[Zope-Checkins] CVS: Zope/lib/python/Products/ZReST/tests - __init__.py:1.1.2.1 test_ZReST.py:1.1.2.1

Tres Seaver tseaver at palladion.com
Mon Jul 10 17:28:30 EDT 2006 

Update of /cvs-repository/Zope/lib/python/Products/ZReST/tests
In directory cvs.zope.org:/tmp/cvs-serv7924/lib/python/Products/ZReST/tests

Added Files:
      Tag: Zope-2_7-branch
	__init__.py test_ZReST.py 
Log Message:
 - Backport tests and fixes for ReST file inclusion vulnerability.


=== Added File Zope/lib/python/Products/ZReST/tests/__init__.py ===
""" Unit tests for ZReST product.

$Id: __init__.py,v 1.1.2.1 2006/07/10 21:28:29 tseaver Exp $
"""


=== Added File Zope/lib/python/Products/ZReST/tests/test_ZReST.py ===
""" Unit tests for ZReST objects

$Id: test_ZReST.py,v 1.1.2.1 2006/07/10 21:28:29 tseaver Exp $
"""
import unittest

class TestZReST(unittest.TestCase):

    def _getTargetClass(self):
        from Products.ZReST.ZReST import ZReST
        return ZReST

    def _makeOne(self, id='test', *args, **kw):
        return self._getTargetClass()(id=id, *args, **kw)

    def test_include_directive_raises(self):
        resty = self._makeOne()
        resty.source = 'hello world\n .. include:: /etc/passwd'
        self.assertRaises(NotImplementedError, resty.render)

    def test_raw_directive_disabled(self):

        EXPECTED = '<h1>HELLO WORLD</h1>'

        resty = self._makeOne()
        resty.source = '.. raw:: html\n\n  %s\n' % EXPECTED
        resty.render() # don't raise, but don't work either
        result = resty.formatted
        self.failIf(EXPECTED in result)

        self.failUnless("&quot;raw&quot; directive disabled" in result)
        from cgi import escape
        self.failUnless(escape(EXPECTED) in result)

    def test_raw_directive_file_directive_raises(self):

        resty = self._makeOne()
        resty.source = '.. raw:: html\n  :file: inclusion.txt'
        self.assertRaises(NotImplementedError, resty.render)

    def test_raw_directive_url_directive_raises(self):

        resty = self._makeOne()
        resty.source = '.. raw:: html\n  :url: http://www.zope.org/'
        self.assertRaises(NotImplementedError, resty.render)

def test_suite():
    suite = unittest.TestSuite()
    suite.addTest(unittest.makeSuite(TestZReST))
    return suite

if __name__ == '__main__':
    unittest.main(defaultSuite='test_suite')

More information about the Zope-Checkins mailing list