
Merge pull request tornadoweb#3276 from bdarnell/open-redirect-test
test: Add test for open redirect fixed in 6.3.2
bdarnell authored Jun 22, 2023
2 parents cb5db3b + b562457 commit 6e3521d
Showing 1 changed file with 30 additions and 1 deletion.
31 changes: 30 additions & 1 deletion tornado/test/web_test.py
Expand Up @@ -1437,6 +1437,35 @@ def test_static_default_redirect(self):
self.assertTrue(response.headers["Location"].endswith("/static/dir/"))


class StaticDefaultFilenameRootTest(WebTestCase):
def get_app_kwargs(self):
return dict(
static_path=os.path.abspath(relpath("static")),
static_handler_args=dict(default_filename="index.html"),
static_url_prefix="/",
)

def get_handlers(self):
return []

def get_http_client(self):
# simple_httpclient only: curl doesn't let you send a request starting
# with two slashes.
return SimpleAsyncHTTPClient()

def test_no_open_redirect(self):
# This test verifies that the open redirect that affected some configurations
# prior to Tornado 6.3.2 is no longer possible. The vulnerability required
# a static_url_prefix of "/" and a default_filename (any value) to be set.
# The absolute server-side path to the static directory must also be known.
with ExpectLog(gen_log, ".*cannot redirect path with two initial slashes"):
response = self.fetch(
f"//evil.com/../{os.path.dirname(__file__)}/static/dir",
follow_redirects=False,
)
self.assertEqual(response.code, 403)


class StaticFileWithPathTest(WebTestCase):
def get_app_kwargs(self):
return dict(
Expand Down Expand Up @@ -2847,7 +2876,7 @@ def test_xsrf_success_header(self):
body=b"",
headers=dict(
{"X-Xsrftoken": self.xsrf_token}, # type: ignore
**self.cookie_headers()
**self.cookie_headers(),
),
)
self.assertEqual(response.code, 200)
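Review bot: test_no_open_redirect pins only the status code at `self.assertEqual(response.code, 403)`, but the property the test exists to guard is that no redirect is emitted for the `//evil.com/...` path; adding `self.assertNotIn("Location", response.headers)` next to that line would keep the test meaningful even if the rejection status were later changed (for example to 404), and it states the security expectation explicitly rather than implicitly via the 403. The request path also embeds `os.path.dirname(__file__)` unescaped into the URL, so on a checkout whose directory contains spaces or other characters outside the URL-safe set, or on Windows where the path carries a drive letter and backslashes, the fetch presumably does not reach the static handler as intended and the ExpectLog would fail for the wrong reason; wrapping it in `urllib.parse.quote(...)` would make the test portable if that matters here (not verified from this page). A short comment on `get_http_client` already explains the SimpleAsyncHTTPClient choice, which is helpful; a similar one-line note on why `follow_redirects=False` is required would make the intent of the assertion self-contained. The second hunk is a trailing-comma formatting change only.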
