|
|
|
2013-11-16 07:54:20 +08:00
|
|
|
def test_bad_httprequest_repr(self):
|
|
|
|
"""
|
|
|
|
If an exception occurs when parsing GET, POST, COOKIES, or META, the
|
|
|
|
repr of the request should show it.
|
|
|
|
"""
|
|
|
|
class Bomb(object):
|
|
|
|
"""An object that raises an exception when printed out."""
|
|
|
|
def __repr__(self):
|
|
|
|
raise Exception('boom!')
|
|
|
|
|
|
|
|
bomb = Bomb()
|
|
|
|
for attr in ['GET', 'POST', 'COOKIES', 'META']:
|
|
|
|
request = HttpRequest()
|
|
|
|
setattr(request, attr, {'bomb': bomb})
|
2014-11-20 17:28:16 +08:00
|
|
|
self.assertIn('%s:<could not parse>' % attr, build_request_repr(request))
|
2013-11-16 07:54:20 +08:00
|
|
|
|
2010-09-28 15:06:37 +08:00
|
|
|
def test_wsgirequest(self):
|
2012-08-11 17:11:20 +08:00
|
|
|
request = WSGIRequest({'PATH_INFO': 'bogus', 'REQUEST_METHOD': 'bogus', 'wsgi.input': BytesIO(b'')})
|
|
|
|
self.assertEqual(list(request.GET.keys()), [])
|
|
|
|
self.assertEqual(list(request.POST.keys()), [])
|
|
|
|
self.assertEqual(list(request.COOKIES.keys()), [])
|
2014-09-26 20:31:50 +08:00
|
|
|
self.assertEqual(set(request.META.keys()), {'PATH_INFO', 'REQUEST_METHOD', 'SCRIPT_NAME', 'wsgi.input'})
|
2010-09-28 19:54:58 +08:00
|
|
|
self.assertEqual(request.META['PATH_INFO'], 'bogus')
|
|
|
|
self.assertEqual(request.META['REQUEST_METHOD'], 'bogus')
|
|
|
|
self.assertEqual(request.META['SCRIPT_NAME'], '')
|
2010-09-13 04:52:49 +08:00
|
|
|
|
2013-03-31 15:54:52 +08:00
|
|
|
def test_wsgirequest_with_script_name(self):
|
|
|
|
"""
|
|
|
|
Ensure that the request's path is correctly assembled, regardless of
|
|
|
|
whether or not the SCRIPT_NAME has a trailing slash.
|
|
|
|
Refs #20169.
|
|
|
|
"""
|
|
|
|
# With trailing slash
|
|
|
|
request = WSGIRequest({'PATH_INFO': '/somepath/', 'SCRIPT_NAME': '/PREFIX/', 'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')})
|
|
|
|
self.assertEqual(request.path, '/PREFIX/somepath/')
|
|
|
|
# Without trailing slash
|
|
|
|
request = WSGIRequest({'PATH_INFO': '/somepath/', 'SCRIPT_NAME': '/PREFIX', 'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')})
|
|
|
|
self.assertEqual(request.path, '/PREFIX/somepath/')
|
|
|
|
|
|
|
|
def test_wsgirequest_with_force_script_name(self):
|
|
|
|
"""
|
|
|
|
Ensure that the FORCE_SCRIPT_NAME setting takes precedence over the
|
|
|
|
request's SCRIPT_NAME environment parameter.
|
|
|
|
Refs #20169.
|
|
|
|
"""
|
|
|
|
with override_settings(FORCE_SCRIPT_NAME='/FORCED_PREFIX/'):
|
|
|
|
request = WSGIRequest({'PATH_INFO': '/somepath/', 'SCRIPT_NAME': '/PREFIX/', 'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')})
|
|
|
|
self.assertEqual(request.path, '/FORCED_PREFIX/somepath/')
|
|
|
|
|
|
|
|
def test_wsgirequest_path_with_force_script_name_trailing_slash(self):
|
|
|
|
"""
|
|
|
|
Ensure that the request's path is correctly assembled, regardless of
|
|
|
|
whether or not the FORCE_SCRIPT_NAME setting has a trailing slash.
|
|
|
|
Refs #20169.
|
|
|
|
"""
|
|
|
|
# With trailing slash
|
|
|
|
with override_settings(FORCE_SCRIPT_NAME='/FORCED_PREFIX/'):
|
|
|
|
request = WSGIRequest({'PATH_INFO': '/somepath/', 'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')})
|
|
|
|
self.assertEqual(request.path, '/FORCED_PREFIX/somepath/')
|
|
|
|
# Without trailing slash
|
|
|
|
with override_settings(FORCE_SCRIPT_NAME='/FORCED_PREFIX'):
|
|
|
|
request = WSGIRequest({'PATH_INFO': '/somepath/', 'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')})
|
|
|
|
self.assertEqual(request.path, '/FORCED_PREFIX/somepath/')
|
|
|
|
|
2011-06-10 07:15:42 +08:00
|
|
|
def test_wsgirequest_repr(self):
|
2014-11-20 17:28:16 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')})
|
|
|
|
self.assertEqual(repr(request), str_prefix("<WSGIRequest: GET '/'>"))
|
2012-08-11 17:11:20 +08:00
|
|
|
request = WSGIRequest({'PATH_INFO': '/somepath/', 'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')})
|
2012-06-08 00:08:47 +08:00
|
|
|
request.GET = {'get-key': 'get-value'}
|
|
|
|
request.POST = {'post-key': 'post-value'}
|
|
|
|
request.COOKIES = {'post-key': 'post-value'}
|
|
|
|
request.META = {'post-key': 'post-value'}
|
2014-11-20 17:28:16 +08:00
|
|
|
self.assertEqual(repr(request), str_prefix("<WSGIRequest: GET '/somepath/'>"))
|
|
|
|
self.assertEqual(build_request_repr(request), str_prefix("<WSGIRequest\npath:/somepath/,\nGET:{%(_)s'get-key': %(_)s'get-value'},\nPOST:{%(_)s'post-key': %(_)s'post-value'},\nCOOKIES:{%(_)s'post-key': %(_)s'post-value'},\nMETA:{%(_)s'post-key': %(_)s'post-value'}>"))
|
2012-06-08 00:08:47 +08:00
|
|
|
