5 files changed, 177 insertions, 123 deletions
diff --git a/tests/security/base.php b/tests/security/base.php
index 2658798237..330408b448 100644
--- a/tests/security/base.php
+++ b/tests/security/base.php
@@ -1,33 +1,40 @@
 <?php
 /**
 *
-* @package testing
-* @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
 *
 */
 
 abstract class phpbb_security_test_base extends phpbb_test_case
 {
+	protected $server = array();
+
 	/**
 	* Set up the required user object and server variables for the suites
 	*/
 	protected function setUp()
 	{
-		global $user, $phpbb_root_path;
+		global $user, $phpbb_root_path, $phpEx, $request, $symfony_request, $phpbb_filesystem;
 
 		// Put this into a global function being run by every test to init a proper user session
-		$_SERVER['HTTP_HOST']		= 'localhost';
-		$_SERVER['SERVER_NAME']		= 'localhost';
-		$_SERVER['SERVER_ADDR']		= '127.0.0.1';
-		$_SERVER['SERVER_PORT']		= 80;
-		$_SERVER['REMOTE_ADDR']		= '127.0.0.1';
-		$_SERVER['QUERY_STRING']	= '';
-		$_SERVER['REQUEST_URI']		= '/tests/';
-		$_SERVER['SCRIPT_NAME']		= '/tests/index.php';
-		$_SERVER['PHP_SELF']		= '/tests/index.php';
-		$_SERVER['HTTP_USER_AGENT']	= 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
-		$_SERVER['HTTP_ACCEPT_LANGUAGE']	= 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
+		$this->server['HTTP_HOST']				= 'localhost';
+		$this->server['SERVER_NAME']			= 'localhost';
+		$this->server['SERVER_ADDR']			= '127.0.0.1';
+		$this->server['SERVER_PORT']			= 80;
+		$this->server['REMOTE_ADDR']			= '127.0.0.1';
+		$this->server['QUERY_STRING']			= '';
+		$this->server['REQUEST_URI']			= '/tests/';
+		$this->server['SCRIPT_NAME']			= '/tests/index.php';
+		$this->server['SCRIPT_FILENAME']		= '/var/www/tests/index.php';
+		$this->server['PHP_SELF']				= '/tests/index.php';
+		$this->server['HTTP_USER_AGENT']		= 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
+		$this->server['HTTP_ACCEPT_LANGUAGE']	= 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
 
 /*
 		[HTTP_ACCEPT_ENCODING] => gzip,deflate
@@ -36,14 +43,19 @@ abstract class phpbb_security_test_base extends phpbb_test_case
 		[SCRIPT_FILENAME] => /var/www/tests/index.php
 */
 
+		$request = new phpbb_mock_request(array(), array(), array(), $this->server);
+		$symfony_request = new \phpbb\symfony_request($request);
+
+		$phpbb_filesystem = new \phpbb\filesystem();
+
 		// Set no user and trick a bit to circumvent errors
-		$user = new user();
+		$user = new \phpbb\user('\phpbb\datetime');
 		$user->lang = true;
-		$user->browser				= (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
-		$user->referer				= (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : '';
-		$user->forwarded_for		= (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
-		$user->host					= (!empty($_SERVER['HTTP_HOST'])) ? (string) strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
-		$user->page = session::extract_current_page($phpbb_root_path);
+		$user->browser				= $this->server['HTTP_USER_AGENT'];
+		$user->referer				= '';
+		$user->forwarded_for		= '';
+		$user->host					= $this->server['HTTP_HOST'];
+		$user->page = \phpbb\session::extract_current_page($phpbb_root_path);
 	}
 
 	protected function tearDown()
diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php
index 0f5128884b..767b901a43 100644
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@@ -1,36 +1,45 @@
 <?php
 /**
 *
-* @package testing
-* @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
 *
 */
 
 require_once dirname(__FILE__) . '/base.php';
 
 require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
-require_once dirname(__FILE__) . '/../../phpBB/includes/session.php';
 
 class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 {
-	static public function security_variables()
+	public function security_variables()
 	{
 		return array(
-			array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
-			array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
+			array('mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E'),
+			array('mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E'),
+			array('mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E'),
 		);
 	}
 
