authorWojtek Kosior <koszko@koszko.org>2024-01-26 11:32:46 +0100
committerWojtek Kosior <koszko@koszko.org>2024-01-26 11:32:46 +0100
commit9b39286cda39e66bab3c097937da9be243585f3c (patch)
tree81fb4f06e8edd086553b29b469c0e3ab2fb700e1 /tests
parent4343f40aa77904ff26a5425ed41211d94573002a (diff)
Normalize resource path in `find-resource-file`.
`..` and `.` are now legal as long as the path does not reference the resource root directory's parent.
Diffstat (limited to 'tests')
-rw-r--r--tests/guile/cantius-test.scm25
1 files changed, 9 insertions, 16 deletions
diff --git a/tests/guile/cantius-test.scm b/tests/guile/cantius-test.scm
index e497bfe..328573c 100644
--- a/tests/guile/cantius-test.scm
+++ b/tests/guile/cantius-test.scm
@@ -189,22 +189,15 @@
(tu:test-assert (string-prefix? ";;; " (cadr valid-resource-result))))
(tu:test-group "illegal-static-resources"
- (for-each (lambda (resource-path)
- (define illegal-resource-result
- (get resource-path))
-
- (tu:test-eqv 403
- (rsp:response-code (car illegal-resource-result)))
-
- ;; Default handler for illegal resource accesses is expected to
- ;; ignore the value of the `%default-headers` parameter.
- (tu:test-equal '(text/plain (charset . "utf-8"))
- (rsp:response-content-type
- (car illegal-resource-result))))
-
- '("/static/../../../../../etc/passwd"
- "/static/stylesheets/."
- "/static/nonfree/../scripts/main.js")))
+ (define illegal-resource-result
+ (get "/static/stylesheets/../../../../../../etc/passwd"))
+
+ (tu:test-eqv 403 (rsp:response-code (car illegal-resource-result)))
+
+ ;; Default handler for illegal resource accesses is expected to ignore the
+ ;; value of the `%default-headers` parameter.
+ (tu:test-equal '(text/plain (charset . "utf-8"))
+ (rsp:response-content-type (car illegal-resource-result))))
(tu:test-group "missing-static-resources"
(define missing-resource-result
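Review bot: The `illegal-static-resources` group now exercises only one path, a deep escape with surplus `..` segments, so the edge of the new normalization rule in `find-resource-file` is not pinned by any test. Keeping the removed `for-each` over a list would let this group also cover a path that leaves the resource root by exactly one level and one that climbs out and descends again, each still expected to return 403. The two dropped inputs, `"/static/stylesheets/."` and `"/static/nonfree/../scripts/main.js"`, are presumably legal after this commit, yet the diffstat shows no added test asserting they are no longer answered with 403; a small group with `(tu:test-assert (not (eqv? 403 (rsp:response-code (car result)))))` for each would document that. The exact status expected for those two depends on fixtures outside this hunk.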