self.assertEqual(build_request_repr(request, path_override='/otherpath/', GET_override={'a': 'b'}, POST_override={'c': 'd'}, COOKIES_override={'e': 'f'}, META_override={'g': 'h'}),
|
|
|
|
str_prefix("<WSGIRequest\npath:/otherpath/,\nGET:{%(_)s'a': %(_)s'b'},\nPOST:{%(_)s'c': %(_)s'd'},\nCOOKIES:{%(_)s'e': %(_)s'f'},\nMETA:{%(_)s'g': %(_)s'h'}>"))
|
2011-06-10 07:15:42 +08:00
|
|
|
|
2012-12-17 17:49:26 +08:00
|
|
|
def test_wsgirequest_path_info(self):
|
|
|
|
def wsgi_str(path_info):
|
|
|
|
path_info = path_info.encode('utf-8') # Actual URL sent by the browser (bytestring)
|
|
|
|
if six.PY3:
|
|
|
|
path_info = path_info.decode('iso-8859-1') # Value in the WSGI environ dict (native string)
|
|
|
|
return path_info
|
|
|
|
# Regression for #19468
|
|
|
|
request = WSGIRequest({'PATH_INFO': wsgi_str("/سلام/"), 'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')})
|
|
|
|
self.assertEqual(request.path, "/سلام/")
|
|
|
|
|
2010-09-28 15:06:37 +08:00
|
|
|
def test_parse_cookie(self):
|
2012-09-28 23:09:05 +08:00
|
|
|
self.assertEqual(parse_cookie('invalid@key=true'), {})
|
2010-09-28 15:06:37 +08:00
|
|
|
|
|
|
|
def test_httprequest_location(self):
|
|
|
|
request = HttpRequest()
|
2010-09-28 19:54:58 +08:00
|
|
|
self.assertEqual(request.build_absolute_uri(location="https://www.example.com/asdf"),
|
2010-09-28 15:06:37 +08:00
|
|
|
'https://www.example.com/asdf')
|
|
|
|
|
|
|
|
request.get_host = lambda: 'www.example.com'
|
|
|
|
request.path = ''
|
2010-09-28 19:54:58 +08:00
|
|
|
self.assertEqual(request.build_absolute_uri(location="/path/with:colons"),
|
2010-09-28 15:06:37 +08:00
|
|
|
'http://www.example.com/path/with:colons')
|
|
|
|
|
|
|
|
def test_near_expiration(self):
|
|
|
|
"Cookie will expire when an near expiration time is provided"
|
|
|
|
response = HttpResponse()
|
|
|
|
# There is a timing weakness in this test; The
|
|
|
|
# expected result for max-age requires that there be
|
|
|
|
# a very slight difference between the evaluated expiration
|
|
|
|
# time, and the time evaluated in set_cookie(). If this
|
|
|
|
# difference doesn't exist, the cookie time will be
|
|
|
|
# 1 second larger. To avoid the problem, put in a quick sleep,
|
|
|
|
# which guarantees that there will be a time difference.
|
|
|
|
expires = datetime.utcnow() + timedelta(seconds=10)
|
|
|
|
time.sleep(0.001)
|
|
|
|
response.set_cookie('datetime', expires=expires)
|
|
|
|
datetime_cookie = response.cookies['datetime']
|
2010-09-28 19:54:58 +08:00
|
|
|
self.assertEqual(datetime_cookie['max-age'], 10)
|
2010-09-28 15:06:37 +08:00
|
|
|
|
2012-03-19 04:58:22 +08:00
|
|
|
def test_aware_expiration(self):
|
|
|
|
"Cookie accepts an aware datetime as expiration time"
|
|
|
|
response = HttpResponse()
|
|
|
|
expires = (datetime.utcnow() + timedelta(seconds=10)).replace(tzinfo=utc)
|
|
|
|
time.sleep(0.001)
|
|
|
|
response.set_cookie('datetime', expires=expires)
|
|
|
|
datetime_cookie = response.cookies['datetime']
|
|
|
|
self.assertEqual(datetime_cookie['max-age'], 10)
|
|
|
|
|
2010-09-28 15:06:37 +08:00
|
|
|
def test_far_expiration(self):
|
|
|
|
"Cookie will expire when an distant expiration time is provided"
|
|
|
|
response = HttpResponse()
|
|
|
|
response.set_cookie('datetime', expires=datetime(2028, 1, 1, 4, 5, 6))
|
|
|
|
datetime_cookie = response.cookies['datetime']
|
2014-12-30 23:23:42 +08:00
|
|
|
self.assertIn(
|
|
|
|
datetime_cookie['expires'],
|
|
|
|
# Slight time dependency; refs #23450
|
|
|
|
('Sat, 01-Jan-2028 04:05:06 GMT', 'Sat, 01-Jan-2028 04:05:07 GMT')
|
|
|
|
)
|
2010-09-28 15:06:37 +08:00
|
|
|
|
|
|
|
def test_max_age_expiration(self):
|
|
|
|
"Cookie will expire if max_age is provided"
|
|
|
|
response = HttpResponse()
|
|
|
|
response.set_cookie('max_age', max_age=10)
|
|
|
|
max_age_cookie = response.cookies['max_age']
|
|
|
|
self.assertEqual(max_age_cookie['max-age'], 10)
|
2013-11-04 02:08:55 +08:00
|
|
|
self.assertEqual(max_age_cookie['expires'], cookie_date(time.time() + 10))
|
2010-10-30 00:39:25 +08:00
|
|
|
|
2010-11-26 21:30:50 +08:00
|
|
|
def test_httponly_cookie(self):
|
|
|
|
response = HttpResponse()
|
|
|
|
response.set_cookie('example', httponly=True)
|
|
|
|
example_cookie = response.cookies['example']
|
|
|
|
# A compat cookie may be in use -- check that it has worked
|
|
|
|
# both as an output string, and using the cookie attributes
|
2014-10-28 18:02:56 +08:00
|
|
|
self.assertIn('; httponly', str(example_cookie))
|
2010-11-26 21:30:50 +08:00
|
|
|
self.assertTrue(example_cookie['httponly'])
|
|
|
|
|
2014-08-02 00:29:59 +08:00
|
|
|
def test_unicode_cookie(self):
|
|
|
|
"Verify HttpResponse.set_cookie() works with unicode data."
