
Merge no-utf7-4900

Author: glyph

Reviewer: mwh

Fixes: #4900

This change makes error pages and directory listings explicitly set their
encodings in the content-type HTTP header, which should prevent certain
misguided browsers from potentially mis-detecting the encoding and allowing for
inclusion of invalid / insecure content from users.



git-svn-id: svn://svn.twistedmatrix.com/svn/Twisted/trunk@31388 bbbe8e31-12d6-0310-92fd-ac37d47ddeeb
1 parent 6562466 commit 45fb94f39bd9c4c04f810186b6816cec95a4ad3c @glyph glyph committed Mar 22, 2011
@@ -279,7 +279,7 @@ def __init__(self, status, brief, detail):
def render(self, request):
request.setResponseCode(self.code)
- request.setHeader("content-type", "text/html")
+ request.setHeader("content-type", "text/html; charset=utf-8")
return self.template % dict(
code=self.code,
brief=self.brief,
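Review bot: Declaring `charset=utf-8` in `render` only constrains the browser if the bytes produced by `self.template % dict(...)` really are UTF-8 and the interpolated `brief`/`detail` values are already HTML-escaped; neither is visible here, and the body of `render` continues past this hunk. If request-derived text can reach those fields, pinning the charset stops encoding sniffing but not ordinary markup injection, so a comment above the header line such as `# charset pins decoding only; brief/detail must be escaped, UTF-8 encoded bytes` would make the contract explicit. The same consideration applies to the directory-listing `render` hunk (names returned by `os.listdir`) and to the `redirectTo` hunk (the `URL` argument). The literal `"text/html; charset=utf-8"` is also repeated in three places now and could be one shared module constant.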
@@ -1060,6 +1060,7 @@ def render(self, request):
"""
Render a listing of the content of C{self.path}.
"""
+ request.setHeader("content-type", "text/html; charset=utf-8")
if self.dirs is None:
directory = os.listdir(self.path)
directory.sort()
@@ -44,7 +44,8 @@ def _pageRenderingTest(self, page, code, brief, detail):
"</html>\n" % (code, brief, brief, detail))
self.assertEqual(request.responseCode, code)
self.assertEqual(
- request.outgoingHeaders, {'content-type': 'text/html'})
+ request.outgoingHeaders,
+ {'content-type': 'text/html; charset=utf-8'})
def test_errorPageRendering(self):
@@ -1360,6 +1360,20 @@ def test_oddAndEven(self):
self.assertTrue(content[4].startswith('<tr class="odd">'))
+ def test_contentType(self):
+ """
+ L{static.DirectoryLister} produces a MIME-type that indicates that it is
+ HTML, and includes its charset (UTF-8).
+ """
+ path = FilePath(self.mktemp())
+ path.makedirs()
+ lister = static.DirectoryLister(path.path)
+ req = self._request('')
+ lister.render(req)
+ self.assertEquals(req.outgoingHeaders['content-type'],
+ "text/html; charset=utf-8")
+
+
def test_mimeTypeAndEncodings(self):
"""
L{static.DirectoryLister} is able to detect mimetype and encoding of
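Review bot: `test_contentType` uses `self.assertEquals`, while the assertion updated in `_pageRenderingTest` in this same commit uses `self.assertEqual`; pick one spelling, preferably `assertEqual`, since `assertEquals` is the deprecated alias in the standard-library unittest, e.g. `self.assertEqual(req.outgoingHeaders['content-type'], "text/html; charset=utf-8")`. The same applies to the three assertions in `RedirectToTestCase.test_headersAndCode`. The test also renders only an empty directory, so it does not show that a listing containing non-ASCII file names is actually emitted as UTF-8 to match the header it asserts.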
@@ -6,9 +6,12 @@
"""
from twisted.trial.unittest import TestCase
-from twisted.web.util import _hasSubstring
+from twisted.web.util import _hasSubstring, redirectTo
+from twisted.web.http import FOUND
+from twisted.web.server import Request
+from twisted.web.test.test_web import DummyChannel
class HasSubstringTestCase(TestCase):
"""
@@ -46,3 +49,28 @@ def test_hasSubstringEscapesKey(self):
"""
self.assertTrue(_hasSubstring("[b-a]",
"Python can generate names like [b-a]."))
+
+
+class RedirectToTestCase(TestCase):
+ """
+ Tests for L{redirectTo}.
+ """
+
+ def test_headersAndCode(self):
+ """
+ L{redirectTo} will set the C{Location} and C{Content-Type} headers on
+ its request, and set the response code to C{FOUND}, so the browser will
+ be redirected.
+ """
+ request = Request(DummyChannel(), True)
+ request.method = 'GET'
+ targetURL = "http://target.example.com/4321"
+ redirectTo(targetURL, request)
+ self.assertEquals(request.code, FOUND)
+ self.assertEquals(
+ request.responseHeaders.getRawHeaders('location'), [targetURL])
+ self.assertEquals(
+ request.responseHeaders.getRawHeaders('content-type'),
+ ['text/html; charset=utf-8'])
+
+
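Review bot: `test_headersAndCode` discards the return value of `redirectTo(targetURL, request)`, so nothing checks the response body that the new `Content-Type` header describes. Since the header now promises UTF-8 HTML, an assertion that the returned body is a byte string and carries the target URL in escaped form would tie the header to the content. The body template lies outside this hunk, so how the URL is inserted cannot be confirmed from here. If the body is meant to be covered elsewhere, the docstring should say that only the headers and status code are tested.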
@@ -0,0 +1,5 @@
+twisted.web will now properly specify an encoding (UTF-8) on error, redirect,
+and directory listing pages, so that IE7 and previous will not improperly guess
+the 'utf7' encoding in these cases. Please note that Twisted still sets a
+*default* content-type of 'text/html', and you shouldn't rely on that: you
+should set the encoding appropriately in your application.
@@ -14,6 +14,7 @@
def redirectTo(URL, request):
+ request.setHeader("content-type", "text/html; charset=utf-8")
request.redirect(URL)
return """
<html>
