From 2c641d678ed8185c294dceb05e2ea8c528a8caa5 Mon Sep 17 00:00:00 2001
From: Godmar Back
Date: Tue, 4 Aug 2020 10:50:51 -0400
Subject: [PATCH] fix test for IDOR vulnerability by preventing path segment normalization

---
 tests/server_unit_test_pserv.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/tests/server_unit_test_pserv.py b/tests/server_unit_test_pserv.py
index c034672..6773a6d 100755
--- a/tests/server_unit_test_pserv.py
+++ b/tests/server_unit_test_pserv.py
@@ -1417,19 +1417,18 @@ class Access_Control(Doc_Print_Test_Case):
 # Use the session cookie to get the private file
 try:
- response = self.session.get(url, timeout=2)
+ # prevent path segment normalization
+ req = requests.Request('GET', url)
+ response = self.session.send(req.prepare(), timeout=2)
 except requests.exceptions.RequestException:
 raise AssertionError("The server did not respond within 2s")
 if (response.status_code == requests.codes.forbidden):
 raise AssertionError('Server responded with 403 FORBIDDEN instead of 404 NOT FOUND')
- if (response.status_code == requests.codes.forbidden):
- raise AssertionError('Server responded with 403 FORBIDDEN instead of 404 NOT FOUND')
-
 # Ensure that response code is 404
 self.assertEqual(response.status_code, requests.codes.not_found,
- "Server responded with a private file despite no authentication.")
+ "Server did not respond with 404 when it should have, possible IDOR?")
 class Authentication(Doc_Print_Test_Case):
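Review bot: `req.prepare()` builds the request without the session's cookie jar, so the new `self.session.send(...)` line directly under the `# Use the session cookie to get the private file` comment now carries no session cookie at all; if the cookie is meant to be sent, prepare through the session instead, `response = self.session.send(self.session.prepare_request(req), timeout=2)`, and if omitting it is deliberate the comment above should say so. I also doubt this change prevents dot-segment normalization on its own: as far as I can tell `Request.prepare()` and `Session.get()` both build the URL through the same `PreparedRequest.prepare_url`, so any normalization done in the client library would happen on either path, and checking the server's access log for the path that actually arrives would confirm whether the test now exercises the traversal case. The enclosing test method begins before this hunk, so how `url` is constructed is not visible here.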