|
|
|
|
response = HttpResponse()
|
|
|
|
cookie_value = '清風'
|
|
|
|
response.set_cookie('test', cookie_value)
|
|
|
|
self.assertEqual(force_str(cookie_value), response.cookies['test'].value)
|
|
|
|
|
2010-10-30 00:39:25 +08:00
|
|
|
def test_limited_stream(self):
|
|
|
|
# Read all of a limited stream
|
2012-08-11 17:11:20 +08:00
|
|
|
stream = LimitedStream(BytesIO(b'test'), 2)
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.read(), b'te')
|
2011-01-16 15:31:35 +08:00
|
|
|
# Reading again returns nothing.
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.read(), b'')
|
2010-10-30 00:39:25 +08:00
|
|
|
|
|
|
|
# Read a number of characters greater than the stream has to offer
|
2012-08-11 17:11:20 +08:00
|
|
|
stream = LimitedStream(BytesIO(b'test'), 2)
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.read(5), b'te')
|
2011-01-16 15:31:35 +08:00
|
|
|
# Reading again returns nothing.
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(5), b'')
|
2010-10-30 00:39:25 +08:00
|
|
|
|
|
|
|
# Read sequentially from a stream
|
2012-08-11 17:11:20 +08:00
|
|
|
stream = LimitedStream(BytesIO(b'12345678'), 8)
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.read(5), b'12345')
|
|
|
|
self.assertEqual(stream.read(5), b'678')
|
2011-01-16 15:31:35 +08:00
|
|
|
# Reading again returns nothing.
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(5), b'')
|
2010-10-30 00:39:25 +08:00
|
|
|
|
|
|
|
# Read lines from a stream
|
2012-08-11 17:11:20 +08:00
|
|
|
stream = LimitedStream(BytesIO(b'1234\n5678\nabcd\nefgh\nijkl'), 24)
|
2010-10-30 00:39:25 +08:00
|
|
|
# Read a full line, unconditionally
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(), b'1234\n')
|
2010-10-30 00:39:25 +08:00
|
|
|
# Read a number of characters less than a line
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(2), b'56')
|
2010-10-30 00:39:25 +08:00
|
|
|
# Read the rest of the partial line
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(), b'78\n')
|
2010-10-30 00:39:25 +08:00
|
|
|
# Read a full line, with a character limit greater than the line length
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(6), b'abcd\n')
|
2010-10-30 00:39:25 +08:00
|
|
|
# Read the next line, deliberately terminated at the line end
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(4), b'efgh')
|
2010-10-30 00:39:25 +08:00
|
|
|
# Read the next line... just the line end
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(), b'\n')
|
2010-10-30 00:39:25 +08:00
|
|
|
# Read everything else.
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(), b'ijkl')
|
2010-10-30 00:39:25 +08:00
|
|
|
|
2011-01-16 15:31:35 +08:00
|
|
|
# Regression for #15018
|
|
|
|
# If a stream contains a newline, but the provided length
|
|
|
|
# is less than the number of provided characters, the newline
|
|
|
|
# doesn't reset the available character count
|
2012-08-11 17:11:20 +08:00
|
|
|
stream = LimitedStream(BytesIO(b'1234\nabcdef'), 9)
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(10), b'1234\n')
|
|
|
|
self.assertEqual(stream.readline(3), b'abc')
|
2011-01-16 15:31:35 +08:00
|
|
|
# Now expire the available characters
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(3), b'd')
|
2011-01-16 15:31:35 +08:00
|
|
|
# Reading again returns nothing.
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.readline(2), b'')
|
2011-01-16 15:31:35 +08:00
|
|
|
|
|
|
|
# Same test, but with read, not readline.
|
2012-08-11 17:11:20 +08:00
|
|
|
stream = LimitedStream(BytesIO(b'1234\nabcdef'), 9)
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(stream.read(6), b'1234\na')
|
|
|
|
self.assertEqual(stream.read(2), b'bc')
|
|
|
|
self.assertEqual(stream.read(2), b'd')
|
|
|
|
self.assertEqual(stream.read(2), b'')
|
|
|
|
self.assertEqual(stream.read(), b'')
|
2011-01-16 15:31:35 +08:00
|
|
|
|
2010-10-30 00:39:25 +08:00
|
|
|
def test_stream(self):
|
2012-10-20 21:53:28 +08:00
|
|
|
payload = FakePayload('name=value')
|
2011-06-28 18:17:56 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
2012-10-20 20:33:57 +08:00
|
|
|
'CONTENT_TYPE': 'application/x-www-form-urlencoded',
|
2011-06-28 18:17:56 +08:00
|
|
|
'CONTENT_LENGTH': len(payload),
|
2012-10-20 21:53:28 +08:00
|
|
|
'wsgi.input': payload})
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(request.read(), b'name=value')
|
2010-10-30 00:39:25 +08:00
|
|
|
|
|
|
|
def test_read_after_value(self):
|
|
|
|
"""
|
|
|
|
Reading from request is allowed after accessing request contents as
|
2011-12-17 07:40:32 +08:00
|
|
|
POST or body.
