Only redirect to sanitized path under /web

2025-07-29 18:08:31 +00:00 · 2022-01-18 18:20:15 +01:00 · 2022-01-18 18:20:15 +01:00 · 77a3ea7529
commit 77a3ea7529
parent 9e9f2bb780
3 changed files with 24 additions and 21 deletions
--- a/radicale/tests/test_base.py
+++ b/radicale/tests/test_base.py
@ -53,26 +53,28 @@ permissions: RrWw""")

    def test_root(self) -> None:
        """GET request at "/"."""
-        status, headers, answer = self.request("GET", "/", check=302)
-        assert headers.get("Location") == ".web"
-        assert answer == "Redirected to .web"
+        for path in ["", "/", "//"]:
+            _, headers, answer = self.request("GET", path, check=302)
+            assert headers.get("Location") == "/.web"
+            assert answer == "Redirected to /.web"

    def test_root_script_name(self) -> None:
        """GET request at "/" with SCRIPT_NAME."""
-        _, answer = self.get("/", check=302, SCRIPT_NAME="/radicale")
-        assert answer == "Redirected to .web"
+        for path in ["", "/", "//"]:
+            _, headers, _ = self.request("GET", path, check=302,
+                                         SCRIPT_NAME="/radicale")
+            assert headers.get("Location") == "/radicale/.web"

    def test_sanitized_path(self) -> None:
        """GET request with unsanitized paths."""
-        for path, sane_path in [("//", "/"), ("", "/"), ("/a//b", "/a/b"),
-                                ("/a//b/", "/a/b/")]:
-            _, headers, answer = self.request("GET", path, check=301)
+        for path, sane_path in [
+                ("//.web", "/.web"), ("//.web/", "/.web/"),
+                ("/.web//", "/.web/"), ("/.web/a//b", "/.web/a/b")]:
+            _, headers, _ = self.request("GET", path, check=301)
            assert headers.get("Location") == sane_path
-            assert answer == "Redirected to %s" % sane_path
-            _, headers, answer = self.request("GET", path, check=301,
-                                              SCRIPT_NAME="/radicale")
+            _, headers, _ = self.request("GET", path, check=301,
+                                         SCRIPT_NAME="/radicale")
            assert headers.get("Location") == "/radicale%s" % sane_path
-            assert answer == "Redirected to /radicale%s" % sane_path

    def test_add_event(self) -> None:
        """Add an event."""