Merge pull request #41 from phpbb/ticket/security/211-rhea

[ticket/security/211] Rhea version of security fix
author: Marc Alexander <admin@m-a-styles.de> 2018-01-07 10:28:59 +0100
committer: Marc Alexander <admin@m-a-styles.de> 2018-01-07 10:28:59 +0100
commit: 2a939fa779059b2eedc5eaf33706b4a1627ed30e (patch)
tree: 12aa20249ca31f91fa3c8ab6795a2bce6f55f3a4 /tests/profilefields
parent: 39b142077478876b4c2ef270c081681070f264d7 (diff)
parent: bf5f11e11ac0f25441ba891fc16d5a780e4450e2 (diff)
download: forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.tar
forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.tar.gz
forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.tar.bz2
forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.tar.xz
forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.zip
2 files changed, 83 insertions, 2 deletions
diff --git a/tests/profilefields/type_string_test.php b/tests/profilefields/type_string_test.php
index 7c7fa3f3e6..a5e1d89ef2 100644
--- a/tests/profilefields/type_string_test.php
+++ b/tests/profilefields/type_string_test.php
@@ -24,7 +24,7 @@ class phpbb_profilefield_type_string_test extends phpbb_test_case
 	*/
 	public function setUp()
 	{
-		global $request, $user, $cache, $phpbb_root_path, $phpEx;
+		global $config, $request, $user, $cache, $phpbb_root_path, $phpEx;
 
 		$user = $this->getMock('\phpbb\user', array(), array(
 			new \phpbb\language\language(new \phpbb\language\language_file_loader($phpbb_root_path, $phpEx)),
@@ -34,6 +34,7 @@ class phpbb_profilefield_type_string_test extends phpbb_test_case
 		$user->expects($this->any())
 			->method('lang')
 			->will($this->returnCallback(array($this, 'return_callback_implode')));
+		$config = new \phpbb\config\config([]);
 
 		$request = $this->getMock('\phpbb\request\request');
 		$template = $this->getMock('\phpbb\template\template');
@@ -269,6 +270,18 @@ class phpbb_profilefield_type_string_test extends phpbb_test_case
 				null,
 				'Field should simply output null for empty vlaue',
 			),
+			array(
+				'http://foobar.com',
+				array('field_show_novalue' => false),
+				'http://foobar.com',
+				'Field should output the given value but not make it clickable',
+			),
+			array(
+				'javascript://foobar.com',
+				array('field_show_novalue' => true),
+				'javascript://foobar.com',
+				'Field should output the given value but not make it clickable',
+			),
 		);
 	}
 
diff --git a/tests/profilefields/type_url_test.php b/tests/profilefields/type_url_test.php
index 1d90e2c34c..3bb5d52899 100644
--- a/tests/profilefields/type_url_test.php
+++ b/tests/profilefields/type_url_test.php
@@ -11,6 +11,10 @@
 *
 */
 
+require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
+require_once dirname(__FILE__) . '/../../phpBB/includes/functions_content.php';
+require_once dirname(__FILE__) . '/../../phpBB/includes/utf/utf_tools.php';
+
 class phpbb_profilefield_type_url_test extends phpbb_test_case
 {
 	protected $cp;
@@ -24,8 +28,10 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case
 	*/
 	public function setUp()
 	{
-		global $phpbb_root_path, $phpEx;
+		global $config, $request, $user, $cache, $phpbb_root_path, $phpEx;
 
+		$config = new \phpbb\config\config([]);
+		$cache = new phpbb_mock_cache;
 		$user = $this->getMock('\phpbb\user', array(), array(
 			new \phpbb\language\language(new \phpbb\language\language_file_loader($phpbb_root_path, $phpEx)),
 			'\phpbb\datetime'
@@ -92,6 +98,19 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case
 				'FIELD_INVALID_URL-field',
 				'Field should reject invalid URL having multi value parameters',
 			),
+			// Not allowed schemes
+			array(
+				'ftp://example.com/',
+				array(),
+				'FIELD_INVALID_URL-field',
+				'Field should reject invalid URL having multi value parameters',
+			),
+			array(
+				'javascript://alert.com',
+				array(),
+				'FIELD_INVALID_URL-field',
+				'Field should reject invalid URL having multi value parameters',
+			),
 
 			// IDN url type profilefields
 			array(
@@ -165,6 +184,55 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case
 		);
 	}
 
+	public function profile_value_data()
+	{
+		return array(
+			array(
+				'http://foobar.com',
+				array('field_show_novalue' => true),
+				'<!-- l --><a class="postlink-local" href="http://foobar.com">foobar.com</a><!-- l -->',
+				'Field should output the given value',
+			),
+			array(
+				'http://foobar.com',
+				array('field_show_novalue' => false),
+				'<!-- l --><a class="postlink-local" href="http://foobar.com">foobar.com</a><!-- l -->',
+				'Field should output the given value',
+			),
+			array(
+				'test',
+				array('field_show_novalue' => true),
+				null,
+				'Field should output nothing for empty value',
+			),
+			array(
+				'test',
+				array('field_show_novalue' => false),
+				null,
+				'Field should simply output null for empty value',
+			),
+			array(
+				'javascript://foobar.com',
+				array('field_show_novalue' => true),
+				null,
+				'Field should output nothing for empty value',
+			),
+		);
+	}
+
+
+	/**
+	 * @dataProvider profile_value_data
+	 */
+	public function test_get_profile_value($value, $field_options, $expected, $description)
+	{
+		$field_options = array_merge($this->field_options, $field_options);
+
+		$result = $this->cp->get_profile_value($value, $field_options);
+
+		$this->assertSame($expected, $result, $description);
+	}
+
 	/**
 	* @dataProvider profile_value_raw_data
 	*/
author	Marc Alexander <admin@m-a-styles.de>	2018-01-07 10:28:59 +0100
committer	Marc Alexander <admin@m-a-styles.de>	2018-01-07 10:28:59 +0100
commit	2a939fa779059b2eedc5eaf33706b4a1627ed30e (patch)
tree	12aa20249ca31f91fa3c8ab6795a2bce6f55f3a4 /tests/profilefields
parent	39b142077478876b4c2ef270c081681070f264d7 (diff)
parent	bf5f11e11ac0f25441ba891fc16d5a780e4450e2 (diff)
download	forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.tar forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.tar.gz forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.tar.bz2 forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.tar.xz forums-2a939fa779059b2eedc5eaf33706b4a1627ed30e.zip