Commit 8c326d42 authored by Tres Seaver's avatar Tres Seaver

Backport tests for ZReST / reStructuredText security fixes.

parent 75d308f3
...@@ -29,6 +29,36 @@ class TestZReST(unittest.TestCase): ...@@ -29,6 +29,36 @@ class TestZReST(unittest.TestCase):
self.failIf('IGNORE ME' in resty.index_html()) self.failIf('IGNORE ME' in resty.index_html())
def test_include_directive_raises(self):
resty = self._makeOne()
resty.source = 'hello world\n .. include:: /etc/passwd'
self.assertRaises(NotImplementedError, resty.render)
def test_raw_directive_disabled(self):
EXPECTED = '<h1>HELLO WORLD</h1>'
resty = self._makeOne()
resty.source = '.. raw:: html\n\n %s\n' % EXPECTED
result = resty.render() # don't raise, but don't work either
self.failIf(EXPECTED in result)
self.failUnless("&quot;raw&quot; directive disabled" in result)
from cgi import escape
self.failUnless(escape(EXPECTED) in result)
def test_raw_directive_file_directive_raises(self):
resty = self._makeOne()
resty.source = '.. raw:: html\n :file: inclusion.txt'
self.assertRaises(NotImplementedError, resty.render)
def test_raw_directive_url_directive_raises(self):
resty = self._makeOne()
resty.source = '.. raw:: html\n :url: http://www.zope.org/'
self.assertRaises(NotImplementedError, resty.render)
def test_suite(): def test_suite():
suite = unittest.TestSuite() suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestZReST)) suite.addTest(unittest.makeSuite(TestZReST))
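Review bot: `test_raw_directive_file_directive_raises` and `test_raw_directive_url_directive_raises` describe `:file:` and `:url:` as directives, but they are options of the `raw` directive, and the parallel tests this same commit adds to the other test module already call them `test_raw_directive_file_option_raises` / `test_raw_directive_url_option_raises`; renaming the two methods here to those names keeps the two suites symmetric and greppable. The `from cgi import escape` placed inside `test_raw_directive_disabled` belongs with the module-level imports. None of the four new tests say why `NotImplementedError`, rather than a docutils system message in the output, is the expected outcome; a one-line comment on the class such as `# include and raw (with :file:/:url:) are overridden to raise so untrusted source can neither read local files nor inject raw HTML` would make the intent clear to the next maintainer. The enclosing class `TestZReST` starts outside the hunk.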
......
...@@ -42,7 +42,6 @@ def raw(name, arguments, options, content, lineno, ...@@ -42,7 +42,6 @@ def raw(name, arguments, options, content, lineno,
""" """
if options.has_key('file') or options.has_key('url'): if options.has_key('file') or options.has_key('url'):
raise NotImplementedError, 'File inclusion not allowed!' raise NotImplementedError, 'File inclusion not allowed!'
print 2
if ( not state.document.settings.raw_enabled if ( not state.document.settings.raw_enabled
or (not state.document.settings.file_insertion_enabled or (not state.document.settings.file_insertion_enabled
and (options.has_key('file') or options.has_key('url'))) ): and (options.has_key('file') or options.has_key('url'))) ):
......
...@@ -26,6 +26,32 @@ text ...@@ -26,6 +26,32 @@ text
self.assertEquals(output, expected) self.assertEquals(output, expected)
def test_include_directive_raises(self):
source = 'hello world\n .. include:: /etc/passwd'
self.assertRaises(NotImplementedError, HTML, source)
def test_raw_directive_disabled(self):
EXPECTED = '<h1>HELLO WORLD</h1>'
source = '.. raw:: html\n\n %s\n' % EXPECTED
result = HTML(source) # don't raise, but don't work either
self.failIf(EXPECTED in result)
self.failUnless("&quot;raw&quot; directive disabled" in result)
from cgi import escape
self.failUnless(escape(EXPECTED) in result)
def test_raw_directive_file_option_raises(self):
source = '.. raw:: html\n :file: inclusion.txt'
self.assertRaises(NotImplementedError, HTML, source)
def test_raw_directive_url_option_raises(self):
source = '.. raw:: html\n :url: http://www.zope.org'
self.assertRaises(NotImplementedError, HTML, source)
def test_suite(): def test_suite():
from unittest import TestSuite, makeSuite from unittest import TestSuite, makeSuite
return TestSuite((makeSuite(TestReST),)) return TestSuite((makeSuite(TestReST),))
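Review bot: `self.assertRaises(NotImplementedError, HTML, source)` in the three new `_raises` tests pins only the exception type, so any `NotImplementedError` escaping from the docutils pipeline would satisfy them; catching the exception and checking its message, e.g. `self.failUnless('File inclusion not allowed!' in str(e))` for the `:file:`/`:url:` cases (the message the overridden `raw` directive raises elsewhere in this commit), would tie each test to the guard it is meant to cover, with the `include` case checked against whatever message that override raises. In `test_raw_directive_disabled`, `cgi.escape` leaves `"` untouched by default; `EXPECTED` contains no quotes so the assertion holds today, but `escape(EXPECTED, True)` would keep it aligned with the `&quot;` form the same test already expects from docutils if the fixture ever gains quotes. The `from cgi import escape` inside the method belongs with the module imports. The enclosing class `TestReST` starts outside the hunk.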