From 9a52bd030189280f48a35d3b9e52f9d77071cb5e Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Mon, 3 Jan 2011 22:21:54 +0100 Subject: [task/phpunit-xml] Use phpunit.xml for test suite PHPBB3-9967 --- tests/security/all_tests.php | 86 --------------------------------- tests/security/base.php | 54 +++++++++++++++++++++ tests/security/extract_current_page.php | 8 +-- tests/security/redirect.php | 12 +++-- 4 files changed, 65 insertions(+), 95 deletions(-) delete mode 100644 tests/security/all_tests.php create mode 100644 tests/security/base.php (limited to 'tests/security') diff --git a/tests/security/all_tests.php b/tests/security/all_tests.php deleted file mode 100644 index 8e3916733f..0000000000 --- a/tests/security/all_tests.php +++ /dev/null @@ -1,86 +0,0 @@ - gzip,deflate - [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7 - DOCUMENT_ROOT] => /var/www/ - [SCRIPT_FILENAME] => /var/www/tests/index.php -*/ - - // Set no user and trick a bit to circumvent errors - $user = new user(); - $user->lang = true; - $user->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : ''; - $user->referer = (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : ''; - $user->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : ''; - $user->host = (!empty($_SERVER['HTTP_HOST'])) ? (string) strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME')); - $user->page = session::extract_current_page($phpbb_root_path); - } - - protected function tearDown() - { - global $user; - $user = NULL; - } - - public static function main() - { - PHPUnit_TextUI_TestRunner::run(self::suite()); - } - - public static function suite() - { - // I bet there is a better method calling this... :) - $suite = new phpbb_security_all_tests('phpBB Security Fixes'); - - $suite->addTestSuite('phpbb_security_extract_current_page_test'); - $suite->addTestSuite('phpbb_security_redirect_test'); - - return $suite; - } -} - -if (PHPUnit_MAIN_METHOD == 'phpbb_security_all_tests::main') -{ - phpbb_security_all_tests::main(); -} diff --git a/tests/security/base.php b/tests/security/base.php new file mode 100644 index 0000000000..db9c884cf4 --- /dev/null +++ b/tests/security/base.php @@ -0,0 +1,54 @@ + gzip,deflate + [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7 + DOCUMENT_ROOT] => /var/www/ + [SCRIPT_FILENAME] => /var/www/tests/index.php +*/ + + // Set no user and trick a bit to circumvent errors + $user = new user(); + $user->lang = true; + $user->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : ''; + $user->referer = (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : ''; + $user->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : ''; + $user->host = (!empty($_SERVER['HTTP_HOST'])) ? (string) strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME')); + $user->page = session::extract_current_page($phpbb_root_path); + } + + protected function tearDown() + { + global $user; + $user = NULL; + } +} diff --git a/tests/security/extract_current_page.php b/tests/security/extract_current_page.php index 8c72fe1440..ff0ab4d1bb 100644 --- a/tests/security/extract_current_page.php +++ b/tests/security/extract_current_page.php @@ -7,12 +7,12 @@ * */ -require_once 'test_framework/framework.php'; +require_once __DIR__ . '/base.php'; -require_once '../phpBB/includes/functions.php'; -require_once '../phpBB/includes/session.php'; +require_once __DIR__ . '/../../phpBB/includes/functions.php'; +require_once __DIR__ . '/../../phpBB/includes/session.php'; -class phpbb_security_extract_current_page_test extends phpbb_test_case +class phpbb_security_extract_current_page_test extends phpbb_security_test_base { public static function security_variables() { diff --git a/tests/security/redirect.php b/tests/security/redirect.php index 37b0a5bb41..c53414e7df 100644 --- a/tests/security/redirect.php +++ b/tests/security/redirect.php @@ -7,12 +7,12 @@ * */ -require_once 'test_framework/framework.php'; +require_once __DIR__ . '/base.php'; -require_once '../phpBB/includes/functions.php'; -require_once '../phpBB/includes/session.php'; +require_once __DIR__ . '/../../phpBB/includes/functions.php'; +require_once __DIR__ . '/../../phpBB/includes/session.php'; -class phpbb_security_redirect_test extends phpbb_test_case +class phpbb_security_redirect_test extends phpbb_security_test_base { public static function provider() { @@ -22,13 +22,15 @@ class phpbb_security_redirect_test extends phpbb_test_case