authorMarc Alexander <admin@m-a-styles.de>2016-12-26 22:01:51 +0100
committerMarc Alexander <admin@m-a-styles.de>2016-12-26 22:01:51 +0100
commit658820654f5789a786a5537c1b43991744b83d2c (patch)
treebc502a5bb97b1a0132498e3c5ddf7d8fbe0a33d2 /tests/version
parent97a0f49be42085a91ae3693c70f9c8d3496c1577 (diff)
[ticket/security-203] Fully validate version check data in version helper
This also covers SECURITY-204, which has the same underlying cause. Admins still need to make sure they do not visit malicious sites via URLs provided by extensions. SECURITY-203
Diffstat (limited to 'tests/version')
-rw-r--r--tests/version/version_helper_remote_test.php98
1 files changed, 64 insertions, 34 deletions
diff --git a/tests/version/version_helper_remote_test.php b/tests/version/version_helper_remote_test.php
index 65ae7646b9..596b7194de 100644
--- a/tests/version/version_helper_remote_test.php
+++ b/tests/version/version_helper_remote_test.php
@@ -37,21 +37,21 @@ class version_helper_remote_test extends \phpbb_test_case
->will($this->returnValue(false));
$this->file_downloader = new phpbb_mock_file_downloader();
+ $this->user = new \phpbb\user('\phpbb\datetime');
+ $this->user->add_lang('acp/common');
$this->version_helper = new \phpbb\version_helper(
$this->cache,
$config,
$this->file_downloader,
- new \phpbb\user('\phpbb\datetime')
+ $this->user
);
- $this->user = new \phpbb\user('\phpbb\datetime');
- $this->user->add_lang('acp/common');
}
public function provider_get_versions()
{
return array(
- array('', false),
- array('foobar', false),
+ array('', false, '', 'VERSIONCHECK_FAIL'),
+ array('foobar', false, '', 'VERSIONCHECK_FAIL'),
array('{
"stable": {
"1.0": {
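Review bot: The third provider element is inconsistent across the failing rows: the three `VERSIONCHECK_FAIL` rows here and in the next hunk pass `''` (`array('', false, '', 'VERSIONCHECK_FAIL'),`), while the `VERSIONCHECK_INVALID_VERSION` rows in the hunk after that pass `null` (`}', false, null, 'VERSIONCHECK_INVALID_VERSION'),`). If, as the test body suggests, `$expected_return` is only compared when `$valid_data` is true (that comparison branch is outside these hunks), the value is dead on every failing row and one placeholder should be used throughout, preferably `null`, so a reader does not take the differing values as meaningful. provider_get_versions continues past this hunk.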
@@ -92,7 +92,7 @@ class version_helper_remote_test extends \phpbb_test_case
"security": false
}
}
-}', false),
+}', false, '', 'VERSIONCHECK_FAIL'),
array('{
"stable": {
"1.0": {
@@ -103,26 +103,7 @@ class version_helper_remote_test extends \phpbb_test_case
"security": "<script>alert(\'foo\');</script>"
}
}
-}', true, array (
- 'stable' => array (
- '1.0' => array (
- 'current' => '1.0.1&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'download' => 'https://www.phpbb.com/customise/db/download/104136&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'eol' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'security' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- ),
- ),
- 'unstable' => array (
- '1.0' => array (
- 'current' => '1.0.1&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'download' => 'https://www.phpbb.com/customise/db/download/104136&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'eol' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'security' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- ),
- ),
- )),
+}', false, null, 'VERSIONCHECK_INVALID_VERSION'),
array('{
"unstable": {
"1.0": {
@@ -133,25 +114,74 @@ class version_helper_remote_test extends \phpbb_test_case
"security": "<script>alert(\'foo\');</script>"
}
}
+}', false, null, 'VERSIONCHECK_INVALID_VERSION'),
+ array('{
+ "unstable": {
+ "1.0<script>alert(\'foo\');</script>": {
+ "current": "1.0.1",
+ "download": "https://www.phpbb.com/customise/db/download/104136",
+ "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/",
+ "eol": "",
+ "security": ""
+ }
+ }
+}', false, array('stable' => array(), 'unstable' => array()), 'VERSIONCHECK_INVALID_VERSION'),
+ array('{
+ "\"\n<script>alert(\'foo\');</script>\n": "test",
+ "stable": {
+ "1.0": {
+ "current": "1.0.1",
+ "download": "https://www.phpbb.com/customise/db/download/104136",
+ "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/",
+ "eol": null,
+ "security": false
+ }
+ }
}', true, array (
+ 'stable' => array (
+ '1.0' => array (
+ 'current' => '1.0.1',
+ 'download' => 'https://www.phpbb.com/customise/db/download/104136',
+ 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/',
+ 'eol' => NULL,
+ 'security' => false,
+ ),
+ ),
'unstable' => array (
'1.0' => array (
- 'current' => '1.0.1&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'download' => 'https://www.phpbb.com/customise/db/download/104136&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'eol' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
- 'security' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
+ 'current' => '1.0.1',
+ 'download' => 'https://www.phpbb.com/customise/db/download/104136',
+ 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/',
+ 'eol' => NULL,
+ 'security' => false,
),
),
- 'stable' => array(),
)),
+ array('{
+ "unstable": {
+ "1.0": {
+ "current": "1.0.1",
+ "download": "https://www.phpbb.com/customise/db/download/104136",
+ "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/",
+ "eol": null,
+ "security": false,
+ "foobar": "<script>alert(\'test\');<script>"
+ }
+ }
+}', true, array('stable' => array(), 'unstable' => array('1.0' => array(
+ 'current' => '1.0.1',
+ 'download' => 'https://www.phpbb.com/customise/db/download/104136',
+ 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/',
+ 'eol' => null,
+ 'security' => false,
+ ))), 'VERSIONCHECK_INVALID_ENTRY'),
);
}
/**
* @dataProvider provider_get_versions
*/
- public function test_get_versions($input, $valid_data, $expected_return = '')
+ public function test_get_versions($input, $valid_data, $expected_return = '', $expected_exception = '')
{
$this->file_downloader->set($input);
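Review bot: Two of the new provider rows carry arguments that appear never to be asserted. The row whose branch key is `"1.0<script>alert(\'foo\');</script>"` passes `$valid_data = false` together with an expected array (`array('stable' => array(), 'unstable' => array())`), and the final row passes `$valid_data = true` together with `'VERSIONCHECK_INVALID_ENTRY'`, yet the exception message is compared only inside the `catch` of the `!$valid_data` path and the return value only in the other branch (both outside this hunk, if the structure is as it appears). If the last row is meant to show that an unknown key such as `foobar` is dropped silently, its fourth element should be `''` or omitted so the row does not read as expecting an exception; if an exception is intended, `$valid_data` must be `false` and the expected array removed. test_get_versions continues past this hunk.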
@@ -160,7 +190,7 @@ class version_helper_remote_test extends \phpbb_test_case
try {
$return = $this->version_helper->get_versions();
} catch (\RuntimeException $e) {
- $this->assertEquals((string)$e->getMessage(), $this->user->lang('VERSIONCHECK_FAIL'));
+ $this->assertEquals((string)$e->getMessage(), $this->user->lang($expected_exception));
}
}
else
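Review bot: In what appears to be the `!$valid_data` branch (its `if` is outside the hunk), the test still passes when `get_versions()` returns normally, because the only assertion lives inside the `catch` block, so a regression that stops throwing on malformed data, exactly what this commit hardens, would go unnoticed. Add `$this->fail('Expected RuntimeException was not thrown');` as the last statement of the `try` block, directly after the `get_versions()` call. The `assertEquals` arguments on the changed line are also reversed (PHPUnit takes the expected value first), so a failure would report actual and expected swapped: `$this->assertEquals($this->user->lang($expected_exception), (string) $e->getMessage());`. test_get_versions starts before this hunk and continues after it.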