diff options
| author | Tristan Darricau <github@nicofuma.fr> | 2014-11-07 11:10:03 +0100 |
|---|---|---|
| committer | Tristan Darricau <github@nicofuma.fr> | 2014-11-07 11:10:03 +0100 |
| commit | a1b58d05d158ff7afd789c1b27821e17198f8d58 (patch) | |
| tree | 41c5955e720b462173e78fed5c18c18057e0b62b /tests | |
| parent | 0e772afb9db640e54e84cfccaddcf74f3edbb3fb (diff) | |
| parent | f432193e0789f0182741d1b4a38a8c4cd86dfba4 (diff) | |
| download | forums-a1b58d05d158ff7afd789c1b27821e17198f8d58.tar forums-a1b58d05d158ff7afd789c1b27821e17198f8d58.tar.gz forums-a1b58d05d158ff7afd789c1b27821e17198f8d58.tar.bz2 forums-a1b58d05d158ff7afd789c1b27821e17198f8d58.tar.xz forums-a1b58d05d158ff7afd789c1b27821e17198f8d58.zip | |
Merge pull request #3107 from marc1706/ticket/13280
[ticket/13280] Properly format the current page and add sanitizer to tests
* marc1706/ticket/13280:
[ticket/13280] Remove unneeded str_replace in build_url()
[ticket/13280] Only run sanitizer for server superglobal and modify tests
[ticket/13280] Seperate server sanitizer call and add comment
[ticket/13280] Add additional sanitizer for ampersands in server superglobal
[ticket/13280] Correctly format user page for build_url()
[ticket/13280] Properly format the current page and add sanitizer to tests
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/functions/build_url_test.php | 6 | ||||
| -rw-r--r-- | tests/security/extract_current_page_test.php | 28 |
2 files changed, 26 insertions, 8 deletions
diff --git a/tests/functions/build_url_test.php b/tests/functions/build_url_test.php index 06415a424e..5cfd1300de 100644 --- a/tests/functions/build_url_test.php +++ b/tests/functions/build_url_test.php @@ -69,6 +69,11 @@ class phpbb_build_url_test extends phpbb_test_case array('f', 'style', 't'), 'http://test.phpbb.com/viewtopic.php?', ), + array( + 'posting.php?f=2&mode=delete&p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E', + false, + 'phpBB/posting.php?f=2&mode=delete&p=20%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E', + ) ); } @@ -80,6 +85,7 @@ class phpbb_build_url_test extends phpbb_test_case global $user, $phpbb_root_path; $user->page['page'] = $page; + $output = build_url($strip_vars); $this->assertEquals($expected, $output); diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php index 58dea68dc8..c127b69b2b 100644 --- a/tests/security/extract_current_page_test.php +++ b/tests/security/extract_current_page_test.php @@ -37,16 +37,16 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base )); $symfony_request->expects($this->any()) ->method('getScriptName') - ->will($this->returnValue($url)); + ->will($this->returnValue($this->sanitizer($url))); $symfony_request->expects($this->any()) ->method('getQueryString') - ->will($this->returnValue($query_string)); + ->will($this->returnValue($this->sanitizer($query_string))); $symfony_request->expects($this->any()) ->method('getBasePath') ->will($this->returnValue($server['REQUEST_URI'])); - $symfony_request->expects($this->any()) + $symfony_request->expects($this->sanitizer($this->any())) ->method('getPathInfo') - ->will($this->returnValue('/')); + ->will($this->returnValue($this->sanitizer('/'))); $result = \phpbb\session::extract_current_page('./'); $label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.'; @@ -65,20 +65,32 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base )); $symfony_request->expects($this->any()) ->method('getScriptName') - ->will($this->returnValue($url)); + ->will($this->returnValue($this->sanitizer($url))); $symfony_request->expects($this->any()) ->method('getQueryString') - ->will($this->returnValue($query_string)); + ->will($this->returnValue($this->sanitizer($query_string))); $symfony_request->expects($this->any()) ->method('getBasePath') - ->will($this->returnValue($server['REQUEST_URI'])); + ->will($this->returnValue($this->sanitizer($server['REQUEST_URI']))); $symfony_request->expects($this->any()) ->method('getPathInfo') - ->will($this->returnValue('/')); + ->will($this->returnValue($this->sanitizer('/'))); $result = \phpbb\session::extract_current_page('./'); $label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.'; $this->assertEquals($expected, $result['query_string'], $label); } + + protected function sanitizer($value) + { + // Fix for objects passed in phpunit + if (is_object($value)) + { + return $value; + } + $type_cast_helper = new \phpbb\request\type_cast_helper(); + $type_cast_helper->set_var($value, $value, gettype($value), true); + return str_replace('&', '&', $value); + } } |