fixed possible security problem in module branch

2010-07-04 20:36:34 +02:00 · 2010-07-04 20:36:34 +02:00 · 8945a97a42
commit 8945a97a42
parent f1cde5bbfc
2 changed files with 22 additions and 1 deletions
--- a/tests/flask_tests.py
+++ b/tests/flask_tests.py
@ -20,6 +20,7 @@ from logging import StreamHandler
 from contextlib import contextmanager
 from datetime import datetime
 from werkzeug import parse_date, parse_options_header
+from werkzeug.exceptions import NotFound
 from cStringIO import StringIO

 example_path = os.path.join(os.path.dirname(__file__), '..', 'examples')
@ -645,6 +646,25 @@ class ModuleTestCase(unittest.TestCase):
            assert flask.url_for('admin.static', filename='test.txt') \
                == '/admin/static/test.txt'

+    def test_safe_access(self):
+        from moduleapp import app
+
+        with app.test_request_context():
+            f = app.view_functions['admin.static']
+
+            try:
+                rv = f('/etc/passwd')
+            except NotFound:
+                pass
+            else:
+                assert 0, 'expected exception'
+            try:
+                rv = f('../__init__.py')
+            except NotFound:
+                pass
+            else:
+                assert 0, 'expected exception'
+

 class SendfileTestCase(unittest.TestCase):