<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php';
/**
 * Table-driven tests for validate_referer() as exposed by the session facade.
 *
 * Each provider row gives a referrer, the request host, the server settings
 * and the expected boolean verdict.
 *
 * NOTE(review): every row passes false for force_server_vars, so the branch
 * that relies on the configured server name/port is not exercised here.
 * NOTE(review): no row covers a referrer whose host merely begins with the
 * expected host name; consider adding one once the intended verdict for that
 * input is confirmed against validate_referer().
 */
class phpbb_session_validate_referrer_test extends phpbb_session_test_case
{
	/**
	 * Provide the database fixture for these tests: the empty-sessions data set.
	 */
	public function getDataSet()
	{
		$fixture = dirname(__FILE__) . '/fixtures/sessions_empty.xml';

		return $this->createXMLDataSet($fixture);
	}

	/**
	 * Data provider for test_referrer_inputs().
	 *
	 * Column order of every row:
	 * check path, referrer, host, force server vars, port, server name,
	 * root script path, expected result.
	 *
	 * Referrers are listed without a scheme; the test method adds it.
	 */
	public static function referrer_inputs()
	{
		$expected_host = "example.org";
		$foreign_host = "example.com";
		$host_port_80 = $expected_host . ':80';
		$host_port_81 = $expected_host . ':81';

		$rows = array();

		// Rows 0-1: referrer or host was not collected, so validation passes.
		$rows[] = array(false, '', $expected_host, false, 80, $expected_host, '', true);
		$rows[] = array(false, $expected_host, '', false, 80, $expected_host, '', true);

		// Row 2: referrer matches neither the host nor the server name.
		$rows[] = array(false, $foreign_host, $expected_host, false, 80, $expected_host, '', false);

		// Row 3: referrer and host agree.
		$rows[] = array(false, $expected_host, $expected_host, false, 80, $expected_host, '', true);

		// Rows 4-6: script path checking enabled.
		$rows[] = array(true, $expected_host, $expected_host, false, 80, $expected_host, '', true);
		$rows[] = array(true, $expected_host . '/foo', $expected_host, false, 80, $expected_host, '/foo', true);
		$rows[] = array(true, $expected_host . '/bar', $expected_host, false, 80, $expected_host, '/foo', false);

		// Rows 7-9: port handling (the port is only checked when the path is checked).
		$rows[] = array(true, $host_port_80 . '/foo', $host_port_80, false, 80, $host_port_80, '/foo', true);
		$rows[] = array(true, $host_port_80 . '/bar', $host_port_80, false, 80, $host_port_80, '/foo', false);
		// Referrer port 79 against a host and server on port 81 must be rejected.
		$rows[] = array(true, $expected_host . ':79/foo', $host_port_81, false, 81, $host_port_81, '/foo', false);

		return $rows;
	}

	/**
	 * Run one provider row through validate_referer() and compare the verdict.
	 *
	 * NOTE(review): assertEquals compares loosely, so a non-boolean return
	 * value equal to the expected flag would presumably pass as well; confirm
	 * whether a strict comparison is wanted for this security check.
	 *
	 * @dataProvider referrer_inputs
	 */
	public function test_referrer_inputs(
		$check_script_path,
		$referrer,
		$host,
		$force_server_vars,
		$server_port,
		$server_name,
		$root_script_path,
		$pass_or_fail
	)
	{
		// The provider supplies bare host/path values; the function under test
		// strips the scheme, so a non-empty referrer gets an http:// prefix.
		if ($referrer)
		{
			$referrer = 'http://' . $referrer;
		}
		else
		{
			$referrer = '';
		}

		$verdict = $this->session_facade->validate_referer(
			$check_script_path,
			$referrer,
			$host,
			$force_server_vars,
			$server_port,
			$server_name,
			$root_script_path
		);

		$negation = $pass_or_fail ? '' : "n't";
		$message = 'referrer should' . $negation . ' be validated';

		$this->assertEquals($pass_or_fail, $verdict, $message);
	}
}