File names over 256 characters (dangerous on some platforms) get fixed up.
(self)
| 417 | self.assertEqual(got, "hax0rd.txt") |
| 418 | |
def test_filename_overflow(self):
    """
    Over-long upload file names come back shortened to under 256 characters.

    Every multipart part posted here carries a client-supplied file name
    built from a 300-character run, which exceeds the 256-character length
    that is dangerous on some platforms. The test posts all parts to
    ``/echo/`` in one request and reads the JSON response as a mapping from
    field name to the file name the server reports for that field.

    The expected values pin down how the shortening is done:

    * a short extension is kept and the base name is cut (251 + ".txt");
    * when the extension alone is too long, the base name is dropped and the
      result is "." followed by 254 characters of the extension;
    * a name with no extension is cut to 255 characters.
    """
    filler = "f" * 300
    # Each entry: (form field name, file name sent by the client,
    # file name expected back). Every expected name is 255 characters long.
    scenarios = [
        ("long_filename", "%s.txt" % filler, "%s.txt" % filler[:251]),
        ("long_extension", "foo.%s" % filler, ".%s" % filler[:254]),
        ("no_extension", filler, filler[:255]),
        ("no_filename", ".%s" % filler, ".%s" % filler[:254]),
        ("long_everything", "%s.%s" % (filler, filler), ".%s" % filler[:254]),
    ]

    payload = client.FakePayload()
    # One multipart part per scenario; only the field name and the file name
    # differ between parts, the body is always the same short string.
    part_lines = [
        "--" + client.BOUNDARY,
        'Content-Disposition: form-data; name="{}"; filename="{}"',
        "Content-Type: application/octet-stream",
        "",
        "Oops.",
        "",
    ]
    part_template = "\r\n".join(part_lines)
    for field, sent_name, _ in scenarios:
        payload.write(part_template.format(field, sent_name))
    # Closing boundary that terminates the multipart body.
    payload.write("\r\n--" + client.BOUNDARY + "--\r\n")

    # Hand-built request so the raw payload reaches the upload parser
    # exactly as written above.
    environ = {
        "CONTENT_LENGTH": len(payload),
        "CONTENT_TYPE": client.MULTIPART_CONTENT,
        "PATH_INFO": "/echo/",
        "REQUEST_METHOD": "POST",
        "wsgi.input": payload,
    }
    echoed = self.client.request(**environ).json()

    for field, _, expected in scenarios:
        got = echoed[field]
        self.assertEqual(expected, got, "Mismatch for {}".format(field))
        # Independent of the exact expected value: the reported name must
        # stay below the 256-character limit.
        too_long_msg = "Got a long file name (%s characters)." % len(got)
        self.assertLess(len(got), 256, too_long_msg)
| 463 | |
| 464 | def test_file_content(self): |
| 465 | file = tempfile.NamedTemporaryFile |