Update of /cvs-repository/Zope/lib/python/reStructuredText/tests In directory cvs.zope.org:/tmp/cvs-serv7924/lib/python/reStructuredText/tests
Modified Files: Tag: Zope-2_7-branch testReST.py Log Message: - Backport tests and fixes for ReST file inclusion vulnerability. === Zope/lib/python/reStructuredText/tests/testReST.py 1.1.2.1 => 1.1.2.2 === --- Zope/lib/python/reStructuredText/tests/testReST.py:1.1.2.1 Thu Jan 13 16:28:24 2005 +++ Zope/lib/python/reStructuredText/tests/testReST.py Mon Jul 10 17:28:30 2006 @@ -1,5 +1,5 @@ - import unittest +from reStructuredText import HTML class TestReST(unittest.TestCase): 
@@ -8,6 +8,58 @@ # Make sure we can import the rst parser from docutils.parsers import rst + def test_include_directive_raises(self): + source = 'hello world\n .. include:: /etc/passwd' + self.assertRaises(NotImplementedError, HTML, source) + + def test_raw_directive_disabled(self): + + EXPECTED = '<h1>HELLO WORLD</h1>' + + source = '.. raw:: html\n\n %s\n' % EXPECTED + result = HTML(source) # don't raise, but don't work either + self.failIf(EXPECTED in result) + + self.failUnless(""raw" directive disabled" in result) + from cgi import escape + self.failUnless(escape(EXPECTED) in result) + + def test_raw_directive_file_option_raises(self): + + source = '.. raw:: html\n :file: inclusion.txt' + self.assertRaises(NotImplementedError, HTML, source) + + def test_raw_directive_url_option_raises(self): + + source = '.. raw:: html\n :url: http://www.zope.org' + self.assertRaises(NotImplementedError, HTML, source) + + + def test_include_directive_raises(self): + source = 'hello world\n .. include:: /etc/passwd' + self.assertRaises(NotImplementedError, HTML, source) + + def test_raw_directive_disabled(self): + + EXPECTED = '<h1>HELLO WORLD</h1>' + + source = '.. raw:: html\n\n %s\n' % EXPECTED + result = HTML(source) # don't raise, but don't work either + self.failIf(EXPECTED in result) + + self.failUnless(""raw" directive disabled" in result) + from cgi import escape + self.failUnless(escape(EXPECTED) in result) + + def test_raw_directive_file_option_raises(self): + + source = '.. raw:: html\n :file: inclusion.txt' + self.assertRaises(NotImplementedError, HTML, source) + + def test_raw_directive_url_option_raises(self): + + source = '.. raw:: html\n :url: http://www.zope.org' + self.assertRaises(NotImplementedError, HTML, source) def test_suite(): from unittest import TestSuite, makeSuite _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins
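Review bot: The four added tests (`test_include_directive_raises`, `test_raw_directive_disabled`, `test_raw_directive_file_option_raises`, `test_raw_directive_url_option_raises`) appear twice in this hunk with identical names and bodies. The second set of `def`s rebinds the first in the `TestReST` namespace, so only one copy ever runs. This looks like a backport merge artifact; drop the second copy, from the repeated `def test_include_directive_raises(self):` down to the line before `def test_suite():`. The tests also pin only `include` and `raw` with `:file:`/`:url:`. If the bundled docutils has other directives that accept those options (`csv-table` does in later releases), add a test in the same style, for example `source = '.. csv-table::\n   :file: inclusion.txt'`, asserting that the file content never reaches the output. The `TestReST` class body begins outside this hunk, so existing method names there could not be checked for collisions.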