Added missed poisoned host header test changes

Preston Holmes 2012-10-18 11:18:25 -07:00
parent 8c46ead92b
commit 773a29295a
1 changed files with 65 additions and 0 deletions


@ -7,6 +7,7 @@ from StringIO import StringIO
from django.conf import settings from django.conf import settings
from django.core.handlers.modpython import ModPythonRequest from django.core.handlers.modpython import ModPythonRequest
from django.core.exceptions import SuspiciousOperation
from django.core.handlers.wsgi import WSGIRequest, LimitedStream from django.core.handlers.wsgi import WSGIRequest, LimitedStream
from django.http import HttpRequest, HttpResponse, parse_cookie, build_request_repr, UnreadablePostError from django.http import HttpRequest, HttpResponse, parse_cookie, build_request_repr, UnreadablePostError
from django.test.utils import get_warnings_state, restore_warnings_state from django.test.utils import get_warnings_state, restore_warnings_state
@ -145,6 +146,38 @@ class RequestsTests(unittest.TestCase):
} }
self.assertEqual(request.get_host(), 'internal.com:8042') self.assertEqual(request.get_host(), 'internal.com:8042')
# Poisoned host headers are rejected as suspicious
legit_hosts = [
'example.com',
'example.com:80',
'12.34.56.78',
'12.34.56.78:443',
'[2001:19f0:feee::dead:beef:cafe]',
'[2001:19f0:feee::dead:beef:cafe]:8080',
]
poisoned_hosts = [
'example.com@evil.tld',
'example.com:dr.frankenstein@evil.tld',
'example.com:someone@somestie.com:80',
'example.com:80/badpath'
]
for host in legit_hosts:
request = HttpRequest()
request.META = {
'HTTP_HOST': host,
}
request.get_host()
for host in poisoned_hosts:
with self.assertRaises(SuspiciousOperation):
request = HttpRequest()
request.META = {
'HTTP_HOST': host,
}
request.get_host()
finally: finally:
settings.USE_X_FORWARDED_HOST = old_USE_X_FORWARDED_HOST settings.USE_X_FORWARDED_HOST = old_USE_X_FORWARDED_HOST
@ -189,6 +222,38 @@ class RequestsTests(unittest.TestCase):
} }
self.assertEqual(request.get_host(), 'internal.com:8042') self.assertEqual(request.get_host(), 'internal.com:8042')
# Poisoned host headers are rejected as suspicious
legit_hosts = [
'example.com',
'example.com:80',
'12.34.56.78',
'12.34.56.78:443',
'[2001:19f0:feee::dead:beef:cafe]',
'[2001:19f0:feee::dead:beef:cafe]:8080',
]
poisoned_hosts = [
'example.com@evil.tld',
'example.com:dr.frankenstein@evil.tld',
'example.com:dr.frankenstein@evil.tld:80',
'example.com:80/badpath'
]
for host in legit_hosts:
request = HttpRequest()
request.META = {
'HTTP_HOST': host,
}
request.get_host()
for host in poisoned_hosts:
with self.assertRaises(SuspiciousOperation):
request = HttpRequest()
request.META = {
'HTTP_HOST': host,
}
request.get_host()
finally: finally:
settings.USE_X_FORWARDED_HOST = old_USE_X_FORWARDED_HOST settings.USE_X_FORWARDED_HOST = old_USE_X_FORWARDED_HOST
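Review bot: Both added blocks put the poisoned value only in `HTTP_HOST`, so the forwarded-host path is never fed a malformed value; the `finally:` lines show these tests toggle `USE_X_FORWARDED_HOST`, and if the block ending at the second `finally:` runs with that setting enabled, its `assertRaises` loop should also cover `'HTTP_X_FORWARDED_HOST': host` in `request.META`. The `legit_hosts` loops call `request.get_host()` and discard the result, so they only prove that no exception is raised; `self.assertEqual(request.get_host(), host)` would also catch a valid bracketed IPv6 or host:port value being altered, assuming get_host() is meant to return the header unchanged. The third `poisoned_hosts` entry differs between the two copies (`'example.com:someone@somestie.com:80'` in the first, `'example.com:dr.frankenstein@evil.tld:80'` in the second), which looks unintended. The enclosing test methods start and end outside the hunks, so which value the setting has in each block is inferred rather than visible.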