aboutsummaryrefslogtreecommitdiffstats
path: root/tests/security
diff options
context:
space:
mode:
Diffstat (limited to 'tests/security')
-rw-r--r--tests/security/base.php38
-rw-r--r--tests/security/extract_current_page_test.php23
-rw-r--r--tests/security/redirect_test.php12
3 files changed, 40 insertions, 33 deletions
diff --git a/tests/security/base.php b/tests/security/base.php
index 2658798237..08878ad60d 100644
--- a/tests/security/base.php
+++ b/tests/security/base.php
@@ -14,20 +14,20 @@ abstract class phpbb_security_test_base extends phpbb_test_case
*/
protected function setUp()
{
- global $user, $phpbb_root_path;
+ global $user, $phpbb_root_path, $request;
// Put this into a global function being run by every test to init a proper user session
- $_SERVER['HTTP_HOST'] = 'localhost';
- $_SERVER['SERVER_NAME'] = 'localhost';
- $_SERVER['SERVER_ADDR'] = '127.0.0.1';
- $_SERVER['SERVER_PORT'] = 80;
- $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
- $_SERVER['QUERY_STRING'] = '';
- $_SERVER['REQUEST_URI'] = '/tests/';
- $_SERVER['SCRIPT_NAME'] = '/tests/index.php';
- $_SERVER['PHP_SELF'] = '/tests/index.php';
- $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
- $_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
+ $server['HTTP_HOST'] = 'localhost';
+ $server['SERVER_NAME'] = 'localhost';
+ $server['SERVER_ADDR'] = '127.0.0.1';
+ $server['SERVER_PORT'] = 80;
+ $server['REMOTE_ADDR'] = '127.0.0.1';
+ $server['QUERY_STRING'] = '';
+ $server['REQUEST_URI'] = '/tests/';
+ $server['SCRIPT_NAME'] = '/tests/index.php';
+ $server['PHP_SELF'] = '/tests/index.php';
+ $server['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
+ $server['HTTP_ACCEPT_LANGUAGE'] = 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
/*
[HTTP_ACCEPT_ENCODING] => gzip,deflate
@@ -36,14 +36,16 @@ abstract class phpbb_security_test_base extends phpbb_test_case
[SCRIPT_FILENAME] => /var/www/tests/index.php
*/
+ $request = new phpbb_mock_request(array(), array(), array(), $server);
+
// Set no user and trick a bit to circumvent errors
- $user = new user();
+ $user = new phpbb_user();
$user->lang = true;
- $user->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
- $user->referer = (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : '';
- $user->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
- $user->host = (!empty($_SERVER['HTTP_HOST'])) ? (string) strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
- $user->page = session::extract_current_page($phpbb_root_path);
+ $user->browser = $server['HTTP_USER_AGENT'];
+ $user->referer = '';
+ $user->forwarded_for = '';
+ $user->host = $server['HTTP_HOST'];
+ $user->page = phpbb_session::extract_current_page($phpbb_root_path);
}
protected function tearDown()
diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php
index 0f5128884b..d77cbbcaf3 100644
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@@ -10,11 +10,10 @@
require_once dirname(__FILE__) . '/base.php';
require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
-require_once dirname(__FILE__) . '/../../phpBB/includes/session.php';
class phpbb_security_extract_current_page_test extends phpbb_security_test_base
{
- static public function security_variables()
+ public function security_variables()
{
return array(
array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
@@ -27,10 +26,14 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
*/
public function test_query_string_php_self($url, $query_string, $expected)
{
- $_SERVER['PHP_SELF'] = $url;
- $_SERVER['QUERY_STRING'] = $query_string;
+ global $request;
- $result = session::extract_current_page('./');
+ $request->merge(phpbb_request_interface::SERVER, array(
+ 'PHP_SELF' => $url,
+ 'QUERY_STRING' => $query_string,
+ ));
+
+ $result = phpbb_session::extract_current_page('./');
$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
$this->assertEquals($expected, $result['query_string'], $label);
@@ -41,10 +44,14 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
*/
public function test_query_string_request_uri($url, $query_string, $expected)
{
- $_SERVER['REQUEST_URI'] = $url . '?' . $query_string;
- $_SERVER['QUERY_STRING'] = $query_string;
+ global $request;
+
+ $request->merge(phpbb_request_interface::SERVER, array(
+ 'PHP_SELF' => $url,
+ 'QUERY_STRING' => $query_string,
+ ));
- $result = session::extract_current_page('./');
+ $result = phpbb_session::extract_current_page('./');
$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
$this->assertEquals($expected, $result['query_string'], $label);
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index 872a331dc7..8e36780ca4 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -10,27 +10,26 @@
require_once dirname(__FILE__) . '/base.php';
require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
-require_once dirname(__FILE__) . '/../../phpBB/includes/session.php';
class phpbb_security_redirect_test extends phpbb_security_test_base
{
- static public function provider()
+ public function provider()
{
// array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
return array(
array('data://x', false, 'http://localhost/phpBB'),
- array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false),
+ array('bad://localhost/phpBB/index.php', 'INSECURE_REDIRECT', false),
array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'),
- array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false),
+ array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'INSECURE_REDIRECT', false),
array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'),
- array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false),
+ array('http://localhost/phpBB/index.php;url=', 'INSECURE_REDIRECT', false),
);
}
protected function setUp()
{
parent::setUp();
-
+
$GLOBALS['config'] = array(
'force_server_vars' => '0',
);
@@ -57,4 +56,3 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
}
}
}
-
generated by cgit v1.2.1 (git 2.21.0) at 2025-03-21 13:42:56 +0000