aboutsummaryrefslogtreecommitdiffstats
path: root/tests/security
diff options
context:
space:
mode:
Diffstat (limited to 'tests/security')
-rw-r--r--tests/security/base.php50
-rw-r--r--tests/security/extract_current_page_test.php61
-rw-r--r--tests/security/redirect_test.php4
3 files changed, 39 insertions, 76 deletions
diff --git a/tests/security/base.php b/tests/security/base.php
index 5519cac441..330408b448 100644
--- a/tests/security/base.php
+++ b/tests/security/base.php
@@ -13,6 +13,8 @@
abstract class phpbb_security_test_base extends phpbb_test_case
{
+ protected $server = array();
+
/**
* Set up the required user object and server variables for the suites
*/
@@ -21,17 +23,18 @@ abstract class phpbb_security_test_base extends phpbb_test_case
global $user, $phpbb_root_path, $phpEx, $request, $symfony_request, $phpbb_filesystem;
// Put this into a global function being run by every test to init a proper user session
- $server['HTTP_HOST'] = 'localhost';
- $server['SERVER_NAME'] = 'localhost';
- $server['SERVER_ADDR'] = '127.0.0.1';
- $server['SERVER_PORT'] = 80;
- $server['REMOTE_ADDR'] = '127.0.0.1';
- $server['QUERY_STRING'] = '';
- $server['REQUEST_URI'] = '/tests/';
- $server['SCRIPT_NAME'] = '/tests/index.php';
- $server['PHP_SELF'] = '/tests/index.php';
- $server['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
- $server['HTTP_ACCEPT_LANGUAGE'] = 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
+ $this->server['HTTP_HOST'] = 'localhost';
+ $this->server['SERVER_NAME'] = 'localhost';
+ $this->server['SERVER_ADDR'] = '127.0.0.1';
+ $this->server['SERVER_PORT'] = 80;
+ $this->server['REMOTE_ADDR'] = '127.0.0.1';
+ $this->server['QUERY_STRING'] = '';
+ $this->server['REQUEST_URI'] = '/tests/';
+ $this->server['SCRIPT_NAME'] = '/tests/index.php';
+ $this->server['SCRIPT_FILENAME'] = '/var/www/tests/index.php';
+ $this->server['PHP_SELF'] = '/tests/index.php';
+ $this->server['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
+ $this->server['HTTP_ACCEPT_LANGUAGE'] = 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
/*
[HTTP_ACCEPT_ENCODING] => gzip,deflate
@@ -40,31 +43,18 @@ abstract class phpbb_security_test_base extends phpbb_test_case
[SCRIPT_FILENAME] => /var/www/tests/index.php
*/
- $request = new phpbb_mock_request(array(), array(), array(), $server);
- $symfony_request = $this->getMock("\phpbb\symfony_request", array(), array(
- $request,
- ));
- $symfony_request->expects($this->any())
- ->method('getScriptName')
- ->will($this->returnValue($server['SCRIPT_NAME']));
- $symfony_request->expects($this->any())
- ->method('getQueryString')
- ->will($this->returnValue($server['QUERY_STRING']));
- $symfony_request->expects($this->any())
- ->method('getBasePath')
- ->will($this->returnValue($server['REQUEST_URI']));
- $symfony_request->expects($this->any())
- ->method('getPathInfo')
- ->will($this->returnValue('/'));
- $phpbb_filesystem = new \phpbb\filesystem($symfony_request, $phpbb_root_path, $phpEx);
+ $request = new phpbb_mock_request(array(), array(), array(), $this->server);
+ $symfony_request = new \phpbb\symfony_request($request);
+
+ $phpbb_filesystem = new \phpbb\filesystem();
// Set no user and trick a bit to circumvent errors
$user = new \phpbb\user('\phpbb\datetime');
$user->lang = true;
- $user->browser = $server['HTTP_USER_AGENT'];
+ $user->browser = $this->server['HTTP_USER_AGENT'];
$user->referer = '';
$user->forwarded_for = '';
- $user->host = $server['HTTP_HOST'];
+ $user->host = $this->server['HTTP_HOST'];
$user->page = \phpbb\session::extract_current_page($phpbb_root_path);
}
diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php
index c127b69b2b..767b901a43 100644
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@@ -20,33 +20,25 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
public function security_variables()
{
return array(
- array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
- array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
+ array('mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E'),
+ array('mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E'),
+ array('mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E'),
);
}
/**
* @dataProvider security_variables
*/
- public function test_query_string_php_self($url, $query_string, $expected)
+ public function test_query_string_php_self($query_string, $expected)
{
global $symfony_request, $request;
- $symfony_request = $this->getMock("\phpbb\symfony_request", array(), array(
- $request,
- ));
- $symfony_request->expects($this->any())
- ->method('getScriptName')
- ->will($this->returnValue($this->sanitizer($url)));
- $symfony_request->expects($this->any())
- ->method('getQueryString')
- ->will($this->returnValue($this->sanitizer($query_string)));
- $symfony_request->expects($this->any())
- ->method('getBasePath')
- ->will($this->returnValue($server['REQUEST_URI']));
- $symfony_request->expects($this->sanitizer($this->any()))
- ->method('getPathInfo')
- ->will($this->returnValue($this->sanitizer('/')));
+ $this->server['REQUEST_URI'] = '';
+ $this->server['QUERY_STRING'] = $query_string;
+
+ $request = new phpbb_mock_request(array(), array(), array(), $this->server);
+ $symfony_request = new \phpbb\symfony_request($request);
+
$result = \phpbb\session::extract_current_page('./');
$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
@@ -56,41 +48,18 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
/**
* @dataProvider security_variables
*/
- public function test_query_string_request_uri($url, $query_string, $expected)
+ public function test_query_string_request_uri($query_string, $expected)
{
global $symfony_request, $request;
- $symfony_request = $this->getMock("\phpbb\symfony_request", array(), array(
- $request,
- ));
- $symfony_request->expects($this->any())
- ->method('getScriptName')
- ->will($this->returnValue($this->sanitizer($url)));
- $symfony_request->expects($this->any())
- ->method('getQueryString')
- ->will($this->returnValue($this->sanitizer($query_string)));
- $symfony_request->expects($this->any())
- ->method('getBasePath')
- ->will($this->returnValue($this->sanitizer($server['REQUEST_URI'])));
- $symfony_request->expects($this->any())
- ->method('getPathInfo')
- ->will($this->returnValue($this->sanitizer('/')));
+ $this->server['QUERY_STRING'] = $query_string;
+
+ $request = new phpbb_mock_request(array(), array(), array(), $this->server);
+ $symfony_request = new \phpbb\symfony_request($request);
$result = \phpbb\session::extract_current_page('./');
$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
$this->assertEquals($expected, $result['query_string'], $label);
}
-
- protected function sanitizer($value)
- {
- // Fix for objects passed in phpunit
- if (is_object($value))
- {
- return $value;
- }
- $type_cast_helper = new \phpbb\request\type_cast_helper();
- $type_cast_helper->set_var($value, $value, gettype($value), true);
- return str_replace('&amp;', '&', $value);
- }
}
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index 3961c2781e..21fb103ed1 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -73,6 +73,8 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
protected function setUp()
{
+ global $phpbb_dispatcher;
+
parent::setUp();
$GLOBALS['config'] = array(
@@ -80,6 +82,8 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
);
$this->path_helper = $this->get_path_helper();
+
+ $phpbb_dispatcher = new phpbb_mock_event_dispatcher();
}
/**
generated by cgit v1.2.1 (git 2.21.0) at 2025-05-15 16:59:27 +0000