mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-30 21:40:43 +02:00
Code Issues Releases Wiki Activity

[ticket/security-203] Fully validate version check data in version helper

Browse Source 
This will also take care of SECURITY-204 as it's the same underlying issue.
Admins still need to ensure they don't visit malicious sites for URLs
provided by extensions.

SECURITY-203
This commit is contained in:
Marc Alexander
2016-12-26 22:01:51 +01:00
parent 97a0f49be4
commit 658820654f
4 changed files with 185 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
tests/version/version_helper_remote_test.php
View File

@@ -37,21 +37,21 @@ class version_helper_remote_test extends \phpbb_test_case
->will($this->returnValue(false));
$this->file_downloader = new phpbb_mock_file_downloader();
$this->user = new \phpbb\user('\phpbb\datetime');
$this->user->add_lang('acp/common');
$this->version_helper = new \phpbb\version_helper(
$this->cache,
$config,
$this->file_downloader,
new \phpbb\user('\phpbb\datetime')
$this->user
);
$this->user = new \phpbb\user('\phpbb\datetime');
$this->user->add_lang('acp/common');
}
public function provider_get_versions()
{
return array(
array('', false),
array('foobar', false),
array('', false, '', 'VERSIONCHECK_FAIL'),
array('foobar', false, '', 'VERSIONCHECK_FAIL'),
array('{
"stable": {
"1.0": {
@@ -92,7 +92,7 @@ class version_helper_remote_test extends \phpbb_test_case
"security": false
}
}
}', false),
}', false, '', 'VERSIONCHECK_FAIL'),
array('{
"stable": {
"1.0": {
@@ -103,26 +103,7 @@ class version_helper_remote_test extends \phpbb_test_case
"security": "<script>alert(\'foo\');</script>"
}
}
}', true, array (
'stable' => array (
'1.0' => array (
'current' => '1.0.1&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'download' => 'https://www.phpbb.com/customise/db/download/104136&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'eol' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'security' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
),
),
'unstable' => array (
'1.0' => array (
'current' => '1.0.1&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'download' => 'https://www.phpbb.com/customise/db/download/104136&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'eol' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'security' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
),
),
)),
}', false, null, 'VERSIONCHECK_INVALID_VERSION'),
array('{
"unstable": {
"1.0": {
@@ -133,25 +114,74 @@ class version_helper_remote_test extends \phpbb_test_case
"security": "<script>alert(\'foo\');</script>"
}
}
}', false, null, 'VERSIONCHECK_INVALID_VERSION'),
array('{
"unstable": {
"1.0<script>alert(\'foo\');</script>": {
"current": "1.0.1",
"download": "https://www.phpbb.com/customise/db/download/104136",
"announcement": "https://www.phpbb.com/customise/db/extension/boardrules/",
"eol": "",
"security": ""
}
}
}', false, array('stable' => array(), 'unstable' => array()), 'VERSIONCHECK_INVALID_VERSION'),
array('{
"\"\n<script>alert(\'foo\');</script>\n": "test",
"stable": {
"1.0": {
"current": "1.0.1",
"download": "https://www.phpbb.com/customise/db/download/104136",
"announcement": "https://www.phpbb.com/customise/db/extension/boardrules/",
"eol": null,
"security": false
}
}
}', true, array (
'unstable' => array (
'stable' => array (
'1.0' => array (
'current' => '1.0.1&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'download' => 'https://www.phpbb.com/customise/db/download/104136&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'eol' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'security' => '&lt;script&gt;alert(\'foo\');&lt;/script&gt;',
'current' => '1.0.1',
'download' => 'https://www.phpbb.com/customise/db/download/104136',
'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/',
'eol' => NULL,
'security' => false,
),
),
'unstable' => array (
'1.0' => array (
'current' => '1.0.1',
'download' => 'https://www.phpbb.com/customise/db/download/104136',
'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/',
'eol' => NULL,
'security' => false,
),
),
'stable' => array(),
)),
array('{
"unstable": {
"1.0": {
"current": "1.0.1",
"download": "https://www.phpbb.com/customise/db/download/104136",
"announcement": "https://www.phpbb.com/customise/db/extension/boardrules/",
"eol": null,
"security": false,
"foobar": "<script>alert(\'test\');<script>"
}
}
}', true, array('stable' => array(), 'unstable' => array('1.0' => array(
'current' => '1.0.1',
'download' => 'https://www.phpbb.com/customise/db/download/104136',
'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/',
'eol' => null,
'security' => false,
))), 'VERSIONCHECK_INVALID_ENTRY'),
);
}
/**
* @dataProvider provider_get_versions
*/
public function test_get_versions($input, $valid_data, $expected_return = '')
public function test_get_versions($input, $valid_data, $expected_return = '', $expected_exception = '')
{
$this->file_downloader->set($input);
@@ -160,7 +190,7 @@ class version_helper_remote_test extends \phpbb_test_case
try {
$return = $this->version_helper->get_versions();
} catch (\RuntimeException $e) {
$this->assertEquals((string)$e->getMessage(), $this->user->lang('VERSIONCHECK_FAIL'));
$this->assertEquals((string)$e->getMessage(), $this->user->lang($expected_exception));
}
}
else