diff rhodecode/tests/functional/test_login.py @ 2679:dffb92224edf beta
removed ftp from the allowed URL schemes
- added tests for the schemas fix
- moved parsing url if we only have came_from present
author | Marcin Kuzminski <marcin@python-works.com> |
date | Tue, 31 Jul 2012 12:15:54 +0200 |
parents | 6c83dc0226d2 |
children | 7d3d0a96e083 |
--- a/rhodecode/tests/functional/test_login.py Tue Jul 31 00:27:22 2012 +0200
+++ b/rhodecode/tests/functional/test_login.py Tue Jul 31 12:15:54 2012 +0200
@@ -55,6 +55,25 @@
         self.assertEqual(response.status, '200 OK')
         self.assertTrue('Users administration' in response.body)
 
+    @parameterized.expand([
+        ('data:text/html,<script>window.alert("xss")</script>',),
+        ('mailto:test@rhodecode.org',),
+        ('file:///etc/passwd',),
+        ('ftp://some.ftp.server',),
+        ('http://other.domain',),
+    ])
+    def test_login_bad_came_froms(self, url_came_from):
+        response = self.app.post(url(controller='login', action='index',
+                                     came_from=url_came_from),
+                                 {'username': 'test_admin',
+                                  'password': 'test12'})
+        self.assertEqual(response.status, '302 Found')
+        self.assertEqual(response._environ['paste.testing_variables']
+                         ['tmpl_context'].came_from, '/')
+        response = response.follow()
+
+        self.assertEqual(response.status, '200 OK')
+
     def test_login_short_password(self):
         response = self.app.post(url(controller='login', action='index'),
                                 {'username': 'test_admin',
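Review bot: test_login_bad_came_froms only checks the template-context `came_from` value, not the `Location` header of the 302 that the browser actually follows, so an open redirect in the login handler would still pass as long as `tmpl_context.came_from` reads '/'; add `self.assertTrue(response.headers['Location'].startswith('http://localhost'))` (or whatever host the test app uses) before the `response.follow()` call. The parameter list also lacks the cases a scheme allow-list most often gets wrong: a `javascript:` URI, a scheme-relative `//other.domain` redirect, and a mixed-case or whitespace-prefixed scheme such as `'HTTP://other.domain'` — whether the parser on the controller side normalises case is not visible here, so these are worth pinning with `('javascript:alert(1)',), ('//other.domain',), ('HTTP://other.domain',)`. Reaching into `response._environ['paste.testing_variables']` depends on a private attribute; if the test app exposes `tmpl_context` another way, prefer that. The enclosing test class starts outside the hunk.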