Changeset 8096
- Timestamp:
- 07/26/08 17:48:51 (4 months ago)
- Files:
django/trunk/django/core/files/uploadedfile.py
r7908 r8096 4 4 5 5 import os 6 import tempfile7 6 import warnings 8 7 try: … … 12 11 13 12 from django.conf import settings 13 14 from django.core.files import temp as tempfile 14 15 15 16 __all__ = ('UploadedFile', 'TemporaryUploadedFile', 'InMemoryUploadedFile', 'SimpleUploadedFile') django/trunk/tests/regressiontests/file_uploads/tests.py
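Review bot: Binding `django.core.files.temp` to the name `tempfile` makes every later `tempfile.` call in this module read like the standard library while it actually resolves to a project wrapper; the same alias is introduced in tests/regressiontests/file_uploads/tests.py. The wrapper itself is not shown on this page, so it presumably re-exports only part of the stdlib API, and a later call to a name it lacks would fail only at run time. Since this module keeps uploaded data in temporary files, the import deserves a comment such as `# Django's temp wrapper, not stdlib tempfile: only the names it re-exports are available`. That comment should also say which stdlib guarantees (unpredictable file name, delete on close) the wrapper preserves.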
r8007 r8096 3 3 import sha 4 4 import shutil 5 import tempfile6 5 import unittest 7 6 7 from django.core.files import temp as tempfile 8 8 from django.core.files.uploadedfile import SimpleUploadedFile 9 9 from django.test import TestCase, client … … 23 23 def test_large_upload(self): 24 24 tdir = tempfile.gettempdir() 25 25 26 26 file1 = tempfile.NamedTemporaryFile(suffix=".file1", dir=tdir) 27 27 file1.write('a' * (2 ** 21)) … … 59 59 60 60 self.assertEqual(response.status_code, 200) 61 61 62 62 def test_dangerous_file_names(self): 63 63 """Uploaded file names should be sanitized before ever reaching the view.""" 64 64 # This test simulates possible directory traversal attacks by a 65 # malicious uploader We have to do some monkeybusiness here to construct 65 # malicious uploader We have to do some monkeybusiness here to construct 66 66 # a malicious payload with an invalid file name (containing os.sep or 67 67 # os.pardir). This similar to what an attacker would need to do when … … 80 80 "../..\\hax0rd.txt" # Relative path, mixed. 81 81 ] 82 82 83 83 payload = [] 84 84 for i, name in enumerate(scary_file_names): … … 94 94 '', 95 95 ]) 96 96 97 97 payload = "\r\n".join(payload) 98 98 r = { … … 110 110 got = recieved["file%s" % i] 111 111 self.assertEqual(got, "hax0rd.txt") 112 112 113 113 def test_filename_overflow(self): 114 114 """File names over 256 characters (dangerous on some platforms) get fixed up.""" … … 132 132 got = simplejson.loads(self.client.request(**r).content) 133 133 self.assert_(len(got['file']) < 256, "Got a long file name (%s characters)." % len(got['file'])) 134 134 135 135 def test_custom_upload_handler(self): 136 # A small file (under the 5M quota) 136 # A small file (under the 5M quota) 137 137 smallfile = tempfile.NamedTemporaryFile() 138 138 smallfile.write('a' * (2 ** 21)) … … 141 141 bigfile = tempfile.NamedTemporaryFile() 142 142 bigfile.write('a' * (10 * 2 ** 20)) 143 143 144 144 # Small file posting should work. 
145 145 response = self.client.post('/file_uploads/quota/', {'f': open(smallfile.name)}) 146 146 got = simplejson.loads(response.content) 147 147 self.assert_('f' in got) 148 148 149 149 # Large files don't go through. 150 150 response = self.client.post("/file_uploads/quota/", {'f': open(bigfile.name)}) 151 151 got = simplejson.loads(response.content) 152 152 self.assert_('f' not in got) 153 153 154 154 def test_broken_custom_upload_handler(self): 155 155 f = tempfile.NamedTemporaryFile() … … 190 190 class DirectoryCreationTests(unittest.TestCase): 191 191 """ 192 Tests for error handling during directory creation 192 Tests for error handling during directory creation 193 193 via _save_FIELD_file (ticket #6450) 194 194 """ … … 222 222 # The test needs to be done on a specific string as IOError 223 223 # is raised even without the patch (just not early enough) 224 self.assertEquals(err.args[0], 224 self.assertEquals(err.args[0], 225 225 "%s exists and is not a directory" % UPLOAD_TO) 226 226 except:
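Review bot: In test_custom_upload_handler the handles returned by `open(smallfile.name)` and `open(bigfile.name)` are passed straight into `client.post` and never closed, so each temporary file keeps a second open handle for the rest of the test. On platforms that refuse to delete a file that is still open, this can leave the temp files behind or make cleanup fail. That looks like the case the new `django.core.files.temp` import is meant to cover, though this is inferred because the wrapper is not shown. Binding the handle and closing it once the response is read, e.g. `f = open(smallfile.name, 'rb')` followed by `f.close()` after `simplejson.loads(response.content)`, makes the file lifetime explicit. The setup lines between the two writes fall outside the hunk, so any flush or seek done there is not visible.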
