Oops, just pushed your patch accidentally (thanks anyway). I wanted to wait for Darshit to confirm it...
Regards, Tim

On Sunday, 31 January 2016, 17:40:12, Ander Juaristi wrote:
> The test looks good to me, but I think I've spotted a bug _in the test
> engine_ where the 'RejectHeader' rule doesn't get enforced.
>
> You can strip the 'secure' parameter from this testcase and still it will
> pass. I've written a patch to fix this.
>
> I.e. this:
>
> ---request begin---
> GET /File2 HTTP/1.1
> User-Agent: Wget/1.16.3.168-be847 (linux-gnu)
> Accept: */*
> Accept-Encoding: identity
> Host: 127.0.0.1:44832
> Connection: Keep-Alive
> Cookie: sess-id=0213
>
> ---request end---
> HTTP request sent, awaiting response... 127.0.0.1 - - [31/Jan/2016 17:33:20]
> "GET /File2 HTTP/1.1" 200 -
>
> ---response begin---
> HTTP/1.1 200 OK
> Server: BaseHTTP/0.6 Python/3.4.3+
> Date: Sun, 31 Jan 2016 16:33:20 GMT
> content-length: 29
> content-type: text/plain
>
> versus this:
>
> ---request begin---
> GET /File2 HTTP/1.1
> User-Agent: Wget/1.16.3.168-be847 (linux-gnu)
> Accept: */*
> Accept-Encoding: identity
> Host: 127.0.0.1:37251
> Connection: Keep-Alive
> Cookie: sess-id=0213
>
> ---request end---
> HTTP request sent, awaiting response... 127.0.0.1 - - [31/Jan/2016 17:34:18]
> code 400, message Blacklisted Header Cookie received 127.0.0.1 - -
> [31/Jan/2016 17:34:18] "GET /File2 HTTP/1.1" 400 -
>
> ---response begin---
> HTTP/1.1 400 Blacklisted Header Cookie received
> Server: BaseHTTP/0.6 Python/3.4.3+
> Date: Sun, 31 Jan 2016 16:34:18 GMT
> Content-Type: text/html;charset=utf-8
> Connection: close
> Content-Length: 483
>
> ---response end---
> 400 Blacklisted Header Cookie received
> Header Cookie received
> URI content encoding = ‘utf-8’
> Disabling further reuse of socket 3.
> Closed fd 3
> 2016-01-31 17:34:18 ERROR 400: Blacklisted Header Cookie received.
>
> On 01/30/2016 09:31 PM, Kushagra Singh wrote:
> > Hi,
> >
> > I'm a bit stuck while writing tests. How do I test the fact that a secure
> > only cookie does not get saved over an insecure connection? Even if the
> > cookie gets saved, it will not be transmitted over an insecure connection
> > (cookie_matches_url() ensures that). So even though I can see in the log
> > that the cookie is not saved, I can't figure out how exactly to test that
> > in the test suite, since I cannot check using RejectHeader. Please find
> > attached the test I have written.
> >
> > And one thing I noticed, Test-Proto.py tries to import HTTP and HTTPS
> > classes from "misc.constants", which is wrong. It should be imported from
> > test.base_test right?
> >
> > Regards,
> > Kushagra
>
> Regards,
> - AJ
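
The check discussed in this thread, as an added example that is not part of the original messages and is not code from Wget's test suite: a test server that answers 400 when a blacklisted header arrives, exercised once with a Secure cookie and once with the attribute stripped. Assumptions: Python's `http.cookiejar` stands in for Wget as the client, and `SECURE_COOKIE`, `make_handler`, `file2_status` and the rule table are hypothetical names; only the `sess-id=0213` value and the 400 message come from the logs above.

```python
import http.cookiejar
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed Set-Cookie value; only "sess-id=0213" appears in the thread's logs.
SECURE_COOKIE = "sess-id=0213; path=/; Secure"

def make_handler(set_cookie):
    class RuleHandler(BaseHTTPRequestHandler):
        # Hypothetical rule table: /File1 sets the cookie, /File2 rejects "Cookie".
        rules = {"/File1": {"send": {"Set-Cookie": set_cookie}},
                 "/File2": {"reject": ["Cookie"]}}
        def do_GET(self):
            rule = self.rules.get(self.path, {})
            # Enforce the reject rule before any success response is written.
            for name in rule.get("reject", []):
                if self.headers.get(name) is not None:
                    self.send_error(400, "Blacklisted Header %s received" % name)
                    return
            body = b"ok\n"
            self.send_response(200)
            for key, value in rule.get("send", {}).items():
                self.send_header(key, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the run quiet
            pass
    return RuleHandler

def file2_status(set_cookie):
    """GET /File1 then /File2 over plain HTTP; return the /File2 status code."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(set_cookie))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))
    try:
        opener.open(base + "/File1").close()
        with opener.open(base + "/File2") as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    finally:
        server.shutdown()
        server.server_close()
```

A test of this kind is only meaningful if the second case fails: with the Secure attribute removed the client sends the cookie over HTTP and the server must answer 400.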
