fix many errors with unescaped HTML attributes
This commit is contained in:
parent
91a1f3e7e3
commit
0beac119f9
@ -16,6 +16,7 @@ import logging.handlers
|
||||
from operator import itemgetter
|
||||
from socket import error as socket_error
|
||||
import base64
|
||||
import cgi
|
||||
|
||||
from exceptions import *
|
||||
from ldapcherry.lclogging import *
|
||||
@ -54,6 +55,31 @@ class LdapCherry(object):
|
||||
traceback=True
|
||||
)
|
||||
|
||||
def _escape_list(self, data):
|
||||
ret = []
|
||||
for i in data:
|
||||
ret.append(cgi.escape(i, True))
|
||||
|
||||
def _escape_dict(self, data):
|
||||
for d in data:
|
||||
if isinstance(data[d], list):
|
||||
data[d] = self._escape_list(data[d])
|
||||
elif isinstance(data[d], dict):
|
||||
data[d] = self._escape_dict(data[d])
|
||||
else:
|
||||
data[d] = cgi.escape(data[d], True)
|
||||
return data
|
||||
|
||||
def _escape(self, data, dtype):
|
||||
if data is None:
|
||||
return None
|
||||
elif dtype == 'search_list':
|
||||
for d in data:
|
||||
data[d] = self._escape_dict(data[d])
|
||||
elif dtype == 'attr_list':
|
||||
data = self._escape_dict(data)
|
||||
return data
|
||||
|
||||
def _get_param(self, section, key, config, default=None):
|
||||
""" Get configuration parameter "key" from config
|
||||
@str section: the section of the config file
|
||||
@ -895,7 +921,7 @@ class LdapCherry(object):
|
||||
return self.temp['index.tmpl'].render(
|
||||
is_admin=is_admin,
|
||||
attrs_list=attrs_list,
|
||||
searchresult=user_attrs,
|
||||
searchresult=self._escape(user_attrs, 'attr_list'),
|
||||
notifications=self._empty_notification(),
|
||||
)
|
||||
|
||||
@ -911,7 +937,7 @@ class LdapCherry(object):
|
||||
res = None
|
||||
attrs_list = self.attributes.get_search_attributes()
|
||||
return self.temp['searchuser.tmpl'].render(
|
||||
searchresult=res,
|
||||
searchresult=self._escape(res, 'search_list'),
|
||||
attrs_list=attrs_list,
|
||||
is_admin=is_admin,
|
||||
custom_js=self.custom_js,
|
||||
@ -948,7 +974,7 @@ class LdapCherry(object):
|
||||
res = None
|
||||
attrs_list = self.attributes.get_search_attributes()
|
||||
return self.temp['searchadmin.tmpl'].render(
|
||||
searchresult=res,
|
||||
searchresult=self._escape(res, 'search_list'),
|
||||
attrs_list=attrs_list,
|
||||
is_admin=is_admin,
|
||||
custom_js=self.custom_js,
|
||||
@ -1053,7 +1079,7 @@ class LdapCherry(object):
|
||||
key = self.attributes.get_key()
|
||||
form = self.temp['form.tmpl'].render(
|
||||
attributes=self.attributes.attributes,
|
||||
values=user_attrs,
|
||||
values=self._escape(user_attrs, 'attr_list'),
|
||||
modify=True,
|
||||
keyattr=key,
|
||||
autofill=False
|
||||
@ -1069,7 +1095,7 @@ class LdapCherry(object):
|
||||
form=form,
|
||||
roles=roles,
|
||||
is_admin=is_admin,
|
||||
standalone_groups=user_lonely_groups,
|
||||
standalone_groups=self._escape(user_lonely_groups, 'attr_list'),
|
||||
backends_display_names=self.backends_display_names,
|
||||
custom_js=self.custom_js,
|
||||
notifications=self._empty_notification(),
|
||||
@ -1115,7 +1141,7 @@ class LdapCherry(object):
|
||||
)
|
||||
form = self.temp['form.tmpl'].render(
|
||||
attributes=self.attributes.get_selfattributes(),
|
||||
values=user_attrs,
|
||||
values=self._escape(user_attrs, 'attr_list'),
|
||||
modify=True,
|
||||
autofill=False
|
||||
)
|
||||
|
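Review bot: `_escape_list` never returns `ret`, so every list-valued attribute that goes through `_escape_dict` comes back as `None` instead of an escaped list; the method needs `return ret` after the `ret.append(cgi.escape(i, True))` line. `cgi.escape` also raises `AttributeError` on anything that is not a string (it calls `.replace` on its argument), so a `None` or integer value inside `data` — the kind of input the new `testNoneType` case exercises — would still crash `_escape_dict`; guarding the leaf case, e.g. `data[d] = cgi.escape(data[d], True) if isinstance(data[d], basestring) else data[d]`, would make the helper total over the values it can receive. Both `_escape_dict` and `_escape` modify the passed-in dict in place, which is harmless for the render-call sites in this commit but deserves a docstring line such as `"""Escape every string leaf of data in place and return it."""` so a caller that reuses `user_attrs` afterwards is not surprised. `cgi.escape` was removed in Python 3.8; `html.escape(s, quote=True)` is the drop-in replacement if the project moves off Python 2. The enclosing `LdapCherry` class starts before the hunk.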
@ -29,6 +29,8 @@ for a in sorted(attributes.keys(), key=lambda attr: attributes[attr]['weight']):
|
||||
tmp = values[a][0]
|
||||
else:
|
||||
tmp = values[a]
|
||||
if tmp is None:
|
||||
tmp = ''
|
||||
value = ' value="'+ tmp + '"'
|
||||
value2 = '<option>'+ tmp +'</option>'
|
||||
else:
|
||||
|
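Review bot: `value = ' value="'+ tmp + '"'` and the `<option>` line below still splice `tmp` into markup with no escaping of their own, so the template is only safe when every caller passes pre-escaped values (this commit adds `_escape(...)` to the render calls for that purpose). A comment above the new guard, e.g. `# values must already be HTML-escaped (LdapCherry._escape); tmp is emitted raw into attribute/option markup`, would record that contract where the next editor of this template will see it. Alternatively, escaping at this point (`cgi.escape(tmp, True)`, or the template engine's own escape filter if it has one) and dropping the caller-side calls would put the escaping at the output boundary where it cannot be forgotten; doing both would double-escape. The enclosing `for` block starts before the hunk and its final `else:` branch continues past it.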
484
tests/cfg/blns.json
Normal file
@ -0,0 +1,484 @@
|
||||
[
|
||||
"good",
|
||||
"undefined",
|
||||
"undef",
|
||||
"null",
|
||||
"NULL",
|
||||
"(null)",
|
||||
"nil",
|
||||
"NIL",
|
||||
"true",
|
||||
"false",
|
||||
"True",
|
||||
"False",
|
||||
"None",
|
||||
"hasOwnProperty",
|
||||
"\\",
|
||||
"\\\\",
|
||||
"0",
|
||||
"1",
|
||||
"1.00",
|
||||
"$1.00",
|
||||
"1/2",
|
||||
"1E2",
|
||||
"1E02",
|
||||
"1E+02",
|
||||
"-1",
|
||||
"-1.00",
|
||||
"-$1.00",
|
||||
"-1/2",
|
||||
"-1E2",
|
||||
"-1E02",
|
||||
"-1E+02",
|
||||
"1/0",
|
||||
"0/0",
|
||||
"-2147483648/-1",
|
||||
"-9223372036854775808/-1",
|
||||
"0.00",
|
||||
"0..0",
|
||||
".",
|
||||
"0.0.0",
|
||||
"0,00",
|
||||
"0,,0",
|
||||
",",
|
||||
"0,0,0",
|
||||
"0.0/0",
|
||||
"1.0/0.0",
|
||||
"0.0/0.0",
|
||||
"1,0/0,0",
|
||||
"0,0/0,0",
|
||||
"--1",
|
||||
"-",
|
||||
"-.",
|
||||
"-,",
|
||||
"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999",
|
||||
"NaN",
|
||||
"Infinity",
|
||||
"-Infinity",
|
||||
"INF",
|
||||
"1#INF",
|
||||
"-1#IND",
|
||||
"1#QNAN",
|
||||
"1#SNAN",
|
||||
"1#IND",
|
||||
"0x0",
|
||||
"0xffffffff",
|
||||
"0xffffffffffffffff",
|
||||
"0xabad1dea",
|
||||
"123456789012345678901234567890123456789",
|
||||
"1,000.00",
|
||||
"1 000.00",
|
||||
"1'000.00",
|
||||
"1,000,000.00",
|
||||
"1 000 000.00",
|
||||
"1'000'000.00",
|
||||
"1.000,00",
|
||||
"1 000,00",
|
||||
"1'000,00",
|
||||
"1.000.000,00",
|
||||
"1 000 000,00",
|
||||
"1'000'000,00",
|
||||
"01000",
|
||||
"08",
|
||||
"09",
|
||||
"2.2250738585072011e-308",
|
||||
",./;'[]\\-=",
|
||||
"<>?:\"{}|_+",
|
||||
"!@#$%^&*()`~",
|
||||
"Ω≈ç√∫˜µ≤≥÷",
|
||||
"åß∂ƒ©˙∆˚¬…æ",
|
||||
"œ∑´®†¥¨ˆøπ“‘",
|
||||
"¡™£¢∞§¶•ªº–≠",
|
||||
"¸˛Ç◊ı˜Â¯˘¿",
|
||||
"ÅÍÎÏ˝ÓÔÒÚÆ☃",
|
||||
"Œ„´‰ˇÁ¨ˆØ∏”’",
|
||||
"`⁄€‹›fifl‡°·‚—±",
|
||||
"⅛⅜⅝⅞",
|
||||
"ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя",
|
||||
"٠١٢٣٤٥٦٧٨٩",
|
||||
"⁰⁴⁵",
|
||||
"₀₁₂",
|
||||
"⁰⁴⁵₀₁₂",
|
||||
"'",
|
||||
"\"",
|
||||
"''",
|
||||
"\"\"",
|
||||
"'\"'",
|
||||
"\"''''\"'\"",
|
||||
"\"'\"'\"''''\"",
|
||||
"<foo val=“bar” />",
|
||||
"<foo val=“bar” />",
|
||||
"<foo val=”bar“ />",
|
||||
"<foo val=`bar' />",
|
||||
"田中さんにあげて下さい",
|
||||
"パーティーへ行かないか",
|
||||
"和製漢語",
|
||||
"部落格",
|
||||
"사회과학원 어학연구소",
|
||||
"찦차를 타고 온 펲시맨과 쑛다리 똠방각하",
|
||||
"社會科學院語學研究所",
|
||||
"울란바토르",
|
||||
"𠜎𠜱𠝹𠱓𠱸𠲖𠳏",
|
||||
"ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ ",
|
||||
"(。◕ ∀ ◕。)",
|
||||
"`ィ(´∀`∩",
|
||||
"__ロ(,_,*)",
|
||||
"・( ̄∀ ̄)・:*:",
|
||||
"゚・✿ヾ╲(。◕‿◕。)╱✿・゚",
|
||||
",。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’",
|
||||
"(╯°□°)╯︵ ┻━┻) ",
|
||||
"(ノಥ益ಥ)ノ ┻━┻",
|
||||
"( ͡° ͜ʖ ͡°)",
|
||||
"😍",
|
||||
"👩🏽",
|
||||
"👾 🙇 💁 🙅 🙆 🙋 🙎 🙍 ",
|
||||
"🐵 🙈 🙉 🙊",
|
||||
"❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙",
|
||||
"✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿",
|
||||
"🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧",
|
||||
"0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟",
|
||||
"🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸 ",
|
||||
"🇺🇸🇷🇺🇸🇦🇫🇦🇲",
|
||||
"🇺🇸🇷🇺🇸🇦",
|
||||
"123",
|
||||
"١٢٣",
|
||||
"ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.",
|
||||
"בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ",
|
||||
"הָיְתָהtestالصفحات التّحول",
|
||||
"﷽",
|
||||
"ﷺ",
|
||||
"مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ ",
|
||||
"",
|
||||
" ",
|
||||
"",
|
||||
" ",
|
||||
"",
|
||||
"␣",
|
||||
"␢",
|
||||
"␡",
|
||||
"test",
|
||||
"test",
|
||||
"
test
",
|
||||
"testtest",
|
||||
"test",
|
||||
"Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣",
|
||||
"̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰",
|
||||
"̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟",
|
||||
"̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕",
|
||||
"Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮",
|
||||
"˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥",
|
||||
"00˙Ɩ$-",
|
||||
"The quick brown fox jumps over the lazy dog",
|
||||
"𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠",
|
||||
"𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌",
|
||||
"𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈",
|
||||
"𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰",
|
||||
"𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘",
|
||||
"𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐",
|
||||
"⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢",
|
||||
"<script>alert(123)</script>",
|
||||
"<script>alert('123');</script>",
|
||||
"<img src=x onerror=alert(123) />",
|
||||
"<svg><script>123<1>alert(123)</script> ",
|
||||
"\"><script>alert(123)</script>",
|
||||
"'><script>alert(123)</script>",
|
||||
"><script>alert(123)</script>",
|
||||
"</script><script>alert(123)</script>",
|
||||
"< / script >< script >alert(123)< / script >",
|
||||
" onfocus=JaVaSCript:alert(123) autofocus ",
|
||||
"\" onfocus=JaVaSCript:alert(123) autofocus ",
|
||||
"' onfocus=JaVaSCript:alert(123) autofocus ",
|
||||
"<script>alert(123)</script>",
|
||||
"<sc<script>ript>alert(123)</sc</script>ript>",
|
||||
"--><script>alert(123)</script>",
|
||||
"\";alert(123);t=\"",
|
||||
"';alert(123);t='",
|
||||
"JavaSCript:alert(123)",
|
||||
";alert(123);",
|
||||
"src=JaVaSCript:prompt(132)",
|
||||
"\"><script>alert(123);</script x=\"",
|
||||
"'><script>alert(123);</script x='",
|
||||
"><script>alert(123);</script x=",
|
||||
"\" autofocus onkeyup=\"javascript:alert(123)",
|
||||
"' autofocus onkeyup='javascript:alert(123)",
|
||||
"<script\\x20type=\"text/javascript\">javascript:alert(1);</script>",
|
||||
"<script\\x3Etype=\"text/javascript\">javascript:alert(1);</script>",
|
||||
"<script\\x0Dtype=\"text/javascript\">javascript:alert(1);</script>",
|
||||
"<script\\x09type=\"text/javascript\">javascript:alert(1);</script>",
|
||||
"<script\\x0Ctype=\"text/javascript\">javascript:alert(1);</script>",
|
||||
"<script\\x2Ftype=\"text/javascript\">javascript:alert(1);</script>",
|
||||
"<script\\x0Atype=\"text/javascript\">javascript:alert(1);</script>",
|
||||
"'`\"><\\x3Cscript>javascript:alert(1)</script> ",
|
||||
"'`\"><\\x00script>javascript:alert(1)</script>",
|
||||
"ABC<div style=\"x\\x3Aexpression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:expression\\x5C(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:expression\\x00(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:exp\\x00ression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:exp\\x5Cression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\x0Aexpression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\x09expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE3\\x80\\x80expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x84expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xC2\\xA0expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x80expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x8Aexpression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\x0Dexpression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\x0Cexpression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x87expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xEF\\xBB\\xBFexpression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\x20expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x88expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\x00expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x8Bexpression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x86expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x85expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x82expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\x0Bexpression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x81expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x83expression(javascript:alert(1)\">DEF",
|
||||
"ABC<div style=\"x:\\xE2\\x80\\x89expression(javascript:alert(1)\">DEF",
|
||||
"<a href=\"\\x0Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x0Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xC2\\xA0javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x05javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE1\\xA0\\x8Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x1Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x09javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x8Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x14javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x19javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\xAFjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x1Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x81javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x1Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x87javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x07javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE1\\x9A\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x83javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x04javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x01javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x08javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x84javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x86javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE3\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x12javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x0Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x0Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x0Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x15javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\xA8javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x16javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x02javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x1Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x06javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\xA9javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x80\\x85javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x1Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\xE2\\x81\\x9Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"\\x1Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"javascript\\x00:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"javascript\\x3A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"javascript\\x09:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"javascript\\x0D:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"<a href=\"javascript\\x0A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
|
||||
"`\"'><img src=xxx:x \\x0Aonerror=javascript:alert(1)>",
|
||||
"`\"'><img src=xxx:x \\x22onerror=javascript:alert(1)>",
|
||||
"`\"'><img src=xxx:x \\x0Bonerror=javascript:alert(1)>",
|
||||
"`\"'><img src=xxx:x \\x0Donerror=javascript:alert(1)>",
|
||||
"`\"'><img src=xxx:x \\x2Fonerror=javascript:alert(1)>",
|
||||
"`\"'><img src=xxx:x \\x09onerror=javascript:alert(1)>",
|
||||
"`\"'><img src=xxx:x \\x0Conerror=javascript:alert(1)>",
|
||||
"`\"'><img src=xxx:x \\x00onerror=javascript:alert(1)>",
|
||||
"`\"'><img src=xxx:x \\x27onerror=javascript:alert(1)>",
|
||||
"`\"'><img src=xxx:x \\x20onerror=javascript:alert(1)>",
|
||||
"\"`'><script>\\x3Bjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\x0Djavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xEF\\xBB\\xBFjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x81javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x84javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE3\\x80\\x80javascript:alert(1)</script>",
|
||||
"\"`'><script>\\x09javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x89javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x85javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x88javascript:alert(1)</script>",
|
||||
"\"`'><script>\\x00javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\xA8javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x8Ajavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE1\\x9A\\x80javascript:alert(1)</script>",
|
||||
"\"`'><script>\\x0Cjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\x2Bjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xF0\\x90\\x96\\x9Ajavascript:alert(1)</script>",
|
||||
"\"`'><script>-javascript:alert(1)</script>",
|
||||
"\"`'><script>\\x0Ajavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\xAFjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\x7Ejavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x87javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x81\\x9Fjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\xA9javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xC2\\x85javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xEF\\xBF\\xAEjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x83javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x8Bjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xEF\\xBF\\xBEjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x80javascript:alert(1)</script>",
|
||||
"\"`'><script>\\x21javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x82javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE2\\x80\\x86javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xE1\\xA0\\x8Ejavascript:alert(1)</script>",
|
||||
"\"`'><script>\\x0Bjavascript:alert(1)</script>",
|
||||
"\"`'><script>\\x20javascript:alert(1)</script>",
|
||||
"\"`'><script>\\xC2\\xA0javascript:alert(1)</script>",
|
||||
"<img \\x00src=x onerror=\"alert(1)\">",
|
||||
"<img \\x47src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img \\x11src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img \\x12src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img\\x47src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img\\x10src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img\\x13src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img\\x32src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img\\x47src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img\\x11src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img \\x47src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img \\x34src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img \\x39src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img \\x00src=x onerror=\"javascript:alert(1)\">",
|
||||
"<img src\\x09=x onerror=\"javascript:alert(1)\">",
|
||||
"<img src\\x10=x onerror=\"javascript:alert(1)\">",
|
||||
"<img src\\x13=x onerror=\"javascript:alert(1)\">",
|
||||
"<img src\\x32=x onerror=\"javascript:alert(1)\">",
|
||||
"<img src\\x12=x onerror=\"javascript:alert(1)\">",
|
||||
"<img src\\x11=x onerror=\"javascript:alert(1)\">",
|
||||
"<img src\\x00=x onerror=\"javascript:alert(1)\">",
|
||||
"<img src\\x47=x onerror=\"javascript:alert(1)\">",
|
||||
"<img src=x\\x09onerror=\"javascript:alert(1)\">",
|
||||
"<img src=x\\x10onerror=\"javascript:alert(1)\">",
|
||||
"<img src=x\\x11onerror=\"javascript:alert(1)\">",
|
||||
"<img src=x\\x12onerror=\"javascript:alert(1)\">",
|
||||
"<img src=x\\x13onerror=\"javascript:alert(1)\">",
|
||||
"<img[a][b][c]src[d]=x[e]onerror=[f]\"alert(1)\">",
|
||||
"<img src=x onerror=\\x09\"javascript:alert(1)\">",
|
||||
"<img src=x onerror=\\x10\"javascript:alert(1)\">",
|
||||
"<img src=x onerror=\\x11\"javascript:alert(1)\">",
|
||||
"<img src=x onerror=\\x12\"javascript:alert(1)\">",
|
||||
"<img src=x onerror=\\x32\"javascript:alert(1)\">",
|
||||
"<img src=x onerror=\\x00\"javascript:alert(1)\">",
|
||||
"<a href=javascript:javascript:alert(1)>XXX</a>",
|
||||
"<img src=\"x` `<script>javascript:alert(1)</script>\"` `>",
|
||||
"<img src onerror /\" '\"= alt=javascript:alert(1)//\">",
|
||||
"<title onpropertychange=javascript:alert(1)></title><title title=>",
|
||||
"<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">",
|
||||
"<!--[if]><script>javascript:alert(1)</script -->",
|
||||
"<!--[if<img src=x onerror=javascript:alert(1)//]> -->",
|
||||
"<script src=\"/\\%(jscript)s\"></script>",
|
||||
"<script src=\"\\\\%(jscript)s\"></script>",
|
||||
"<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">",
|
||||
"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
|
||||
"<IMG SRC=# onmouseover=\"alert('xxs')\">",
|
||||
"<IMG SRC= onmouseover=\"alert('xxs')\">",
|
||||
"<IMG onmouseover=\"alert('xxs')\">",
|
||||
"<IMG SRC=javascript:alert('XSS')>",
|
||||
"<IMG SRC=javascript:alert('XSS')>",
|
||||
"<IMG SRC=javascript:alert('XSS')>",
|
||||
"<IMG SRC=\"jav ascript:alert('XSS');\">",
|
||||
"<IMG SRC=\"jav	ascript:alert('XSS');\">",
|
||||
"<IMG SRC=\"jav
ascript:alert('XSS');\">",
|
||||
"<IMG SRC=\"jav
ascript:alert('XSS');\">",
|
||||
"perl -e 'print \"<IMG SRC=java\\0script:alert(\\\"XSS\\\")>\";' > out",
|
||||
"<IMG SRC=\"  javascript:alert('XSS');\">",
|
||||
"<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>",
|
||||
"<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
|
||||
"<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>",
|
||||
"<<SCRIPT>alert(\"XSS\");//<</SCRIPT>",
|
||||
"<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >",
|
||||
"<SCRIPT SRC=//ha.ckers.org/.j>",
|
||||
"<IMG SRC=\"javascript:alert('XSS')\"",
|
||||
"<iframe src=http://ha.ckers.org/scriptlet.html <",
|
||||
"\\\";alert('XSS');//",
|
||||
"<u oncopy=alert()> Copy me</u>",
|
||||
"<i onwheel=alert(1)> Scroll over me </i>",
|
||||
"<plaintext>",
|
||||
"http://a/%%30%30",
|
||||
"1;DROP TABLE users",
|
||||
"1'; DROP TABLE users-- 1",
|
||||
"' OR 1=1 -- 1",
|
||||
"' OR '1'='1",
|
||||
" ",
|
||||
"%",
|
||||
"_",
|
||||
"-",
|
||||
"--",
|
||||
"--version",
|
||||
"--help",
|
||||
"$USER",
|
||||
"/dev/null; touch /tmp/blns.fail ; echo",
|
||||
"`touch /tmp/blns.fail`",
|
||||
"$(touch /tmp/blns.fail)",
|
||||
"@{[system \"touch /tmp/blns.fail\"]}",
|
||||
"eval(\"puts 'hello world'\")",
|
||||
"System(\"ls -al /\")",
|
||||
"`ls -al /`",
|
||||
"Kernel.exec(\"ls -al /\")",
|
||||
"Kernel.exit(1)",
|
||||
"%x('ls -al /')",
|
||||
"<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>",
|
||||
"$HOME",
|
||||
"$ENV{'HOME'}",
|
||||
"%d",
|
||||
"%s",
|
||||
"{0}",
|
||||
"%*.*s",
|
||||
"../../../../../../../../../../../etc/passwd%00",
|
||||
"../../../../../../../../../../../etc/hosts",
|
||||
"() { 0; }; touch /tmp/blns.shellshock1.fail;",
|
||||
"() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }",
|
||||
"CON",
|
||||
"PRN",
|
||||
"AUX",
|
||||
"CLOCK$",
|
||||
"NUL",
|
||||
"A:",
|
||||
"ZZ:",
|
||||
"COM1",
|
||||
"LPT1",
|
||||
"LPT2",
|
||||
"LPT3",
|
||||
"COM2",
|
||||
"COM3",
|
||||
"COM4",
|
||||
"Scunthorpe General Hospital",
|
||||
"Penistone Community Church",
|
||||
"Lightwater Country Park",
|
||||
"Jimmy Clitheroe",
|
||||
"Horniman Museum",
|
||||
"shitake mushrooms",
|
||||
"RomansInSussex.co.uk",
|
||||
"http://www.cum.qc.ca/",
|
||||
"Craig Cockburn, Software Specialist",
|
||||
"Linda Callahan",
|
||||
"Dr. Herman I. Libshitz",
|
||||
"magna cum laude",
|
||||
"Super Bowl XXX",
|
||||
"medieval erection of parapets",
|
||||
"evaluate",
|
||||
"mocha",
|
||||
"expression",
|
||||
"Arsenal canal",
|
||||
"classic",
|
||||
"Tyson Gay",
|
||||
"basement",
|
||||
"If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.",
|
||||
"Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗"
|
||||
]
|
@ -19,6 +19,7 @@ from cherrypy.process import plugins, servers
|
||||
from cherrypy import Application
|
||||
import logging
|
||||
from ldapcherry.lclogging import *
|
||||
import json
|
||||
|
||||
cherrypy.session = {}
|
||||
|
||||
@ -261,6 +262,29 @@ class TestError(object):
|
||||
print(page)
|
||||
htmlvalidator(pages[page])
|
||||
|
||||
def testNoneType(self):
|
||||
app = LdapCherry()
|
||||
loadconf('./tests/cfg/ldapcherry_test.ini', app)
|
||||
app.modify('ssmith'),
|
||||
|
||||
def testNaughtyStrings(self):
|
||||
app = LdapCherry()
|
||||
loadconf('./tests/cfg/ldapcherry_test.ini', app)
|
||||
with open('./tests/cfg/blns.json') as data_file:
|
||||
data = json.load(data_file)
|
||||
for attr in data:
|
||||
print('testing: ' + attr)
|
||||
# delete whatever is happening...
|
||||
try:
|
||||
app._deleteuser('test')
|
||||
except:
|
||||
pass
|
||||
form = {'groups': {}, 'attrs': {'password1': u'password☭', 'password2': u'password☭', 'cn': 'Test', 'name': attr, 'uidNumber': u'1000', 'gidNumber': u'1000', 'home': u'/home/test', 'first-name': u'Test ☭', 'email': u'test@test.fr', 'uid': 'test'}, 'roles': {'admin-lv3': u'on', 'admin-lv2': u'on', 'users': u'on'}}
|
||||
app._adduser(form)
|
||||
page = app.searchuser('test'),
|
||||
app._deleteuser('test')
|
||||
htmlvalidator(page[0])
|
||||
|
||||
def testLogger(self):
|
||||
app = LdapCherry()
|
||||
loadconf('./tests/cfg/ldapcherry.ini', app)
|
||||
|
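Review bot: `testNaughtyStrings` only runs the rendered page through `htmlvalidator`, which — judging by the `w3c-markup-validator` install added alongside — checks markup validity, not escaping; a payload such as `<script>alert(123)</script>` emitted as element text is perfectly valid HTML and would pass unchanged, so add `assert cgi.escape(attr, True) in page[0]` (with `import cgi` in the test module) or at least `assert attr not in page[0]` for entries containing `<`, so the test pins the property the commit is fixing. The bare `except:` around `app._deleteuser('test')` also swallows `KeyboardInterrupt` and `SystemExit`; `except Exception:` keeps the best-effort cleanup without that. The trailing commas in `app.modify('ssmith'),` and `page = app.searchuser('test'),` turn the results into one-element tuples (which is why `page[0]` is needed); dropping them and validating `page` directly reads as intended. `testLogger` continues past the end of the hunk.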
@ -2,6 +2,7 @@
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install ldap-utils slapd -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -f -q -y
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install samba -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -f -q -y
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install w3c-markup-validator -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -f -q -y
|
||||
|
||||
rsync -a `dirname $0`/ /
|
||||
cd `dirname $0`/../../
|
||||
|
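Review bot: The new `apt-get install w3c-markup-validator` line, like the two above it, does not check its exit status, and the script's first line (where a `set -e` would live) is outside the hunk; if the validator fails to install, deployment continues and `htmlvalidator` fails later for an unrelated-looking reason. Either add `set -e` at the top or fold the three invocations into one `apt-get install ldap-utils slapd samba w3c-markup-validator ...` so a single failure stops the run.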