[Zope-Checkins] SVN: Zope/branches/2.9/lib/python/ Backport tests
for ZReST / reStructuredText security fixes.
Tres Seaver
tseaver at palladion.com
Mon Jul 10 15:28:15 EDT 2006
Log message for revision 69079:
Backport tests for ZReST / reStructuredText security fixes.
Changed:
U Zope/branches/2.9/lib/python/Products/ZReST/tests/test_ZReST.py
U Zope/branches/2.9/lib/python/docutils/parsers/rst/directives/misc.py
U Zope/branches/2.9/lib/python/reStructuredText/tests/testReST.py
-=-
Modified: Zope/branches/2.9/lib/python/Products/ZReST/tests/test_ZReST.py
===================================================================
--- Zope/branches/2.9/lib/python/Products/ZReST/tests/test_ZReST.py 2006-07-10 19:19:17 UTC (rev 69078)
+++ Zope/branches/2.9/lib/python/Products/ZReST/tests/test_ZReST.py 2006-07-10 19:28:14 UTC (rev 69079)
@@ -29,6 +29,36 @@
self.failIf('IGNORE ME' in resty.index_html())
+ def test_include_directive_raises(self):
+ resty = self._makeOne()
+ resty.source = 'hello world\n .. include:: /etc/passwd'
+ self.assertRaises(NotImplementedError, resty.render)
+
+ def test_raw_directive_disabled(self):
+
+ EXPECTED = '<h1>HELLO WORLD</h1>'
+
+ resty = self._makeOne()
+ resty.source = '.. raw:: html\n\n %s\n' % EXPECTED
+ result = resty.render() # don't raise, but don't work either
+ self.failIf(EXPECTED in result)
+
+ self.failUnless(""raw" directive disabled" in result)
+ from cgi import escape
+ self.failUnless(escape(EXPECTED) in result)
+
+ def test_raw_directive_file_directive_raises(self):
+
+ resty = self._makeOne()
+ resty.source = '.. raw:: html\n :file: inclusion.txt'
+ self.assertRaises(NotImplementedError, resty.render)
+
+ def test_raw_directive_url_directive_raises(self):
+
+ resty = self._makeOne()
+ resty.source = '.. raw:: html\n :url: http://www.zope.org/'
+ self.assertRaises(NotImplementedError, resty.render)
+
def test_suite():
suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestZReST))
Modified: Zope/branches/2.9/lib/python/docutils/parsers/rst/directives/misc.py
===================================================================
--- Zope/branches/2.9/lib/python/docutils/parsers/rst/directives/misc.py 2006-07-10 19:19:17 UTC (rev 69078)
+++ Zope/branches/2.9/lib/python/docutils/parsers/rst/directives/misc.py 2006-07-10 19:28:14 UTC (rev 69079)
@@ -42,7 +42,6 @@
"""
if options.has_key('file') or options.has_key('url'):
raise NotImplementedError, 'File inclusion not allowed!'
- print 2
if ( not state.document.settings.raw_enabled
or (not state.document.settings.file_insertion_enabled
and (options.has_key('file') or options.has_key('url'))) ):
Modified: Zope/branches/2.9/lib/python/reStructuredText/tests/testReST.py
===================================================================
--- Zope/branches/2.9/lib/python/reStructuredText/tests/testReST.py 2006-07-10 19:19:17 UTC (rev 69078)
+++ Zope/branches/2.9/lib/python/reStructuredText/tests/testReST.py 2006-07-10 19:28:14 UTC (rev 69079)
@@ -26,6 +26,32 @@
self.assertEquals(output, expected)
+ def test_include_directive_raises(self):
+ source = 'hello world\n .. include:: /etc/passwd'
+ self.assertRaises(NotImplementedError, HTML, source)
+
+ def test_raw_directive_disabled(self):
+
+ EXPECTED = '<h1>HELLO WORLD</h1>'
+
+ source = '.. raw:: html\n\n %s\n' % EXPECTED
+ result = HTML(source) # don't raise, but don't work either
+ self.failIf(EXPECTED in result)
+
+ self.failUnless(""raw" directive disabled" in result)
+ from cgi import escape
+ self.failUnless(escape(EXPECTED) in result)
+
+ def test_raw_directive_file_option_raises(self):
+
+ source = '.. raw:: html\n :file: inclusion.txt'
+ self.assertRaises(NotImplementedError, HTML, source)
+
+ def test_raw_directive_url_option_raises(self):
+
+ source = '.. raw:: html\n :url: http://www.zope.org'
+ self.assertRaises(NotImplementedError, HTML, source)
+
def test_suite():
from unittest import TestSuite, makeSuite
return TestSuite((makeSuite(TestReST),))
More information about the Zope-Checkins
mailing list