|
2010-10-30 00:39:25 +08:00
|
|
|
"""
|
2012-10-20 21:53:28 +08:00
|
|
|
payload = FakePayload('name=value')
|
2011-06-28 18:17:56 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
2012-10-20 20:33:57 +08:00
|
|
|
'CONTENT_TYPE': 'application/x-www-form-urlencoded',
|
2011-06-28 18:17:56 +08:00
|
|
|
'CONTENT_LENGTH': len(payload),
|
2012-10-20 21:53:28 +08:00
|
|
|
'wsgi.input': payload})
|
2012-06-08 00:08:47 +08:00
|
|
|
self.assertEqual(request.POST, {'name': ['value']})
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(request.body, b'name=value')
|
|
|
|
self.assertEqual(request.read(), b'name=value')
|
2010-10-30 00:39:25 +08:00
|
|
|
|
|
|
|
def test_value_after_read(self):
|
|
|
|
"""
|
2011-12-17 07:40:32 +08:00
|
|
|
Construction of POST or body is not allowed after reading
|
2010-10-30 00:39:25 +08:00
|
|
|
from request.
|
|
|
|
"""
|
2012-10-20 21:53:28 +08:00
|
|
|
payload = FakePayload('name=value')
|
2011-06-28 18:17:56 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
2012-10-20 20:33:57 +08:00
|
|
|
'CONTENT_TYPE': 'application/x-www-form-urlencoded',
|
2011-06-28 18:17:56 +08:00
|
|
|
'CONTENT_LENGTH': len(payload),
|
2012-10-20 21:53:28 +08:00
|
|
|
'wsgi.input': payload})
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(request.read(2), b'na')
|
2013-10-08 20:05:39 +08:00
|
|
|
self.assertRaises(RawPostDataException, lambda: request.body)
|
2010-10-30 00:39:25 +08:00
|
|
|
self.assertEqual(request.POST, {})
|
|
|
|
|
2012-11-03 19:54:06 +08:00
|
|
|
def test_non_ascii_POST(self):
|
|
|
|
payload = FakePayload(urlencode({'key': 'España'}))
|
|
|
|
request = WSGIRequest({
|
|
|
|
'REQUEST_METHOD': 'POST',
|
|
|
|
'CONTENT_LENGTH': len(payload),
|
|
|
|
'CONTENT_TYPE': 'application/x-www-form-urlencoded',
|
|
|
|
'wsgi.input': payload,
|
|
|
|
})
|
|
|
|
self.assertEqual(request.POST, {'key': ['España']})
|
|
|
|
|
2012-10-30 03:33:00 +08:00
|
|
|
def test_alternate_charset_POST(self):
|
|
|
|
"""
|
|
|
|
Test a POST with non-utf-8 payload encoding.
|
|
|
|
"""
|
2013-09-06 03:38:59 +08:00
|
|
|
payload = FakePayload(original_urlencode({'key': 'España'.encode('latin-1')}))
|
2012-10-30 03:33:00 +08:00
|
|
|
request = WSGIRequest({
|
|
|
|
'REQUEST_METHOD': 'POST',
|
|
|
|
'CONTENT_LENGTH': len(payload),
|
|
|
|
'CONTENT_TYPE': 'application/x-www-form-urlencoded; charset=iso-8859-1',
|
|
|
|
'wsgi.input': payload,
|
|
|
|
})
|
|
|
|
self.assertEqual(request.POST, {'key': ['España']})
|
|
|
|
|
2013-05-18 18:26:38 +08:00
|
|
|
def test_body_after_POST_multipart_form_data(self):
|
2011-03-29 00:11:40 +08:00
|
|
|
"""
|
2013-05-18 18:26:38 +08:00
|
|
|
Reading body after parsing multipart/form-data is not allowed
|
2011-03-29 00:11:40 +08:00
|
|
|
"""
|
|
|
|
# Because multipart is used for large amounts fo data i.e. file uploads,
|
|
|
|
# we don't want the data held in memory twice, and we don't want to
|
2011-12-17 07:40:32 +08:00
|
|
|
# silence the error by setting body = '' either.
|
2012-10-20 21:53:28 +08:00
|
|
|
payload = FakePayload("\r\n".join([
|
2013-10-20 07:33:10 +08:00
|
|
|
'--boundary',
|
|
|
|
'Content-Disposition: form-data; name="name"',
|
|
|
|
'',
|
|
|
|
'value',
|
|
|
|
'--boundary--'
|
|
|
|
'']))
|
2011-03-29 00:11:40 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
|
|
|
'CONTENT_TYPE': 'multipart/form-data; boundary=boundary',
|
|
|
|
'CONTENT_LENGTH': len(payload),
|
2012-10-20 21:53:28 +08:00
|
|
|
'wsgi.input': payload})
|
2012-06-08 00:08:47 +08:00
|
|
|
self.assertEqual(request.POST, {'name': ['value']})
|
2013-10-08 20:05:39 +08:00
|
|
|
self.assertRaises(RawPostDataException, lambda: request.body)
|
2011-03-29 00:11:40 +08:00
|
|
|
|
2013-05-18 18:26:38 +08:00
|
|
|
def test_body_after_POST_multipart_related(self):
|
|
|
|
"""
|
|
|
|
Reading body after parsing multipart that isn't form-data is allowed
|
|
|
|
"""
|
|
|
|
# Ticket #9054
|
|
|
|
# There are cases in which the multipart data is related instead of
|
|
|
|
# being a binary upload, in which case it should still be accessible
|
|
|
|
# via body.
|
2013-05-18 19:34:08 +08:00
|
|
|
payload_data = b"\r\n".join([
|
2013-10-20 07:33:10 +08:00
|
|
|
b'--boundary',
|
|
|
|
b'Content-ID: id; name="name"',
|
|
|
|
b'',
|
|
|
|
b'value',
|
|
|
|
b'--boundary--'
|
|
|
|
b''])
|
2013-05-18 18:26:38 +08:00
|
|
|
payload = FakePayload(payload_data)
|
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
|
|
|
'CONTENT_TYPE': 'multipart/related; boundary=boundary',
|
|
|
|
'CONTENT_LENGTH': len(payload),
|
|
|
|
'wsgi.input': payload})
|
|
|
|
self.assertEqual(request.POST, {})
|
|
|
|
self.assertEqual(request.body, payload_data)
|
|
|
|
|
2011-06-10 16:39:38 +08:00
|
|
|
def test_POST_multipart_with_content_length_zero(self):
|
|
|
|
"""
|
|
|
|
Multipart POST requests with Content-Length >= 0 are valid and need to be handled.
