-
-
Notifications
You must be signed in to change notification settings - Fork 182
/
testURLTool.py
107 lines (85 loc) · 4.23 KB
/
testURLTool.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
import unittest
from Products.CMFCore.tests.base.dummy import DummySite
from Products.CMFCore.tests.base.dummy import DummyFolder
from Products.CMFCore.tests.base.dummy import DummyContent
from Acquisition import aq_parent
class DummyFolder(DummyFolder):
def absolute_url(self):
return '/'.join([aq_parent(self).absolute_url(), self.getId()])
class DummyProperties(DummyContent):
_allow_external_login_sites = [
'http://external1',
'http://external2/',
'http://external3/site',
'http://external4/site/'
]
def getProperty(self, name, default=None):
if name == 'allow_external_login_sites':
return self._allow_external_login_sites
return default
class TestURLTool(unittest.TestCase):
def setUp(self):
self.site = DummySite(id='foo')
self.site._setObject('foo', DummyFolder(id='foo'))
self.site.foo._setObject('doc1', DummyContent(id='doc1'))
self.site.portal_properties = DummyProperties(id='portal_properties')
self.site.portal_properties.site_properties = \
DummyProperties(id='site_properties')
def _makeOne(self, *args, **kw):
from Products.CMFPlone.URLTool import URLTool
url_tool = URLTool(*args, **kw)
return url_tool.__of__(self.site)
def test_isURLInPortal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo/folder'))
self.assertTrue(iURLiP('http://www.foobar.com/bar/foo'))
self.assertFalse(iURLiP('http://www.foobar.com/bar2/foo'))
self.assertTrue(iURLiP('https://www.foobar.com/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com:8080/bar/foo/folder'))
self.assertFalse(iURLiP('http://www.foobar.com/bar'))
self.assertFalse(iURLiP('/images'))
self.assertTrue(iURLiP('/bar/foo/foo'))
def test_isURLInPortalRelative(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
#non-root relative urls will need a current context to be passed in
self.assertTrue(iURLiP('images/img1.jpg'))
self.assertTrue(iURLiP('./images/img1.jpg'))
# /bar/foo/something
self.assertTrue(iURLiP('../something', self.site.foo.doc1))
# /bar/afolder
self.assertFalse(iURLiP('../../afolder', self.site.foo.doc1))
# /afolder
self.assertFalse(iURLiP('../../../afolder', self.site.foo.doc1))
# /../afolder? How do we have more ../'s than there are parts in
# the URL?
self.assertFalse(iURLiP('../../../../afolder', self.site.foo.doc1))
# /bar/foo/afolder
self.assertTrue(iURLiP('../../foo/afolder', self.site.foo.doc1))
def test_isURLInPortalExternal(self):
url_tool = self._makeOne()
iURLiP = url_tool.isURLInPortal
self.assertTrue(iURLiP('http://external1'))
self.assertTrue(iURLiP('http://external1/'))
self.assertTrue(iURLiP('http://external1/something'))
self.assertTrue(iURLiP('http://external2'))
self.assertTrue(iURLiP('http://external2/'))
self.assertTrue(iURLiP('http://external2/something'))
self.assertTrue(iURLiP('http://external3/site'))
self.assertTrue(iURLiP('http://external3/site/'))
self.assertTrue(iURLiP('http://external3/site/something'))
self.assertTrue(iURLiP('http://external4/site'))
self.assertTrue(iURLiP('http://external4/site/'))
self.assertTrue(iURLiP('http://external4/site/something'))
self.assertFalse(iURLiP('http://external3/other'))
self.assertFalse(iURLiP('http://external4/other'))
self.assertFalse(iURLiP('http://external5'))
self.assertFalse(iURLiP('http://external11'))
def test_script_tag_url_not_in_portal(self):
self.assertFalse(self.portal.portal_url.isURLInPortal('<script>alert("hi");</script>'))
self.assertFalse(
self.portal.portal_url.isURLInPortal('%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
def test_inline_url_not_in_portal(self):
self.assertFalse(self.portal.portal_url.isURLInPortal('javascript%3Aalert(3)'))
self.assertFalse(self.portal.portal_url.isURLInPortal('javascript:alert(3)'))