mirror of https://github.com/phpbb/phpbb.git synced 2025-07-31 14:00:31 +02:00

[ticket/security/244] Add missing form parameters to tests

SECURITY-244
Marc Alexander
2019-07-21 16:03:19 +02:00
parent 6c8d006336
commit 59f489c01f
3 changed files with 55 additions and 19 deletions


@@ -1166,24 +1166,14 @@ class phpbb_functional_test_case extends phpbb_test_case
'error' => UPLOAD_ERR_OK,
);
$crawler = self::$client->request('POST', $posting_url, array('add_file' => $this->lang('ADD_FILE')), array('fileupload' => $file));
$file_form_data = array_merge(['add_file' => $this->lang('ADD_FILE')], $this->get_hidden_fields($crawler, $posting_url));
$crawler = self::$client->request('POST', $posting_url, $file_form_data, array('fileupload' => $file));
}
unset($form_data['upload_files']);
}
$hidden_fields = array(
$crawler->filter('[type="hidden"]')->each(function ($node, $i) {
return array('name' => $node->attr('name'), 'value' => $node->attr('value'));
}),
);
foreach ($hidden_fields as $fields)
{
foreach($fields as $field)
{
$form_data[$field['name']] = $field['value'];
}
}
$form_data = array_merge($form_data, $this->get_hidden_fields($crawler, $posting_url));
// I use a request because the form submission method does not allow you to send data that is not
// contained in one of the actual form fields that the browser sees (i.e. it ignores "hidden" inputs)
@@ -1314,4 +1304,37 @@ class phpbb_functional_test_case extends phpbb_test_case
return self::request('GET', substr($link, strpos($link, 'mcp.')));
}
/**
* Get hidden fields for URL
*
* @param Symfony\Component\DomCrawler\Crawler|null $crawler Crawler instance or null
* @param string $url Request URL
*
* @return array Hidden form fields array
*/
protected function get_hidden_fields($crawler, $url)
{
if (!$crawler)
{
$crawler = self::$client->request('GET', $url);
}
$hidden_fields = [
$crawler->filter('[type="hidden"]')->each(function ($node, $i) {
return ['name' => $node->attr('name'), 'value' => $node->attr('value')];
}),
];
$file_form_data = [];
foreach ($hidden_fields as $fields)
{
foreach($fields as $field)
{
$file_form_data[$field['name']] = $field['value'];
}
}
return $file_form_data;
}
}
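Review bot: get_hidden_fields() in the second hunk collects every `[type="hidden"]` node in the whole document rather than the hidden inputs of the form being submitted, so fields from any other form on the page are merged into the request and a duplicate name silently resolves to whichever node comes last. Since the commit exists to make the tests send the form's own parameters, this could mask a form that lacks them or submit a value issued for a different form; whether the posting page renders more than one form is not visible in this section. Consider scoping the lookup to the target form (for example through an optional form-selector argument) and at least skipping unnamed nodes with `$crawler->filter('input[type="hidden"][name]')`, and state the last-one-wins behaviour in the docblock. The extra array wrapped around the `each()` result exists only to feed the nested `foreach` and could be dropped, and the local `$file_form_data` would read better as `$fields` now that the helper is also used for the non-upload request in the first hunk.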