|
|
|
|
"""
|
|
|
|
# According to:
|
|
|
|
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
|
|
|
|
# Every request.POST with Content-Length >= 0 is a valid request,
|
|
|
|
# this test ensures that we handle Content-Length == 0.
|
2012-10-20 21:53:28 +08:00
|
|
|
payload = FakePayload("\r\n".join([
|
2013-10-20 07:33:10 +08:00
|
|
|
'--boundary',
|
|
|
|
'Content-Disposition: form-data; name="name"',
|
|
|
|
'',
|
|
|
|
'value',
|
|
|
|
'--boundary--'
|
|
|
|
'']))
|
2011-06-10 16:39:38 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
|
|
|
'CONTENT_TYPE': 'multipart/form-data; boundary=boundary',
|
|
|
|
'CONTENT_LENGTH': 0,
|
2012-10-20 21:53:28 +08:00
|
|
|
'wsgi.input': payload})
|
2011-06-10 16:39:38 +08:00
|
|
|
self.assertEqual(request.POST, {})
|
|
|
|
|
2012-10-20 20:33:57 +08:00
|
|
|
def test_POST_binary_only(self):
|
|
|
|
payload = b'\r\n\x01\x00\x00\x00ab\x00\x00\xcd\xcc,@'
|
|
|
|
environ = {'REQUEST_METHOD': 'POST',
|
|
|
|
'CONTENT_TYPE': 'application/octet-stream',
|
|
|
|
'CONTENT_LENGTH': len(payload),
|
|
|
|
'wsgi.input': BytesIO(payload)}
|
|
|
|
request = WSGIRequest(environ)
|
|
|
|
self.assertEqual(request.POST, {})
|
|
|
|
self.assertEqual(request.FILES, {})
|
|
|
|
self.assertEqual(request.body, payload)
|
|
|
|
|
|
|
|
# Same test without specifying content-type
|
|
|
|
environ.update({'CONTENT_TYPE': '', 'wsgi.input': BytesIO(payload)})
|
|
|
|
request = WSGIRequest(environ)
|
|
|
|
self.assertEqual(request.POST, {})
|
|
|
|
self.assertEqual(request.FILES, {})
|
|
|
|
self.assertEqual(request.body, payload)
|
|
|
|
|
2010-10-30 00:39:25 +08:00
|
|
|
def test_read_by_lines(self):
|
2012-10-20 21:53:28 +08:00
|
|
|
payload = FakePayload('name=value')
|
2011-06-28 18:17:56 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
2012-10-20 20:33:57 +08:00
|
|
|
'CONTENT_TYPE': 'application/x-www-form-urlencoded',
|
2011-06-28 18:17:56 +08:00
|
|
|
'CONTENT_LENGTH': len(payload),
|
2012-10-20 21:53:28 +08:00
|
|
|
'wsgi.input': payload})
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(list(request), [b'name=value'])
|
2011-03-29 00:11:40 +08:00
|
|
|
|
2011-12-17 07:40:32 +08:00
|
|
|
def test_POST_after_body_read(self):
|
2011-03-29 00:11:40 +08:00
|
|
|
"""
|
2011-12-17 07:40:32 +08:00
|
|
|
POST should be populated even if body is read first
|
2011-03-29 00:11:40 +08:00
|
|
|
"""
|
2012-10-20 21:53:28 +08:00
|
|
|
payload = FakePayload('name=value')
|
2011-06-28 18:17:56 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
2012-10-20 20:33:57 +08:00
|
|
|
'CONTENT_TYPE': 'application/x-www-form-urlencoded',
|
2011-06-28 18:17:56 +08:00
|
|
|
'CONTENT_LENGTH': len(payload),
|
2012-10-20 21:53:28 +08:00
|
|
|
'wsgi.input': payload})
|
2013-10-19 20:31:38 +08:00
|
|
|
request.body # evaluate
|
2012-06-08 00:08:47 +08:00
|
|
|
self.assertEqual(request.POST, {'name': ['value']})
|
2011-03-29 00:11:40 +08:00
|
|
|
|
2011-12-17 07:40:32 +08:00
|
|
|
def test_POST_after_body_read_and_stream_read(self):
|
2011-03-29 00:11:40 +08:00
|
|
|
"""
|
2011-12-17 07:40:32 +08:00
|
|
|
POST should be populated even if body is read first, and then
|
2011-03-29 00:11:40 +08:00
|
|
|
the stream is read second.
|
|
|
|
"""
|
2012-10-20 21:53:28 +08:00
|
|
|
payload = FakePayload('name=value')
|
2011-06-28 18:17:56 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
2012-10-20 20:33:57 +08:00
|
|
|
'CONTENT_TYPE': 'application/x-www-form-urlencoded',
|
2011-06-28 18:17:56 +08:00
|
|
|
'CONTENT_LENGTH': len(payload),
|
2012-10-20 21:53:28 +08:00
|
|
|
'wsgi.input': payload})
|
2013-10-19 20:31:38 +08:00
|
|
|
request.body # evaluate
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(request.read(1), b'n')
|
2012-06-08 00:08:47 +08:00
|
|
|
self.assertEqual(request.POST, {'name': ['value']})
|
2011-03-29 00:11:40 +08:00
|
|
|
|
2011-12-17 07:40:32 +08:00
|
|
|
def test_POST_after_body_read_and_stream_read_multipart(self):
|
2011-03-29 00:11:40 +08:00
|
|
|
"""
|
2011-12-17 07:40:32 +08:00
|
|
|
POST should be populated even if body is read first, and then
|
2011-03-29 00:11:40 +08:00
|
|
|
the stream is read second. Using multipart/form-data instead of urlencoded.
