Receiving file upload when filename is blank (before and after sanitization) should be okay.
(self)
| 305 | self.assertEqual(response.status_code, 200) |
| 306 | |
| 307 | def test_blank_filenames(self): |
| 308 | """ |
| 309 | Receiving file upload when filename is blank (before and after |
| 310 | sanitization) should be okay. |
| 311 | """ |
| 312 | filenames = [ |
| 313 | "", |
| 314 | # Normalized by MultiPartParser.IE_sanitize(). |
| 315 | "C:\\Windows\\", |
| 316 | # Normalized by os.path.basename(). |
| 317 | "/", |
| 318 | "ends-with-slash/", |
| 319 | ] |
| 320 | payload = client.FakePayload() |
| 321 | for i, name in enumerate(filenames): |
| 322 | payload.write( |
| 323 | "\r\n".join( |
| 324 | [ |
| 325 | "--" + client.BOUNDARY, |
| 326 | 'Content-Disposition: form-data; name="file%s"; filename="%s"' |
| 327 | % (i, name), |
| 328 | "Content-Type: application/octet-stream", |
| 329 | "", |
| 330 | "You got pwnd.\r\n", |
| 331 | ] |
| 332 | ) |
| 333 | ) |
| 334 | payload.write("\r\n--" + client.BOUNDARY + "--\r\n") |
| 335 | |
| 336 | r = { |
| 337 | "CONTENT_LENGTH": len(payload), |
| 338 | "CONTENT_TYPE": client.MULTIPART_CONTENT, |
| 339 | "PATH_INFO": "/echo/", |
| 340 | "REQUEST_METHOD": "POST", |
| 341 | "wsgi.input": payload, |
| 342 | } |
| 343 | response = self.client.request(**r) |
| 344 | self.assertEqual(response.status_code, 200) |
| 345 | |
| 346 | # Empty filenames should be ignored |
| 347 | received = response.json() |
| 348 | for i, name in enumerate(filenames): |
| 349 | self.assertIsNone(received.get("file%s" % i)) |
| 350 | |
| 351 | def test_non_printable_chars_in_file_names(self): |
| 352 | file_name = "non-\x00printable\x00\n_chars.txt\x00" |