mirror of
				https://github.com/django/django.git
				synced 2025-10-22 21:29:11 +00:00 
			
		
		
		
	Refs Python CVE-2022-0391. Django is not affected, but others who incorrectly use internal function url_has_allowed_host_and_scheme() with unsanitized input could be at risk.
		
			
				
	
	
		
			514 lines
		
	
	
		
			18 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			514 lines
		
	
	
		
			18 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| import platform
 | ||
| import unittest
 | ||
| from datetime import datetime, timezone
 | ||
| from unittest import mock
 | ||
| 
 | ||
| from django.test import SimpleTestCase
 | ||
| from django.utils.datastructures import MultiValueDict
 | ||
| from django.utils.http import (
 | ||
|     base36_to_int,
 | ||
|     escape_leading_slashes,
 | ||
|     http_date,
 | ||
|     int_to_base36,
 | ||
|     is_same_domain,
 | ||
|     parse_etags,
 | ||
|     parse_header_parameters,
 | ||
|     parse_http_date,
 | ||
|     quote_etag,
 | ||
|     url_has_allowed_host_and_scheme,
 | ||
|     urlencode,
 | ||
|     urlsafe_base64_decode,
 | ||
|     urlsafe_base64_encode,
 | ||
| )
 | ||
| 
 | ||
| 
 | ||
| class URLEncodeTests(SimpleTestCase):
 | ||
|     cannot_encode_none_msg = (
 | ||
|         "Cannot encode None for key 'a' in a query string. Did you mean to "
 | ||
|         "pass an empty string or omit the value?"
 | ||
|     )
 | ||
| 
 | ||
|     def test_tuples(self):
 | ||
|         self.assertEqual(urlencode((("a", 1), ("b", 2), ("c", 3))), "a=1&b=2&c=3")
 | ||
| 
 | ||
|     def test_dict(self):
 | ||
|         result = urlencode({"a": 1, "b": 2, "c": 3})
 | ||
|         # Dictionaries are treated as unordered.
 | ||
|         self.assertIn(
 | ||
|             result,
 | ||
|             [
 | ||
|                 "a=1&b=2&c=3",
 | ||
|                 "a=1&c=3&b=2",
 | ||
|                 "b=2&a=1&c=3",
 | ||
|                 "b=2&c=3&a=1",
 | ||
|                 "c=3&a=1&b=2",
 | ||
|                 "c=3&b=2&a=1",
 | ||
|             ],
 | ||
|         )
 | ||
| 
 | ||
|     def test_dict_containing_sequence_not_doseq(self):
 | ||
|         self.assertEqual(urlencode({"a": [1, 2]}, doseq=False), "a=%5B1%2C+2%5D")
 | ||
| 
 | ||
|     def test_dict_containing_tuple_not_doseq(self):
 | ||
|         self.assertEqual(urlencode({"a": (1, 2)}, doseq=False), "a=%281%2C+2%29")
 | ||
| 
 | ||
|     def test_custom_iterable_not_doseq(self):
 | ||
|         class IterableWithStr:
 | ||
|             def __str__(self):
 | ||
|                 return "custom"
 | ||
| 
 | ||
|             def __iter__(self):
 | ||
|                 yield from range(0, 3)
 | ||
| 
 | ||
|         self.assertEqual(urlencode({"a": IterableWithStr()}, doseq=False), "a=custom")
 | ||
| 
 | ||
|     def test_dict_containing_sequence_doseq(self):
 | ||
|         self.assertEqual(urlencode({"a": [1, 2]}, doseq=True), "a=1&a=2")
 | ||
| 
 | ||
|     def test_dict_containing_empty_sequence_doseq(self):
 | ||
|         self.assertEqual(urlencode({"a": []}, doseq=True), "")
 | ||
| 
 | ||
|     def test_multivaluedict(self):
 | ||
|         result = urlencode(
 | ||
|             MultiValueDict(
 | ||
|                 {
 | ||
|                     "name": ["Adrian", "Simon"],
 | ||
|                     "position": ["Developer"],
 | ||
|                 }
 | ||
|             ),
 | ||
|             doseq=True,
 | ||
|         )
 | ||
|         # MultiValueDicts are similarly unordered.
