two new tests, added security suite and fixed utf8 tests.

git-svn-id: file:///svn/phpbb/trunk@8584 89ea8834-ac86-4346-8a33-228a782c2dd0

tests/all_tests.php

@@ -21,6 +21,7 @@ require_once 'PHPUnit/TextUI/TestRunner.php';
 require_once 'bbcode/all_tests.php';
 require_once 'utf/all_tests.php';
 require_once 'request/all_tests.php';
+require_once 'security/all_tests.php';
 
 // exclude the test directory from code coverage reports
 PHPUnit_Util_Filter::addDirectoryToFilter('./');
@@ -39,6 +40,7 @@ class phpbb_all_tests
 		$suite->addTest(phpbb_bbcode_all_tests::suite());
 		$suite->addTest(phpbb_utf_all_tests::suite());
 		$suite->addTest(phpbb_request_all_tests::suite());
+		$suite->addTest(phpbb_security_all_tests::suite());
 
 		return $suite;
 	}
@@ -48,4 +50,5 @@ if (PHPUnit_MAIN_METHOD == 'phpbb_all_tests::main')
 {
 	phpbb_all_tests::main();
 }
+
 ?>

tests/security/all_tests.php

@@ -0,0 +1,46 @@
+<?php
+/**
+*
+* @package testing
+* @version $Id: all_tests.php 8549 2008-05-04 22:54:16Z naderman $
+* @copyright (c) 2008 phpBB Group
+* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+*
+*/
+
+define('IN_PHPBB', true);
+
+if (!defined('PHPUnit_MAIN_METHOD'))
+{
+	define('PHPUnit_MAIN_METHOD', 'phpbb_security_all_tests::main');
+}
+
+require_once 'PHPUnit/Framework.php';
+require_once 'PHPUnit/TextUI/TestRunner.php';
+
+require_once 'security/extract_current_page.php';
+require_once 'security/redirect.php';
+
+class phpbb_security_all_tests
+{
+	public static function main()
+	{
+		PHPUnit_TextUI_TestRunner::run(self::suite());
+	}
+
+	public static function suite()
+	{
+		$suite = new PHPUnit_Framework_TestSuite('phpBB Security Fixes');
+
+		$suite->addTestSuite('phpbb_security_extract_current_page_test');
+		$suite->addTestSuite('phpbb_security_redirect_test');
+
+		return $suite;
+	}
+}
+
+if (PHPUnit_MAIN_METHOD == 'phpbb_security_all_tests::main')
+{
+	phpbb_security_all_tests::main();
+}
+?>

tests/security/extract_current_page.php

@@ -0,0 +1,57 @@
+<?php
+/**
+*
+* @package testing
+* @version $Id: request_var.php 8549 2008-05-04 22:54:16Z naderman $
+* @copyright (c) 2008 phpBB Group
+* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+*
+*/
+
+define('IN_PHPBB', true);
+
+require_once 'PHPUnit/Framework.php';
+
+require_once '../phpBB/includes/functions.php';
+require_once '../phpBB/includes/session.php';
+
+class phpbb_security_extract_current_page_test extends PHPUnit_Framework_TestCase
+{
+	public static function security_variables()
+	{
+		return array(
+			array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
+			array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
+		);
+	}
+
+	/**
+	* @dataProvider security_variables
+	*/
+	public function test_query_string_php_self($url, $query_string, $expected)
+	{
+		$_SERVER['PHP_SELF'] = $url;
+		$_SERVER['QUERY_STRING'] = $query_string;
+
+		$result = session::extract_current_page('./');
+
+		$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
+		$this->assertEquals($expected, $result['query_string'], $label);
+	}
+
+	/**
+	* @dataProvider security_variables
+	*/
+	public function test_query_string_request_uri($url, $query_string, $expected)
+	{
+		$_SERVER['REQUEST_URI'] = $url . '?' . $query_string;
+		$_SERVER['QUERY_STRING'] = $query_string;
+
+		$result = session::extract_current_page('./');
+
+		$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
+		$this->assertEquals($expected, $result['query_string'], $label);
+	}
+}
+
+?>

tests/security/redirect.php

@@ -0,0 +1,65 @@
+<?php
+/**
+*
+* @package testing
+* @version $Id: request_var.php 8549 2008-05-04 22:54:16Z naderman $
+* @copyright (c) 2008 phpBB Group
+* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+*
+*/
+
+define('IN_PHPBB', true);
+
+require_once 'PHPUnit/Framework.php';
+require_once 'PHPUnit/Extensions/OutputTestCase.php';
+
+define('PHPBB_ROOT_PATH', './../phpBB/');
+define('PHP_EXT', 'php');
+
+// Functional phpBB Installation required... we are actually embedding phpBB here
+
+require_once '../phpBB/includes/functions.php';
+require_once '../phpBB/includes/session.php';
+
+class phpbb_security_redirect_test extends PHPUnit_Extensions_OutputTestCase
+{
+	public static function provider()
+	{
+		return array(
+			array('data://x', 'Tried to redirect to potentially insecure url.', 'data://x'),
+			array('javascript:test', '', 'http://../tests/javascript:test'),
+		);
+	}
+
+	/**
+	* Own error handler to catch trigger_error() calls within phpBB
+	*/
+	public function own_error_handler($errno, $errstr, $errfile, $errline)
+	{
+		echo $errstr;
+	}
+
+	/**
+	* @dataProvider provider
+	*/
+	public function test_redirect($test, $expected_output, $expected_result)
+	{
+		global $user;
+
+		// Set no user and trick a bit to circumvent errors
+		$user = new user();
+		$user->lang = true;
+		$user->page = session::extract_current_page(PHPBB_ROOT_PATH);
+
+		$this->expectOutputString($expected_output . '#' . $expected_result);
+
+		set_error_handler(array($this, 'own_error_handler'));
+
+		$result = redirect($test, true);
+		print "#" . $result;
+
+		restore_error_handler();
+	}
+}
+
+?>

tests/utf/utf8_clean_string_test.php

@@ -12,8 +12,8 @@ define('IN_PHPBB', true);
 
 require_once 'PHPUnit/Framework.php';
 
-$phpbb_root_path = '../phpBB/';
+define(PHPBB_ROOT_PATH, '../phpBB/');
-$phpEx = 'php';
+define(PHP_EXT, 'php');
 require_once '../phpBB/includes/utf/utf_tools.php';
 
 class phpbb_utf_utf8_clean_string_test extends PHPUnit_Framework_TestCase