 	/**
 	* @dataProvider security_variables
 	*/
-	public function test_query_string_php_self($url, $query_string, $expected)
+	public function test_query_string_php_self($query_string, $expected)
 	{
-		$_SERVER['PHP_SELF'] = $url;
-		$_SERVER['QUERY_STRING'] = $query_string;
+		global $symfony_request, $request;
+
+		$this->server['REQUEST_URI'] = '';
+		$this->server['QUERY_STRING'] = $query_string;
+
+		$request = new phpbb_mock_request(array(), array(), array(), $this->server);
+		$symfony_request = new \phpbb\symfony_request($request);
 
-		$result = session::extract_current_page('./');
+		$result = \phpbb\session::extract_current_page('./');
 
 		$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
 		$this->assertEquals($expected, $result['query_string'], $label);
@@ -39,15 +48,18 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 	/**
 	* @dataProvider security_variables
 	*/
-	public function test_query_string_request_uri($url, $query_string, $expected)
+	public function test_query_string_request_uri($query_string, $expected)
 	{
-		$_SERVER['REQUEST_URI'] = $url . '?' . $query_string;
-		$_SERVER['QUERY_STRING'] = $query_string;
+		global $symfony_request, $request;
 
-		$result = session::extract_current_page('./');
+		$this->server['QUERY_STRING'] = $query_string;
+
+		$request = new phpbb_mock_request(array(), array(), array(), $this->server);
+		$symfony_request = new \phpbb\symfony_request($request);
+
+		$result = \phpbb\session::extract_current_page('./');
 
 		$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
 		$this->assertEquals($expected, $result['query_string'], $label);
 	}
 }
-
diff --git a/tests/security/hash_test.php b/tests/security/hash_test.php
index e226365ef3..0494c55c6d 100644
--- a/tests/security/hash_test.php
+++ b/tests/security/hash_test.php
@@ -1,16 +1,45 @@
 <?php
 /**
 *
-* @package testing
-* @copyright (c) 2011 phpBB Group
-* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
 *
 */
 
-require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
+require_once dirname(__FILE__) . '/../../phpBB/includes/functions_compatibility.php';
 
 class phpbb_security_hash_test extends phpbb_test_case
 {
+	public function setUp()
+	{
+		global $phpbb_container;
+
+		$config = new \phpbb\config\config(array());
+		$phpbb_container = $this->getMock('Symfony\Component\DependencyInjection\ContainerInterface');
+		$driver_helper = new \phpbb\passwords\driver\helper($config);
+		$passwords_drivers = array(
+			'passwords.driver.bcrypt_2y'	=> new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper),
+			'passwords.driver.bcrypt'		=> new \phpbb\passwords\driver\bcrypt($config, $driver_helper),
+			'passwords.driver.salted_md5'	=> new \phpbb\passwords\driver\salted_md5($config, $driver_helper),
+			'passwords.driver.phpass'		=> new \phpbb\passwords\driver\phpass($config, $driver_helper),
+		);
+
+		$passwords_helper = new \phpbb\passwords\helper;
+		// Set up passwords manager
+		$passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));
+
+		$phpbb_container
+			->expects($this->any())
+			->method('get')
+			->with('passwords.manager')
+			->will($this->returnValue($passwords_manager));
+	}
+
 	public function test_check_hash_with_phpass()
 	{
 		$this->assertTrue(phpbb_check_hash('test', '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index 9a24ba5d65..a88fc63858 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -1,65 +1,126 @@
 <?php
 /**
 *
-* @package testing
-* @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
 *
 */
 
 require_once dirname(__FILE__) . '/base.php';
 
 require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
-require_once dirname(__FILE__) . '/../../phpBB/includes/session.php';
 