|
|
|
|
"""
|
2012-10-20 21:53:28 +08:00
|
|
|
payload = FakePayload("\r\n".join([
|
2013-10-20 07:33:10 +08:00
|
|
|
'--boundary',
|
|
|
|
'Content-Disposition: form-data; name="name"',
|
|
|
|
'',
|
|
|
|
'value',
|
|
|
|
'--boundary--'
|
|
|
|
'']))
|
2011-03-29 00:11:40 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
|
|
|
'CONTENT_TYPE': 'multipart/form-data; boundary=boundary',
|
|
|
|
'CONTENT_LENGTH': len(payload),
|
2012-10-20 21:53:28 +08:00
|
|
|
'wsgi.input': payload})
|
2013-10-19 20:31:38 +08:00
|
|
|
request.body # evaluate
|
2011-03-29 00:11:40 +08:00
|
|
|
# Consume enough data to mess up the parsing:
|
2012-05-19 23:43:34 +08:00
|
|
|
self.assertEqual(request.read(13), b'--boundary\r\nC')
|
2012-06-08 00:08:47 +08:00
|
|
|
self.assertEqual(request.POST, {'name': ['value']})
|
2011-12-17 07:40:32 +08:00
|
|
|
|
2012-02-11 06:51:07 +08:00
|
|
|
def test_POST_connection_error(self):
|
|
|
|
"""
|
|
|
|
If wsgi.input.read() raises an exception while trying to read() the
|
|
|
|
POST, the exception should be identifiable (not a generic IOError).
|
|
|
|
"""
|
2012-08-11 17:11:20 +08:00
|
|
|
class ExplodingBytesIO(BytesIO):
|
2012-02-11 06:51:07 +08:00
|
|
|
def read(self, len=0):
|
|
|
|
raise IOError("kaboom!")
|
|
|
|
|
2012-05-19 23:43:34 +08:00
|
|
|
payload = b'name=value'
|
2012-02-11 06:51:07 +08:00
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
2012-10-20 20:33:57 +08:00
|
|
|
'CONTENT_TYPE': 'application/x-www-form-urlencoded',
|
2012-02-11 06:51:07 +08:00
|
|
|
'CONTENT_LENGTH': len(payload),
|
2012-08-11 17:11:20 +08:00
|
|
|
'wsgi.input': ExplodingBytesIO(payload)})
|
2012-02-11 06:51:07 +08:00
|
|
|
|
2012-12-25 06:20:38 +08:00
|
|
|
with self.assertRaises(UnreadablePostError):
|
|
|
|
request.body
|
2013-02-06 05:52:29 +08:00
|
|
|
|
2013-06-01 16:26:46 +08:00
|
|
|
def test_FILES_connection_error(self):
|
|
|
|
"""
|
|
|
|
If wsgi.input.read() raises an exception while trying to read() the
|
|
|
|
FILES, the exception should be identifiable (not a generic IOError).
|
|
|
|
"""
|
|
|
|
class ExplodingBytesIO(BytesIO):
|
|
|
|
def read(self, len=0):
|
|
|
|
raise IOError("kaboom!")
|
|
|
|
|
|
|
|
payload = b'x'
|
|
|
|
request = WSGIRequest({'REQUEST_METHOD': 'POST',
|
|
|
|
'CONTENT_TYPE': 'multipart/form-data; boundary=foo_',
|
|
|
|
'CONTENT_LENGTH': len(payload),
|
|
|
|
'wsgi.input': ExplodingBytesIO(payload)})
|
|
|
|
|
|
|
|
with self.assertRaises(UnreadablePostError):
|
|
|
|
request.FILES
|
|
|
|
|
2013-03-01 00:05:25 +08:00
|
|
|
|
2013-07-13 16:16:40 +08:00
|
|
|
class HostValidationTests(SimpleTestCase):
|
|
|
|
poisoned_hosts = [
|
|
|
|
'example.com@evil.tld',
|
|
|
|
'example.com:dr.frankenstein@evil.tld',
|
|
|
|
'example.com:dr.frankenstein@evil.tld:80',
|
|
|
|
'example.com:80/badpath',
|
|
|
|
'example.com: recovermypassword.com',
|
|
|
|
]
|
|
|
|
|
|
|
|
@override_settings(
|
|
|
|
USE_X_FORWARDED_HOST=False,
|
|
|
|
ALLOWED_HOSTS=[
|
|
|
|
'forward.com', 'example.com', 'internal.com', '12.34.56.78',
|
|
|
|
'[2001:19f0:feee::dead:beef:cafe]', 'xn--4ca9at.com',
|
|
|
|
'.multitenant.com', 'INSENSITIVE.com',
|
2013-10-18 17:02:43 +08:00
|
|
|
])
|
2013-07-13 16:16:40 +08:00
|
|
|
def test_http_get_host(self):
|
|
|
|
# Check if X_FORWARDED_HOST is provided.
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_X_FORWARDED_HOST': 'forward.com',
|
|
|
|
'HTTP_HOST': 'example.com',
|
|
|
|
'SERVER_NAME': 'internal.com',
|
|
|
|
'SERVER_PORT': 80,
|
|
|
|
}
|
|
|
|
# X_FORWARDED_HOST is ignored.
|
|
|
|
self.assertEqual(request.get_host(), 'example.com')
|
|
|
|
|
|
|
|
# Check if X_FORWARDED_HOST isn't provided.
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_HOST': 'example.com',
|
|
|
|
'SERVER_NAME': 'internal.com',
|
|
|
|
'SERVER_PORT': 80,
|
|
|
|
}
|
|
|
|
self.assertEqual(request.get_host(), 'example.com')
