Diffstat (limited to 'tests/security')
-rw-r--r--tests/security/base.php64
-rw-r--r--tests/security/extract_current_page_test.php59
-rw-r--r--tests/security/hash_test.php12
-rw-r--r--tests/security/redirect_test.php61
4 files changed, 83 insertions, 113 deletions
diff --git a/tests/security/base.php b/tests/security/base.php
index 3ab2d1cfec..d2abdbc362 100644
--- a/tests/security/base.php
+++ b/tests/security/base.php
@@ -1,14 +1,20 @@
<?php
/**
*
-* @package testing
-* @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
*
*/
abstract class phpbb_security_test_base extends phpbb_test_case
{
+ protected $server = array();
+
/**
* Set up the required user object and server variables for the suites
*/
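Review bot: The new `protected $server = array();` carries no doc comment, yet the subclass in this same change (extract_current_page_test) mutates its entries before building its own request, so the property is effectively part of the fixture contract. Suggest `/** @var array Synthetic $_SERVER values handed to phpbb_mock_request; filled in setUp(), subclasses may override entries before rebuilding $request. */` above it. The class body continues past this hunk.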
@@ -17,17 +23,18 @@ abstract class phpbb_security_test_base extends phpbb_test_case
global $user, $phpbb_root_path, $phpEx, $request, $symfony_request, $phpbb_filesystem;
// Put this into a global function being run by every test to init a proper user session
- $server['HTTP_HOST'] = 'localhost';
- $server['SERVER_NAME'] = 'localhost';
- $server['SERVER_ADDR'] = '127.0.0.1';
- $server['SERVER_PORT'] = 80;
- $server['REMOTE_ADDR'] = '127.0.0.1';
- $server['QUERY_STRING'] = '';
- $server['REQUEST_URI'] = '/tests/';
- $server['SCRIPT_NAME'] = '/tests/index.php';
- $server['PHP_SELF'] = '/tests/index.php';
- $server['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
- $server['HTTP_ACCEPT_LANGUAGE'] = 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
+ $this->server['HTTP_HOST'] = 'localhost';
+ $this->server['SERVER_NAME'] = 'localhost';
+ $this->server['SERVER_ADDR'] = '127.0.0.1';
+ $this->server['SERVER_PORT'] = 80;
+ $this->server['REMOTE_ADDR'] = '127.0.0.1';
+ $this->server['QUERY_STRING'] = '';
+ $this->server['REQUEST_URI'] = '/tests/';
+ $this->server['SCRIPT_NAME'] = '/tests/index.php';
+ $this->server['SCRIPT_FILENAME'] = '/var/www/tests/index.php';
+ $this->server['PHP_SELF'] = '/tests/index.php';
+ $this->server['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
+ $this->server['HTTP_ACCEPT_LANGUAGE'] = 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
/*
[HTTP_ACCEPT_ENCODING] => gzip,deflate
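Review bot: `SCRIPT_FILENAME` is now really assigned via `$this->server['SCRIPT_FILENAME'] = '/var/www/tests/index.php';`, but the block comment opened on the last line of this hunk (it continues in the next one) still lists `[SCRIPT_FILENAME] => /var/www/tests/index.php`, which appears to be the catalogue of server keys that are documented rather than set; drop that entry so the comment stays accurate. Separately, `SERVER_PORT` is the integer `80` while a real `$_SERVER['SERVER_PORT']` arrives as the string `'80'`; if anything built on this request compares the port strictly, `'80'` is the more faithful fixture. setUp() continues in the next hunk.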
@@ -36,31 +43,20 @@ abstract class phpbb_security_test_base extends phpbb_test_case
[SCRIPT_FILENAME] => /var/www/tests/index.php
*/
- $request = new phpbb_mock_request(array(), array(), array(), $server);
- $symfony_request = $this->getMock("\phpbb\symfony_request", array(), array(
- $request,
- ));
- $symfony_request->expects($this->any())
- ->method('getScriptName')
- ->will($this->returnValue($server['SCRIPT_NAME']));
- $symfony_request->expects($this->any())
- ->method('getQueryString')
- ->will($this->returnValue($server['QUERY_STRING']));
- $symfony_request->expects($this->any())
- ->method('getBasePath')
- ->will($this->returnValue($server['REQUEST_URI']));
- $symfony_request->expects($this->any())
- ->method('getPathInfo')
- ->will($this->returnValue('/'));
- $phpbb_filesystem = new \phpbb\filesystem($symfony_request, $phpbb_root_path, $phpEx);
+ $request = new phpbb_mock_request(array(), array(), array(), $this->server);
+ $symfony_request = new \phpbb\symfony_request($request);
+
+ $phpbb_filesystem = new \phpbb\filesystem\filesystem();
// Set no user and trick a bit to circumvent errors
- $user = new \phpbb\user();
+ $lang_loader = new \phpbb\language\language_file_loader($phpbb_root_path, $phpEx);
+ $lang = new \phpbb\language\language($lang_loader);
+ $user = new \phpbb\user($lang, '\phpbb\datetime');
$user->lang = true;
- $user->browser = $server['HTTP_USER_AGENT'];
+ $user->browser = $this->server['HTTP_USER_AGENT'];
$user->referer = '';
$user->forwarded_for = '';
- $user->host = $server['HTTP_HOST'];
+ $user->host = $this->server['HTTP_HOST'];
$user->page = \phpbb\session::extract_current_page($phpbb_root_path);
}
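Review bot: `$user->lang = true;` (kept as context) now sits directly after a real `\phpbb\language\language` is injected into the user, so the "trick" either creates an undeclared dynamic property or shadows whatever the user class exposes under `lang`; redirect_test in this same change reads `$user->lang[$expected_error]`, and indexing a boolean in PHP yields null. Unless `\phpbb\user` intercepts reads of `lang` (the class is outside this diff), consider dropping the assignment and resolving messages through the `$lang` object built here, and reword the stale comment to `// Minimal user: real language service, no session; remaining fields are filled by hand below`.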
diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php
index 1284aab94c..767b901a43 100644
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@@ -1,9 +1,13 @@
<?php
/**
*
-* @package testing
-* @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
*
*/
@@ -16,33 +20,25 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
public function security_variables()
{
return array(
- array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
- array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
+ array('mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E'),
+ array('mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E'),
+ array('mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E'),
);
}
/**
* @dataProvider security_variables
*/
- public function test_query_string_php_self($url, $query_string, $expected)
+ public function test_query_string_php_self($query_string, $expected)
{
global $symfony_request, $request;
- $symfony_request = $this->getMock("\phpbb\symfony_request", array(), array(
- $request,
- ));
- $symfony_request->expects($this->any())
- ->method('getScriptName')
- ->will($this->returnValue($url));
- $symfony_request->expects($this->any())
- ->method('getQueryString')
- ->will($this->returnValue($query_string));
- $symfony_request->expects($this->any())
- ->method('getBasePath')
- ->will($this->returnValue($server['REQUEST_URI']));
- $symfony_request->expects($this->any())
- ->method('getPathInfo')
- ->will($this->returnValue('/'));
+ $this->server['REQUEST_URI'] = '';
+ $this->server['QUERY_STRING'] = $query_string;
+
+ $request = new phpbb_mock_request(array(), array(), array(), $this->server);
+ $symfony_request = new \phpbb\symfony_request($request);
+
$result = \phpbb\session::extract_current_page('./');
$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
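Review bot: The provider only ever places the payload in the query string, while this test is the one that empties `REQUEST_URI`, presumably so the script-name fallback is exercised; a case that puts the payload into the path itself (setting `$this->server['PHP_SELF']` and `SCRIPT_NAME` to something like `/tests/index.php/"><script>` before building the request) would cover the other injection point extract_current_page has to neutralise, with the expected value confirmed against the implementation. The label on the last line says "with PHP_SELF filled", but what the test actually does is blank `REQUEST_URI`; `$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI emptied (PHP_SELF path).';` states that precisely. The method body continues past this hunk.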
@@ -52,25 +48,14 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
/**
* @dataProvider security_variables
*/
- public function test_query_string_request_uri($url, $query_string, $expected)
+ public function test_query_string_request_uri($query_string, $expected)
{
global $symfony_request, $request;
- $symfony_request = $this->getMock("\phpbb\symfony_request", array(), array(
- $request,
- ));
- $symfony_request->expects($this->any())
- ->method('getScriptName')
- ->will($this->returnValue($url));
- $symfony_request->expects($this->any())
- ->method('getQueryString')
- ->will($this->returnValue($query_string));
- $symfony_request->expects($this->any())
- ->method('getBasePath')
- ->will($this->returnValue($server['REQUEST_URI']));
- $symfony_request->expects($this->any())
- ->method('getPathInfo')
- ->will($this->returnValue('/'));
+ $this->server['QUERY_STRING'] = $query_string;
+
+ $request = new phpbb_mock_request(array(), array(), array(), $this->server);
+ $symfony_request = new \phpbb\symfony_request($request);
$result = \phpbb\session::extract_current_page('./');
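Review bot: This test keeps the base fixture's `REQUEST_URI` of `/tests/` and puts the payload only into `QUERY_STRING`, so the request URI never carries the hostile query the method name suggests it exercises. If extract_current_page or the symfony_request built here derives anything from REQUEST_URI, `$this->server['REQUEST_URI'] = '/tests/?' . $query_string;` would make this case differ meaningfully from test_query_string_php_self; if it does not, the two methods walk the same path and a one-line comment saying so would save the next reader the comparison. The method body continues past this hunk.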
diff --git a/tests/security/hash_test.php b/tests/security/hash_test.php
index bc1bebd87a..0494c55c6d 100644
--- a/tests/security/hash_test.php
+++ b/tests/security/hash_test.php
@@ -1,13 +1,17 @@
<?php
/**
*
-* @package testing
-* @copyright (c) 2011 phpBB Group
-* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
*
*/
-require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
+require_once dirname(__FILE__) . '/../../phpBB/includes/functions_compatibility.php';
class phpbb_security_hash_test extends phpbb_test_case
{
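Review bot: The require now targets functions_compatibility.php, which by its name holds backward-compatibility wrappers rather than the current hashing code, so this suite appears to cover the deprecated entry points (the test bodies are outside this hunk). A comment above the require such as `// Exercises the deprecated BC hashing wrappers only; the active password manager is covered elsewhere` would stop a reader from taking a green run here as coverage of the live password hashing, assuming that is indeed the split.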
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index 77dc955c26..62781f3ee6 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -1,9 +1,13 @@
<?php
/**
*
-* @package testing
-* @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
*
*/
@@ -15,16 +19,13 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
{
protected $path_helper;
- protected $controller_helper;
-
public function provider()
{
- $this->controller_helper = $this->get_controller_helper();
// array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
return array(
- array('data://x', false, false, 'http://localhost/phpBB'),
+ array('data://x', false, 'INSECURE_REDIRECT', false),
array('bad://localhost/phpBB/index.php', false, 'INSECURE_REDIRECT', false),
- array('http://www.otherdomain.com/somescript.php', false, false, 'http://localhost/phpBB'),
+ array('http://www.otherdomain.com/somescript.php', false, 'INSECURE_REDIRECT', false),
array("http://localhost/phpBB/memberlist.php\n\rConnection: close", false, 'INSECURE_REDIRECT', false),
array('javascript:test', false, false, 'http://localhost/phpBB/javascript:test'),
array('http://localhost/phpBB/index.php;url=', false, 'INSECURE_REDIRECT', false),
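Review bot: The provider comment `// array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))` describes three elements, but every row has four — the second is the `$disable_cd_check` flag passed to redirect(), which rows further down vary between false and true. Suggest `// array(input to redirect(), disable_cd_check flag, expected triggered error key (else false), expected returned url (else false))`. provider() continues past this hunk.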
@@ -38,8 +39,8 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
array('./../foo/bar', false, false, 'http://localhost/foo/bar'),
array('./../foo/bar', true, false, 'http://localhost/foo/bar'),
array('app.php/', false, false, 'http://localhost/phpBB/app.php/'),
- array($this->controller_helper->url('a'), false, false, 'http://localhost/phpBB/app.php/a'),
- array($this->controller_helper->url(''), false, false, 'http://localhost/phpBB/app.php/'),
+ array('app.php/a', false, false, 'http://localhost/phpBB/app.php/a'),
+ array('app.php/a/b', false, false, 'http://localhost/phpBB/app.php/a/b'),
array('./app.php/', false, false, 'http://localhost/phpBB/app.php/'),
array('foobar', false, false, 'http://localhost/phpBB/foobar'),
array('./foobar', false, false, 'http://localhost/phpBB/foobar'),
@@ -50,6 +51,11 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
array('../index.php', false, false, 'http://localhost/index.php'),
array('../index.php', true, false, 'http://localhost/index.php'),
array('./index.php', false, false, 'http://localhost/phpBB/index.php'),
+ array('https://foobar.com\@http://localhost/phpBB', false, 'INSECURE_REDIRECT', false),
+ array('https://foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
+ array('http://localhost.foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
+ array('http://localhost/phpBB', false, false, 'http://localhost/phpBB'),
+ array('http://localhost/phpBB/', false, false, 'http://localhost/phpBB/'),
);
}
@@ -61,7 +67,8 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
new \phpbb\symfony_request(
new phpbb_mock_request()
),
- new \phpbb\filesystem(),
+ new \phpbb\filesystem\filesystem(),
+ $this->getMock('\phpbb\request\request'),
$this->phpbb_root_path,
'php'
);
@@ -69,33 +76,10 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
return $this->path_helper;
}
- protected function get_controller_helper()
- {
- if (!($this->controller_helper instanceof \phpbb\controller\helper))
- {
- global $phpbb_dispatcher;
-
- $phpbb_dispatcher = new phpbb_mock_event_dispatcher;
- $this->user = $this->getMock('\phpbb\user');
- $phpbb_path_helper = new \phpbb\path_helper(
- new \phpbb\symfony_request(
- new phpbb_mock_request()
- ),
- new \phpbb\filesystem(),
- $phpbb_root_path,
- $phpEx
- );
- $this->template = new phpbb\template\twig\twig($phpbb_path_helper, $config, $this->user, new \phpbb\template\context());
-
- // We don't use mod_rewrite in these tests
- $config = new \phpbb\config\config(array('enable_mod_rewrite' => '0'));
- $this->controller_helper = new \phpbb\controller\helper($this->template, $this->user, $config, '', 'php');
- }
- return $this->controller_helper;
- }
-
protected function setUp()
{
+ global $phpbb_dispatcher;
+
parent::setUp();
$GLOBALS['config'] = array(
@@ -103,7 +87,8 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
);
$this->path_helper = $this->get_path_helper();
- $this->controller_helper = $this->get_controller_helper();
+
+ $phpbb_dispatcher = new phpbb_mock_event_dispatcher();
}
/**
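Review bot: `$phpbb_dispatcher` is now published as a global from setUp() but nothing tears it down, so the mock dispatcher (and the `$GLOBALS['config']` array assigned just above) outlive the test and remain visible to whatever runs next in the same process. Pair it with `protected function tearDown() { unset($GLOBALS['phpbb_dispatcher'], $GLOBALS['config']); parent::tearDown(); }`, matching the parent class's tearDown signature, so each test starts from the fixture it declares.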
@@ -125,7 +110,7 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
if ($expected_error !== false)
{
- $this->setExpectedTriggerError(E_USER_ERROR, $expected_error);
+ $this->setExpectedTriggerError(E_USER_ERROR, $user->lang[$expected_error]);
}
$result = redirect($test, true, $disable_cd_check);
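Review bot: `$user->lang[$expected_error]` replaces the bare key, but the base fixture in this same change assigns `$user->lang = true;`, and indexing a boolean in PHP yields null, so the expected message would collapse to an empty string and match any E_USER_ERROR. Unless `\phpbb\user` resolves reads of `lang` to the language array (that class is outside this diff), the message check becomes vacuous; resolving the string through the language object the fixture already constructs, or keeping the key and asserting on it, keeps the expectation meaningful. test_redirect's body continues past this hunk.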