author | Marcel Hellkamp <marc@gsites.de> | 2014-04-25 22:21:58 +0200 |
---|---|---|
committer | Marcel Hellkamp <marc@gsites.de> | 2014-04-25 23:14:26 +0200 |
commit | 7c3226867d9005903e268fedd819389ab8c6336d (patch) | |
tree | 03b545f3892cb966050864fbb370619cabf915e5 /test/test_environ.py | |
parent | c4648c3462115398469ebbae1cbd46f48fd253bb (diff) | |
download | bottle-7c3226867d9005903e268fedd819389ab8c6336d.tar.gz |
fix #616: Json content-type not restrictive enough
Possible security issue. See https://github.com/defnull/bottle/issues/616 for details.
Diffstat (limited to 'test/test_environ.py')
-rwxr-xr-x | test/test_environ.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/test/test_environ.py b/test/test_environ.py
index 517048d..b693e83 100755
--- a/test/test_environ.py
+++ b/test/test_environ.py
@@ -385,6 +385,15 @@ class TestRequest(unittest.TestCase):
 e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
 self.assertEqual(BaseRequest(e).json, test)

+ def test_json_forged_header_issue616(self):
+ test = dict(a=5, b='test', c=[1,2,3])
+ e = {'CONTENT_TYPE': 'text/plain;application/json'}
+ wsgiref.util.setup_testing_defaults(e)
+ e['wsgi.input'].write(tob(json_dumps(test)))
+ e['wsgi.input'].seek(0)
+ e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
+ self.assertEqual(BaseRequest(e).json, None)
+
 def test_isajax(self):
 e = {}
 wsgiref.util.setup_testing_defaults(e) |
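Review bot: The new test pins only one forged header, `'text/plain;application/json'`, so nothing in this hunk shows that a legitimate parameterised type still parses once the match is stricter; a companion case with `e = {'CONTENT_TYPE': 'application/json; charset=UTF-8'}` ending in `self.assertEqual(BaseRequest(e).json, test)` would guard against the fix over-tightening. The change to the content-type check itself is not on this page (the diffstat is limited to test/test_environ.py), so whether it compares the media type exactly and case-insensitively cannot be confirmed from here; a mixed-case `Application/JSON` case would pin that behaviour either way. A one-line comment on the test, such as `# body must not be parsed as JSON unless the media type is application/json (issue 616)`, would record why `None` is the expected result. The enclosing TestRequest class starts outside the hunk.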