 | ||
|         self.assertIn(
 | ||
|             result,
 | ||
|             [
 | ||
|                 "name=Adrian&name=Simon&position=Developer",
 | ||
|                 "position=Developer&name=Adrian&name=Simon",
 | ||
|             ],
 | ||
|         )
 | ||
| 
 | ||
|     def test_dict_with_bytes_values(self):
 | ||
|         self.assertEqual(urlencode({"a": b"abc"}, doseq=True), "a=abc")
 | ||
| 
 | ||
|     def test_dict_with_sequence_of_bytes(self):
 | ||
|         self.assertEqual(
 | ||
|             urlencode({"a": [b"spam", b"eggs", b"bacon"]}, doseq=True),
 | ||
|             "a=spam&a=eggs&a=bacon",
 | ||
|         )
 | ||
| 
 | ||
|     def test_dict_with_bytearray(self):
 | ||
|         self.assertEqual(urlencode({"a": bytearray(range(2))}, doseq=True), "a=0&a=1")
 | ||
| 
 | ||
|     def test_generator(self):
 | ||
|         self.assertEqual(urlencode({"a": range(2)}, doseq=True), "a=0&a=1")
 | ||
|         self.assertEqual(urlencode({"a": range(2)}, doseq=False), "a=range%280%2C+2%29")
 | ||
| 
 | ||
|     def test_none(self):
 | ||
|         with self.assertRaisesMessage(TypeError, self.cannot_encode_none_msg):
 | ||
|             urlencode({"a": None})
 | ||
| 
 | ||
|     def test_none_in_sequence(self):
 | ||
|         with self.assertRaisesMessage(TypeError, self.cannot_encode_none_msg):
 | ||
|             urlencode({"a": [None]}, doseq=True)
 | ||
| 
 | ||
|     def test_none_in_generator(self):
 | ||
|         def gen():
 | ||
|             yield None
 | ||
| 
 | ||
|         with self.assertRaisesMessage(TypeError, self.cannot_encode_none_msg):
 | ||
|             urlencode({"a": gen()}, doseq=True)
 | ||
| 
 | ||
| 
 | ||
| class Base36IntTests(SimpleTestCase):
 | ||
|     def test_roundtrip(self):
 | ||
|         for n in [0, 1, 1000, 1000000]:
 | ||
|             self.assertEqual(n, base36_to_int(int_to_base36(n)))
 | ||
| 
 | ||
|     def test_negative_input(self):
 | ||
|         with self.assertRaisesMessage(ValueError, "Negative base36 conversion input."):
 | ||
|             int_to_base36(-1)
 | ||
| 
 | ||
|     def test_to_base36_errors(self):
 | ||
|         for n in ["1", "foo", {1: 2}, (1, 2, 3), 3.141]:
 | ||
|             with self.assertRaises(TypeError):
 | ||
|                 int_to_base36(n)
 | ||
| 
 | ||
|     def test_invalid_literal(self):
 | ||
|         for n in ["#", " "]:
 | ||
|             with self.assertRaisesMessage(
 | ||
|                 ValueError, "invalid literal for int() with base 36: '%s'" % n
 | ||
|             ):
 | ||
|                 base36_to_int(n)
 | ||
| 
 | ||
|     def test_input_too_large(self):
 | ||
|         with self.assertRaisesMessage(ValueError, "Base36 input too large"):
 | ||
|             base36_to_int("1" * 14)
 | ||
| 
 | ||
|     def test_to_int_errors(self):
 | ||
|         for n in [123, {1: 2}, (1, 2, 3), 3.141]:
 | ||
|             with self.assertRaises(TypeError):
 | ||
|                 base36_to_int(n)
 | ||
| 
 | ||
|     def test_values(self):
 | ||
|         for n, b36 in [(0, "0"), (1, "1"), (42, "16"), (818469960, "django")]:
 | ||
|             self.assertEqual(int_to_base36(n), b36)
 | ||
|             self.assertEqual(base36_to_int(b36), n)
 | ||
| 
 | ||
| 
 | ||
| class URLHasAllowedHostAndSchemeTests(unittest.TestCase):
 | ||
|     def test_bad_urls(self):
 | ||
|         bad_urls = (
 | ||
|             "http://example.com",
 | ||
|             "http:///example.com",
