|
12 | 12 |
|
13 | 13 | from roundup.cgi import client, actions, exceptions |
14 | 14 | from roundup.cgi.exceptions import FormError |
15 | | -from roundup.cgi.templating import HTMLItem, HTMLRequest, NoTemplate |
| 15 | +from roundup.cgi.templating import HTMLItem, HTMLRequest, NoTemplate, anti_csrf_nonce |
16 | 16 | from roundup.cgi.templating import HTMLProperty, _HTMLItem |
17 | 17 | from roundup.cgi.form_parser import FormParser |
18 | 18 | from roundup import init, instance, password, hyperdb, date |
@@ -857,7 +857,7 @@ def hasPermission(s, p, classname=None, d=None, e=None, **kw): |
857 | 857 | </html> |
858 | 858 | """.strip ()) |
859 | 859 |
|
860 | | - def testCsrfHeaderProtection(self): |
| 860 | + def testCsrfProtection(self): |
861 | 861 | # need to set SENDMAILDEBUG to prevent |
862 | 862 | # downstream issue when email is sent on successful |
863 | 863 | # issue creation. Also delete the file afterwards |
@@ -894,7 +894,6 @@ def testCsrfHeaderProtection(self): |
894 | 894 | pt = RoundupPageTemplate() |
895 | 895 | pt.pt_edit(page_template, 'text/html') |
896 | 896 | out = [] |
897 | | - print "out1: ", id(out), out |
898 | 897 | def wh(s): |
899 | 898 | out.append(s) |
900 | 899 | cl.write_html = wh |
@@ -923,7 +922,6 @@ def hasPermission(s, p, classname=None, d=None, e=None, **kw): |
923 | 922 | # test with no headers and config by default requires 1 |
924 | 923 | cl.inner_main() |
925 | 924 | match_at=out[0].find('Unable to verify sufficient headers') |
926 | | - print out[0] |
927 | 925 | self.assertNotEqual(match_at, -1) |
928 | 926 | del(out[0]) |
929 | 927 |
|
@@ -971,6 +969,32 @@ def hasPermission(s, p, classname=None, d=None, e=None, **kw): |
971 | 969 | cl.inner_main() |
972 | 970 | match_at=out[0].find('Invalid X-FORWARDED-HOST whoami.net') |
973 | 971 | self.assertNotEqual(match_at, -1) |
| 972 | + del(cl.env['HTTP_X-FORWARDED-HOST']) |
| 973 | + del(out[0]) |
| 974 | + |
| 975 | + import copy |
| 976 | + |
| 977 | + form2 = copy.copy(form) |
| 978 | + form2.update({'@csrf': 'booogus'}) |
| 979 | + # add a bogus csrf field to the form and rerun the inner_main |
| 980 | + cl.form = makeForm(form2) |
| 981 | + |
| 982 | + cl.env['HTTP_REFERER'] = 'http://whoami.com/path/' |
| 983 | + cl.inner_main() |
| 984 | + match_at=out[0].find('Invalid csrf token found: booogus') |
| 985 | + self.assertEqual(match_at, 36) |
| 986 | + del(out[0]) |
| 987 | + |
| 988 | + form2 = copy.copy(form) |
| 989 | + nonce = anti_csrf_nonce(cl, cl) |
| 990 | + form2.update({'@csrf': nonce}) |
| 991 | + # add a real csrf field to the form and rerun the inner_main |
| 992 | + cl.form = makeForm(form2) |
| 993 | + cl.inner_main() |
| 994 | + # csrf passes and redirects to the new issue. |
| 995 | + match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message') |
| 996 | + self.assertEqual(match_at, 0) |
| 997 | + del(cl.env['HTTP_REFERER']) |
974 | 998 | del(out[0]) |
975 | 999 |
|
976 | 1000 | # clean up from email log |
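Review bot: `self.assertEqual(match_at, 36)` on the bogus-token run (new line 985) pins the error message to a fixed byte offset in the rendered page, so any change to the text preceding it in the error template breaks this test without any CSRF regression; every other check in this method only tests presence, and the consistent form here is `self.assertNotEqual(match_at, -1)` (or `self.assertIn('Invalid csrf token found: booogus', out[0])`). The `import copy` on new line 975 is a function-level import of a stdlib module and belongs with the module imports at the top of the file. The success case only shows that a freshly minted nonce from `anti_csrf_nonce(cl, cl)` is accepted; if nonces are intended to be single-use, resubmitting the same `form2` a second time and asserting the `Invalid csrf token found` message would cover the replay path as well, though I cannot tell from this hunk whether the implementation consumes them. `testCsrfProtection` begins in an earlier hunk and continues past the end of this one.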
|