diff options
author | Maat <maat-pub@mageia.biz> | 2020-05-08 18:29:30 +0200 |
---|---|---|
committer | Maat <maat-pub@mageia.biz> | 2020-05-08 21:36:04 +0200 |
commit | 36bc1870f21fac04736a1049c1d5b8e127d729f4 (patch) | |
tree | 9d102331eeaf1ef3cd23e656320d7c08e65757ed /tests/security/redirect_test.php | |
parent | 8875d385d0579b451dac4d9bda465172b4f69ee0 (diff) | |
parent | 149375253685b3a38996f63015a74b7a0f53aa14 (diff) | |
download | forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.gz forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.bz2 forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.xz forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.zip |
Merge remote-tracking branch 'upstream/prep-release-3.1.11'
Diffstat (limited to 'tests/security/redirect_test.php')
-rw-r--r-- | tests/security/redirect_test.php | 105 |
1 files changed, 83 insertions, 22 deletions
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php index 9a24ba5d65..a88fc63858 100644 --- a/tests/security/redirect_test.php +++ b/tests/security/redirect_test.php @@ -1,65 +1,126 @@ <?php /** * -* @package testing -* @copyright (c) 2008 phpBB Group -* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ require_once dirname(__FILE__) . '/base.php'; require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php'; -require_once dirname(__FILE__) . '/../../phpBB/includes/session.php'; class phpbb_security_redirect_test extends phpbb_security_test_base { - static public function provider() + protected $path_helper; + + public function provider() { // array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false)) return array( - array('data://x', 'Tried to redirect to potentially insecure url.', false), - array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false), - array('http://www.otherdomain.com/somescript.php', 'Tried to redirect to potentially insecure url.', false), - array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false), - array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'), - array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false), - array('https://foobar.com\@http://localhost/phpBB', 'Tried to redirect to potentially insecure url.', false), - array('https://foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false), - array('http://localhost.foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false), - array('http://localhost/phpBB', false, 'http://localhost/phpBB'), - array('http://localhost/phpBB/', false, 'http://localhost/phpBB/'), + array('data://x', false, 'INSECURE_REDIRECT', false), + array('bad://localhost/phpBB/index.php', false, 'INSECURE_REDIRECT', false), + array('http://www.otherdomain.com/somescript.php', false, 'INSECURE_REDIRECT', false), + array("http://localhost/phpBB/memberlist.php\n\rConnection: close", false, 'INSECURE_REDIRECT', false), + array('javascript:test', false, false, 'http://localhost/phpBB/javascript:test'), + array('http://localhost/phpBB/index.php;url=', false, 'INSECURE_REDIRECT', false), + array('http://localhost/phpBB/app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'), + array('./app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'), + array('app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'), + array('./../app.php/foobar', false, false, 'http://localhost/app.php/foobar'), + array('./../app.php/foobar', true, false, 'http://localhost/app.php/foobar'), + array('./../app.php/foo/bar', false, false, 'http://localhost/app.php/foo/bar'), + array('./../app.php/foo/bar', true, false, 'http://localhost/app.php/foo/bar'), + array('./../foo/bar', false, false, 'http://localhost/foo/bar'), + array('./../foo/bar', true, false, 'http://localhost/foo/bar'), + array('app.php/', false, false, 'http://localhost/phpBB/app.php/'), + array('app.php/a', false, false, 'http://localhost/phpBB/app.php/a'), + array('app.php/a/b', false, false, 'http://localhost/phpBB/app.php/a/b'), + array('./app.php/', false, false, 'http://localhost/phpBB/app.php/'), + array('foobar', false, false, 'http://localhost/phpBB/foobar'), + array('./foobar', false, false, 'http://localhost/phpBB/foobar'), + array('foo/bar', false, false, 'http://localhost/phpBB/foo/bar'), + array('./foo/bar', false, false, 'http://localhost/phpBB/foo/bar'), + array('./../index.php', false, false, 'http://localhost/index.php'), + array('./../index.php', true, false, 'http://localhost/index.php'), + array('../index.php', false, false, 'http://localhost/index.php'), + array('../index.php', true, false, 'http://localhost/index.php'), + array('./index.php', false, false, 'http://localhost/phpBB/index.php'), + array('https://foobar.com\@http://localhost/phpBB', false, 'INSECURE_REDIRECT', false), + array('https://foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false), + array('http://localhost.foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false), + array('http://localhost/phpBB', false, false, 'http://localhost/phpBB'), + array('http://localhost/phpBB/', false, false, 'http://localhost/phpBB/'), ); } + protected function get_path_helper() + { + if (!($this->path_helper instanceof \phpbb\path_helper)) + { + $this->path_helper = new \phpbb\path_helper( + new \phpbb\symfony_request( + new phpbb_mock_request() + ), + new \phpbb\filesystem(), + $this->getMock('\phpbb\request\request'), + $this->phpbb_root_path, + 'php' + ); + } + return $this->path_helper; + } + protected function setUp() { + global $phpbb_dispatcher; + parent::setUp(); - + $GLOBALS['config'] = array( 'force_server_vars' => '0', ); + + $this->path_helper = $this->get_path_helper(); + + $phpbb_dispatcher = new phpbb_mock_event_dispatcher(); } /** * @dataProvider provider */ - public function test_redirect($test, $expected_error, $expected_result) + public function test_redirect($test, $disable_cd_check, $expected_error, $expected_result) { - global $user; + global $user, $phpbb_root_path, $phpbb_path_helper; + + $phpbb_path_helper = $this->path_helper; + + $temp_phpbb_root_path = $phpbb_root_path; + $temp_page_dir = $user->page['page_dir']; + // We need to hack phpbb_root_path and the user's page_dir here + // so it matches the actual fileinfo of the testing script. + // Otherwise the paths are returned incorrectly. + $phpbb_root_path = ''; + $user->page['page_dir'] = ''; if ($expected_error !== false) { - $this->setExpectedTriggerError(E_USER_ERROR, $expected_error); + $this->setExpectedTriggerError(E_USER_ERROR, $user->lang[$expected_error]); } - $result = redirect($test, true); + $result = redirect($test, true, $disable_cd_check); // only verify result if we did not expect an error if ($expected_error === false) { $this->assertEquals($expected_result, $result); } + $phpbb_root_path = $temp_phpbb_root_path; + $user->page['page_dir'] = $temp_page_dir; } } - |