From 6a59f3efd68ad9467d053bd151273e898ce65504 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sun, 8 Jun 2008 21:43:27 +0000 Subject: fix security test for redirect. Also set common server variables to mimick a real testbed. git-svn-id: file:///svn/phpbb/trunk@8623 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 tests/security/redirect.php | 44 +++++++++++++++++++++++++++++++++----------- 1 file changed, 33 insertions(+), 11 deletions(-) (limited to 'tests/security/redirect.php')
diff --git a/tests/security/redirect.php b/tests/security/redirect.php
index c2613c3265..88e8e3d0a9 100644
--- a/tests/security/redirect.php
+++ b/tests/security/redirect.php
@@ -21,11 +21,17 @@ require_once '../phpBB/includes/session.php';
 
 class phpbb_security_redirect_test extends PHPUnit_Extensions_OutputTestCase
 {
+ protected $error_triggered = false;
+
 public static function provider()
 {
+ // array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
 return array(
- array('data://x', 'Tried to redirect to potentially insecure url.', 'data://x'),
- array('javascript:test', '', 'http://../tests/javascript:test'),
+ array('data://x', false, 'http://localhost/phpBB'),
+ array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'),
+ array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false),
+ array('javascript:test', false, 'http://localhost/phpBB/../tests/javascript:test'),
+ array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false),
 );
 }
 
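Review bot: The only header-injection row in provider() uses the single sequence `\n\rConnection: close`, so the test would keep passing if redirect() rejected just one of the two characters; separate rows for a lone `\r`, a lone `\n` and `\r\n` would pin that down (how redirect() detects them is not visible in this hunk). The two rejected rows would also read better with a short comment saying what each guards against, for example `// CR/LF in the target must be rejected (presumably response-header splitting)` above the memberlist.php row. The new `$error_triggered` property has no doc comment; `/** @var bool set by own_error_handler() when redirect() raises an error */` would cover it. provider() is complete in this hunk, while the class continues past it.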
@@ -35,26 +41,42 @@ class phpbb_security_redirect_test extends PHPUnit_Extensions_OutputTestCase
 public function own_error_handler($errno, $errstr, $errfile, $errline)
 {
 echo $errstr;
+ $this->error_triggered = true;
 }
 
 /**
 * @dataProvider provider
 */
- public function test_redirect($test, $expected_output, $expected_result)
+ public function test_redirect($test, $expected_error, $expected_result)
 {
 global $user;
 
- // Set no user and trick a bit to circumvent errors
- $user = new user();
- $user->lang = true;
- $user->page = session::extract_current_page(PHPBB_ROOT_PATH);
+ set_error_handler(array($this, 'own_error_handler'));
+ $result = redirect($test, true);
+
+ // If we expect no error and a returned result, we set the output string to be expected and check if an error was triggered (then fail instantly)
+ if ($expected_error === false)
+ {
+ $this->expectOutputString($expected_result);
+ print $result;
 
- $this->expectOutputString($expected_output . '#' . $expected_result);
+ if ($this->error_triggered)
+ {
+ $this->fail();
+ }
+ }
+ // If we expect an error, we set the expected output string to the error and check if there was an error triggered.
+ else
+ {
+ $this->expectOutputString($expected_error);
 
- set_error_handler(array($this, 'own_error_handler'));
+ if (!$this->error_triggered)
+ {
+ $this->fail();
+ }
 
- $result = redirect($test, true);
- print "#" . $result;
+ $this->error_triggered = false;
+ }
 
 restore_error_handler();
 }
-- 
cgit v1.2.1
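Review bot: In the `else` branch of test_redirect the value returned by redirect() is never examined, so the two rejected provider rows pass as soon as the error fires, whatever URL comes back; `$expected_result` is `false` for those rows but nothing is compared against it. Since own_error_handler() only echoes and sets the flag, execution presumably continues inside redirect() after the error, so it is worth asserting on `$result` there as well. Separately, both `$this->fail();` calls throw before `restore_error_handler();` is reached, which leaves the test handler installed for later tests, and they carry no message. Replacing the first with `$this->assertFalse($this->error_triggered, 'redirect() raised an error for a URL expected to be rewritten');` and restoring the handler in tearDown() would address both. test_redirect is shown in full here, but the class starts outside the hunk.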