 | ||
|             "https://example.com",
 | ||
|             "ftp://example.com",
 | ||
|             r"\\example.com",
 | ||
|             r"\\\example.com",
 | ||
|             r"/\\/example.com",
 | ||
|             r"\\\example.com",
 | ||
|             r"\\example.com",
 | ||
|             r"\\//example.com",
 | ||
|             r"/\/example.com",
 | ||
|             r"\/example.com",
 | ||
|             r"/\example.com",
 | ||
|             "http:///example.com",
 | ||
|             r"http:/\//example.com",
 | ||
|             r"http:\/example.com",
 | ||
|             r"http:/\example.com",
 | ||
|             'javascript:alert("XSS")',
 | ||
|             "\njavascript:alert(x)",
 | ||
|             "java\nscript:alert(x)",
 | ||
|             "\x08//example.com",
 | ||
|             r"http://otherserver\@example.com",
 | ||
|             r"http:\\testserver\@example.com",
 | ||
|             r"http://testserver\me:pass@example.com",
 | ||
|             r"http://testserver\@example.com",
 | ||
|             r"http:\\testserver\confirm\me@example.com",
 | ||
|             "http:999999999",
 | ||
|             "ftp:9999999999",
 | ||
|             "\n",
 | ||
|             "http://[2001:cdba:0000:0000:0000:0000:3257:9652/",
 | ||
|             "http://2001:cdba:0000:0000:0000:0000:3257:9652]/",
 | ||
|         )
 | ||
|         for bad_url in bad_urls:
 | ||
|             with self.subTest(url=bad_url):
 | ||
|                 self.assertIs(
 | ||
|                     url_has_allowed_host_and_scheme(
 | ||
|                         bad_url, allowed_hosts={"testserver", "testserver2"}
 | ||
|                     ),
 | ||
|                     False,
 | ||
|                 )
 | ||
| 
 | ||
|     def test_good_urls(self):
 | ||
|         good_urls = (
 | ||
|             "/view/?param=http://example.com",
 | ||
|             "/view/?param=https://example.com",
 | ||
|             "/view?param=ftp://example.com",
 | ||
|             "view/?param=//example.com",
 | ||
|             "https://testserver/",
 | ||
|             "HTTPS://testserver/",
 | ||
|             "//testserver/",
 | ||
|             "http://testserver/confirm?email=me@example.com",
 | ||
|             "/url%20with%20spaces/",
 | ||
|             "path/http:2222222222",
 | ||
|         )
 | ||
|         for good_url in good_urls:
 | ||
|             with self.subTest(url=good_url):
 | ||
|                 self.assertIs(
 | ||
|                     url_has_allowed_host_and_scheme(
 | ||
|                         good_url, allowed_hosts={"otherserver", "testserver"}
 | ||
|                     ),
 | ||
|                     True,
 | ||
|                 )
 | ||
| 
 | ||
|     def test_basic_auth(self):
 | ||
|         # Valid basic auth credentials are allowed.
 | ||
|         self.assertIs(
 | ||
|             url_has_allowed_host_and_scheme(
 | ||
|                 r"http://user:pass@testserver/", allowed_hosts={"user:pass@testserver"}
 | ||
|             ),
 | ||
|             True,
 | ||
|         )
 | ||
| 
 | ||
|     def test_no_allowed_hosts(self):
 | ||
|         # A path without host is allowed.
 | ||
|         self.assertIs(
 | ||
|             url_has_allowed_host_and_scheme(
 | ||
|                 "/confirm/me@example.com", allowed_hosts=None
 | ||
|             ),
 | ||
|             True,
 | ||
|         )
 | ||
|         # Basic auth without host is not allowed.
