diff options
| author | Marc Alexander <admin@m-a-styles.de> | 2013-11-12 00:46:43 +0100 |
|---|---|---|
| committer | Marc Alexander <admin@m-a-styles.de> | 2013-11-12 00:46:43 +0100 |
| commit | d43542a434c6a214c7533f76f3b1dc7afe84e5cf (patch) | |
| tree | 4bee04986d876a9ad72ea4651935e4a1352a29a1 /tests/security | |
| parent | 2d0fb4d166d0f6371b6c9c6a9e1dce2b34992c9e (diff) | |
| download | forums-d43542a434c6a214c7533f76f3b1dc7afe84e5cf.tar forums-d43542a434c6a214c7533f76f3b1dc7afe84e5cf.tar.gz forums-d43542a434c6a214c7533f76f3b1dc7afe84e5cf.tar.bz2 forums-d43542a434c6a214c7533f76f3b1dc7afe84e5cf.tar.xz forums-d43542a434c6a214c7533f76f3b1dc7afe84e5cf.zip | |
[ticket/11997] Use $phpbb_filesystem->clean_path() for proper redirect paths
PHPBB3-11997
Diffstat (limited to 'tests/security')
| -rw-r--r-- | tests/security/redirect_test.php | 58 |
1 files changed, 35 insertions, 23 deletions
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php index e934a4ab1b..6ea94d33be 100644 --- a/tests/security/redirect_test.php +++ b/tests/security/redirect_test.php @@ -17,26 +17,32 @@ class phpbb_security_redirect_test extends phpbb_security_test_base { // array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false)) return array( - array('data://x', false, 'http://localhost/phpBB'), - array('bad://localhost/phpBB/index.php', 'INSECURE_REDIRECT', false), - array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'), - array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'INSECURE_REDIRECT', false), - array('javascript:test', false, 'http://localhost/phpBB/javascript:test'), - array('http://localhost/phpBB/index.php;url=', 'INSECURE_REDIRECT', false), - array('http://localhost/phpBB/app.php/foobar', false, 'http://localhost/phpBB/app.php/foobar'), - array('./app.php/foobar', false, 'http://localhost/phpBB/app.php/foobar'), - array('app.php/foobar', false, 'http://localhost/phpBB/app.php/foobar'), - array('./../app.php/foobar', false, 'http://localhost/phpBB/app.php/foobar'), - array('./../app.php/foo/bar', false, 'http://localhost/phpBB/app.php/foo/bar'), - array('./../foo/bar', false, 'http://localhost/phpBB/foo/bar'), - array('app.php/', false, 'http://localhost/phpBB/app.php/'), - array('./app.php/', false, 'http://localhost/phpBB/app.php/'), - array('foobar', false, 'http://localhost/phpBB/foobar'), - array('./foobar', false, 'http://localhost/phpBB/foobar'), - array('foo/bar', false, 'http://localhost/phpBB/foo/bar'), - array('./foo/bar', false, 'http://localhost/phpBB/foo/bar'), - array('./../index.php', false, 'http://localhost/phpBB/index.php'), - array('../index.php', false, 'http://localhost/phpBB/index.php'), + array('data://x', false, false, 'http://localhost/phpBB'), + array('bad://localhost/phpBB/index.php', false, 'INSECURE_REDIRECT', false), + array('http://www.otherdomain.com/somescript.php', false, false, 'http://localhost/phpBB'), + array("http://localhost/phpBB/memberlist.php\n\rConnection: close", false, 'INSECURE_REDIRECT', false), + array('javascript:test', false, false, 'http://localhost/phpBB/javascript:test'), + array('http://localhost/phpBB/index.php;url=', false, 'INSECURE_REDIRECT', false), + array('http://localhost/phpBB/app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'), + array('./app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'), + array('app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'), + array('./../app.php/foobar', false, false, 'http://localhost/app.php/foobar'), + array('./../app.php/foobar', true, false, 'http://localhost/app.php/foobar'), + array('./../app.php/foo/bar', false, false, 'http://localhost/app.php/foo/bar'), + array('./../app.php/foo/bar', true, false, 'http://localhost/app.php/foo/bar'), + array('./../foo/bar', false, false, 'http://localhost/foo/bar'), + array('./../foo/bar', true, false, 'http://localhost/foo/bar'), + array('app.php/', false, false, 'http://localhost/phpBB/app.php/'), + array('./app.php/', false, false, 'http://localhost/phpBB/app.php/'), + array('foobar', false, false, 'http://localhost/phpBB/foobar'), + array('./foobar', false, false, 'http://localhost/phpBB/foobar'), + array('foo/bar', false, false, 'http://localhost/phpBB/foo/bar'), + array('./foo/bar', false, false, 'http://localhost/phpBB/foo/bar'), + array('./../index.php', false, false, 'http://localhost/index.php'), + array('./../index.php', true, false, 'http://localhost/index.php'), + array('../index.php', false, false, 'http://localhost/index.php'), + array('../index.php', true, false, 'http://localhost/index.php'), + array('./index.php', false, false, 'http://localhost/phpBB/index.php'), ); } @@ -52,21 +58,27 @@ class phpbb_security_redirect_test extends phpbb_security_test_base /** * @dataProvider provider */ - public function test_redirect($test, $expected_error, $expected_result) + public function test_redirect($test, $disable_cd_check, $expected_error, $expected_result) { - global $user; + global $user, $phpbb_root_path; + + $temp_phpbb_root_path = $phpbb_root_path; + // We need to hack phpbb_root_path here, so it matches the actual fileinfo of the testing script. + // Otherwise the paths are returned incorrectly. + $phpbb_root_path = ''; if ($expected_error !== false) { $this->setExpectedTriggerError(E_USER_ERROR, $expected_error); } - $result = redirect($test, true); + $result = redirect($test, true, $disable_cd_check); // only verify result if we did not expect an error if ($expected_error === false) { $this->assertEquals($expected_result, $result); } + $phpbb_root_path = $temp_phpbb_root_path; } } |