 class phpbb_security_redirect_test extends phpbb_security_test_base
 {
-	static public function provider()
+	protected $path_helper;
+
+	public function provider()
 	{
 		// array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
 		return array(
-			array('data://x', 'Tried to redirect to potentially insecure url.', false),
-			array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false),
-			array('http://www.otherdomain.com/somescript.php', 'Tried to redirect to potentially insecure url.', false),
-			array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false),
-			array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'),
-			array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false),
-			array('https://foobar.com\@http://localhost/phpBB', 'Tried to redirect to potentially insecure url.', false),
-			array('https://foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
-			array('http://localhost.foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
-			array('http://localhost/phpBB', false, 'http://localhost/phpBB'),
-			array('http://localhost/phpBB/', false, 'http://localhost/phpBB/'),
+			array('data://x', false, 'INSECURE_REDIRECT', false),
+			array('bad://localhost/phpBB/index.php', false, 'INSECURE_REDIRECT', false),
+			array('http://www.otherdomain.com/somescript.php', false, 'INSECURE_REDIRECT', false),
+			array("http://localhost/phpBB/memberlist.php\n\rConnection: close", false, 'INSECURE_REDIRECT', false),
+			array('javascript:test', false, false, 'http://localhost/phpBB/javascript:test'),
+			array('http://localhost/phpBB/index.php;url=', false, 'INSECURE_REDIRECT', false),
+			array('http://localhost/phpBB/app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'),
+			array('./app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'),
+			array('app.php/foobar', false, false, 'http://localhost/phpBB/app.php/foobar'),
+			array('./../app.php/foobar', false, false, 'http://localhost/app.php/foobar'),
+			array('./../app.php/foobar', true, false, 'http://localhost/app.php/foobar'),
+			array('./../app.php/foo/bar', false, false, 'http://localhost/app.php/foo/bar'),
+			array('./../app.php/foo/bar', true, false, 'http://localhost/app.php/foo/bar'),
+			array('./../foo/bar', false, false, 'http://localhost/foo/bar'),
+			array('./../foo/bar', true, false, 'http://localhost/foo/bar'),
+			array('app.php/', false, false, 'http://localhost/phpBB/app.php/'),
+			array('app.php/a', false, false, 'http://localhost/phpBB/app.php/a'),
+			array('app.php/a/b', false, false, 'http://localhost/phpBB/app.php/a/b'),
+			array('./app.php/', false, false, 'http://localhost/phpBB/app.php/'),
+			array('foobar', false, false, 'http://localhost/phpBB/foobar'),
+			array('./foobar', false, false, 'http://localhost/phpBB/foobar'),
+			array('foo/bar', false, false, 'http://localhost/phpBB/foo/bar'),
+			array('./foo/bar', false, false, 'http://localhost/phpBB/foo/bar'),
+			array('./../index.php', false, false, 'http://localhost/index.php'),
+			array('./../index.php', true, false, 'http://localhost/index.php'),
+			array('../index.php', false, false, 'http://localhost/index.php'),
+			array('../index.php', true, false, 'http://localhost/index.php'),
+			array('./index.php', false, false, 'http://localhost/phpBB/index.php'),
+			array('https://foobar.com\@http://localhost/phpBB', false, 'INSECURE_REDIRECT', false),
+			array('https://foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
+			array('http://localhost.foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
+			array('http://localhost/phpBB', false, false, 'http://localhost/phpBB'),
+			array('http://localhost/phpBB/', false, false, 'http://localhost/phpBB/'),
 		);
 	}
 
+	protected function get_path_helper()
+	{
+		if (!($this->path_helper instanceof \phpbb\path_helper))
+		{
+			$this->path_helper = new \phpbb\path_helper(
+				new \phpbb\symfony_request(
+					new phpbb_mock_request()
+				),
+				new \phpbb\filesystem(),
+				$this->getMock('\phpbb\request\request'),
+				$this->phpbb_root_path,
+				'php'
+			);
+		}
+		return $this->path_helper;
+	}
+
 	protected function setUp()
 	{
+		global $phpbb_dispatcher;
+
 		parent::setUp();
-		
+
 		$GLOBALS['config'] = array(
 			'force_server_vars'	=> '0',
 		);
+
+		$this->path_helper = $this->get_path_helper();
+
+		$phpbb_dispatcher = new phpbb_mock_event_dispatcher();
 	}
 
