From 9573bdca55ddc5488066d3af525e41ed1d872ea6 Mon Sep 17 00:00:00 2001 From: NavaL Date: Wed, 24 Feb 2016 16:33:20 +0100 Subject: Backend and frontend protection against csrf attacks: - root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login - it will also add that cookie on single user mode - initialize will still load all resources - but they you cant access them if the csrf token do not match - all ajax calls needs to add the token to the header - non ajax get requests do not need xsrf token validation - non ajax post will have to send the token in as a form input or in the content Issue #612 --- service/test/integration/test_retrieve_attachment.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'service/test/integration/test_retrieve_attachment.py') diff --git a/service/test/integration/test_retrieve_attachment.py b/service/test/integration/test_retrieve_attachment.py index 4aaeadc2..31c8c5df 100644 --- a/service/test/integration/test_retrieve_attachment.py +++ b/service/test/integration/test_retrieve_attachment.py @@ -43,6 +43,23 @@ class RetrieveAttachmentTest(SoledadTestBase): self.assertEquals(expected_content_disposition, req.outgoingHeaders['content-disposition']) self.assertEquals(expected_content_type, req.outgoingHeaders['content-type']) + @defer.inlineCallbacks + def test_should_retrieve_attachment_even_if_xsrf_token_not_passed(self): + attachment_id, input_mail = self._create_mail_with_attachment() + yield self.mail_store.add_mail('INBOX', input_mail.as_string()) + + requested_filename = "file name with space" + expected_content_type = 'text/plain' + expected_content_disposition = 'attachment; filename="file name with space"' + + attachment, req = yield self.get_attachment(attachment_id, 'base64', filename=requested_filename, + content_type=expected_content_type, ajax=False, csrf='mismatched token') + + self.assertEqual(200, req.code) + self.assertEquals('pretend to be binary attachment data', attachment) + self.assertEquals(expected_content_disposition, req.outgoingHeaders['content-disposition']) + self.assertEquals(expected_content_type, req.outgoingHeaders['content-type']) + def _create_mail_with_attachment(self): input_mail = MIMEMultipart() input_mail.attach(MIMEText(u'a utf8 message', _charset='utf-8')) -- cgit v1.2.3