diff options
| author | Michael Merickel <michael@merickel.org> | 2023-08-24 23:49:50 -0600 |
|---|---|---|
| committer | Michael Merickel <michael@merickel.org> | 2023-08-24 23:49:50 -0600 |
| commit | b4e78bd14f7bbfce76399510a78b5346f9bd73e1 (patch) | |
| tree | c6a3597b7d05ec644ba7093198e7d6a64e8b1c05 /tests/test_static.py | |
| parent | 0919da5326ef65fb6569bc045ee0c0f033185f1c (diff) | |
| parent | 6726314834d0de9e29c45dcb3d6f3ce9118a956d (diff) | |
| download | pyramid-b4e78bd14f7bbfce76399510a78b5346f9bd73e1.tar.gz pyramid-b4e78bd14f7bbfce76399510a78b5346f9bd73e1.tar.bz2 pyramid-b4e78bd14f7bbfce76399510a78b5346f9bd73e1.zip | |
Merge branch 'tseaver-jp_exploit_fix'
Diffstat (limited to 'tests/test_static.py')
| -rw-r--r-- | tests/test_static.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/tests/test_static.py b/tests/test_static.py index af487fa24..5b11d89a8 100644 --- a/tests/test_static.py +++ b/tests/test_static.py @@ -104,6 +104,17 @@ class Test_static_view_use_subpath_False(unittest.TestCase): self.assertRaises(HTTPNotFound, inst, context, request) + def test_oob_nul_char(self): + import os + + inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static') + super_w_null = '..\x00/' + request = self._makeRequest({'PATH_INFO': f'/{super_w_null}'}) + context = DummyContext() + from pyramid.httpexceptions import HTTPNotFound + + self.assertRaises(HTTPNotFound, inst, context, request) + def test_resource_doesnt_exist(self): inst = self._makeOne('tests:fixtures/static') request = self._makeRequest({'PATH_INFO': '/notthere'}) |