Diffstat (limited to 'lib-python/2.7/test/test_cookielib.py')
-rw-r--r-- | lib-python/2.7/test/test_cookielib.py | 74 |
1 files changed, 73 insertions, 1 deletions
diff --git a/lib-python/2.7/test/test_cookielib.py b/lib-python/2.7/test/test_cookielib.py index f2dd9727d1..f3711b966e 100644 --- a/lib-python/2.7/test/test_cookielib.py +++ b/lib-python/2.7/test/test_cookielib.py @@ -6,7 +6,7 @@ import os import re import time -from cookielib import http2time, time2isoz, time2netscape +from cookielib import http2time, time2isoz, iso2time, time2netscape from unittest import TestCase from test import test_support @@ -117,6 +117,19 @@ class DateTimeTests(TestCase): "http2time(test) %s" % (test, http2time(test)) ) + def test_http2time_redos_regression_actually_completes(self): + # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused catastrophic backtracking (REDoS). + # If we regress to cubic complexity, this test will take a very long time to succeed. + # If fixed, it should complete within a fraction of a second. + http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5)) + http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5)) + + def test_iso2time_performance_regression(self): + # If ISO_DATE_RE regresses to quadratic complexity, this test will take a very long time to succeed. + # If fixed, it should complete within a fraction of a second. + iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6)) + iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6)) + class HeaderTests(TestCase): @@ -368,6 +381,7 @@ class CookieTests(TestCase): ("http://foo.bar.com/", ".foo.bar.com", True), ("http://foo.bar.com/", "foo.bar.com", True), ("http://foo.bar.com/", ".bar.com", True), + ("http://foo.bar.com/", "bar.com", True), ("http://foo.bar.com/", "com", True), ("http://foo.com/", "rhubarb.foo.com", False), ("http://foo.com/", ".foo.com", True), 
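Review bot: Both new tests in `DateTimeTests` discard the return value of `http2time` / `iso2time` and set no time bound, so a regression to super-linear matching would show up only as a slow or hung run, never as a failed assertion. A parser that started accepting the trailing `!` would also pass unnoticed. Asserting the result pins the rejection too, e.g. `self.assertIsNone(http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5)))`, and likewise for the other three calls. This assumes the trailing `!` is there to make each input unparsable, which the comments imply but do not state. A short comment saying why the inputs must stay this long would also keep them from being trimmed later to speed up the suite.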
@@ -378,6 +392,8 @@ class CookieTests(TestCase): ("http://foo/", "foo", True), ("http://foo/", "foo.local", True), ("http://foo/", ".local", True), + ("http://barfoo.com", ".foo.com", False), + ("http://barfoo.com", "foo.com", False), ]: request = urllib2.Request(url) r = pol.domain_return_ok(domain, request) @@ -646,6 +662,35 @@ class CookieTests(TestCase): req = Request("http://www.example.com") self.assertEqual(request_path(req), "/") + def test_path_prefix_match(self): + from cookielib import CookieJar, DefaultCookiePolicy + from urllib2 import Request + + pol = DefaultCookiePolicy() + strict_ns_path_pol = DefaultCookiePolicy(strict_ns_set_path=True) + + c = CookieJar(pol) + base_url = "http://bar.com" + interact_netscape(c, base_url, 'spam=eggs; Path=/foo') + cookie = c._cookies['bar.com']['/foo']['spam'] + + for path, ok in [('/foo', True), + ('/foo/', True), + ('/foo/bar', True), + ('/', False), + ('/foobad/foo', False)]: + url = '{0}{1}'.format(base_url, path) + req = Request(url) + h = interact_netscape(c, url) + if ok: + self.assertIn('spam=eggs', h, + "cookie not set for {0}".format(path)) + self.assertTrue(strict_ns_path_pol.set_ok_path(cookie, req)) + else: + self.assertNotIn('spam=eggs', h, + "cookie set for {0}".format(path)) + self.assertFalse(strict_ns_path_pol.set_ok_path(cookie, req)) + def test_request_port(self): from urllib2 import Request from cookielib import request_port, DEFAULT_HTTP_PORT 
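Review bot: The two `barfoo.com` rows added to the `domain_return_ok` table are, among the rows visible here, the only ones where the request host ends with the cookie domain without a label boundary, and nothing marks them as such. A one-line comment above them, e.g. `# a bare string suffix is not a domain match: barfoo.com must not receive foo.com cookies`, would keep them from being pruned as near-duplicates of the `rhubarb.foo.com` row. They also omit the trailing `/` that the other URLs shown in the table carry; `"http://barfoo.com/"` would keep the entries uniform. The loop that consumes the table continues outside the hunk.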
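Review bot: In `test_path_prefix_match` the only row that exercises the path-segment boundary is `('/foobad/foo', False)`, and the table gives no hint that this is the case the test exists for. A comment above the list such as `# '/foo' must match whole path segments, not any string prefix`, plus a shorter sibling row `('/foobar', False)`, would document the intent. The expected value for `/foobar` is inferred from the other rows and should be confirmed against the policy. The test also reads `c._cookies['bar.com']['/foo']['spam']`; taking the single cookie by iterating the jar would avoid depending on the private storage layout.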
@@ -938,6 +983,33 @@ class CookieTests(TestCase): c.add_cookie_header(req) self.assertFalse(req.has_header("Cookie")) + c.clear() + + pol.set_blocked_domains([]) + req = Request("http://acme.com/") + res = FakeResponse(headers, "http://acme.com/") + cookies = c.make_cookies(res, req) + c.extract_cookies(res, req) + self.assertEqual(len(c), 1) + + req = Request("http://acme.com/") + c.add_cookie_header(req) + self.assertTrue(req.has_header("Cookie")) + + req = Request("http://badacme.com/") + c.add_cookie_header(req) + self.assertFalse(pol.return_ok(cookies[0], req)) + self.assertFalse(req.has_header("Cookie")) + + p = pol.set_blocked_domains(["acme.com"]) + req = Request("http://acme.com/") + c.add_cookie_header(req) + self.assertFalse(req.has_header("Cookie")) + + req = Request("http://badacme.com/") + c.add_cookie_header(req) + self.assertFalse(req.has_header("Cookie")) + def test_secure(self): from cookielib import CookieJar, DefaultCookiePolicy |
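Review bot: `p = pol.set_blocked_domains(["acme.com"])` binds a name that is never read in the added lines. The earlier call in the same hunk, `pol.set_blocked_domains([])`, has no binding, so dropping `p = ` keeps the two consistent. `cookies[0]` is indexed without any check on `cookies` itself; `self.assertEqual(len(cookies), 1)` right after `make_cookies` would turn an empty list into an assertion failure instead of an `IndexError`. The final `badacme.com` request appears to be rejected already in the unblocked case above it, so it may not show anything about blocking; a short comment stating what it guards would help. The enclosing test method starts outside the hunk, so `headers`, `pol` and `c` are defined in lines not shown.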