diff options
| author | Tres Seaver <tseaver@palladion.com> | 2023-08-21 14:43:12 -0400 |
|---|---|---|
| committer | Tres Seaver <tseaver@palladion.com> | 2023-08-21 14:43:12 -0400 |
| commit | 354d69a7b397571e3845de13ecabbfeb9d7f100b (patch) | |
| tree | 07354688fe25a0d2d3a556b2d52b27a9035f62a3 /tests | |
| parent | f1941759ee9dedf5f800fc4c9a0c9c51028e06f5 (diff) | |
| download | pyramid-354d69a7b397571e3845de13ecabbfeb9d7f100b.tar.gz pyramid-354d69a7b397571e3845de13ecabbfeb9d7f100b.tar.bz2 pyramid-354d69a7b397571e3845de13ecabbfeb9d7f100b.zip | |
fix: reject NUL character as path element
See: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/fixtures/index.html | 1 | ||||
| -rw-r--r-- | tests/test_static.py | 13 |
2 files changed, 14 insertions, 0 deletions
diff --git a/tests/fixtures/index.html b/tests/fixtures/index.html new file mode 100644 index 000000000..a37df5790 --- /dev/null +++ b/tests/fixtures/index.html @@ -0,0 +1 @@ +<h1>DON'T GO HERE</h1> diff --git a/tests/test_static.py b/tests/test_static.py index af487fa24..97978f2a4 100644 --- a/tests/test_static.py +++ b/tests/test_static.py @@ -104,6 +104,19 @@ class Test_static_view_use_subpath_False(unittest.TestCase): self.assertRaises(HTTPNotFound, inst, context, request) + def test_oob_nul_char(self): + import os + + inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static') + dds = '..\x00/' + request = self._makeRequest( + {'PATH_INFO': f'/{dds}'} + ) + context = DummyContext() + from pyramid.httpexceptions import HTTPNotFound + + self.assertRaises(HTTPNotFound, inst, context, request) + def test_resource_doesnt_exist(self): inst = self._makeOne('tests:fixtures/static') request = self._makeRequest({'PATH_INFO': '/notthere'}) |