[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/lib/python/
Backport tests for ZReST / reStructuredText security fixes.
Tres Seaver
tseaver at palladion.com
Mon Jul 10 15:19:18 EDT 2006
Log message for revision 69078:
Backport tests for ZReST / reStructuredText security fixes.
Changed:
U Zope/branches/Zope-2_8-branch/lib/python/Products/ZReST/tests/test_ZReST.py
U Zope/branches/Zope-2_8-branch/lib/python/reStructuredText/tests/testReST.py
-=-
Modified: Zope/branches/Zope-2_8-branch/lib/python/Products/ZReST/tests/test_ZReST.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/Products/ZReST/tests/test_ZReST.py 2006-07-10 19:07:18 UTC (rev 69077)
+++ Zope/branches/Zope-2_8-branch/lib/python/Products/ZReST/tests/test_ZReST.py 2006-07-10 19:19:17 UTC (rev 69078)
@@ -29,6 +29,36 @@
self.failIf('IGNORE ME' in resty.index_html())
+ def test_include_directive_raises(self):
+ resty = self._makeOne()
+ resty.source = 'hello world\n .. include:: /etc/passwd'
+ self.assertRaises(NotImplementedError, resty.render)
+
+ def test_raw_directive_disabled(self):
+
+ EXPECTED = '<h1>HELLO WORLD</h1>'
+
+ resty = self._makeOne()
+ resty.source = '.. raw:: html\n\n %s\n' % EXPECTED
+ result = resty.render() # don't raise, but don't work either
+ self.failIf(EXPECTED in result)
+
+ self.failUnless(""raw" directive disabled" in result)
+ from cgi import escape
+ self.failUnless(escape(EXPECTED) in result)
+
+ def test_raw_directive_file_directive_raises(self):
+
+ resty = self._makeOne()
+ resty.source = '.. raw:: html\n :file: inclusion.txt'
+ self.assertRaises(NotImplementedError, resty.render)
+
+ def test_raw_directive_url_directive_raises(self):
+
+ resty = self._makeOne()
+ resty.source = '.. raw:: html\n :url: http://www.zope.org/'
+ self.assertRaises(NotImplementedError, resty.render)
+
def test_suite():
suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestZReST))
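Review bot: `test_raw_directive_url_directive_raises` targets a live host (`http://www.zope.org/`) and `test_include_directive_raises` a real system file (`/etc/passwd`), so if the restriction ever regresses, the test run would presumably fetch the URL or read the file before the assertion fails. A reserved name such as `:url: http://example.invalid/` and a fixture path created by the test keep a regression inert; the matching tests in the testReST.py hunk have the same dependency. `:file:` and `:url:` are options of `raw`, so the names would read better as `test_raw_directive_file_option_raises` and `test_raw_directive_url_option_raises`, as testReST.py already spells them. The line `self.failUnless(""raw" directive disabled" in result)` is not valid Python as displayed; presumably the archive decoded `&quot;` entities, so check it against the repository copy. The TestZReST class begins outside this hunk.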
Modified: Zope/branches/Zope-2_8-branch/lib/python/reStructuredText/tests/testReST.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/reStructuredText/tests/testReST.py 2006-07-10 19:07:18 UTC (rev 69077)
+++ Zope/branches/Zope-2_8-branch/lib/python/reStructuredText/tests/testReST.py 2006-07-10 19:19:17 UTC (rev 69078)
@@ -22,6 +22,32 @@
output = HTML(input)
self.assertEquals(output, expected)
+ def test_include_directive_raises(self):
+ source = 'hello world\n .. include:: /etc/passwd'
+ self.assertRaises(NotImplementedError, HTML, source)
+
+ def test_raw_directive_disabled(self):
+
+ EXPECTED = '<h1>HELLO WORLD</h1>'
+
+ source = '.. raw:: html\n\n %s\n' % EXPECTED
+ result = HTML(source) # don't raise, but don't work either
+ self.failIf(EXPECTED in result)
+
+ self.failUnless(""raw" directive disabled" in result)
+ from cgi import escape
+ self.failUnless(escape(EXPECTED) in result)
+
+ def test_raw_directive_file_option_raises(self):
+
+ source = '.. raw:: html\n :file: inclusion.txt'
+ self.assertRaises(NotImplementedError, HTML, source)
+
+ def test_raw_directive_url_option_raises(self):
+
+ source = '.. raw:: html\n :url: http://www.zope.org'
+ self.assertRaises(NotImplementedError, HTML, source)
+
def test_suite():
from unittest import TestSuite, makeSuite
return TestSuite((makeSuite(TestReST),))
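Review bot: These tests pin `include` and the `:file:`/`:url:` options of `raw`, but nothing here exercises any other directive that can read external content; docutils' `csv-table` also accepts `:file:` and `:url:`. Whether the backported fix covers it cannot be seen from this hunk, so if the bundled docutils ships that directive, a sibling test along the lines of `self.assertRaises(NotImplementedError, HTML, '.. csv-table::\n   :file: inclusion.txt')` would settle it, with the expected outcome adjusted to whatever the fix does there. A one-line comment above the group, e.g. `# reST source must not be able to read server files or fetch URLs`, would record why these cases exist. The TestReST class begins outside this hunk.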