array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false), array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'), array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false), - array('javascript:test', false, 'http://localhost/phpBB/../tests/javascript:test'), + array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'), array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false), ); } protected function setUp() { + parent::setUp(); + $GLOBALS['config'] = array( 'force_server_vars' => '0', ); -- cgit v1.2.1 From 01fe91c5c4e897801f5c179cd4060e686762f105 Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Mon, 10 Jan 2011 00:18:37 +0100 Subject: [ticket/9987] Rename test files to include a _test suffix PHPBB3-9987 --- tests/security/extract_current_page.php | 53 ------------------------ tests/security/extract_current_page_test.php | 53 ++++++++++++++++++++++++ tests/security/redirect.php | 60 ---------------------------- tests/security/redirect_test.php | 60 ++++++++++++++++++++++++++++ 4 files changed, 113 insertions(+), 113 deletions(-) delete mode 100644 tests/security/extract_current_page.php create mode 100644 tests/security/extract_current_page_test.php delete mode 100644 tests/security/redirect.php create mode 100644 tests/security/redirect_test.php (limited to 'tests/security') diff --git a/tests/security/extract_current_page.php b/tests/security/extract_current_page.php deleted file mode 100644 index ff0ab4d1bb..0000000000 --- a/tests/security/extract_current_page.php +++ /dev/null @@ -1,53 +0,0 @@ -', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'), - array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'), - ); - } - - /** - * @dataProvider security_variables - */ - public function test_query_string_php_self($url, $query_string, $expected) - { - $_SERVER['PHP_SELF'] = $url; - $_SERVER['QUERY_STRING'] = $query_string; - - $result = session::extract_current_page('./'); - - $label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.'; - $this->assertEquals($expected, $result['query_string'], $label); - } - - /** - * @dataProvider security_variables - */ - public function test_query_string_request_uri($url, $query_string, $expected) - { - $_SERVER['REQUEST_URI'] = $url . '?' . $query_string; - $_SERVER['QUERY_STRING'] = $query_string; - - $result = session::extract_current_page('./'); - - $label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.'; - $this->assertEquals($expected, $result['query_string'], $label); - } -} - diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php new file mode 100644 index 0000000000..ff0ab4d1bb --- /dev/null +++ b/tests/security/extract_current_page_test.php @@ -0,0 +1,53 @@ +', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'), + array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'), + ); + } + + /** + * @dataProvider security_variables + */ + public function test_query_string_php_self($url, $query_string, $expected) + { + $_SERVER['PHP_SELF'] = $url; + $_SERVER['QUERY_STRING'] = $query_string; + + $result = session::extract_current_page('./'); + + $label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.'; + $this->assertEquals($expected, $result['query_string'], $label); + } + + /** + * @dataProvider security_variables + */ + public function test_query_string_request_uri($url, $query_string, $expected) + { + $_SERVER['REQUEST_URI'] = $url . '?' . $query_string; + $_SERVER['QUERY_STRING'] = $query_string; + + $result = session::extract_current_page('./'); + + $label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.'; + $this->assertEquals($expected, $result['query_string'], $label); + } +} + diff --git a/tests/security/redirect.php b/tests/security/redirect.php deleted file mode 100644 index c53414e7df..0000000000 --- a/tests/security/redirect.php +++ /dev/null @@ -1,60 +0,0 @@ - redirect(), expected triggered error (else false), expected returned result url (else false)) - return array( - array('data://x', false, 'http://localhost/phpBB'), - array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false), - array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'), - array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false), - array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'), - array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false), - ); - } - - protected function setUp() - { - parent::setUp(); - - $GLOBALS['config'] = array( - 'force_server_vars' => '0', - ); - } - - /** - * @dataProvider provider - */ - public function test_redirect($test, $expected_error, $expected_result) - { - global $user; - - if ($expected_error !