authorMeik Sievertsen <acydburn@phpbb.com>2008-06-03 16:15:01 +0000
committerMeik Sievertsen <acydburn@phpbb.com>2008-06-03 16:15:01 +0000
commit7591a84c0d66a64fb0ec2b77f785f7e83088ceaf (patch)
tree9c8441e1da458aba5b2f21add8487d355ad63c61 /tests
parent990e3cd4b286e5ae71b967b97eade303cca5cb31 (diff)
two new tests, added security suite and fixed utf8 tests.
git-svn-id: file:///svn/phpbb/trunk@8584 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'tests')
-rw-r--r--tests/all_tests.php3
-rw-r--r--tests/security/all_tests.php46
-rw-r--r--tests/security/extract_current_page.php57
-rw-r--r--tests/security/redirect.php65
-rw-r--r--tests/utf/utf8_clean_string_test.php4
5 files changed, 173 insertions, 2 deletions
diff --git a/tests/all_tests.php b/tests/all_tests.php
index 4799627602..8a871917eb 100644
--- a/tests/all_tests.php
+++ b/tests/all_tests.php
@@ -21,6 +21,7 @@ require_once 'PHPUnit/TextUI/TestRunner.php';
require_once 'bbcode/all_tests.php';
require_once 'utf/all_tests.php';
require_once 'request/all_tests.php';
+require_once 'security/all_tests.php';
// exclude the test directory from code coverage reports
PHPUnit_Util_Filter::addDirectoryToFilter('./');
@@ -39,6 +40,7 @@ class phpbb_all_tests
$suite->addTest(phpbb_bbcode_all_tests::suite());
$suite->addTest(phpbb_utf_all_tests::suite());
$suite->addTest(phpbb_request_all_tests::suite());
+ $suite->addTest(phpbb_security_all_tests::suite());
return $suite;
}
@@ -48,4 +50,5 @@ if (PHPUnit_MAIN_METHOD == 'phpbb_all_tests::main')
{
phpbb_all_tests::main();
}
+
?> \ No newline at end of file
diff --git a/tests/security/all_tests.php b/tests/security/all_tests.php
new file mode 100644
index 0000000000..23ddb94c44
--- /dev/null
+++ b/tests/security/all_tests.php
@@ -0,0 +1,46 @@
+<?php
+/**
+*
+* @package testing
+* @version $Id: all_tests.php 8549 2008-05-04 22:54:16Z naderman $
+* @copyright (c) 2008 phpBB Group
+* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+*
+*/
+
+define('IN_PHPBB', true);
+
+if (!defined('PHPUnit_MAIN_METHOD'))
+{
+ define('PHPUnit_MAIN_METHOD', 'phpbb_security_all_tests::main');
+}
+
+require_once 'PHPUnit/Framework.php';
+require_once 'PHPUnit/TextUI/TestRunner.php';
+
+require_once 'security/extract_current_page.php';
+require_once 'security/redirect.php';
+
+class phpbb_security_all_tests
+{
+ public static function main()
+ {
+ PHPUnit_TextUI_TestRunner::run(self::suite());
+ }
+
+ public static function suite()
+ {
+ $suite = new PHPUnit_Framework_TestSuite('phpBB Security Fixes');
+
+ $suite->addTestSuite('phpbb_security_extract_current_page_test');
+ $suite->addTestSuite('phpbb_security_redirect_test');
+
+ return $suite;
+ }
+}
+
+if (PHPUnit_MAIN_METHOD == 'phpbb_security_all_tests::main')
+{
+ phpbb_security_all_tests::main();
+}
+?> \ No newline at end of file
diff --git a/tests/security/extract_current_page.php b/tests/security/extract_current_page.php
new file mode 100644
index 0000000000..4048a6303c
--- /dev/null
+++ b/tests/security/extract_current_page.php
@@ -0,0 +1,57 @@
+<?php
+/**
+*
+* @package testing
+* @version $Id: request_var.php 8549 2008-05-04 22:54:16Z naderman $
+* @copyright (c) 2008 phpBB Group
+* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+*
+*/
+
+define('IN_PHPBB', true);
+
+require_once 'PHPUnit/Framework.php';
+
+require_once '../phpBB/includes/functions.php';
+require_once '../phpBB/includes/session.php';
+
+class phpbb_security_extract_current_page_test extends PHPUnit_Framework_TestCase
+{
+ public static function security_variables()
+ {
+ return array(
+ array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
+ array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
+ );
+ }
+
+ /**
+ * @dataProvider security_variables
+ */
+ public function test_query_string_php_self($url, $query_string, $expected)
+ {
+ $_SERVER['PHP_SELF'] = $url;
+ $_SERVER['QUERY_STRING'] = $query_string;
+
+ $result = session::extract_current_page('./');
+
+ $label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
+ $this->assertEquals($expected, $result['query_string'], $label);
+ }
+
+ /**
+ * @dataProvider security_variables
+ */
+ public function test_query_string_request_uri($url, $query_string, $expected)
+ {
+ $_SERVER['REQUEST_URI'] = $url . '?' . $query_string;
+ $_SERVER['QUERY_STRING'] = $query_string;
+
+ $result = session::extract_current_page('./');
+
+ $label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
+ $this->assertEquals($expected, $result['query_string'], $label);
+ }
+}
+
+?> \ No newline at end of file
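Review bot: The two test methods share superglobal state: test_query_string_php_self assigns $_SERVER['PHP_SELF'] and never clears it, so when test_query_string_request_uri runs afterwards PHP_SELF is still populated next to REQUEST_URI, and whichever key session::extract_current_page() consults first decides which code path is really exercised — the second test's label claims the REQUEST_URI path, but nothing in the setup guarantees it (the CLI runner also pre-populates PHP_SELF, so even the first test is not starting from an empty value). Each test should start from a known $_SERVER, e.g. `unset($_SERVER['REQUEST_URI']);` at the top of test_query_string_php_self and `unset($_SERVER['PHP_SELF']);` at the top of test_query_string_request_uri, or save and restore $_SERVER in setUp()/tearDown(). The second provider row (already-encoded input expected unchanged) deserves a one-line comment saying it checks that the escaping is not applied twice, since that is the only difference from the first row. The file header's `@version $Id: request_var.php …` line is copied from another test and should name this file (redirect.php has the same copy-paste).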
diff --git a/tests/security/redirect.php b/tests/security/redirect.php
new file mode 100644
index 0000000000..cc55c70920
--- /dev/null
+++ b/tests/security/redirect.php
@@ -0,0 +1,65 @@
+<?php
+/**
+*
+* @package testing
+* @version $Id: request_var.php 8549 2008-05-04 22:54:16Z naderman $
+* @copyright (c) 2008 phpBB Group
+* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+*
+*/
+
+define('IN_PHPBB', true);
+
+require_once 'PHPUnit/Framework.php';
+require_once 'PHPUnit/Extensions/OutputTestCase.php';
+
+define('PHPBB_ROOT_PATH', './../phpBB/');
+define('PHP_EXT', 'php');
+
+// Functional phpBB Installation required... we are actually embedding phpBB here
+
+require_once '../phpBB/includes/functions.php';
+require_once '../phpBB/includes/session.php';
+
+class phpbb_security_redirect_test extends PHPUnit_Extensions_OutputTestCase
+{
+ public static function provider()
+ {
+ return array(
+ array('data://x', 'Tried to redirect to potentially insecure url.', 'data://x'),
+ array('javascript:test', '', 'http://../tests/javascript:test'),
+ );
+ }
+
+ /**
+ * Own error handler to catch trigger_error() calls within phpBB
+ */
+ public function own_error_handler($errno, $errstr, $errfile, $errline)
+ {
+ echo $errstr;
+ }
+
+ /**
+ * @dataProvider provider
+ */
+ public function test_redirect($test, $expected_output, $expected_result)
+ {
+ global $user;
+
+ // Set no user and trick a bit to circumvent errors
+ $user = new user();
+ $user->lang = true;
+ $user->page = session::extract_current_page(PHPBB_ROOT_PATH);
+
+ $this->expectOutputString($expected_output . '#' . $expected_result);
+
+ set_error_handler(array($this, 'own_error_handler'));
+
+ $result = redirect($test, true);
+ print "#" . $result;
+
+ restore_error_handler();
+ }
+}
+
+?> \ No newline at end of file
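Review bot: The custom error handler installed at `set_error_handler(array($this, 'own_error_handler'));` is only removed by the `restore_error_handler();` at the end of test_redirect, so if redirect() or the print throws, the handler leaks into every later test in the combined suite and keeps echoing into their output. The handler also accepts every $errno, so any stray E_NOTICE raised inside the embedded phpBB code is silently concatenated into the output stream and the expectOutputString assertion fails with a confusing diff instead of the real notice. Moving the install/restore into setUp()/tearDown() fixes the leak (PHP of this era has no finally), and letting the handler return false for anything other than E_USER_* keeps unexpected notices visible; the second provider row should carry a comment stating that `javascript:test` is expected to be treated as a relative path and prefixed rather than rejected, since that behaviour is otherwise surprising to read.
```php
protected function setUp()
{
    set_error_handler(array($this, 'own_error_handler'));
}

protected function tearDown()
{
    // always runs, even when test_redirect() aborts half-way
    restore_error_handler();
}

/**
* Own error handler to catch trigger_error() calls within phpBB
*/
public function own_error_handler($errno, $errstr, $errfile, $errline)
{
    // only swallow phpBB's own trigger_error() calls; everything else goes
    // to the default handler so unexpected notices stay visible
    if (!($errno & (E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE)))
    {
        return false;
    }
    echo $errstr;
    return true;
}

// … unchanged: provider() …

public function test_redirect($test, $expected_output, $expected_result)
{
    // … unchanged: $user setup and expectOutputString() …
    $result = redirect($test, true);
    print "#" . $result;
}
```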
diff --git a/tests/utf/utf8_clean_string_test.php b/tests/utf/utf8_clean_string_test.php
index 7cd44465c5..8e1d9f16ac 100644
--- a/tests/utf/utf8_clean_string_test.php
+++ b/tests/utf/utf8_clean_string_test.php
@@ -12,8 +12,8 @@ define('IN_PHPBB', true);
require_once 'PHPUnit/Framework.php';
-$phpbb_root_path = '../phpBB/';
-$phpEx = 'php';
+define(PHPBB_ROOT_PATH, '../phpBB/');
+define(PHP_EXT, 'php');
require_once '../phpBB/includes/utf/utf_tools.php';
class phpbb_utf_utf8_clean_string_test extends PHPUnit_Framework_TestCase
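Review bot: Both added define() calls pass the constant name unquoted — `define(PHPBB_ROOT_PATH, '../phpBB/');` reads the undefined constant PHPBB_ROOT_PATH, which PHP of this era silently converts to the string 'PHPBB_ROOT_PATH' with an E_NOTICE (so it happens to work) and later PHP versions reject with an Error; redirect.php in the same commit quotes them correctly. Change the two lines to `define('PHPBB_ROOT_PATH', '../phpBB/');` and `define('PHP_EXT', 'php');`. Once quoted, note that tests/security/redirect.php defines the same two constants with a different root value ('./../phpBB/'), and tests/all_tests.php loads both the utf and security suites into one process, so the second define() will raise a notice and keep whichever value was registered first; guarding each with `if (!defined('PHPBB_ROOT_PATH'))` (or a shared bootstrap) avoids the order dependence.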