[Checkins] SVN: zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/ Raise a HostNotAllowed error if there is an attempt to access external domains
Brian Sutherland
jinty at web.de
Mon Mar 7 05:42:41 EST 2011
Log message for revision 120779:
Raise a HostNotAllowed error if there is an attempt to access external domains
Changed:
U zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/tests/test_wsgi.py
U zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/wsgi.py
-=-
Modified: zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/tests/test_wsgi.py
===================================================================
--- zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/tests/test_wsgi.py 2011-03-07 10:34:58 UTC (rev 120778)
+++ zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/tests/test_wsgi.py 2011-03-07 10:42:40 UTC (rev 120779)
@@ -27,6 +27,30 @@
SIMPLE_LAYER = SimpleLayer()
+class TestBrowser(unittest.TestCase):
+
+ def test_allowed_domains(self):
+ browser = zope.testbrowser.wsgi.Browser(wsgi_app=demo_app)
+ # external domains are not allowed
+ self.assertRaises(zope.testbrowser.wsgi.HostNotAllowed, browser.open, 'http://www.google.com')
+ self.assertRaises(zope.testbrowser.wsgi.HostNotAllowed, browser.open, 'https://www.google.com')
+ # internal ones are
+ browser.open('http://localhost')
+ self.assertTrue(browser.contents.startswith('Hello world!\n'))
+ browser.open('http://127.0.0.1')
+ self.assertTrue(browser.contents.startswith('Hello world!\n'))
+ # as are example ones
+ browser.open('http://example.com')
+ self.assertTrue(browser.contents.startswith('Hello world!\n'))
+ browser.open('http://example.net')
+ self.assertTrue(browser.contents.startswith('Hello world!\n'))
+ # and subdomains of example
+ browser.open('http://foo.example.com')
+ self.assertTrue(browser.contents.startswith('Hello world!\n'))
+ browser.open('http://bar.example.net')
+ self.assertTrue(browser.contents.startswith('Hello world!\n'))
+
+
class TestWSGILayer(unittest.TestCase):
def setUp(self):
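Review bot: `test_allowed_domains` never exercises the boundary of the suffix match in `assert_allowed_host`: every rejected URL is an unrelated domain, so a regression from `endswith('.%s' % dom)` to a plain `endswith(dom)` would still pass. Add negative cases for look-alike names, for example `self.assertRaises(zope.testbrowser.wsgi.HostNotAllowed, browser.open, 'http://notexample.com')` and the same assertion for `'http://example.com.invalid'`. `example.org` is in the allowed set but is never opened here. A URL with an explicit port such as `http://localhost:8080` is also worth pinning, whichever result is intended.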
Modified: zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/wsgi.py
===================================================================
--- zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/wsgi.py 2011-03-07 10:34:58 UTC (rev 120778)
+++ zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/wsgi.py 2011-03-07 10:42:40 UTC (rev 120779)
@@ -23,13 +23,31 @@
import zope.testbrowser.browser
import zope.testbrowser.connection
+class HostNotAllowed(Exception):
+ pass
+
+_allowed_2nd_level = set(['example.com', 'example.net', 'example.org']) # RFC 2606
+
+_allowed = set(['localhost', '127.0.0.1'])
+_allowed.update(_allowed_2nd_level)
+
class WSGIConnection(object):
"""A ``mechanize`` compatible connection object."""
def __init__(self, test_app, host, timeout=None):
self._test_app = TestApp(test_app)
self.host = host
+ self.assert_allowed_host()
+ def assert_allowed_host(self):
+ host = self.host
+ if host in _allowed:
+ return
+ for dom in _allowed_2nd_level:
+ if host.endswith('.%s' % dom):
+ return
+ raise HostNotAllowed(host)
+
def set_debuglevel(self, level):
pass
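Review bot: `assert_allowed_host` compares `self.host` verbatim against `_allowed`, so a host that reaches the connection with a port or in mixed case (`localhost:8080`, `Example.COM`) would be rejected, assuming the caller passes the netloc through unchanged. The check fails closed, so the guard is not weakened, but legitimate local URLs would raise `HostNotAllowed`. Normalising first would fix that, e.g. `host = self.host.split(':', 1)[0].lower()`, with IPv6 literals needing separate handling if they are ever to be allowed. `HostNotAllowed` has no docstring; something like `"""Raised when the test browser is asked to open a host outside the local/reserved allow-list."""` would tell a reader why the guard exists. The `# RFC 2606` comment could also say that only the reserved second-level names are allowed, not the reserved TLDs. The `WSGIConnection` class body continues outside the hunk.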