TestAttackVectorsFunctional test_widget_traversal_2 assumed a 302 htt…

…p return code when accessing some private API. Meanwhile it changed to return a 404 on the URL.
plone · Dec 28, 2016 · d74a7c1 · d74a7c1
1 parent 6a05595
commit d74a7c1
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -68,6 +68,12 @@ Bug fixes:
 - Don't fail, if ``timestamp.txt`` was deleted from the resource registries production folder.
   [thet]
 
+- Fix security test assertion: 
+  TestAttackVectorsFunctional test_widget_traversal_2 assumed a 302 http return code when accessing some private API.
+  Meanwhile it changed to return a 404 on the URL. 
+  Reflect this in the test and expect a 404.
+  [jensens]
+
 
 5.0.6 (2016-09-23)
 ------------------

diff --git a/Products/CMFPlone/tests/testSecurity.py b/Products/CMFPlone/tests/testSecurity.py
@@ -71,9 +71,7 @@ def test_widget_traversal_1(self):
     def test_widget_traversal_2(self):
         res = self.publish(
             '/plone/@@discussion-settings/++widget++captcha/terms/field/interface/setTaggedValue?tag=cake&value=lovely')
-        self.assertEqual(302, res.status)
-        self.assertTrue(res.headers['location'].startswith(
-            'http://nohost/plone/acl_users/credentials_cookie_auth/require_login'))
+        self.assertEqual(404, res.status)
 
     def test_registerConfiglet_1(self):
         VECTOR = "/plone/portal_controlpanel/registerConfiglet?id=cake&name=Cakey&action=woo&permission=View&icon_expr="