 | ||
|         self.assertIs(
 | ||
|             url_has_allowed_host_and_scheme(
 | ||
|                 r"http://testserver\@example.com", allowed_hosts=None
 | ||
|             ),
 | ||
|             False,
 | ||
|         )
 | ||
| 
 | ||
|     def test_allowed_hosts_str(self):
 | ||
|         self.assertIs(
 | ||
|             url_has_allowed_host_and_scheme(
 | ||
|                 "http://good.com/good", allowed_hosts="good.com"
 | ||
|             ),
 | ||
|             True,
 | ||
|         )
 | ||
|         self.assertIs(
 | ||
|             url_has_allowed_host_and_scheme(
 | ||
|                 "http://good.co/evil", allowed_hosts="good.com"
 | ||
|             ),
 | ||
|             False,
 | ||
|         )
 | ||
| 
 | ||
|     def test_secure_param_https_urls(self):
 | ||
|         secure_urls = (
 | ||
|             "https://example.com/p",
 | ||
|             "HTTPS://example.com/p",
 | ||
|             "/view/?param=http://example.com",
 | ||
|         )
 | ||
|         for url in secure_urls:
 | ||
|             with self.subTest(url=url):
 | ||
|                 self.assertIs(
 | ||
|                     url_has_allowed_host_and_scheme(
 | ||
|                         url, allowed_hosts={"example.com"}, require_https=True
 | ||
|                     ),
 | ||
|                     True,
 | ||
|                 )
 | ||
| 
 | ||
|     def test_secure_param_non_https_urls(self):
 | ||
|         insecure_urls = (
 | ||
|             "http://example.com/p",
 | ||
|             "ftp://example.com/p",
 | ||
|             "//example.com/p",
 | ||
|         )
 | ||
|         for url in insecure_urls:
 | ||
|             with self.subTest(url=url):
 | ||
|                 self.assertIs(
 | ||
|                     url_has_allowed_host_and_scheme(
 | ||
|                         url, allowed_hosts={"example.com"}, require_https=True
 | ||
|                     ),
 | ||
|                     False,
 | ||
|                 )
 | ||
| 
 | ||
| 
 | ||
| class URLSafeBase64Tests(unittest.TestCase):
 | ||
|     def test_roundtrip(self):
 | ||
|         bytestring = b"foo"
 | ||
|         encoded = urlsafe_base64_encode(bytestring)
 | ||
|         decoded = urlsafe_base64_decode(encoded)
 | ||
|         self.assertEqual(bytestring, decoded)
 | ||
| 
 | ||
| 
 | ||
| class IsSameDomainTests(unittest.TestCase):
 | ||
|     def test_good(self):
 | ||
|         for pair in (
 | ||
|             ("example.com", "example.com"),
 | ||
|             ("example.com", ".example.com"),
 | ||
|             ("foo.example.com", ".example.com"),
 | ||
|             ("example.com:8888", "example.com:8888"),
 | ||
|             ("example.com:8888", ".example.com:8888"),
 | ||
|             ("foo.example.com:8888", ".example.com:8888"),
 | ||
|         ):
 | ||
|             self.assertIs(is_same_domain(*pair), True)
 | ||
| 
 | ||
|     def test_bad(self):
 | ||
|         for pair in (
 | ||
|             ("example2.com", "example.com"),
 | ||
|             ("foo.example.com", "example.com"),
 | ||
|             ("example.com:9999", "example.com:8888"),
 | ||
|             ("foo.example.com:8888", ""),
 | ||
|         ):
 | ||
|             self.assertIs(is_same_domain(*pair), False)
 | ||
| 
 | ||
| 
 | ||
| class ETagProcessingTests(unittest.TestCase):
 | ||
|     def test_parsing(self):
 | ||
|         self.assertEqual(
 | ||
|             parse_etags(r'"" ,  "etag", "e\\tag", W/"weak"'),
 | ||
|             ['""', '"etag"', r'"e\\tag"', 'W/"weak"'],
 | ||
|         )
 | ||
|         self.assertEqual(parse_etags("*"), ["*"])
 | ||
| 
 | ||
|         # Ignore RFC 2616 ETags that are invalid according to RFC 7232.
 | ||
|         self.assertEqual(parse_etags(r'"etag", "e\"t\"ag"'), ['"etag"'])
 | ||
| 
 | ||
|     def test_quoting(self):
 | ||
|         self.assertEqual(quote_etag("etag"), '"etag"')  # unquoted
 | ||
|         self.assertEqual(quote_etag('"etag"'), '"etag"')  # quoted
 | ||
|         self.assertEqual(quote_etag('W/"etag"'), 'W/"etag"')  # quoted, weak
 | ||
| 
 | ||
| 
 | ||
| class HttpDateProcessingTests(unittest.TestCase):
 | ||
|     def test_http_date(self):
 | ||
|         t = 1167616461.0
 | ||
|         self.assertEqual(http_date(t), "Mon, 01 Jan 2007 01:54:21 GMT")
 | ||
| 
 | ||
|     def test_parsing_rfc1123(self):
 | ||
|         parsed = parse_http_date("Sun, 06 Nov 1994 08:49:37 GMT")
 | ||
|         self.assertEqual(
 | ||
|             datetime.fromtimestamp(parsed, timezone.utc),
 | ||
|             datetime(1994, 11, 6, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|         )
 | ||
| 
 | ||
|     @unittest.skipIf(platform.architecture()[0] == "32bit", "The Year 2038 problem.")
