| author | Marc Alexander <admin@m-a-styles.de> | 2017-07-16 11:29:35 +0200 |
|---|---|---|
| committer | Marc Alexander <admin@m-a-styles.de> | 2017-07-16 11:29:35 +0200 |
| commit | 0b405a2cdc108a42a3d1d49218b733a76f6c2237 (patch) | |
| tree | f5f5edfc2c920ca0c9f952e6de501a812cac715b /tests | |
| parent | 4ed45c4e1276335ff6581a4db58b0173c9905528 (diff) | |
| parent | fa631947f15754a50379598d83cb237bbfac2cca (diff) | |
Merge pull request #38 from phpbb/ticket/security/210
[ticket/security/210] Prevent using IP addresses or ports for remote avatar
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/avatar/manager_test.php | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/tests/avatar/manager_test.php b/tests/avatar/manager_test.php
index 344eef38ff..802e71939d 100644
--- a/tests/avatar/manager_test.php
+++ b/tests/avatar/manager_test.php
@@ -372,4 +372,59 @@ class phpbb_avatar_manager_test extends \phpbb_database_test_case
 'avatar_height' => 0,
 ), $row);
 }
+
+ public function data_remote_avatar_url()
+ {
+ return array(
+ array('127.0.0.1:91?foo.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+ array(gethostbyname('secure.gravatar.com') . '/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+ array('secure.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80),
+ array(gethostbyname('secure.gravatar.com') . ':120/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+ array('secure.gravatar.com:80/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+ array('secure.gravatar.com:80?55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+ array('secure.gravatar.com?55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')), // should be a 404
+ array('2001:db8:0:0:0:0:2:1/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+ array('secure.gravatar.com/2001:db8:0:0:0:0:2:1/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+ array('secure.gravatar.com/127.0.0.1:80/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID')),
+ );
+ }
+
+ /**
+ * @dataProvider data_remote_avatar_url
+ */
+ public function test_remote_avatar_url($url, $width, $height, $expected_error = array())
+ {
+ global $phpbb_root_path, $phpEx;
+
+ if (!function_exists('get_preg_expression'))
+ {
+ require($phpbb_root_path . 'includes/functions.' . $phpEx);
+ }
+
+ $this->config['server_name'] = 'foobar.com';
+
+ /** @var \phpbb\avatar\driver\remote $remote_avatar */
+ $remote_avatar = $this->manager->get_driver('avatar.driver.remote', false);
+
+ $request = new phpbb_mock_request(array(), array(
+ 'avatar_remote_url' => $url,
+ 'avatar_remote_width' => $width,
+ 'avatar_remote_height' => $height,
+ ));
+
+ $user = new \phpbb\user('\phpbb\datetime');
+ $row = array();
+ $error = array();
+
+ $return = $remote_avatar->process_form($request, null, $user, $row, $error);
+ if (count($expected_error) > 0)
+ {
+ $this->assertFalse($return);
+ }
+ else
+ {
+ $this->assertNotEquals(false, $return);
+ }
+ $this->assertSame($expected_error, $error);
+ }
 }
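Review bot: The two `gethostbyname('secure.gravatar.com')` rows in `data_remote_avatar_url` make the IP-literal cases depend on a live DNS lookup at provider time; when resolution fails, PHP's `gethostbyname` returns the hostname unchanged, so those rows silently become the accepted `secure.gravatar.com/avatar/…` form while still expecting `AVATAR_URL_INVALID`, and the run either fails for an environmental reason or never exercises the IP-rejection path. A fixed literal from the RFC 5737 documentation range, e.g. `array('192.0.2.1/avatar/55502f40dc8b7c769880b10874abc9d0.jpg', 80, 80, array('AVATAR_URL_INVALID'))`, pins the same check deterministically; the lookup was presumably chosen so the host would otherwise answer, but the commit title indicates the rejection is meant to happen regardless of whether the host answers. The provider also lacks a bracketed IPv6 form such as `[2001:db8::2:1]:80/avatar/…`, which is the syntax URL parsers accept for IPv6 hosts, so the unbracketed `2001:db8:0:0:0:0:2:1/…` row may be rejected for malformed syntax rather than by the address check the ticket is about. In `test_remote_avatar_url`, `$this->assertNotEquals(false, $return)` compares loosely and would also reject `0` or an empty array; `$this->assertNotFalse($return)` states the intent exactly. The enclosing class `phpbb_avatar_manager_test` starts outside the hunk.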
