[CalendarServer-changes] [8073] CalendarServer/branches/users/glyph/other-html/twistedcaldav/test/ test_extensions.py

source_changes at macosforge.org source_changes at macosforge.org
Tue Sep 13 12:09:48 PDT 2011


Revision: 8073
          http://trac.macosforge.org/projects/calendarserver/changeset/8073
Author:   glyph at apple.com
Date:     2011-09-13 12:09:48 -0700 (Tue, 13 Sep 2011)
Log Message:
-----------
funky letters might appear in filenames, make sure they're not XSS either.

Modified Paths:
--------------
    CalendarServer/branches/users/glyph/other-html/twistedcaldav/test/test_extensions.py

Modified: CalendarServer/branches/users/glyph/other-html/twistedcaldav/test/test_extensions.py
===================================================================
--- CalendarServer/branches/users/glyph/other-html/twistedcaldav/test/test_extensions.py	2011-09-13 19:09:42 UTC (rev 8072)
+++ CalendarServer/branches/users/glyph/other-html/twistedcaldav/test/test_extensions.py	2011-09-13 19:09:48 UTC (rev 8073)
@@ -105,7 +105,8 @@
     """
 
     @inlineCallbacks
-    def doDirectoryTest(self, addedNames, modify=lambda x: None, expectedNames=None):
+    def doDirectoryTest(self, addedNames, modify=lambda x: None,
+                        expectedNames=None):
         """
         Do a test of a L{DAVFile} pointed at a directory, verifying that files
         existing with the given names will be faithfully 'played back' via HTML
@@ -119,9 +120,8 @@
             fp.child(sampleName).touch()
         df = DAVFile(fp)
         modify(df)
-        responseXML = browserHTML2ETree(
-            (yield df.render(SimpleFakeRequest('/'))).stream.read()
-        )
+        responseText = (yield df.render(SimpleFakeRequest('/'))).stream.read()
+        responseXML = browserHTML2ETree(responseText)
         names = set([element.text.encode("utf-8")
                      for element in responseXML.findall(".//a")])
         self.assertEquals(set(expectedNames), names)
@@ -185,7 +185,16 @@
                                    [nonASCIIFilename.encode("utf-8")])
 
 
+    def test_quotedCharacters(self):
+        """
+        Filenames might contain < or > characters, which need to be quoted in
+        HTML.
+        """
+        return self.doDirectoryTest([u'<a>.txt', u'<script>.html',
+                                     u'<style>.xml'])
 
+
+
 class ChildTraversalTests(TestCase):
     def test_makeChildDeferred(self):
         """