tests/security/redirect.php

   1 <?php
   2 /**
   3 *
   4 * @package testing
   5 * @version $Id$
   6 * @copyright (c) 2008 phpBB Group
   7 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
   8 *
   9 */
  10
  11 define('IN_PHPBB', true);
  12
  13 require_once 'PHPUnit/Framework.php';
  14 require_once 'PHPUnit/Extensions/OutputTestCase.php';
  15
  16 define('PHPBB_ROOT_PATH', './../phpBB/');
  17 define('PHP_EXT', 'php');
  18
  19 require_once '../phpBB/includes/functions.php';
  20 require_once '../phpBB/includes/session.php';
  21
  22 class phpbb_security_redirect_test extends PHPUnit_Extensions_OutputTestCase
  23 {
  24         protected $error_triggered = false;
  25
  26         public static function provider()
  27         {
  28                 // array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
  29                 return array(
  30                         array('data://x', false, 'http://localhost/phpBB'),
  31                         array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'),
  32                         array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false),
  33                         array('javascript:test', false, 'http://localhost/phpBB/../tests/javascript:test'),
  34                         array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false),
  35                 );
  36         }
  37
  38         /**
  39         * Own error handler to catch trigger_error() calls within phpBB
  40         */
  41         public function own_error_handler($errno, $errstr, $errfile, $errline)
  42         {
  43                 echo $errstr;
  44                 $this->error_triggered = true;
  45         }
  46
  47         /**
  48         * @dataProvider provider
  49         */
  50         public function test_redirect($test, $expected_error, $expected_result)
  51         {
  52                 global $user;
  53
  54                 set_error_handler(array($this, 'own_error_handler'));
  55                 $result = redirect($test, true);
  56
  57                 // If we expect no error and a returned result, we set the output string to be expected and check if an error was triggered (then fail instantly)
  58                 if ($expected_error === false)
  59                 {
  60                         $this->expectOutputString($expected_result);
  61                         print $result;
  62
  63                         if ($this->error_triggered)
  64                         {
  65                                 $this->fail();
  66                         }
  67                 }
  68                 // If we expect an error, we set the expected output string to the error and check if there was an error triggered.
  69                 else
  70                 {
  71                         $this->expectOutputString($expected_error);
  72
  73                         if (!$this->error_triggered)
  74                         {
  75                                 $this->fail();
  76                         }
  77
  78                         $this->error_triggered = false;
  79                 }
  80
  81                 restore_error_handler();
  82         }
  83 }
  84
  85 ?>