The test looks good to me, but I think I've spotted a bug _in the test engine_ where the 'RejectHeader' rule doesn't get enforced.
You can strip the 'secure' parameter from this testcase and still it will pass. I've written a patch to fix this. I.e. this:

---request begin---
GET /File2 HTTP/1.1
User-Agent: Wget/1.16.3.168-be847 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 127.0.0.1:44832
Connection: Keep-Alive
Cookie: sess-id=0213
---request end---
HTTP request sent, awaiting response... 127.0.0.1 - - [31/Jan/2016 17:33:20] "GET /File2 HTTP/1.1" 200 -
---response begin---
HTTP/1.1 200 OK
Server: BaseHTTP/0.6 Python/3.4.3+
Date: Sun, 31 Jan 2016 16:33:20 GMT
content-length: 29
content-type: text/plain

versus this:

---request begin---
GET /File2 HTTP/1.1
User-Agent: Wget/1.16.3.168-be847 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 127.0.0.1:37251
Connection: Keep-Alive
Cookie: sess-id=0213
---request end---
HTTP request sent, awaiting response... 127.0.0.1 - - [31/Jan/2016 17:34:18] code 400, message Blacklisted Header Cookie received
127.0.0.1 - - [31/Jan/2016 17:34:18] "GET /File2 HTTP/1.1" 400 -
---response begin---
HTTP/1.1 400 Blacklisted Header Cookie received
Server: BaseHTTP/0.6 Python/3.4.3+
Date: Sun, 31 Jan 2016 16:34:18 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Content-Length: 483
---response end---
400 Blacklisted Header Cookie received Header Cookie received
URI content encoding = ‘utf-8’
Disabling further reuse of socket 3.
Closed fd 3
2016-01-31 17:34:18 ERROR 400: Blacklisted Header Cookie received.

On 01/30/2016 09:31 PM, Kushagra Singh wrote:
Hi,

I'm a bit stuck while writing tests. How do I test the fact that a secure only cookie does not get saved over an insecure connection? Even if the cookie gets saved, it will not be transmitted over an insecure connection (cookie_matches_url() ensures that). So even though I can see in the log that the cookie is not saved, I can't figure out how exactly to test that in the test suite, since I cannot check using RejectHeader. Please find attached the test I have written.

And one thing I noticed, Test-Proto.py tries to import HTTP and HTTPS classes from "misc.constants", which is wrong. It should be imported from test.base_test right?

Regards,
Kushagra

Regards,
- AJ
>From 325c1de3894b86b7a708ea56cb45acfc59ebbfb7 Mon Sep 17 00:00:00 2001 From: Ander Juaristi <[email protected]> Date: Sun, 31 Jan 2016 17:27:11 +0100 Subject: [PATCH] Enforce 'RejectHeader' rule in tests * server/http/http_server.py (_Handler.RejectHeader): enforce 'RejectHeader' rule. --- testenv/server/http/http_server.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py index 78aa605..e96f6e8 100644 --- a/testenv/server/http/http_server.py +++ b/testenv/server/http/http_server.py @@ -369,7 +369,7 @@ class _Handler(BaseHTTPRequestHandler): rej_headers = header_obj.headers for header_line in rej_headers: header_recd = self.headers.get(header_line) - if not header_recd and header_recd == rej_headers[header_line]: + if header_recd and header_recd == rej_headers[header_line]: self.send_error(400, 'Blacklisted Header %s received' % header_line) self.finish_headers() -- 2.5.0
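
Review bot: in the `@@ -369,7 +369,7 @@` hunk of http_server.py, the corrected condition still rejects only on an exact value match (`header_recd == rej_headers[header_line]`), so a request that sends the header with any value other than the one listed in the rule is accepted. If a RejectHeader rule is meant to assert that the header is not sent at all, that case needs a presence check; if exact match is the intended semantics, a short comment above the condition saying so would help. The leading `header_recd and` only matters when the rule value itself can be empty, because the removed `not header_recd and header_recd == ...` could hold only when both sides were empty or missing, which is why the rule never fired. A test in testenv that expects the 400 response would keep this from regressing silently again.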
