From 0bf6966c5228d446c4f0d3862619db0f619c7369 Mon Sep 17 00:00:00 2001
From: Igor Wiedler <igor@wiedler.ch>
Date: Wed, 13 Jul 2011 19:20:16 +0200
Subject: [feature/request-class] Add server(), header() and is_ajax() to
 request

Extend the request class with helpers for reading server vars (server())
and HTTP request headers (header()). Refactor the existing code base
to make use of these helpers, make $_SERVER a deactivated super global.

Also introduce an is_ajax() method, which checks the X-Requested-With
header for the value 'XMLHttpRequest', which is sent by JavaScript
libraries, such as jQuery.

PHPBB3-9716
---
 tests/security/base.php                      | 36 +++++++++++++++-------------
 tests/security/extract_current_page_test.php | 16 +++++++++----
 2 files changed, 32 insertions(+), 20 deletions(-)

(limited to 'tests/security')

diff --git a/tests/security/base.php b/tests/security/base.php
index db9c884cf4..4b259a2aac 100644
--- a/tests/security/base.php
+++ b/tests/security/base.php
@@ -7,6 +7,8 @@
 *
 */
 
+require_once dirname(__FILE__) . '/../mock/request.php';
+
 abstract class phpbb_security_test_base extends phpbb_test_case
 {
 	/**
@@ -14,20 +16,20 @@ abstract class phpbb_security_test_base extends phpbb_test_case
 	*/
 	protected function setUp()
 	{
-		global $user, $phpbb_root_path;
+		global $user, $phpbb_root_path, $request;
 
 		// Put this into a global function being run by every test to init a proper user session
-		$_SERVER['HTTP_HOST']		= 'localhost';
-		$_SERVER['SERVER_NAME']		= 'localhost';
-		$_SERVER['SERVER_ADDR']		= '127.0.0.1';
-		$_SERVER['SERVER_PORT']		= 80;
-		$_SERVER['REMOTE_ADDR']		= '127.0.0.1';
-		$_SERVER['QUERY_STRING']	= '';
-		$_SERVER['REQUEST_URI']		= '/tests/';
-		$_SERVER['SCRIPT_NAME']		= '/tests/index.php';
-		$_SERVER['PHP_SELF']		= '/tests/index.php';
-		$_SERVER['HTTP_USER_AGENT']	= 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
-		$_SERVER['HTTP_ACCEPT_LANGUAGE']	= 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
+		$server['HTTP_HOST']		= 'localhost';
+		$server['SERVER_NAME']		= 'localhost';
+		$server['SERVER_ADDR']		= '127.0.0.1';
+		$server['SERVER_PORT']		= 80;
+		$server['REMOTE_ADDR']		= '127.0.0.1';
+		$server['QUERY_STRING']	= '';
+		$server['REQUEST_URI']		= '/tests/';
+		$server['SCRIPT_NAME']		= '/tests/index.php';
+		$server['PHP_SELF']		= '/tests/index.php';
+		$server['HTTP_USER_AGENT']	= 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
+		$server['HTTP_ACCEPT_LANGUAGE']	= 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
 
 /*
 		[HTTP_ACCEPT_ENCODING] => gzip,deflate
@@ -36,13 +38,15 @@ abstract class phpbb_security_test_base extends phpbb_test_case
 		[SCRIPT_FILENAME] => /var/www/tests/index.php
 */
 
+		$request = new phpbb_mock_request(array(), array(), array(), $server);
+
 		// Set no user and trick a bit to circumvent errors
 		$user = new user();
 		$user->lang = true;
-		$user->browser				= (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
-		$user->referer				= (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : '';
-		$user->forwarded_for		= (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
-		$user->host					= (!empty($_SERVER['HTTP_HOST'])) ? (string) strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
+		$user->browser				= $server['HTTP_USER_AGENT'];
+		$user->referer				= '';
+		$user->forwarded_for		= '';
+		$user->host					= $server['HTTP_HOST'];
 		$user->page = session::extract_current_page($phpbb_root_path);
 	}
 
diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php
index 71c7a3a397..34c7b52f49 100644
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@@ -27,8 +27,12 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 	*/
 	public function test_query_string_php_self($url, $query_string, $expected)
 	{
-		$_SERVER['PHP_SELF'] = $url;
-		$_SERVER['QUERY_STRING'] = $query_string;
+		global $request;
+
+		$request->merge(phpbb_request_interface::SERVER, array(
+			'PHP_SELF'	=> $url,
+			'QUERY_STRING'	=> $query_string,
+		));
 
 		$result = session::extract_current_page('./');
 
@@ -41,8 +45,12 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 	*/
 	public function test_query_string_request_uri($url, $query_string, $expected)
 	{
-		$_SERVER['REQUEST_URI'] = $url . '?' . $query_string;
-		$_SERVER['QUERY_STRING'] = $query_string;
+		global $request;
+
+		$request->merge(phpbb_request_interface::SERVER, array(
+			'PHP_SELF'	=> $url,
+			'QUERY_STRING'	=> $query_string,
+		));
 
 		$result = session::extract_current_page('./');
 
-- 
cgit v1.2.1


From 17991823ea72ef973852fd9d0a9c516703f2137e Mon Sep 17 00:00:00 2001
From: Unknown <unknownbliss@phpbbdevelopers.net>
Date: Sat, 31 Dec 2011 16:05:02 +0000
Subject: [ticket/9916] Updating License in the header

