spec/session_spec.rb in patron-0.6.4 vs spec/session_spec.rb in patron-0.6.5
@@ -34,9 +34,30 @@
before(:each) do
@session = Patron::Session.new
@session.base_url = "http://localhost:9001"
end
+ context 'when trying a non-HTTP(s) URL' do
+ forbidden_protos = %w( smb tftp imap smtp telnet dict ftp sftp scp file gopher )
+ forbidden_protos.each do |forbidden_proto|
+ it "should deny a #{forbidden_proto.upcase} request" do
+ @session.base_url = nil
+ expect {
+ @session.get('%s://localhost' % forbidden_proto)
+ }.to raise_error(Patron::UnsupportedProtocol)
+ end
+ end
+ end
+
+ it 'does not follow a redirect to a non-HTTP/HTTPS URL' do
+ # The "/evil-redirect" servlet tries to do a redirect to SMTP,
+ # which can lead to exploits. By default, libCURL will just follow
+ # that redirect.
+ expect {
+ @session.get('/evil-redirect')
+ }.to raise_error(Patron::UnsupportedProtocol)
+ end
+
it "should work when forcing ipv4" do
@session.force_ipv4 = true
expect { @session.get("/test") }.to_not raise_error
end
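Review bot: The scheme table at L10 pins a denylist — each generated `it` only proves that one named scheme is rejected, so a scheme absent from the list (ldap, pop3, rtsp, or one libcurl does not know at all) and a mixed-case spelling such as `FILE://localhost` stay uncovered, and an implementation that regressed from an http/https allow-list to a per-scheme denylist would still pass this spec. Adding one example for an unlisted scheme and one for an upper-cased scheme would document that the intended contract is "only http and https are allowed". I have assumed the error raised for an unlisted scheme is also `Patron::UnsupportedProtocol`; if the library maps it to a different class, the matcher needs adjusting. As a style point, `'%s://localhost' % forbidden_proto` at L15 would read more idiomatically as `"#{forbidden_proto}://localhost"`. The enclosing `describe` block starts and ends outside the hunk.

```ruby
  context 'when trying a non-HTTP(s) URL' do
    # … unchanged: forbidden_protos loop …

    it 'should deny a scheme that is not in the http/https allow-list at all' do
      @session.base_url = nil
      expect {
        @session.get('ldap://localhost')
      }.to raise_error(Patron::UnsupportedProtocol)
    end

    it 'should deny an upper-cased non-HTTP scheme' do
      @session.base_url = nil
      expect {
        @session.get('FILE://localhost')
      }.to raise_error(Patron::UnsupportedProtocol)
    end
  end
```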