fix #616: Json content-type not restrictive enough

Possible security issue. See https://github.com/defnull/bottle/issues/616 for details.
author: Marcel Hellkamp <marc@gsites.de> 2014-04-25 22:21:58 +0200
committer: Marcel Hellkamp <marc@gsites.de> 2014-04-25 23:14:26 +0200
commit: 7c3226867d9005903e268fedd819389ab8c6336d (patch)
tree: 03b545f3892cb966050864fbb370619cabf915e5 /test/test_environ.py
parent: c4648c3462115398469ebbae1cbd46f48fd253bb (diff)
download: bottle-7c3226867d9005903e268fedd819389ab8c6336d.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/test/test_environ.py b/test/test_environ.py
index 517048d..b693e83 100755
--- a/test/test_environ.py
+++ b/test/test_environ.py
@@ -385,6 +385,15 @@ class TestRequest(unittest.TestCase):
         e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
         self.assertEqual(BaseRequest(e).json, test)
 
+    def test_json_forged_header_issue616(self):
+        test = dict(a=5, b='test', c=[1,2,3])
+        e = {'CONTENT_TYPE': 'text/plain;application/json'}
+        wsgiref.util.setup_testing_defaults(e)
+        e['wsgi.input'].write(tob(json_dumps(test)))
+        e['wsgi.input'].seek(0)
+        e['CONTENT_LENGTH'] = str(len(json_dumps(test)))
+        self.assertEqual(BaseRequest(e).json, None)
+
     def test_isajax(self):
         e = {}
         wsgiref.util.setup_testing_defaults(e)
author	Marcel Hellkamp <marc@gsites.de>	2014-04-25 22:21:58 +0200
committer	Marcel Hellkamp <marc@gsites.de>	2014-04-25 23:14:26 +0200
commit	7c3226867d9005903e268fedd819389ab8c6336d (patch)
tree	03b545f3892cb966050864fbb370619cabf915e5 /test/test_environ.py
parent	c4648c3462115398469ebbae1cbd46f48fd253bb (diff)
download	bottle-7c3226867d9005903e268fedd819389ab8c6336d.tar.gz