|
|
|
|
|
|
|
|
# Check if HTTP_HOST isn't provided.
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'SERVER_NAME': 'internal.com',
|
|
|
|
'SERVER_PORT': 80,
|
|
|
|
}
|
|
|
|
self.assertEqual(request.get_host(), 'internal.com')
|
|
|
|
|
|
|
|
# Check if HTTP_HOST isn't provided, and we're on a nonstandard port
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'SERVER_NAME': 'internal.com',
|
|
|
|
'SERVER_PORT': 8042,
|
|
|
|
}
|
|
|
|
self.assertEqual(request.get_host(), 'internal.com:8042')
|
|
|
|
|
|
|
|
legit_hosts = [
|
|
|
|
'example.com',
|
|
|
|
'example.com:80',
|
|
|
|
'12.34.56.78',
|
|
|
|
'12.34.56.78:443',
|
|
|
|
'[2001:19f0:feee::dead:beef:cafe]',
|
|
|
|
'[2001:19f0:feee::dead:beef:cafe]:8080',
|
2013-11-03 05:02:56 +08:00
|
|
|
'xn--4ca9at.com', # Punnycode for öäü.com
|
2013-07-13 16:16:40 +08:00
|
|
|
'anything.multitenant.com',
|
|
|
|
'multitenant.com',
|
|
|
|
'insensitive.com',
|
2013-10-25 01:34:40 +08:00
|
|
|
'example.com.',
|
|
|
|
'example.com.:80',
|
2013-07-13 16:16:40 +08:00
|
|
|
]
|
|
|
|
|
|
|
|
for host in legit_hosts:
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_HOST': host,
|
|
|
|
}
|
|
|
|
request.get_host()
|
|
|
|
|
|
|
|
# Poisoned host headers are rejected as suspicious
|
2013-10-25 01:34:40 +08:00
|
|
|
for host in chain(self.poisoned_hosts, ['other.com', 'example.com..']):
|
2013-07-13 16:16:40 +08:00
|
|
|
with self.assertRaises(SuspiciousOperation):
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_HOST': host,
|
|
|
|
}
|
|
|
|
request.get_host()
|
|
|
|
|
|
|
|
@override_settings(USE_X_FORWARDED_HOST=True, ALLOWED_HOSTS=['*'])
|
|
|
|
def test_http_get_host_with_x_forwarded_host(self):
|
|
|
|
# Check if X_FORWARDED_HOST is provided.
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_X_FORWARDED_HOST': 'forward.com',
|
|
|
|
'HTTP_HOST': 'example.com',
|
|
|
|
'SERVER_NAME': 'internal.com',
|
|
|
|
'SERVER_PORT': 80,
|
|
|
|
}
|
|
|
|
# X_FORWARDED_HOST is obeyed.
|
|
|
|
self.assertEqual(request.get_host(), 'forward.com')
|
|
|
|
|
|
|
|
# Check if X_FORWARDED_HOST isn't provided.
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_HOST': 'example.com',
|
|
|
|
'SERVER_NAME': 'internal.com',
|
|
|
|
'SERVER_PORT': 80,
|
|
|
|
}
|
|
|
|
self.assertEqual(request.get_host(), 'example.com')
|
|
|
|
|
|
|
|
# Check if HTTP_HOST isn't provided.
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'SERVER_NAME': 'internal.com',
|
|
|
|
'SERVER_PORT': 80,
|
|
|
|
}
|
|
|
|
self.assertEqual(request.get_host(), 'internal.com')
|
|
|
|
|
|
|
|
# Check if HTTP_HOST isn't provided, and we're on a nonstandard port
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'SERVER_NAME': 'internal.com',
|
|
|
|
'SERVER_PORT': 8042,
|
|
|
|
}
|
|
|
|
self.assertEqual(request.get_host(), 'internal.com:8042')
|
|
|
|
|
|
|
|
# Poisoned host headers are rejected as suspicious
|
|
|
|
legit_hosts = [
|
|
|
|
'example.com',
|
|
|
|
'example.com:80',
|
|
|
|
'12.34.56.78',
|
|
|
|
'12.34.56.78:443',
|
|
|
|
'[2001:19f0:feee::dead:beef:cafe]',
|
|
|
|
'[2001:19f0:feee::dead:beef:cafe]:8080',
|
2013-11-03 05:02:56 +08:00
|
|
|
'xn--4ca9at.com', # Punnycode for öäü.com
|
2013-07-13 16:16:40 +08:00
|
|
|
]
|
|
|
|
|
|
|
|
for host in legit_hosts:
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_HOST': host,
|
|
|
|
}
|
|
|
|
request.get_host()
|
|
|
|
|
|
|
|
for host in self.poisoned_hosts:
|
|
|
|
with self.assertRaises(SuspiciousOperation):
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_HOST': host,
|
|
|
|
}
|
|
|
|
request.get_host()
|
|
|
|
|
|
|
|
@override_settings(DEBUG=True, ALLOWED_HOSTS=[])
|
|
|
|
def test_host_validation_disabled_in_debug_mode(self):
|
|
|
|
"""If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass."""
