diff rhodecode/tests/functional/test_login.py @ 2679:dffb92224edf beta

removed ftp from the allowed schemes - added tests for the scheme fix - moved URL parsing so it only happens when came_from is present
author Marcin Kuzminski <marcin@python-works.com>
date Tue, 31 Jul 2012 12:15:54 +0200
parents 6c83dc0226d2
children 7d3d0a96e083
--- a/rhodecode/tests/functional/test_login.py	Tue Jul 31 00:27:22 2012 +0200
+++ b/rhodecode/tests/functional/test_login.py	Tue Jul 31 12:15:54 2012 +0200
@@ -55,6 +55,25 @@
         self.assertEqual(response.status, '200 OK')
         self.assertTrue('Users administration' in response.body)
 
+    @parameterized.expand([
+          ('data:text/html,<script>window.alert("xss")</script>',),
+          ('mailto:test@rhodecode.org',),
+          ('file:///etc/passwd',),
+          ('ftp://some.ftp.server',),
+          ('http://other.domain',),
+    ])
+    def test_login_bad_came_froms(self, url_came_from):
+        response = self.app.post(url(controller='login', action='index',
+                                     came_from=url_came_from),
+                                 {'username': 'test_admin',
+                                  'password': 'test12'})
+        self.assertEqual(response.status, '302 Found')
+        self.assertEqual(response._environ['paste.testing_variables']
+                         ['tmpl_context'].came_from, '/')
+        response = response.follow()
+
+        self.assertEqual(response.status, '200 OK')
+
     def test_login_short_password(self):
         response = self.app.post(url(controller='login', action='index'),
                                  {'username': 'test_admin',
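Review bot: test_login_bad_came_froms checks the rejected came_from only through `tmpl_context.came_from` and never inspects the redirect the response actually carries; the 302's Location header is what a browser follows, so add `self.assertTrue(response.headers['Location'].endswith('/'))` before `response.follow()` so the test fails if the template value and the real redirect ever diverge. Every case here is a rejection, so the test would also pass if the fix reset came_from to '/' on every login; a companion case that posts a valid relative came_from and asserts it is preserved is needed to pin the intended behaviour. The list covers dangerous schemes and a foreign host but not a scheme-less network-path reference such as `//other.domain`, which a check that only inspects the parsed scheme would not reject; if the fix relies on the scheme, that case belongs in the expand list. `response._environ[...]` reaches into a private attribute; webtest appears to copy `paste.testing_variables` onto the response, so `response.tmpl_context.came_from` would likely read the same value through a public path. The enclosing test class starts outside this hunk.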