Commit 84b59619 authored by Tres Seaver's avatar Tres Seaver

Backport tests for ZReST / reStructuredText security fixes.

parent 6be0c1d9
...@@ -29,6 +29,36 @@ class TestZReST(unittest.TestCase): ...@@ -29,6 +29,36 @@ class TestZReST(unittest.TestCase):
self.failIf('IGNORE ME' in resty.index_html()) self.failIf('IGNORE ME' in resty.index_html())
def test_include_directive_raises(self):
resty = self._makeOne()
resty.source = 'hello world\n .. include:: /etc/passwd'
self.assertRaises(NotImplementedError, resty.render)
def test_raw_directive_disabled(self):
EXPECTED = '<h1>HELLO WORLD</h1>'
resty = self._makeOne()
resty.source = '.. raw:: html\n\n %s\n' % EXPECTED
result = resty.render() # don't raise, but don't work either
self.failIf(EXPECTED in result)
self.failUnless("&quot;raw&quot; directive disabled" in result)
from cgi import escape
self.failUnless(escape(EXPECTED) in result)
def test_raw_directive_file_directive_raises(self):
resty = self._makeOne()
resty.source = '.. raw:: html\n :file: inclusion.txt'
self.assertRaises(NotImplementedError, resty.render)
def test_raw_directive_url_directive_raises(self):
resty = self._makeOne()
resty.source = '.. raw:: html\n :url: http://www.zope.org/'
self.assertRaises(NotImplementedError, resty.render)
def test_suite(): def test_suite():
suite = unittest.TestSuite() suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestZReST)) suite.addTest(unittest.makeSuite(TestZReST))
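Review bot: `test_raw_directive_url_directive_raises` points `:url:` at a live host (`http://www.zope.org/`) and `test_include_directive_raises` at `/etc/passwd`, so if the restriction ever regressed these tests would attempt a real outbound fetch or read a real system file, and their result would depend on network and platform. A reserved non-resolvable name and an inert path keep the check hermetic, e.g. `resty.source = '.. raw:: html\n :url: http://example.invalid/'`. The same applies to `test_raw_directive_url_option_raises` and `test_include_directive_raises` in the reStructuredText test hunk. Separately, `:file:` and `:url:` are options of `raw`, so `_file_directive_raises` / `_url_directive_raises` would read better as `_option_raises`, which is how the other file names them.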
......
...@@ -22,6 +22,32 @@ text ...@@ -22,6 +22,32 @@ text
output = HTML(input) output = HTML(input)
self.assertEquals(output, expected) self.assertEquals(output, expected)
def test_include_directive_raises(self):
source = 'hello world\n .. include:: /etc/passwd'
self.assertRaises(NotImplementedError, HTML, source)
def test_raw_directive_disabled(self):
EXPECTED = '<h1>HELLO WORLD</h1>'
source = '.. raw:: html\n\n %s\n' % EXPECTED
result = HTML(source) # don't raise, but don't work either
self.failIf(EXPECTED in result)
self.failUnless("&quot;raw&quot; directive disabled" in result)
from cgi import escape
self.failUnless(escape(EXPECTED) in result)
def test_raw_directive_file_option_raises(self):
source = '.. raw:: html\n :file: inclusion.txt'
self.assertRaises(NotImplementedError, HTML, source)
def test_raw_directive_url_option_raises(self):
source = '.. raw:: html\n :url: http://www.zope.org'
self.assertRaises(NotImplementedError, HTML, source)
def test_suite(): def test_suite():
from unittest import TestSuite, makeSuite from unittest import TestSuite, makeSuite
return TestSuite((makeSuite(TestReST),)) return TestSuite((makeSuite(TestReST),))
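Review bot: `test_raw_directive_disabled` asserts three things without saying why each matters, and the only comment (`# don't raise, but don't work either`) does not explain the escaped-output checks. A comment above the assertions would help, for example `# raw HTML must not pass through; the renderer reports the disabled directive and echoes the source only in HTML-escaped form`. The literal `"&quot;raw&quot; directive disabled"` appears to be the renderer's own message text, so the test is coupled to that wording; a note saying so would save the next maintainer a search when the wording changes. The function-scope `from cgi import escape` would sit better with the module's other imports, which are outside this hunk. The ZReST counterpart of this test has the same shape.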