Tests and CHANGELOG for LMS-530

27c70ead · Ned Batchelder · 5fad9ccc · 27c70ead · 27c70ead
Commit 27c70ead authored Jul 01, 2013 by Ned Batchelder
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 1 deletions

CHANGELOG.rst
+2 -0

lms/djangoapps/staticbook/tests.py
+22 -1

No files found.
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -15,6 +15,8 @@ LMS: Users are no longer auto-activated if they click "reset password"
 This is now done when they click on the link in the reset password
 email they receive (along with usual path through activation email).
+LMS: Fixed a reflected XSS problem in the static textbook views.
 LMS: Problem rescoring.  Added options on the Grades tab of the
 Instructor Dashboard to allow a particular student's submission for a
 particular problem to be rescored.  Provides an option to see a

--- a/lms/djangoapps/staticbook/tests.py
+++ b/lms/djangoapps/staticbook/tests.py
@@ -3,7 +3,7 @@ Test the lms/staticbook views.
 """
 from django.test.utils import override_settings
-from django.core.urlresolvers import reverse
+from django.core.urlresolvers import reverse, NoReverseMatch
 from courseware.tests.tests import TEST_DATA_MONGO_MODULESTORE
 from student.tests.factories import UserFactory, CourseEnrollmentFactory
@@ -115,6 +115,20 @@ class StaticPdfBookTest(StaticBookTest):
        response = self.client.get(url)
        self.assertEqual(response.status_code, 404)
+    def test_chapter_xss(self):
+        # The chapter in the URL used to go right on the page.
+        course = self.make_course(pdf_textbooks=[PDF_BOOK])
+        # It's no longer possible to use a non-integer chapter.
+        with self.assertRaises(NoReverseMatch):
+            reverse('pdf_book', kwargs={'course_id': course.id, 'book_index': 0, 'chapter': 'xyzzy'})
+    def test_page_xss(self):
+        # The page in the URL used to go right on the page.
+        course = self.make_course(pdf_textbooks=[PDF_BOOK])
+        # It's no longer possible to use a non-integer page.
+        with self.assertRaises(NoReverseMatch):
+            reverse('pdf_book', kwargs={'course_id': course.id, 'book_index': 0, 'page': 'xyzzy'})
 class StaticHtmlBookTest(StaticBookTest):
    """
@@ -150,3 +164,10 @@ class StaticHtmlBookTest(StaticBookTest):
        url = self.make_url('html_book', book_index=0, chapter=1)
        response = self.client.get(url)
        self.assertEqual(response.status_code, 404)
+    def test_chapter_xss(self):
+        # The chapter in the URL used to go right on the page.
+        course = self.make_course(pdf_textbooks=[HTML_BOOK])
+        # It's no longer possible to use a non-integer chapter.
+        with self.assertRaises(NoReverseMatch):
+            reverse('html_book', kwargs={'course_id': course.id, 'book_index': 0, 'chapter': 'xyzzy'})