Uploaded file names should be sanitized before ever reaching the view.
| 377 | self.assertEqual(received["file"], "non-printable_chars.txt") |
| 378 | |
def test_dangerous_file_names(self):
    """
    Uploaded file names should be sanitized before ever reaching the view.
    """
    # Simulate a directory-traversal attempt by a malicious uploader. The
    # multipart body is assembled by hand because each file name is
    # deliberately invalid (it contains os.sep or os.pardir), which is the
    # same thing an attacker would have to do to mount such an attack.
    boundary = client.BOUNDARY
    payload = client.FakePayload()
    for index, name in enumerate(CANDIDATE_TRAVERSAL_FILE_NAMES):
        part = [
            "--" + boundary,
            'Content-Disposition: form-data; name="file%s"; filename="%s"'
            % (index, name),
            "Content-Type: application/octet-stream",
            "",
            "You got pwnd.\r\n",
        ]
        payload.write("\r\n".join(part))
    payload.write("\r\n--" + boundary + "--\r\n")

    environ = {
        "CONTENT_LENGTH": len(payload),
        "CONTENT_TYPE": client.MULTIPART_CONTENT,
        "PATH_INFO": "/echo/",
        "REQUEST_METHOD": "POST",
        "wsgi.input": payload,
    }
    response = self.client.request(**environ)
    # By the time the view sees them, every traversal candidate must have
    # been reduced to the sanitized base name.
    received = response.json()
    for index in range(len(CANDIDATE_TRAVERSAL_FILE_NAMES)):
        self.assertEqual(received["file%s" % index], "hax0rd.txt")
| 418 | |
| 419 | def test_filename_overflow(self): |
| 420 | """ |