mirror of
https://github.com/phpbb/phpbb.git
synced 2025-10-04 19:51:39 +02:00
92 lines
3.0 KiB
PHP
92 lines
3.0 KiB
PHP
<?php
|
|
/**
|
|
*
|
|
* This file is part of the phpBB Forum Software package.
|
|
*
|
|
* @copyright (c) phpBB Limited <https://www.phpbb.com>
|
|
* @license GNU General Public License, version 2 (GPL-2.0)
|
|
*
|
|
* For full copyright and license information, please see
|
|
* the docs/CREDITS.txt file.
|
|
*
|
|
*/
|
|
|
|
require_once dirname(__FILE__) . '/base.php';
|
|
|
|
require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
|
|
|
|
class phpbb_security_extract_current_page_test extends phpbb_security_test_base
|
|
{
|
|
public function security_variables()
|
|
{
|
|
return array(
|
|
array('http://localhost/phpBB/index.php', 'mark=forums&x="><script>alert(/XSS/);</script>', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
|
|
array('http://localhost/phpBB/index.php', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E', 'mark=forums&x=%22%3E%3Cscript%3Ealert(/XSS/);%3C/script%3E'),
|
|
);
|
|
}
|
|
|
|
/**
|
|
* @dataProvider security_variables
|
|
*/
|
|
public function test_query_string_php_self($url, $query_string, $expected)
|
|
{
|
|
global $symfony_request, $request;
|
|
|
|
$symfony_request = $this->getMock("\phpbb\symfony_request", array(), array(
|
|
$request,
|
|
));
|
|
$symfony_request->expects($this->any())
|
|
->method('getScriptName')
|
|
->will($this->returnValue($this->sanitizer($url)));
|
|
$symfony_request->expects($this->any())
|
|
->method('getQueryString')
|
|
->will($this->returnValue($this->sanitizer($query_string)));
|
|
$symfony_request->expects($this->any())
|
|
->method('getBasePath')
|
|
->will($this->returnValue($server['REQUEST_URI']));
|
|
$symfony_request->expects($this->sanitizer($this->any()))
|
|
->method('getPathInfo')
|
|
->will($this->returnValue($this->sanitizer('/')));
|
|
$result = \phpbb\session::extract_current_page('./');
|
|
|
|
$label = 'Running extract_current_page on ' . $query_string . ' with PHP_SELF filled.';
|
|
$this->assertEquals($expected, $result['query_string'], $label);
|
|
}
|
|
|
|
/**
|
|
* @dataProvider security_variables
|
|
*/
|
|
public function test_query_string_request_uri($url, $query_string, $expected)
|
|
{
|
|
global $symfony_request, $request;
|
|
|
|
$symfony_request = $this->getMock("\phpbb\symfony_request", array(), array(
|
|
$request,
|
|
));
|
|
$symfony_request->expects($this->any())
|
|
->method('getScriptName')
|
|
->will($this->returnValue($this->sanitizer($url)));
|
|
$symfony_request->expects($this->any())
|
|
->method('getQueryString')
|
|
->will($this->returnValue($this->sanitizer($query_string)));
|
|
$symfony_request->expects($this->any())
|
|
->method('getBasePath')
|
|
->will($this->returnValue($this->sanitizer($server['REQUEST_URI'])));
|
|
$symfony_request->expects($this->any())
|
|
->method('getPathInfo')
|
|
->will($this->returnValue($this->sanitizer('/')));
|
|
|
|
$result = \phpbb\session::extract_current_page('./');
|
|
|
|
$label = 'Running extract_current_page on ' . $query_string . ' with REQUEST_URI filled.';
|
|
$this->assertEquals($expected, $result['query_string'], $label);
|
|
}
|
|
|
|
protected function sanitizer($value)
|
|
{
|
|
$type_cast_helper = new \phpbb\request\type_cast_helper();
|
|
$type_cast_helper->set_var($value, $value, gettype($value), true);
|
|
return $value;
|
|
}
|
|
}
|