PHPBB3-9916
---
 tests/security/base.php                      | 2 +-
 tests/security/extract_current_page_test.php | 2 +-
 tests/security/hash_test.php                 | 2 +-
 tests/security/redirect_test.php             | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'tests/security')

diff --git a/tests/security/base.php b/tests/security/base.php
index db9c884cf4..2658798237 100644
--- a/tests/security/base.php
+++ b/tests/security/base.php
@@ -3,7 +3,7 @@
 *
 * @package testing
 * @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
 *
 */
 
diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php
index 71c7a3a397..4911f7b452 100644
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@@ -3,7 +3,7 @@
 *
 * @package testing
 * @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
 *
 */
 
diff --git a/tests/security/hash_test.php b/tests/security/hash_test.php
index 19a3822145..0c2580c19b 100644
--- a/tests/security/hash_test.php
+++ b/tests/security/hash_test.php
@@ -3,7 +3,7 @@
 *
 * @package testing
 * @copyright (c) 2011 phpBB Group
-* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
 *
 */
 
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index 70ba8527b1..4848a938c6 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -3,7 +3,7 @@
 *
 * @package testing
 * @copyright (c) 2008 phpBB Group
-* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
 *
 */
 
-- 
cgit v1.2.1


From 6deb7b3671c29ab7ce1db6e11b5c6be0950d265f Mon Sep 17 00:00:00 2001
From: Igor Wiedler <igor@wiedler.ch>
Date: Sat, 31 Mar 2012 02:50:19 +0200
Subject: [feature/class-prefix] Rename user and session to phpbb_*

PHPBB-10609
---
 tests/security/base.php                      | 4 ++--
 tests/security/extract_current_page_test.php | 5 ++---
 tests/security/redirect_test.php             | 1 -
 3 files changed, 4 insertions(+), 6 deletions(-)

(limited to 'tests/security')

diff --git a/tests/security/base.php b/tests/security/base.php
index f7f3f9f661..82e4dda9d0 100644
--- a/tests/security/base.php
+++ b/tests/security/base.php
@@ -41,13 +41,13 @@ abstract class phpbb_security_test_base extends phpbb_test_case
 		$request = new phpbb_mock_request(array(), array(), array(), $server);
 
 		// Set no user and trick a bit to circumvent errors
-		$user = new user();
+		$user = new phpbb_user();
 		$user->lang = true;
 		$user->browser				= $server['HTTP_USER_AGENT'];
 		$user->referer				= '';
 		$user->forwarded_for		= '';
 		$user->host					= $server['HTTP_HOST'];
-		$user->page = session::extract_current_page($phpbb_root_path);
+		$user->page = phpbb_session::extract_current_page($phpbb_root_path);
 	}
 
 	protected function tearDown()
diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php
index 00fc3b5841..b4a475ffb3 100644
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@@ -10,7 +10,6 @@
 require_once dirname(__FILE__) . '/base.php';
 
 require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
-require_once dirname(__FILE__) . '/../../phpBB/includes/session.php';
 
 class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 {
@@ -34,7 +33,7 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 			'QUERY_STRING'	=> $query_string,
 		));
 
-		$result = session::extract_current_page('./');
+		$result = phpbb_session::extract_current_page('./');
 
 		$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
 		$this->assertEquals($expected, $result['query_string'], $label);
@@ -52,7 +51,7 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 			'QUERY_STRING'	=> $query_string,
 		));
 
-		$result = session::extract_current_page('./');
+		$result = phpbb_session::extract_current_page('./');
 
 		$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
 		$this->assertEquals($expected, $result['query_string'], $label);
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index 634a506ab9..da318209e2 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -10,7 +10,6 @@
 require_once dirname(__FILE__) . '/base.php';
 
 require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
-require_once dirname(__FILE__) . '/../../phpBB/includes/session.php';
 
 class phpbb_security_redirect_test extends phpbb_security_test_base
 {
-- 
cgit v1.2.1


From f5bac7686b1678dbd33eddd368d845237bb18943 Mon Sep 17 00:00:00 2001
From: Vjacheslav Trushkin <arty@phpbb.com>
Date: Sun, 1 Apr 2012 19:14:53 +0300
Subject: [ticket/10733] Removing static from data providers

Removing static from data provider functions

PHPBB3-10733
---
 tests/security/extract_current_page_test.php | 2 +-
 tests/security/redirect_test.php             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'tests/security')

diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php
index b4a475ffb3..d77cbbcaf3 100644
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@@ -13,7 +13,7 @@ require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
 
 class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 {
-	public static function security_variables()
+	public function security_variables()
 	{
 		return array(
 			array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index da318209e2..1325466137 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -13,7 +13,7 @@ require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
 
 class phpbb_security_redirect_test extends phpbb_security_test_base
 {
-	public static function provider()
+	public function provider()
 	{
 		// array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
 		return array(
-- 
cgit v1.2.1


From d3bbde69c441a5d795a16e66c9cc7a9194f42218 Mon Sep 17 00:00:00 2001
From: Andreas Fischer <bantu@phpbb.com>
Date: Sun, 8 Jul 2012 22:53:45 +0200
Subject: [ticket/10973] Drop all require_once for mocks. Use autoloading.

PHPBB3-10973
---
 tests/security/base.php | 2 --
 1 file changed, 2 deletions(-)

(limited to 'tests/security')

diff --git a/tests/security/base.php b/tests/security/base.php
index 82e4dda9d0..08878ad60d 100644
--- a/tests/security/base.php
+++ b/tests/security/base.php
@@ -7,8 +7,6 @@
 *
 */
 
-require_once dirname(__FILE__) . '/../mock/request.php';
-
 abstract class phpbb_security_test_base extends phpbb_test_case
 {
 	/**
-- 
cgit v1.2.1