 | ||
|     @mock.patch("django.utils.http.datetime.datetime")
 | ||
|     def test_parsing_rfc850(self, mocked_datetime):
 | ||
|         mocked_datetime.side_effect = datetime
 | ||
|         mocked_datetime.now = mock.Mock()
 | ||
|         now_1 = datetime(2019, 11, 6, 8, 49, 37, tzinfo=timezone.utc)
 | ||
|         now_2 = datetime(2020, 11, 6, 8, 49, 37, tzinfo=timezone.utc)
 | ||
|         now_3 = datetime(2048, 11, 6, 8, 49, 37, tzinfo=timezone.utc)
 | ||
|         tests = (
 | ||
|             (
 | ||
|                 now_1,
 | ||
|                 "Tuesday, 31-Dec-69 08:49:37 GMT",
 | ||
|                 datetime(2069, 12, 31, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|             ),
 | ||
|             (
 | ||
|                 now_1,
 | ||
|                 "Tuesday, 10-Nov-70 08:49:37 GMT",
 | ||
|                 datetime(1970, 11, 10, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|             ),
 | ||
|             (
 | ||
|                 now_1,
 | ||
|                 "Sunday, 06-Nov-94 08:49:37 GMT",
 | ||
|                 datetime(1994, 11, 6, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|             ),
 | ||
|             (
 | ||
|                 now_2,
 | ||
|                 "Wednesday, 31-Dec-70 08:49:37 GMT",
 | ||
|                 datetime(2070, 12, 31, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|             ),
 | ||
|             (
 | ||
|                 now_2,
 | ||
|                 "Friday, 31-Dec-71 08:49:37 GMT",
 | ||
|                 datetime(1971, 12, 31, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|             ),
 | ||
|             (
 | ||
|                 now_3,
 | ||
|                 "Sunday, 31-Dec-00 08:49:37 GMT",
 | ||
|                 datetime(2000, 12, 31, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|             ),
 | ||
|             (
 | ||
|                 now_3,
 | ||
|                 "Friday, 31-Dec-99 08:49:37 GMT",
 | ||
|                 datetime(1999, 12, 31, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|             ),
 | ||
|         )
 | ||
|         for now, rfc850str, expected_date in tests:
 | ||
|             with self.subTest(rfc850str=rfc850str):
 | ||
|                 mocked_datetime.now.return_value = now
 | ||
|                 parsed = parse_http_date(rfc850str)
 | ||
|                 mocked_datetime.now.assert_called_once_with(tz=timezone.utc)
 | ||
|                 self.assertEqual(
 | ||
|                     datetime.fromtimestamp(parsed, timezone.utc),
 | ||
|                     expected_date,
 | ||
|                 )
 | ||
|             mocked_datetime.reset_mock()
 | ||
| 
 | ||
|     def test_parsing_asctime(self):
 | ||
|         parsed = parse_http_date("Sun Nov  6 08:49:37 1994")
 | ||
|         self.assertEqual(
 | ||
|             datetime.fromtimestamp(parsed, timezone.utc),
 | ||
|             datetime(1994, 11, 6, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|         )
 | ||
| 
 | ||
|     def test_parsing_asctime_nonascii_digits(self):
 | ||
|         """Non-ASCII unicode decimals raise an error."""
