diff --git a/tests/all_tests.php b/tests/all_tests.php
index 4799627602..8a871917eb 100644
--- a/tests/all_tests.php
+++ b/tests/all_tests.php
@@ -21,6 +21,7 @@ require_once 'PHPUnit/TextUI/TestRunner.php';
 require_once 'bbcode/all_tests.php';
 require_once 'utf/all_tests.php';
 require_once 'request/all_tests.php';
+require_once 'security/all_tests.php';
 
 // exclude the test directory from code coverage reports
 PHPUnit_Util_Filter::addDirectoryToFilter('./');
@@ -39,6 +40,7 @@ class phpbb_all_tests
 		$suite->addTest(phpbb_bbcode_all_tests::suite());
 		$suite->addTest(phpbb_utf_all_tests::suite());
 		$suite->addTest(phpbb_request_all_tests::suite());
+		$suite->addTest(phpbb_security_all_tests::suite());
 
 		return $suite;
 	}
@@ -48,4 +50,5 @@ if (PHPUnit_MAIN_METHOD == 'phpbb_all_tests::main')
 {
 	phpbb_all_tests::main();
 }
+
 ?>
\ No newline at end of file
diff --git a/tests/security/all_tests.php b/tests/security/all_tests.php
new file mode 100644
index 0000000000..23ddb94c44
--- /dev/null
+++ b/tests/security/all_tests.php
@@ -0,0 +1,46 @@
+addTestSuite('phpbb_security_extract_current_page_test');
+		$suite->addTestSuite('phpbb_security_redirect_test');
+
+		return $suite;
+	}
+}
+
+if (PHPUnit_MAIN_METHOD == 'phpbb_security_all_tests::main')
+{
+	phpbb_security_all_tests::main();
+}
+?>
\ No newline at end of file
diff --git a/tests/security/extract_current_page.php b/tests/security/extract_current_page.php
new file mode 100644
index 0000000000..4048a6303c
--- /dev/null
+++ b/tests/security/extract_current_page.php
@@ -0,0 +1,57 @@
+', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
+			array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
+		);
+	}
+
+	/**
+	* @dataProvider security_variables
+	*/
+	public function test_query_string_php_self($url, $query_string, $expected)
+	{
+		$_SERVER['PHP_SELF'] = $url;
+		$_SERVER['QUERY_STRING'] = $query_string;
+
+		$result = session::extract_current_page('./');
+
+		$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
+		$this->assertEquals($expected, $result['query_string'], $label);
+	}
+
+	/**
+	* @dataProvider security_variables
+	*/
+	public function test_query_string_request_uri($url, $query_string, $expected)
+	{
+		$_SERVER['REQUEST_URI'] = $url . '?' . $query_string;
+		$_SERVER['QUERY_STRING'] = $query_string;
+
+		$result = session::extract_current_page('./');
+
+		$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
+		$this->assertEquals($expected, $result['query_string'], $label);
+	}
+}
+
+?>
\ No newline at end of file
diff --git a/tests/security/redirect.php b/tests/security/redirect.php
new file mode 100644
index 0000000000..cc55c70920
--- /dev/null
+++ b/tests/security/redirect.php
@@ -0,0 +1,65 @@
+lang = true;
+		$user->page = session::extract_current_page(PHPBB_ROOT_PATH);
+
+		$this->expectOutputString($expected_output . '#' . $expected_result);
+
+		set_error_handler(array($this, 'own_error_handler'));
+
+		$result = redirect($test, true);
+		print "#" . $result;
+
+		restore_error_handler();
+	}
+}
+
+?>
\ No newline at end of file
diff --git a/tests/utf/utf8_clean_string_test.php b/tests/utf/utf8_clean_string_test.php
index 7cd44465c5..8e1d9f16ac 100644
--- a/tests/utf/utf8_clean_string_test.php
+++ b/tests/utf/utf8_clean_string_test.php
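Review bot: `test_query_string_request_uri` runs with whatever `$_SERVER['PHP_SELF']` the preceding `test_query_string_php_self` left behind, because both tests write into the superglobal and neither clears it afterwards; if `session::extract_current_page` consults `PHP_SELF` before `REQUEST_URI` (not visible here), the second test never exercises the REQUEST_URI path at all. Each test should start from a known `$_SERVER`, e.g. snapshot it in `setUp()` and restore it in `tearDown()`, and additionally `unset($_SERVER['REQUEST_URI']);` / `unset($_SERVER['PHP_SELF']);` in the test that does not set that key. The visible provider rows assert that the percent-encoded payload is returned still encoded, which is the property the provider's docblock should state, e.g. `* The query string must come back unchanged: still percent-encoded, never decoded.` The class header and the beginning of `security_variables` lie outside this view.
```php
	private $server_backup;

	protected function setUp()
	{
		$this->server_backup = $_SERVER;
	}

	protected function tearDown()
	{
		$_SERVER = $this->server_backup;
	}

	// … unchanged: security_variables provider and the two test methods …
```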
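Review bot: `restore_error_handler()` at the end of the method only runs when `redirect($test, true)` and the statements before it return normally; if `own_error_handler` or an exception raised inside `redirect` aborts the test, the handler installed by `set_error_handler(array($this, 'own_error_handler'))` stays registered for every test that follows and can mask or reshape their failures. Move the cleanup into `protected function tearDown() { restore_error_handler(); }` (or pair it with the expected-output check) so it runs on every exit path. The test also asserts the return value by routing it through stdout with `print "#" . $result;` and `expectOutputString(...)`; a direct `$this->assertEquals($expected_result, $result);` would make the return-value check independent of whatever `redirect()` itself prints. The test method's signature, `own_error_handler` and the `$user` setup are outside the visible part of this hunk.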
@@ -12,8 +12,8 @@ define('IN_PHPBB', true);
 require_once 'PHPUnit/Framework.php';
 
-$phpbb_root_path = '../phpBB/';
-$phpEx = 'php';
+define(PHPBB_ROOT_PATH, '../phpBB/');
+define(PHP_EXT, 'php');
 
 require_once '../phpBB/includes/utf/utf_tools.php';
 
 class phpbb_utf_utf8_clean_string_test extends PHPUnit_Framework_TestCase
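Review bot: `define(PHPBB_ROOT_PATH, '../phpBB/')` and `define(PHP_EXT, 'php')` pass the constant name as a bare identifier rather than a string; since neither constant exists yet, PHP falls back to the literal name with a notice (a warning on later 7.x, a fatal `Error` on PHP 8), so any error handler that turns notices into test failures aborts this file before the test class is loaded. The two lines should read `define('PHPBB_ROOT_PATH', '../phpBB/');` and `define('PHP_EXT', 'php');`. The new `tests/security/redirect.php` reads `PHPBB_ROOT_PATH` in `session::extract_current_page(PHPBB_ROOT_PATH)`, so its header, which is outside this view, presumably carries the same two defines and should be checked for the same mistake.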