== false) - { - $this->setExpectedTriggerError(E_USER_ERROR, $expected_error); - } - - $result = redirect($test, true); - - // only verify result if we did not expect an error - if ($expected_error === false) - { - $this->assertEquals($expected_result, $result); - } - } -} - diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php new file mode 100644 index 0000000000..c53414e7df --- /dev/null +++ b/tests/security/redirect_test.php @@ -0,0 +1,60 @@ + redirect(), expected triggered error (else false), expected returned result url (else false)) + return array( + array('data://x', false, 'http://localhost/phpBB'), + array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false), + array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'), + array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false), + array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'), + array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false), + ); + } + + protected function setUp() + { + parent::setUp(); + + $GLOBALS['config'] = array( + 'force_server_vars' => '0', + ); + } + + /** + * @dataProvider provider + */ + public function test_redirect($test, $expected_error, $expected_result) + { + global $user; + + if ($expected_error !== false) + { + $this->setExpectedTriggerError(E_USER_ERROR, $expected_error); + } + + $result = redirect($test, true); + + // only verify result if we did not expect an error + if ($expected_error === false) + { + $this->assertEquals($expected_result, $result); + } + } +} + -- cgit v1.2.1 From 14891cdf4ecf0e3ee164962be6685b8563f37a15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erik=20Fr=C3=A8rejean?= Date: Mon, 31 Jan 2011 12:58:18 +0100 Subject: [ticket/10011] Tests don't work on PHP < 5.3 Due to the usage of `__DIR__` for the file includes the tests can't be ran on systems with PHP < 5.3. Replace all occurances of `__DIR__` with `dirname(__FILE__)`. PHPBB3-10011 --- tests/security/extract_current_page_test.php | 6 +++--- tests/security/redirect_test.php | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'tests/security') diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php index ff0ab4d1bb..71c7a3a397 100644 --- a/tests/security/extract_current_page_test.php +++ b/tests/security/extract_current_page_test.php @@ -7,10 +7,10 @@ * */ -require_once __DIR__ . '/base.php'; +require_once dirname(__FILE__) . '/base.php'; -require_once __DIR__ . '/../../phpBB/includes/functions.php'; -require_once __DIR__ . '/../../phpBB/includes/session.php'; +require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php'; +require_once dirname(__FILE__) . '/../../phpBB/includes/session.php'; class phpbb_security_extract_current_page_test extends phpbb_security_test_base { diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php index c53414e7df..70ba8527b1 100644 --- a/tests/security/redirect_test.php +++ b/tests/security/redirect_test.php @@ -7,10 +7,10 @@ * */ -require_once __DIR__ . '/base.php'; +require_once dirname(__FILE__) . '/base.php'; -require_once __DIR__ . '/../../phpBB/includes/functions.php'; -require_once __DIR__ . '/../../phpBB/includes/session.php'; +require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php'; +require_once dirname(__FILE__) . '/../../phpBB/includes/session.php'; class phpbb_security_redirect_test extends phpbb_security_test_base { -- cgit v1.2.1 From 4c3cc152c81af57ec0a25bfee5da4964309a3aa5 Mon Sep 17 00:00:00 2001 From: Igor Wiedler Date: Sun, 20 Mar 2011 22:52:31 +0100 Subject: [ticket/10101] Add test case for native phpass hashes PHPBB3-10101 --- tests/security/hash_test.php | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 tests/security/hash_test.php (limited to 'tests/security') diff --git a/tests/security/hash_test.php b/tests/security/hash_test.php new file mode 100644 index 0000000000..19a3822145 --- /dev/null +++ b/tests/security/hash_test.php @@ -0,0 +1,21 @@ +assertTrue(phpbb_check_hash('test', '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1')); + $this->assertTrue(phpbb_check_hash('test', '$P$9isfrtKXWqrz8PvztXlL3.daw4U0zI1')); + $this->assertFalse(phpbb_check_hash('foo', '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1')); + } +} + -- cgit v1.2.1