diff options
| author | Nils Adermann <naderman@naderman.de> | 2010-11-20 17:00:05 +0100 |
|---|---|---|
| committer | Nils Adermann <naderman@naderman.de> | 2010-11-20 17:00:05 +0100 |
| commit | 7f21a5f46156660d7ea6a4bdb59166ac553e2be8 (patch) | |
| tree | 3963b4075f58c43ffc01fe290b04a800668bc53c /tests/security/extract_current_page.php | |
| parent | c4e02a191628b4b9f7b6340f2876607663baeb5a (diff) | |
| parent | af4c2a3eb15fc4318b23dcb7794c230cf3ec2a0f (diff) | |
| download | forums-7f21a5f46156660d7ea6a4bdb59166ac553e2be8.tar forums-7f21a5f46156660d7ea6a4bdb59166ac553e2be8.tar.gz forums-7f21a5f46156660d7ea6a4bdb59166ac553e2be8.tar.bz2 forums-7f21a5f46156660d7ea6a4bdb59166ac553e2be8.tar.xz forums-7f21a5f46156660d7ea6a4bdb59166ac553e2be8.zip | |
Merge commit 'release-3.0.8'
* commit 'release-3.0.8': (393 commits)
[prep-release-3.0.8] Incrementing version number to 3.0.8 and update changelog
[ticket/9903] Script for detecting potentially malicious flash bbcodes
[ticket/9904] Update WebPI Parameters.xml to work with WebMatrix.
[ticket/9899] Change recaptcha theme from default to 'clean' in the ACP.
[ticket/9509] Fix a typo and wrong period placement
[ticket/9903] Fix XSS in BBcode-parser's Flash-BBcode.
[develop-olympus] Updating changelog for last minute 3.0.8-RC1 fixes.
[ticket/9140] Check current board version in incremental update packages
[ticket/9891] Updater drops language-selection after database-update
[develop-olympus] Updating changelog with latest changes for 3.0.8-RC1
[ticket/9884] Reduce queue interval to 60 seconds, email package size to 20
[ticket/9886] Update fails on PostgreSQL because of an error in _add_module
[ticket/9888] Update fails when Bing [Bot] was already added to the users table
[develop-olympus] Bumping version number for 3.0.8-RC1.
[ticket/9885] Fix extension group name updater. Loop through all languages.
[ticket/9847] Fix typo in search synonyms. Use british english for 'judgement'.
[ticket/9883] Change an American English spelling to British English.
[task/phing-build] Correct the path for update package patch files.
[ticket/9880] Change "antibot" to "anti-spambot".
[ticket/9696] Surpress is_dir() notice when using SQLite with open_basedir.
...
Diffstat (limited to 'tests/security/extract_current_page.php')
| -rw-r--r-- | tests/security/extract_current_page.php | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/tests/security/extract_current_page.php b/tests/security/extract_current_page.php new file mode 100644 index 0000000000..8c72fe1440 --- /dev/null +++ b/tests/security/extract_current_page.php @@ -0,0 +1,53 @@ +<?php +/** +* +* @package testing +* @copyright (c) 2008 phpBB Group +* @license http://opensource.org/licenses/gpl-license.php GNU Public License +* +*/ + +require_once 'test_framework/framework.php'; + +require_once '../phpBB/includes/functions.php'; +require_once '../phpBB/includes/session.php'; + +class phpbb_security_extract_current_page_test extends phpbb_test_case +{ + public static function security_variables() + { + return array( + array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'), + array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'), + ); + } + + /** + * @dataProvider security_variables + */ + public function test_query_string_php_self($url, $query_string, $expected) + { + $_SERVER['PHP_SELF'] = $url; + $_SERVER['QUERY_STRING'] = $query_string; + + $result = session::extract_current_page('./'); + + $label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.'; + $this->assertEquals($expected, $result['query_string'], $label); + } + + /** + * @dataProvider security_variables + */ + public function test_query_string_request_uri($url, $query_string, $expected) + { + $_SERVER['REQUEST_URI'] = $url . '?' . $query_string; + $_SERVER['QUERY_STRING'] = $query_string; + + $result = session::extract_current_page('./'); + + $label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.'; + $this->assertEquals($expected, $result['query_string'], $label); + } +} + |