author | Tommi Virtanen <tv@eagain.net> | 2008-03-19 21:52:03 +0200 |
---|---|---|
committer | Tommi Virtanen <tv@eagain.net> | 2008-03-19 21:52:03 +0200 |
commit | f839f889b607c9920659516959795859aab0a86e (patch) | |
tree | 6d00edbdaac32e16b6d64f6ba0437b79901959ec | |
parent | Test that incoming paths cannot contain /../ (diff) | |
Make serve acceptable path unit tests more careful.
Tests used to trigger the wanted security exception merely by being
unquoted; that's not good enough.
-rw-r--r-- | gitosis/test/test_serve.py | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/gitosis/test/test_serve.py b/gitosis/test/test_serve.py
index cf54cc6..23b6a6f 100644
--- a/gitosis/test/test_serve.py
+++ b/gitosis/test/test_serve.py
@@ -45,14 +45,38 @@ def test_bad_command():
 eq(str(e), 'Unknown command denied')
 assert isinstance(e, serve.ServingError)
 
-def test_bad_unsafeArguments():
+def test_bad_unsafeArguments_notQuoted():
 cfg = RawConfigParser()
 e = assert_raises(
 serve.UnsafeArgumentsError,
 serve.serve,
 cfg=cfg,
 user='jdoe',
- command='git-upload-pack /evil/attack',
+ command="git-upload-pack foo",
+ )
+ eq(str(e), 'Arguments to command look dangerous')
+ assert isinstance(e, serve.ServingError)
+
+def test_bad_unsafeArguments_absolute():
+ cfg = RawConfigParser()
+ e = assert_raises(
+ serve.UnsafeArgumentsError,
+ serve.serve,
+ cfg=cfg,
+ user='jdoe',
+ command="git-upload-pack '/evil/attack'",
+ )
+ eq(str(e), 'Arguments to command look dangerous')
+ assert isinstance(e, serve.ServingError)
+
+def test_bad_unsafeArguments_badCharacters():
+ cfg = RawConfigParser()
+ e = assert_raises(
+ serve.UnsafeArgumentsError,
+ serve.serve,
+ cfg=cfg,
+ user='jdoe',
+ command="git-upload-pack 'ev!l'",
 )
 eq(str(e), 'Arguments to command look dangerous')
 assert isinstance(e, serve.ServingError)
@@ -64,7 +88,7 @@ def test_bad_unsafeArguments_dotdot():
 serve.serve,
 cfg=cfg,
 user='jdoe',
- command='git-upload-pack something/../evil',
+ command="git-upload-pack 'something/../evil'",
 )
 eq(str(e), 'Arguments to command look dangerous')
 assert isinstance(e, serve.ServingError) |
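Review bot: The three cases in the first hunk (`test_bad_unsafeArguments_notQuoted`, `_absolute`, `_badCharacters`) all assert the same exception type and the same message, so nothing in a test shows which rule rejected the argument; each one depends on its input having exactly one defect. A one-line comment per test would state that intent, for example `# quoted, no odd characters: only the leading slash can cause the rejection` in `test_bad_unsafeArguments_absolute`. No positive control is visible in these hunks: a case with `command="git-upload-pack 'foo'"` that is expected not to raise `serve.UnsafeArgumentsError` would show the validator is not simply rejecting every argument. The three bodies differ only in the `command=` string, so a shared helper taking that string would remove the duplication.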
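Review bot: The dotdot case in the second hunk covers `..` only as a middle path component (`'something/../evil'`), so a validator that matches the substring `/../` would pass it while still accepting `..` at the start or end of the path. Sibling cases using `command="git-upload-pack '../evil'"` and `command="git-upload-pack 'something/..'"` would close that gap, unless they already exist outside these hunks. `test_bad_unsafeArguments_dotdot` starts above the hunk, so its setup lines are not visible here.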