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_HOST': 'example.com',
|
|
|
|
}
|
|
|
|
self.assertEqual(request.get_host(), 'example.com')
|
|
|
|
|
2013-03-28 00:37:08 +08:00
|
|
|
# Invalid hostnames would normally raise a SuspiciousOperation,
|
|
|
|
# but we have DEBUG=True, so this check is disabled.
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {
|
|
|
|
'HTTP_HOST': "invalid_hostname.com",
|
|
|
|
}
|
|
|
|
self.assertEqual(request.get_host(), "invalid_hostname.com")
|
2013-07-13 16:16:40 +08:00
|
|
|
|
|
|
|
@override_settings(ALLOWED_HOSTS=[])
|
|
|
|
def test_get_host_suggestion_of_allowed_host(self):
|
|
|
|
"""get_host() makes helpful suggestions if a valid-looking host is not in ALLOWED_HOSTS."""
|
|
|
|
msg_invalid_host = "Invalid HTTP_HOST header: %r."
|
2014-07-06 08:20:19 +08:00
|
|
|
msg_suggestion = msg_invalid_host + " You may need to add %r to ALLOWED_HOSTS."
|
|
|
|
msg_suggestion2 = msg_invalid_host + " The domain name provided is not valid according to RFC 1034/1035"
|
2013-07-13 16:16:40 +08:00
|
|
|
|
2013-11-03 05:02:56 +08:00
|
|
|
for host in [ # Valid-looking hosts
|
2013-07-13 16:16:40 +08:00
|
|
|
'example.com',
|
|
|
|
'12.34.56.78',
|
|
|
|
'[2001:19f0:feee::dead:beef:cafe]',
|
2013-11-03 05:02:56 +08:00
|
|
|
'xn--4ca9at.com', # Punnycode for öäü.com
|
2013-07-13 16:16:40 +08:00
|
|
|
]:
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {'HTTP_HOST': host}
|
|
|
|
self.assertRaisesMessage(
|
|
|
|
SuspiciousOperation,
|
|
|
|
msg_suggestion % (host, host),
|
|
|
|
request.get_host
|
|
|
|
)
|
|
|
|
|
2013-11-03 05:02:56 +08:00
|
|
|
for domain, port in [ # Valid-looking hosts with a port number
|
2013-07-13 16:16:40 +08:00
|
|
|
('example.com', 80),
|
|
|
|
('12.34.56.78', 443),
|
|
|
|
('[2001:19f0:feee::dead:beef:cafe]', 8080),
|
|
|
|
]:
|
|
|
|
host = '%s:%s' % (domain, port)
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {'HTTP_HOST': host}
|
|
|
|
self.assertRaisesMessage(
|
|
|
|
SuspiciousOperation,
|
|
|
|
msg_suggestion % (host, domain),
|
|
|
|
request.get_host
|
|
|
|
)
|
|
|
|
|
|
|
|
for host in self.poisoned_hosts:
|
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {'HTTP_HOST': host}
|
|
|
|
self.assertRaisesMessage(
|
|
|
|
SuspiciousOperation,
|
|
|
|
msg_invalid_host % host,
|
|
|
|
request.get_host
|
|
|
|
)
|
|
|
|
|
2013-03-28 00:37:08 +08:00
|
|
|
request = HttpRequest()
|
|
|
|
request.META = {'HTTP_HOST': "invalid_hostname.com"}
|
|
|
|
self.assertRaisesMessage(
|
|
|
|
SuspiciousOperation,
|
|
|
|
msg_suggestion2 % "invalid_hostname.com",
|
|
|
|
request.get_host
|
|
|
|
)
|
2013-11-04 07:34:11 +08:00
|
|
|
|
|
|
|
|
|
|
|
class BuildAbsoluteURITestCase(SimpleTestCase):
|
|
|
|
"""
|
|
|
|
Regression tests for ticket #18314.
|
|
|
|
"""
|
|
|
|
|
|
|
|
def setUp(self):
|
|
|
|
self.factory = RequestFactory()
|
|
|
|
|
|
|
|
def test_build_absolute_uri_no_location(self):
|
|
|
|
"""
|
|
|
|
Ensures that ``request.build_absolute_uri()`` returns the proper value
|
|
|
|
when the ``location`` argument is not provided, and ``request.path``
|
|
|
|
begins with //.
|
|
|
|
"""
|
|
|
|
# //// is needed to create a request with a path beginning with //
|
|
|
|
request = self.factory.get('////absolute-uri')
|
|
|
|
self.assertEqual(
|
|
|
|
request.build_absolute_uri(),
|
|
|
|
'http://testserver//absolute-uri'
|
|
|
|
)
|
|
|
|
|
|
|
|
def test_build_absolute_uri_absolute_location(self):
|
|
|
|
"""
|
|
|
|
Ensures that ``request.build_absolute_uri()`` returns the proper value
|
|
|
|
when an absolute URL ``location`` argument is provided, and
|
|
|
|
``request.path`` begins with //.
|
|
|
|
"""
|
|
|
|
# //// is needed to create a request with a path beginning with //
|
|
|
|
request = self.factory.get('////absolute-uri')
|
|
|
|
self.assertEqual(
|
|
|
|
request.build_absolute_uri(location='http://example.com/?foo=bar'),
|
|
|
|
'http://example.com/?foo=bar'
|
|
|
|
)
|
|
|
|
|
|
|
|
def test_build_absolute_uri_schema_relative_location(self):
|
|
|
|
"""
|
|
|
|
Ensures that ``request.build_absolute_uri()`` returns the proper value
|
|
|
|
when a schema-relative URL ``location`` argument is provided, and
|
|
|
|
``request.path`` begins with //.
|
|
|
|
"""
|
|
|
|
# //// is needed to create a request with a path beginning with //
|
|
|
|
request = self.factory.get('////absolute-uri')
|
|
|
|
self.assertEqual(
|
|
|
|
request.build_absolute_uri(location='//example.com/?foo=bar'),
|
|
|
|
'http://example.com/?foo=bar'
|
|
|
|
)
|
|
|
|
|
|
|
|
def test_build_absolute_uri_relative_location(self):
|
|
|
|
"""
|
|
|
|
Ensures that ``request.build_absolute_uri()`` returns the proper value
|
|
|
|
when a relative URL ``location`` argument is provided, and
|
|
|
|
``request.path`` begins with //.
|
|
|
|
"""
|
|
|
|
# //// is needed to create a request with a path beginning with //
|
|
|
|
request = self.factory.get('////absolute-uri')
|
|
|
|
self.assertEqual(
|
|
|
|
request.build_absolute_uri(location='/foo/bar/'),
|
|
|
|
'http://testserver/foo/bar/'
|
|
|
|
)
|