This fixes #196, where it was observed that django_downloadview was vulnerable to reflected file download attacks with specially-named files, similar to CVE-2022-36359 in Django. This change adopts the same replacement rules as used in Django's fix in commit b3e4494d759202a3b6bf247fd34455bf13be5b80.
"""Unit tests around responses."""
import unittest
from django_downloadview.response import DownloadResponse
class DownloadResponseTestCase(unittest.TestCase):
    """Tests around :class:`django_downloadview.response.DownloadResponse`.

    Both tests look at the ``Content-Disposition`` value that
    :attr:`DownloadResponse.default_headers` produces for an attachment,
    since that header carries the (possibly attacker-chosen) basename back
    to the browser.
    """

    @staticmethod
    def _content_disposition(basename):
        """Return the default Content-Disposition header for an attachment
        response whose file name is *basename*.

        The body is a dummy string; only the header is under test.
        """
        response = DownloadResponse(
            "fake file",
            attachment=True,
            basename=basename,
        )
        return response.default_headers["Content-Disposition"]

    def test_content_disposition_encoding(self):
        """A non-ASCII basename yields an ASCII ``filename`` fallback and a
        percent-encoded UTF-8 ``filename*`` parameter."""
        disposition = self._content_disposition("espacé .txt")
        self.assertIn('filename="espace_.txt"', disposition)
        self.assertIn("filename*=UTF-8''espac%C3%A9%20.txt", disposition)

    def test_content_disposition_escaping(self):
        """Double quotes and backslashes in the basename are backslash-escaped
        inside the quoted ``filename`` value, so they cannot break out of it."""
        disposition = self._content_disposition(r'"malicious\file.exe')
        self.assertIn(r'filename="\"malicious\\file.exe"', disposition)