diff --git a/tests/security/all_tests.php b/tests/security/all_tests.php index 4b65b97e84..bc482f1f90 100644 --- a/tests/security/all_tests.php +++ b/tests/security/all_tests.php @@ -21,8 +21,51 @@ require_once 'PHPUnit/TextUI/TestRunner.php'; require_once 'security/extract_current_page.php'; require_once 'security/redirect.php'; -class phpbb_security_all_tests +class phpbb_security_all_tests extends PHPUnit_Framework_TestSuite { + /** + * Set up the required user object and server variables for the suites + */ + protected function setUp() + { + global $user; + + // Put this into a global function being run by every test to init a proper user session + $_SERVER['HTTP_HOST'] = 'localhost'; + $_SERVER['SERVER_NAME'] = 'localhost'; + $_SERVER['SERVER_ADDR'] = '127.0.0.1'; + $_SERVER['SERVER_PORT'] = 80; + $_SERVER['REMOTE_ADDR'] = '127.0.0.1'; + $_SERVER['QUERY_STRING'] = ''; + $_SERVER['REQUEST_URI'] = '/tests/'; + $_SERVER['SCRIPT_NAME'] = '/tests/index.php'; + $_SERVER['PHP_SELF'] = '/tests/index.php'; + $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14'; + $_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3'; + +/* + [HTTP_ACCEPT_ENCODING] => gzip,deflate + [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7 + DOCUMENT_ROOT] => /var/www/ + [SCRIPT_FILENAME] => /var/www/tests/index.php +*/ + + // Set no user and trick a bit to circumvent errors + $user = new user(); + $user->lang = true; + $user->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : ''; + $user->referer = (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : ''; + $user->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : ''; + $user->host = (!empty($_SERVER['HTTP_HOST'])) ? (string) strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME')); + $user->page = session::extract_current_page(PHPBB_ROOT_PATH); + } + + protected function tearDown() + { + global $user; + $user = NULL; + } + public static function main() { PHPUnit_TextUI_TestRunner::run(self::suite()); @@ -30,7 +73,8 @@ class phpbb_security_all_tests public static function suite() { - $suite = new PHPUnit_Framework_TestSuite('phpBB Security Fixes'); + // I bet there is a better method calling this... :) + $suite = new phpbb_security_all_tests('phpBB Security Fixes'); $suite->addTestSuite('phpbb_security_extract_current_page_test'); $suite->addTestSuite('phpbb_security_redirect_test'); diff --git a/tests/security/redirect.php b/tests/security/redirect.php index c2613c3265..88e8e3d0a9 100644 --- a/tests/security/redirect.php +++ b/tests/security/redirect.php @@ -21,11 +21,17 @@ require_once '../phpBB/includes/session.php'; class phpbb_security_redirect_test extends PHPUnit_Extensions_OutputTestCase { + protected $error_triggered = false; + public static function provider() { + // array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false)) return array( - array('data://x', 'Tried to redirect to potentially insecure url.', 'data://x'), - array('javascript:test', '', 'http://../tests/javascript:test'), + array('data://x', false, 'http://localhost/phpBB'), + array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'), + array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false), + array('javascript:test', false, 'http://localhost/phpBB/../tests/javascript:test'), + array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false), ); } @@ -35,26 +41,42 @@ class phpbb_security_redirect_test extends PHPUnit_Extensions_OutputTestCase public function own_error_handler($errno, $errstr, $errfile, $errline) { echo $errstr; + $this->error_triggered = true; } /** * @dataProvider provider */ - public function test_redirect($test, $expected_output, $expected_result) + public function test_redirect($test, $expected_error, $expected_result) { global $user; - // Set no user and trick a bit to circumvent errors - $user = new user(); - $user->lang = true; - $user->page = session::extract_current_page(PHPBB_ROOT_PATH); - - $this->expectOutputString($expected_output . '#' . $expected_result); - set_error_handler(array($this, 'own_error_handler')); - $result = redirect($test, true); - print "#" . $result; + + // If we expect no error and a returned result, we set the output string to be expected and check if an error was triggered (then fail instantly) + if ($expected_error === false) + { + $this->expectOutputString($expected_result); + print $result; + + if ($this->error_triggered) + { + $this->fail(); + } + } + // If we expect an error, we set the expected output string to the error and check if there was an error triggered. + else + { + $this->expectOutputString($expected_error); + + if (!$this->error_triggered) + { + $this->fail(); + } + + $this->error_triggered = false; + } restore_error_handler(); }