From 354d69a7b397571e3845de13ecabbfeb9d7f100b Mon Sep 17 00:00:00 2001
From: Tres Seaver
Date: Mon, 21 Aug 2023 14:43:12 -0400
Subject: fix: reject NUL character as path element

See: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
---
 tests/test_static.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'tests/test_static.py')

diff --git a/tests/test_static.py b/tests/test_static.py
index af487fa24..97978f2a4 100644
--- a/tests/test_static.py
+++ b/tests/test_static.py
@@ -104,6 +104,19 @@ class Test_static_view_use_subpath_False(unittest.TestCase):
 
 self.assertRaises(HTTPNotFound, inst, context, request)
 
+ def test_oob_nul_char(self):
+ import os
+
+ inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static')
+ dds = '..\x00/'
+ request = self._makeRequest(
+ {'PATH_INFO': f'/{dds}'}
+ )
+ context = DummyContext()
+ from pyramid.httpexceptions import HTTPNotFound
+
+ self.assertRaises(HTTPNotFound, inst, context, request)
+
 def test_resource_doesnt_exist(self):
 inst = self._makeOne('tests:fixtures/static')
 request = self._makeRequest({'PATH_INFO': '/notthere'})
--
cgit v1.2.3

From d1dc3789e30c5ffa3e75df39033b9bd9752aebd5 Mon Sep 17 00:00:00 2001
From: Tres Seaver
Date: Mon, 21 Aug 2023 14:50:34 -0400
Subject: chore: appease lint, better varname
---
 tests/test_static.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'tests/test_static.py')

diff --git a/tests/test_static.py b/tests/test_static.py
index 97978f2a4..5b11d89a8 100644
--- a/tests/test_static.py
+++ b/tests/test_static.py
@@ -108,10 +108,8 @@ class Test_static_view_use_subpath_False(unittest.TestCase):
 import os
 
 inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static')
- dds = '..\x00/'
- request = self._makeRequest(
- {'PATH_INFO': f'/{dds}'}
- )
+ super_w_null = '..\x00/'
+ request = self._makeRequest({'PATH_INFO': f'/{super_w_null}'})
 context = DummyContext()
 from pyramid.httpexceptions import HTTPNotFound
 
--
cgit v1.2.3
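Review bot: In `test_oob_nul_char` the docroot is built from `os.getcwd()`, so this regression test for the NUL-in-path advisory only points at the real fixture tree when the suite is started from the repository root. From any other working directory the docroot presumably does not exist, and the view would likely raise `HTTPNotFound` for that reason alone, so the test could pass without ever exercising the NUL handling. Anchoring the path to the test module avoids that: `here = os.path.dirname(os.path.abspath(__file__))` and `inst = self._makeOne(os.path.join(here, 'fixtures', 'static'))`. The follow-up lint commit on this page carries the `os.getcwd()` line unchanged as context. Since the page shows neither the fix itself nor what sits one directory above the fixture docroot, it is also worth confirming that the test fails when the fix is reverted.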