aboutsummaryrefslogtreecommitdiffstats
path: root/tests/security/redirect_test.php
diff options
context:
space:
mode:
authorMaat <maat-pub@mageia.biz>2020-05-08 18:29:30 +0200
committerMaat <maat-pub@mageia.biz>2020-05-08 21:36:04 +0200
commit36bc1870f21fac04736a1049c1d5b8e127d729f4 (patch)
tree9d102331eeaf1ef3cd23e656320d7c08e65757ed /tests/security/redirect_test.php
parent8875d385d0579b451dac4d9bda465172b4f69ee0 (diff)
parent149375253685b3a38996f63015a74b7a0f53aa14 (diff)
downloadforums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.gz
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.bz2
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.xz
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.zip
Merge remote-tracking branch 'upstream/prep-release-3.1.11'
Diffstat (limited to 'tests/security/redirect_test.php')
-rw-r--r--tests/security/redirect_test.php105
1 files changed, 83 insertions, 22 deletions
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index 9a24ba5d65..a88fc63858 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -1,65 +1,126 @@
<?php
/**
*
-* @package testing
-* @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
*
*/
require_once dirname(__FILE__) . '/base.php';
require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
-require_once dirname(__FILE__) . '/../../phpBB/includes/session.php';
class phpbb_security_redirect_test extends phpbb_security_test_base
{
- static public function provider()
+ protected $path_helper;
+
+ public function provider()
{
// array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
return array(
- array('data://x', 'Tried to redirect to potentially insecure url.', false),
- array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false),
- array('http://www.otherdomain.com/somescript.php', 'Tried to redirect to potentially insecure url.', false),
- array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false),
- array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'),
- array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false),
- array('https://foobar.com\@http://localhost/phpBB', 'Tried to redirect to potentially insecure url.', false),
- array('https://foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
- array('http://localhost.foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
- array('http://localhost/phpBB', false, 'http://localhost/phpBB'),
- array('http://localhost/phpBB/', false, 'http://localhost/phpBB/'),
+ array('data://x', false, 'INSECURE_REDIRECT', false),
+ array('bad://localhost/phpBB/index.php', false, 'INSECURE_REDIRECT', false),
+ array('http://www.otherdomain.com/somescript.php', false, 'INSECURE_REDIRECT', false),
+ array("http://localhost/phpBB/memberlist.php\n\rConnection: close", false, 'INSECURE_REDIRECT', false),
+ array('javascript:test', false, false, 'http://localhost/phpBB/javascript:test'),
+ array('http://localhost/phpBB/index.php;url=', false, 'INSECURE_REDIRECT', false),
+ array('http://localhost/phpBB/app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'),
+ array('./app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'),
+ array('app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'),
+ array('./../app.php/foobar', false, false, 'http://localhost/app.php/foobar'),
+ array('./../app.php/foobar', true, false, 'http://localhost/app.php/foobar'),
+ array('./../app.php/foo/bar', false, false, 'http://localhost/app.php/foo/bar'),
+ array('./../app.php/foo/bar', true, false, 'http://localhost/app.php/foo/bar'),
+ array('./../foo/bar', false, false, 'http://localhost/foo/bar'),
+ array('./../foo/bar', true, false, 'http://localhost/foo/bar'),
+ array('app.php/', false, false, 'http://localhost/phpBB/app.php/'),
+ array('app.php/a', false, false, 'http://localhost/phpBB/app.php/a'),
+ array('app.php/a/b', false, false, 'http://localhost/phpBB/app.php/a/b'),
+ array('./app.php/', false, false, 'http://localhost/phpBB/app.php/'),
+ array('foobar', false, false, 'http://localhost/phpBB/foobar'),
+ array('./foobar', false, false, 'http://localhost/phpBB/foobar'),
+ array('foo/bar', false, false, 'http://localhost/phpBB/foo/bar'),
+ array('./foo/bar', false, false, 'http://localhost/phpBB/foo/bar'),
+ array('./../index.php', false, false, 'http://localhost/index.php'),
+ array('./../index.php', true, false, 'http://localhost/index.php'),
+ array('../index.php', false, false, 'http://localhost/index.php'),
+ array('../index.php', true, false, 'http://localhost/index.php'),
+ array('./index.php', false, false, 'http://localhost/phpBB/index.php'),
+ array('https://foobar.com\@http://localhost/phpBB', false, 'INSECURE_REDIRECT', false),
+ array('https://foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
+ array('http://localhost.foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
+ array('http://localhost/phpBB', false, false, 'http://localhost/phpBB'),
+ array('http://localhost/phpBB/', false, false, 'http://localhost/phpBB/'),
);
}
+ protected function get_path_helper()
+ {
+ if (!($this->path_helper instanceof \phpbb\path_helper))
+ {
+ $this->path_helper = new \phpbb\path_helper(
+ new \phpbb\symfony_request(
+ new phpbb_mock_request()
+ ),
+ new \phpbb\filesystem(),
+ $this->getMock('\phpbb\request\request'),
+ $this->phpbb_root_path,
+ 'php'
+ );
+ }
+ return $this->path_helper;
+ }
+
protected function setUp()
{
+ global $phpbb_dispatcher;
+
parent::setUp();
-
+
$GLOBALS['config'] = array(
'force_server_vars' => '0',
);
+
+ $this->path_helper = $this->get_path_helper();
+
+ $phpbb_dispatcher = new phpbb_mock_event_dispatcher();
}
/**
* @dataProvider provider
*/
- public function test_redirect($test, $expected_error, $expected_result)
+ public function test_redirect($test, $disable_cd_check, $expected_error, $expected_result)
{
- global $user;
+ global $user, $phpbb_root_path, $phpbb_path_helper;
+
+ $phpbb_path_helper = $this->path_helper;
+
+ $temp_phpbb_root_path = $phpbb_root_path;
+ $temp_page_dir = $user->page['page_dir'];
+ // We need to hack phpbb_root_path and the user's page_dir here
+ // so it matches the actual fileinfo of the testing script.
+ // Otherwise the paths are returned incorrectly.
+ $phpbb_root_path = '';
+ $user->page['page_dir'] = '';
if ($expected_error !== false)
{
- $this->setExpectedTriggerError(E_USER_ERROR, $expected_error);
+ $this->setExpectedTriggerError(E_USER_ERROR, $user->lang[$expected_error]);
}
- $result = redirect($test, true);
+ $result = redirect($test, true, $disable_cd_check);
// only verify result if we did not expect an error
if ($expected_error === false)
{
$this->assertEquals($expected_result, $result);
}
+ $phpbb_root_path = $temp_phpbb_root_path;
+ $user->page['page_dir'] = $temp_page_dir;
}
}
-
generated by cgit v1.2.1 (git 2.21.0) at 2024-09-25 21:46:46 +0000