 	/**
 	* @dataProvider provider
 	*/
-	public function test_redirect($test, $expected_error, $expected_result)
+	public function test_redirect($test, $disable_cd_check, $expected_error, $expected_result)
 	{
-		global $user;
+		global $user, $phpbb_root_path, $phpbb_path_helper;
+
+		$phpbb_path_helper = $this->path_helper;
+
+		$temp_phpbb_root_path = $phpbb_root_path;
+		$temp_page_dir = $user->page['page_dir'];
+		// We need to hack phpbb_root_path and the user's page_dir here
+		// so it matches the actual fileinfo of the testing script.
+		// Otherwise the paths are returned incorrectly.
+		$phpbb_root_path = '';
+		$user->page['page_dir'] = '';
 
 		if ($expected_error !== false)
 		{
-			$this->setExpectedTriggerError(E_USER_ERROR, $expected_error);
+			$this->setExpectedTriggerError(E_USER_ERROR, $user->lang[$expected_error]);
 		}
 
-		$result = redirect($test, true);
+		$result = redirect($test, true, $disable_cd_check);
 
 		// only verify result if we did not expect an error
 		if ($expected_error === false)
 		{
 			$this->assertEquals($expected_result, $result);
 		}
+		$phpbb_root_path = $temp_phpbb_root_path;
+		$user->page['page_dir'] = $temp_page_dir;
 	}
 }
-
diff --git a/tests/security/trailing_path_test.php b/tests/security/trailing_path_test.php
deleted file mode 100644
index 9d586e74ef..0000000000
--- a/tests/security/trailing_path_test.php
+++ /dev/null
@@ -1,60 +0,0 @@
-<?php
-/**
- *
- * @package testing
- * @copyright (c) 2011 phpBB Group
- * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
- *
- */
-
-require_once dirname(__FILE__) . '/../../phpBB/includes/startup.php';
-
-class phpbb_security_trailing_path_test extends phpbb_test_case
-{
-	public function data_has_trailing_path()
-	{
-		return array(
-			array(false, '', '', ''),
-			array(true, '/', '', ''),
-			array(true, '/foo', '', ''),
-			array(true, '', '/foo', ''),
-			array(true, '/foo', '/foo', ''),
-			array(false, '', '', '/'),
-			array(false, '', '', '/?/x.php/'),
-			array(false, '', '', '/index.php'),
-			array(false, '', '', '/dir.phpisfunny/foo.php'),
-			array(true, '', '', '/index.php/foo.php'),
-			array(false, '', '', '/phpBB/viewtopic.php?f=3&amp;t=5'),
-			array(false, '', '', '/phpBB/viewtopic.php?f=3&amp;t=5/'),
-			array(false, '', '', '/phpBB/viewtopic.php?f=3&amp;t=5/foo'),
-			array(true, '/foo', '/foo', '/phpBB/viewtopic.php?f=3&amp;t=5/foo'),
-			array(false, '', '', '/projects/php.bb/phpBB/viewtopic.php?f=3&amp;t=5/'),
-			array(false, '', '', '/projects/php.bb/phpBB/viewtopic.php?f=3&amp;t=5'),
-			array(false, '', '', '/projects/php.bb/phpBB/viewtopic.php?f=3&amp;t=5/foo.php/'),
-			array(false, '', '', '/projects/php.bb/phpBB/index.php'),
-			array(true, '', '', '/projects/php.bb/phpBB/index.php/'),
-			array(true, '', '', '/phpBB/index.php/?foo/a'),
-			array(true, '', '', '/projects/php.bb/phpBB/index.php/?a=5'),
-			array(false, '', '', '/projects/php.bb/phpBB/index.php?/a=5'),
-			array(false, '', '/phpBB/index.php', '/phpBB/index.php', '/phpBB/index.php'),
-			array(true, '', '/phpBB/index.php', '/phpBB/index.php'),
-			array(true, '', '/phpBB/index.php/', '/phpBB/index.php/', '/phpBB/index.php'),
-			array(true, '', '/phpBB/index.php/', '/phpBB/index.php/'),
-		);
-	}
-
-	/**
-	 * @dataProvider data_has_trailing_path
-	 */
-	public function test_has_trailing_path($expected, $path_info, $orig_path_info, $request_uri, $script_name = '')
-	{
-		global $phpEx;
-
-		$_SERVER['PATH_INFO'] = $path_info;
-		$_SERVER['ORIG_PATH_INFO'] = $orig_path_info;
-		$_SERVER['REQUEST_URI'] = $request_uri;
-		$_SERVER['SCRIPT_NAME'] = $script_name;
-
-		$this->assertSame($expected, phpbb_has_trailing_path($phpEx));
-	}
-}