diff options
Diffstat (limited to 'tests/security/extract_current_page_test.php')
| -rw-r--r-- | tests/security/extract_current_page_test.php | 67 |
1 files changed, 55 insertions, 12 deletions
diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php index 0f5128884b..c127b69b2b 100644 --- a/tests/security/extract_current_page_test.php +++ b/tests/security/extract_current_page_test.php @@ -1,20 +1,23 @@ <?php /** * -* @package testing -* @copyright (c) 2008 phpBB Group -* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ require_once dirname(__FILE__) . '/base.php'; require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php'; -require_once dirname(__FILE__) . '/../../phpBB/includes/session.php'; class phpbb_security_extract_current_page_test extends phpbb_security_test_base { - static public function security_variables() + public function security_variables() { return array( array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'), @@ -27,10 +30,24 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base */ public function test_query_string_php_self($url, $query_string, $expected) { - $_SERVER['PHP_SELF'] = $url; - $_SERVER['QUERY_STRING'] = $query_string; + global $symfony_request, $request; - $result = session::extract_current_page('./'); + $symfony_request = $this->getMock("\phpbb\symfony_request", array(), array( + $request, + )); + $symfony_request->expects($this->any()) + ->method('getScriptName') + ->will($this->returnValue($this->sanitizer($url))); + $symfony_request->expects($this->any()) + ->method('getQueryString') + ->will($this->returnValue($this->sanitizer($query_string))); + $symfony_request->expects($this->any()) + ->method('getBasePath') + ->will($this->returnValue($server['REQUEST_URI'])); + $symfony_request->expects($this->sanitizer($this->any())) + ->method('getPathInfo') + ->will($this->returnValue($this->sanitizer('/'))); + $result = \phpbb\session::extract_current_page('./'); $label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.'; $this->assertEquals($expected, $result['query_string'], $label); @@ -41,13 +58,39 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base */ public function test_query_string_request_uri($url, $query_string, $expected) { - $_SERVER['REQUEST_URI'] = $url . '?' . $query_string; - $_SERVER['QUERY_STRING'] = $query_string; + global $symfony_request, $request; - $result = session::extract_current_page('./'); + $symfony_request = $this->getMock("\phpbb\symfony_request", array(), array( + $request, + )); + $symfony_request->expects($this->any()) + ->method('getScriptName') + ->will($this->returnValue($this->sanitizer($url))); + $symfony_request->expects($this->any()) + ->method('getQueryString') + ->will($this->returnValue($this->sanitizer($query_string))); + $symfony_request->expects($this->any()) + ->method('getBasePath') + ->will($this->returnValue($this->sanitizer($server['REQUEST_URI']))); + $symfony_request->expects($this->any()) + ->method('getPathInfo') + ->will($this->returnValue($this->sanitizer('/'))); + + $result = \phpbb\session::extract_current_page('./'); $label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.'; $this->assertEquals($expected, $result['query_string'], $label); } -} + protected function sanitizer($value) + { + // Fix for objects passed in phpunit + if (is_object($value)) + { + return $value; + } + $type_cast_helper = new \phpbb\request\type_cast_helper(); + $type_cast_helper->set_var($value, $value, gettype($value), true); + return str_replace('&', '&', $value); + } +} |