From 882a3c383103802c491404032c5d267e4f5271a0 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 22 Jul 2017 17:26:41 +0200 Subject: [ticket/security/211] Make sure website URL only uses http & https schemes SECURITY-211 --- tests/profilefields/type_url_test.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'tests') diff --git a/tests/profilefields/type_url_test.php b/tests/profilefields/type_url_test.php index cc37f04f30..aaba227348 100644 --- a/tests/profilefields/type_url_test.php +++ b/tests/profilefields/type_url_test.php @@ -89,6 +89,19 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case 'FIELD_INVALID_URL-field', 'Field should reject invalid URL having multi value parameters', ), + // Not allowed schemes + array( + 'ftp://example.com/', + array(), + 'FIELD_INVALID_URL-field', + 'Field should reject invalid URL having multi value parameters', + ), + array( + 'javascript://alert.com', + array(), + 'FIELD_INVALID_URL-field', + 'Field should reject invalid URL having multi value parameters', + ), // IDN url type profilefields array( -- cgit v1.2.1 From 91f9050a70d95a472daf9f6fa15187c195f05909 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 23 Jul 2017 11:18:07 +0200 Subject: [ticket/security/211] Extend tests for profile field values SECURITY-211 --- tests/profilefields/type_string_test.php | 12 +++++++ tests/profilefields/type_url_test.php | 54 ++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) (limited to 'tests') diff --git a/tests/profilefields/type_string_test.php b/tests/profilefields/type_string_test.php index 0417afbfab..43f88c01ae 100644 --- a/tests/profilefields/type_string_test.php +++ b/tests/profilefields/type_string_test.php @@ -270,6 +270,18 @@ class phpbb_profilefield_type_string_test extends phpbb_test_case null, 'Field should simply output null for empty vlaue', ), + array( + 'http://foobar.com', + array('field_show_novalue' => false), + 'http://foobar.com', + 'Field should output the given value but not make it clickable', + ), + array( + 'javascript://foobar.com', + array('field_show_novalue' => true), + 'javascript://foobar.com', + 'Field should output the given value but not make it clickable', + ), ); } diff --git a/tests/profilefields/type_url_test.php b/tests/profilefields/type_url_test.php index aaba227348..af17cc125a 100644 --- a/tests/profilefields/type_url_test.php +++ b/tests/profilefields/type_url_test.php @@ -12,6 +12,8 @@ */ require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php'; +require_once dirname(__FILE__) . '/../../phpBB/includes/functions_content.php'; +require_once dirname(__FILE__) . '/../../phpBB/includes/utf/utf_tools.php'; class phpbb_profilefield_type_url_test extends phpbb_test_case { @@ -26,6 +28,9 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case */ public function setUp() { + global $request, $user, $cache; + + $cache = new phpbb_mock_cache; $user = $this->getMock('\phpbb\user', array(), array('\phpbb\datetime')); $user->expects($this->any()) ->method('lang') @@ -175,6 +180,55 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case ); } + public function profile_value_data() + { + return array( + array( + 'http://foobar.com', + array('field_show_novalue' => true), + 'foobar.com', + 'Field should output the given value', + ), + array( + 'http://foobar.com', + array('field_show_novalue' => false), + 'foobar.com', + 'Field should output the given value', + ), + array( + 'test', + array('field_show_novalue' => true), + null, + 'Field should output nothing for empty value', + ), + array( + 'test', + array('field_show_novalue' => false), + null, + 'Field should simply output null for empty value', + ), + array( + 'javascript://foobar.com', + array('field_show_novalue' => true), + null, + 'Field should output nothing for empty value', + ), + ); + } + + + /** + * @dataProvider profile_value_data + */ + public function test_get_profile_value($value, $field_options, $expected, $description) + { + $field_options = array_merge($this->field_options, $field_options); + + $result = $this->cp->get_profile_value($value, $field_options); + + $this->assertSame($expected, $result, $description); + } + /** * @dataProvider profile_value_raw_data */ -- cgit v1.2.1 From 0aba1faa0803af6013c9ac2071e87f117e9c4835 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 26 Jul 2017 21:14:05 +0200 Subject: [ticket/security/211] Do not match javascript URIs with URL regexes SECURITY-211 --- tests/functions/make_clickable_test.php | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'tests') diff --git a/tests/functions/make_clickable_test.php b/tests/functions/make_clickable_test.php index 63beeb06b2..2cdefe689d 100644 --- a/tests/functions/make_clickable_test.php +++ b/tests/functions/make_clickable_test.php @@ -55,6 +55,10 @@ class phpbb_functions_make_clickable_test extends phpbb_test_case 'http://testhost/viewtopic.php?t=1', 'viewtopic.php?t=1' ), + array( + 'javascript://testhost/viewtopic.php?t=1', + 'javascript://testhost/viewtopic.php?t=1' + ), array( 'email@domain.com', 'email@domain.com' @@ -92,6 +96,10 @@ class phpbb_functions_make_clickable_test extends phpbb_test_case 'ftp://ftp.täst.de/', 'ftp://ftp.täst.de/' ), + array( + 'javascript://täst.de/', + 'javascript://täst.de/' + ), array( 'sip://bantu@täst.de', 'sip://bantu@täst.de' -- cgit v1.2.1 From f7d387f93c421e93ef13375bd5e0fb408e921598 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 27 Jul 2017 18:23:43 +0200 Subject: [ticket/security/211] Add test for line breaks in URL SECURITY-211 --- tests/functions/make_clickable_test.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'tests') diff --git a/tests/functions/make_clickable_test.php b/tests/functions/make_clickable_test.php index 2cdefe689d..2bb7721d21 100644 --- a/tests/functions/make_clickable_test.php +++ b/tests/functions/make_clickable_test.php @@ -59,6 +59,10 @@ class phpbb_functions_make_clickable_test extends phpbb_test_case 'javascript://testhost/viewtopic.php?t=1', 'javascript://testhost/viewtopic.php?t=1' ), + array( + "java\nscri\npt://testhost/viewtopic.php?t=1", + "java\nscri\npt://testhost/viewtopic.php?t=1" + ), array( 'email@domain.com', 'email@domain.com' -- cgit v1.2.1 From 342a7cbd55829283663ad6ba29f924eeb53fca38 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 3 Aug 2017 22:20:33 +0200 Subject: [ticket/security/211] Allow make_clickable() again after change to regex SECURITY-211 --- tests/profilefields/type_string_test.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tests') diff --git a/tests/profilefields/type_string_test.php b/tests/profilefields/type_string_test.php index 43f88c01ae..9709b48470 100644 --- a/tests/profilefields/type_string_test.php +++ b/tests/profilefields/type_string_test.php @@ -273,8 +273,8 @@ class phpbb_profilefield_type_string_test extends phpbb_test_case array( 'http://foobar.com', array('field_show_novalue' => false), - 'http://foobar.com', - 'Field should output the given value but not make it clickable', + 'foobar.com', + 'Field should output the given value and make it clickable', ), array( 'javascript://foobar.com', -- cgit v1.2.1