[Checkins] SVN: zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/ Raise a HostNotAllowed error if there is an attempt to access external domains

Brian Sutherland jinty at web.de
Mon Mar 7 05:42:41 EST 2011


Log message for revision 120779:
  Raise a HostNotAllowed error if there is an attempt to access external domains

Changed:
  U   zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/tests/test_wsgi.py
  U   zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/wsgi.py

-=-
Modified: zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/tests/test_wsgi.py
===================================================================
--- zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/tests/test_wsgi.py	2011-03-07 10:34:58 UTC (rev 120778)
+++ zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/tests/test_wsgi.py	2011-03-07 10:42:40 UTC (rev 120779)
@@ -27,6 +27,30 @@
 SIMPLE_LAYER = SimpleLayer()
 
 
+class TestBrowser(unittest.TestCase):
+
+    def test_allowed_domains(self):
+        browser = zope.testbrowser.wsgi.Browser(wsgi_app=demo_app)
+        # external domains are not allowed
+        self.assertRaises(zope.testbrowser.wsgi.HostNotAllowed, browser.open, 'http://www.google.com')
+        self.assertRaises(zope.testbrowser.wsgi.HostNotAllowed, browser.open, 'https://www.google.com')
+        # internal ones are
+        browser.open('http://localhost')
+        self.assertTrue(browser.contents.startswith('Hello world!\n'))
+        browser.open('http://127.0.0.1')
+        self.assertTrue(browser.contents.startswith('Hello world!\n'))
+        # as are example ones
+        browser.open('http://example.com')
+        self.assertTrue(browser.contents.startswith('Hello world!\n'))
+        browser.open('http://example.net')
+        self.assertTrue(browser.contents.startswith('Hello world!\n'))
+        # and subdomains of example
+        browser.open('http://foo.example.com')
+        self.assertTrue(browser.contents.startswith('Hello world!\n'))
+        browser.open('http://bar.example.net')
+        self.assertTrue(browser.contents.startswith('Hello world!\n'))
+
+
 class TestWSGILayer(unittest.TestCase):
 
     def setUp(self):
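Review bot: The new test_allowed_domains pins the accepted hosts but never pins rejection at the edge of the suffix match, which is where allowlist checks usually go wrong; after the two google.com assertions add `self.assertRaises(zope.testbrowser.wsgi.HostNotAllowed, browser.open, 'http://example.com.evil.net')` and `self.assertRaises(zope.testbrowser.wsgi.HostNotAllowed, browser.open, 'http://notexample.com')`. Both should raise with the current `endswith('.%s' % dom)` check, and the assertions keep a later "simplify" of that check from quietly widening it. A case like `http://localhost:8080` is also worth a line, since whether a host:port form is accepted or rejected depends on what mechanize hands to the connection and the test should state the intended answer. The rest of the module continues outside the hunk.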

Modified: zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/wsgi.py
===================================================================
--- zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/wsgi.py	2011-03-07 10:34:58 UTC (rev 120778)
+++ zope.testbrowser/branches/jinty-webtest3/src/zope/testbrowser/wsgi.py	2011-03-07 10:42:40 UTC (rev 120779)
@@ -23,13 +23,31 @@
 import zope.testbrowser.browser
 import zope.testbrowser.connection
 
+class HostNotAllowed(Exception):
+    pass
+
+_allowed_2nd_level = set(['example.com', 'example.net', 'example.org']) # RFC 2606
+
+_allowed = set(['localhost', '127.0.0.1'])
+_allowed.update(_allowed_2nd_level)
+
 class WSGIConnection(object):
     """A ``mechanize`` compatible connection object."""
 
     def __init__(self, test_app, host, timeout=None):
         self._test_app = TestApp(test_app)
         self.host = host
+        self.assert_allowed_host()
 
+    def assert_allowed_host(self):
+        host = self.host
+        if host in _allowed:
+            return
+        for dom in _allowed_2nd_level:
+            if host.endswith('.%s' % dom):
+                return
+        raise HostNotAllowed(host)
+
     def set_debuglevel(self, level):
         pass
 