 | ||
|         with self.assertRaises(ValueError):
 | ||
|             parse_http_date("Sun Nov  6 08:49:37 1994")
 | ||
|         with self.assertRaises(ValueError):
 | ||
|             parse_http_date("Sun Nov 12 08:49:37 1994")
 | ||
| 
 | ||
|     def test_parsing_year_less_than_70(self):
 | ||
|         parsed = parse_http_date("Sun Nov  6 08:49:37 0037")
 | ||
|         self.assertEqual(
 | ||
|             datetime.fromtimestamp(parsed, timezone.utc),
 | ||
|             datetime(2037, 11, 6, 8, 49, 37, tzinfo=timezone.utc),
 | ||
|         )
 | ||
| 
 | ||
| 
 | ||
| class EscapeLeadingSlashesTests(unittest.TestCase):
 | ||
|     def test(self):
 | ||
|         tests = (
 | ||
|             ("//example.com", "/%2Fexample.com"),
 | ||
|             ("//", "/%2F"),
 | ||
|         )
 | ||
|         for url, expected in tests:
 | ||
|             with self.subTest(url=url):
 | ||
|                 self.assertEqual(escape_leading_slashes(url), expected)
 | ||
| 
 | ||
| 
 | ||
| class ParseHeaderParameterTests(unittest.TestCase):
 | ||
|     def test_basic(self):
 | ||
|         tests = [
 | ||
|             ("text/plain", ("text/plain", {})),
 | ||
|             ("text/vnd.just.made.this.up ; ", ("text/vnd.just.made.this.up", {})),
 | ||
|             ("text/plain;charset=us-ascii", ("text/plain", {"charset": "us-ascii"})),
 | ||
|             (
 | ||
|                 'text/plain ; charset="us-ascii"',
 | ||
|                 ("text/plain", {"charset": "us-ascii"}),
 | ||
|             ),
 | ||
|             (
 | ||
|                 'text/plain ; charset="us-ascii"; another=opt',
 | ||
|                 ("text/plain", {"charset": "us-ascii", "another": "opt"}),
 | ||
|             ),
 | ||
|             (
 | ||
|                 'attachment; filename="silly.txt"',
 | ||
|                 ("attachment", {"filename": "silly.txt"}),
 | ||
|             ),
 | ||
|             (
 | ||
|                 'attachment; filename="strange;name"',
 | ||
|                 ("attachment", {"filename": "strange;name"}),
 | ||
|             ),
 | ||
|             (
 | ||
|                 'attachment; filename="strange;name";size=123;',
 | ||
|                 ("attachment", {"filename": "strange;name", "size": "123"}),
 | ||
|             ),
 | ||
|             (
 | ||
|                 'form-data; name="files"; filename="fo\\"o;bar"',
 | ||
|                 ("form-data", {"name": "files", "filename": 'fo"o;bar'}),
 | ||
|             ),
 | ||
|         ]
 | ||
|         for header, expected in tests:
 | ||
|             with self.subTest(header=header):
 | ||
|                 self.assertEqual(parse_header_parameters(header), expected)
 | ||
| 
 | ||
|     def test_rfc2231_parsing(self):
 | ||
|         test_data = (
 | ||
|             (
 | ||
|                 "Content-Type: application/x-stuff; "
 | ||
|                 "title*=us-ascii'en-us'This%20is%20%2A%2A%2Afun%2A%2A%2A",
 | ||
|                 "This is ***fun***",
 | ||
|             ),
 | ||
|             (
 | ||
|                 "Content-Type: application/x-stuff; title*=UTF-8''foo-%c3%a4.html",
 | ||
|                 "foo-ä.html",
 | ||
|             ),
 | ||
|             (
 | ||
|                 "Content-Type: application/x-stuff; title*=iso-8859-1''foo-%E4.html",
 | ||
|                 "foo-ä.html",
 | ||
|             ),
 | ||
|         )
 | ||
|         for raw_line, expected_title in test_data:
 | ||
|             parsed = parse_header_parameters(raw_line)
 | ||
|             self.assertEqual(parsed[1]["title"], expected_title)
 | ||
| 
 | ||
|     def test_rfc2231_wrong_title(self):
 | ||
|         """
 | ||
|         Test wrongly formatted RFC 2231 headers (missing double single quotes).
 | ||
|         Parsing should not crash (#24209).
 | ||
|         """
 | ||
|         test_data = (
 | ||
|             (
 | ||
|                 "Content-Type: application/x-stuff; "
 | ||
|                 "title*='This%20is%20%2A%2A%2Afun%2A%2A%2A",
 | ||
|                 "'This%20is%20%2A%2A%2Afun%2A%2A%2A",
 | ||
|             ),
 | ||
|             ("Content-Type: application/x-stuff; title*='foo.html", "'foo.html"),
 | ||
|             ("Content-Type: application/x-stuff; title*=bar.html", "bar.html"),
 | ||
|         )
 | ||
|         for raw_line, expected_title in test_data:
 | ||
|             parsed = parse_header_parameters(raw_line)
 | ||
|             self.assertEqual(parsed[1]["title"], expected_title)
 |