[Zope-Checkins] CVS: Zope/lib/python/reStructuredText/tests - testReST.py:1.1.2.2

Tres Seaver tseaver at palladion.com
Mon Jul 10 17:28:33 EDT 2006 

Update of /cvs-repository/Zope/lib/python/reStructuredText/tests
In directory cvs.zope.org:/tmp/cvs-serv7924/lib/python/reStructuredText/tests

Modified Files:
      Tag: Zope-2_7-branch
	testReST.py 
Log Message:
 - Backport tests and fixes for ReST file inclusion vulnerability.


=== Zope/lib/python/reStructuredText/tests/testReST.py 1.1.2.1 => 1.1.2.2 ===
--- Zope/lib/python/reStructuredText/tests/testReST.py:1.1.2.1	Thu Jan 13 16:28:24 2005
+++ Zope/lib/python/reStructuredText/tests/testReST.py	Mon Jul 10 17:28:30 2006
@@ -1,5 +1,5 @@
-
 import unittest
+from reStructuredText import HTML
 
 
 class TestReST(unittest.TestCase):
@@ -8,6 +8,58 @@
         # Make sure we can import the rst parser
         from docutils.parsers import rst
 
+    def test_include_directive_raises(self):
+        source = 'hello world\n .. include:: /etc/passwd'
+        self.assertRaises(NotImplementedError, HTML, source)
+
+    def test_raw_directive_disabled(self):
+
+        EXPECTED = '<h1>HELLO WORLD</h1>'
+
+        source = '.. raw:: html\n\n  %s\n' % EXPECTED
+        result = HTML(source)       # don't raise, but don't work either
+        self.failIf(EXPECTED in result)
+
+        self.failUnless("&quot;raw&quot; directive disabled" in result)
+        from cgi import escape
+        self.failUnless(escape(EXPECTED) in result)
+
+    def test_raw_directive_file_option_raises(self):
+
+        source = '.. raw:: html\n  :file: inclusion.txt'
+        self.assertRaises(NotImplementedError, HTML, source)
+
+    def test_raw_directive_url_option_raises(self):
+
+        source = '.. raw:: html\n  :url: http://www.zope.org'
+        self.assertRaises(NotImplementedError, HTML, source)
+
+
+    def test_include_directive_raises(self):
+        source = 'hello world\n .. include:: /etc/passwd'
+        self.assertRaises(NotImplementedError, HTML, source)
+
+    def test_raw_directive_disabled(self):
+
+        EXPECTED = '<h1>HELLO WORLD</h1>'
+
+        source = '.. raw:: html\n\n  %s\n' % EXPECTED
+        result = HTML(source)       # don't raise, but don't work either
+        self.failIf(EXPECTED in result)
+
+        self.failUnless("&quot;raw&quot; directive disabled" in result)
+        from cgi import escape
+        self.failUnless(escape(EXPECTED) in result)
+
+    def test_raw_directive_file_option_raises(self):
+
+        source = '.. raw:: html\n  :file: inclusion.txt'
+        self.assertRaises(NotImplementedError, HTML, source)
+
+    def test_raw_directive_url_option_raises(self):
+
+        source = '.. raw:: html\n  :url: http://www.zope.org'
+        self.assertRaises(NotImplementedError, HTML, source)
 
 def test_suite():
     from unittest import TestSuite, makeSuite

More information about the Zope-Checkins mailing list