core security update
This commit is contained in:
Bachir Soussi Chiadmi
@@ -372,6 +372,65 @@ class CommonURLUnitTest extends DrupalWebTestCase {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests url_is_external().
|
||||
*/
|
||||
class UrlIsExternalUnitTest extends DrupalUnitTestCase {
|
||||
|
||||
public static function getInfo() {
|
||||
return array(
|
||||
'name' => 'External URL checking',
|
||||
'description' => 'Performs tests on url_is_external().',
|
||||
'group' => 'System',
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests if each URL is external or not.
|
||||
*/
|
||||
function testUrlIsExternal() {
|
||||
foreach ($this->examples() as $path => $expected) {
|
||||
$this->assertIdentical(url_is_external($path), $expected, $path);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Provides data for testUrlIsExternal().
|
||||
*
|
||||
* @return array
|
||||
* An array of test data, keyed by a path, with the expected value where
|
||||
* TRUE is external, and FALSE is not external.
|
||||
*/
|
||||
protected function examples() {
|
||||
return array(
|
||||
// Simple external URLs.
|
||||
'http://example.com' => TRUE,
|
||||
'https://example.com' => TRUE,
|
||||
'http://drupal.org/foo/bar?foo=bar&bar=baz&baz#foo' => TRUE,
|
||||
'//drupal.org' => TRUE,
|
||||
// Some browsers ignore or strip leading control characters.
|
||||
"\x00//www.example.com" => TRUE,
|
||||
"\x08//www.example.com" => TRUE,
|
||||
"\x1F//www.example.com" => TRUE,
|
||||
"\n//www.example.com" => TRUE,
|
||||
// JSON supports decoding directly from UTF-8 code points.
|
||||
json_decode('"\u00AD"') . "//www.example.com" => TRUE,
|
||||
json_decode('"\u200E"') . "//www.example.com" => TRUE,
|
||||
json_decode('"\uE0020"') . "//www.example.com" => TRUE,
|
||||
json_decode('"\uE000"') . "//www.example.com" => TRUE,
|
||||
// Backslashes should be normalized to forward.
|
||||
'\\\\example.com' => TRUE,
|
||||
// Local URLs.
|
||||
'node' => FALSE,
|
||||
'/system/ajax' => FALSE,
|
||||
'?q=foo:bar' => FALSE,
|
||||
'node/edit:me' => FALSE,
|
||||
'/drupal.org' => FALSE,
|
||||
'<front>' => FALSE,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests for check_plain(), filter_xss(), format_string(), and check_url().
|
||||
*/
|
||||
@@ -888,6 +947,31 @@ class DrupalHTMLIdentifierTestCase extends DrupalUnitTestCase {
|
||||
|
||||
// Verify that invalid characters (including non-breaking space) are stripped from the identifier.
|
||||
$this->assertIdentical(drupal_clean_css_identifier('invalid !"#$%&\'()*+,./:;<=>?@[\\]^`{|}~ identifier', array()), 'invalididentifier', 'Strip invalid characters.');
|
||||
|
||||
// Verify that double underscores are replaced in the identifier by default.
|
||||
$identifier = 'css__identifier__with__double__underscores';
|
||||
$expected = 'css--identifier--with--double--underscores';
|
||||
$this->assertIdentical(drupal_clean_css_identifier($identifier), $expected, 'Verify double underscores are replaced with double hyphens by default.');
|
||||
|
||||
// Verify that double underscores are preserved in the identifier if the
|
||||
// variable allow_css_double_underscores is set to TRUE.
|
||||
$this->setAllowCSSDoubleUnderscores(TRUE);
|
||||
$this->assertIdentical(drupal_clean_css_identifier($identifier), $identifier, 'Verify double underscores are preserved if the allow_css_double_underscores set to TRUE.');
|
||||
|
||||
// To avoid affecting other test cases, set the variable
|
||||
// allow_css_double_underscores to FALSE which is the default value.
|
||||
$this->setAllowCSSDoubleUnderscores(FALSE);
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the variable allow_css_double_underscores and reset the cache.
|
||||
*
|
||||
* @param $value bool
|
||||
* A new value to be set to allow_css_double_underscores.
|
||||
*/
|
||||
function setAllowCSSDoubleUnderscores($value) {
|
||||
$GLOBALS['conf']['allow_css_double_underscores'] = $value;
|
||||
drupal_static_reset('drupal_clean_css_identifier:allow_css_double_underscores');
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -942,6 +1026,7 @@ class CascadingStylesheetsUnitTest extends DrupalUnitTestCase {
|
||||
* - Proper URLs in imported files. (https://drupal.org/node/265719)
|
||||
* - Retain pseudo-selectors. (https://drupal.org/node/460448)
|
||||
* - Don't adjust data URIs. (https://drupal.org/node/2142441)
|
||||
* - Files imported from external URLs. (https://drupal.org/node/2014851)
|
||||
*/
|
||||
function testLoadCssBasic() {
|
||||
// Array of files to test living in 'simpletest/files/css_test_files/'.
|
||||
@@ -1194,7 +1279,7 @@ class DrupalSetContentTestCase extends DrupalWebTestCase {
|
||||
function testRegions() {
|
||||
global $theme_key;
|
||||
|
||||
$block_regions = array_keys(system_region_list($theme_key));
|
||||
$block_regions = system_region_list($theme_key, REGIONS_ALL, FALSE);
|
||||
$delimiter = $this->randomName(32);
|
||||
$values = array();
|
||||
// Set some random content for each region available.
|
||||
@@ -1255,6 +1340,15 @@ class DrupalGotoTest extends DrupalWebTestCase {
|
||||
$this->assertText('drupal_goto', 'Drupal goto redirect succeeded.');
|
||||
$this->assertEqual($this->getUrl(), url('common-test/drupal_goto', array('query' => array('foo' => '123'), 'absolute' => TRUE)), 'Drupal goto redirected to expected URL.');
|
||||
|
||||
// Test that calling drupal_goto() on the current path is not dangerous.
|
||||
variable_set('common_test_redirect_current_path', TRUE);
|
||||
$this->drupalGet('', array('query' => array('q' => 'http://www.example.com/')));
|
||||
$headers = $this->drupalGetHeaders(TRUE);
|
||||
list(, $status) = explode(' ', $headers[0][':status'], 3);
|
||||
$this->assertEqual($status, 302, 'Expected response code was sent.');
|
||||
$this->assertNotEqual($this->getUrl(), 'http://www.example.com/', 'Drupal goto did not redirect to external URL.');
|
||||
$this->assertTrue(strpos($this->getUrl(), url('<front>', array('absolute' => TRUE))) === 0, 'Drupal redirected to itself.');
|
||||
variable_del('common_test_redirect_current_path');
|
||||
// Test that drupal_goto() respects ?destination=xxx. Use an complicated URL
|
||||
// to test that the path is encoded and decoded properly.
|
||||
$destination = 'common-test/drupal_goto/destination?foo=%2525&bar=123';
|
||||
@@ -2116,7 +2210,7 @@ class DrupalRenderTestCase extends DrupalWebTestCase {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests caching of an empty render item.
|
||||
* Tests caching of render items.
|
||||
*/
|
||||
function testDrupalRenderCache() {
|
||||
// Force a request via GET.
|
||||
@@ -2142,6 +2236,59 @@ class DrupalRenderTestCase extends DrupalWebTestCase {
|
||||
drupal_render($element);
|
||||
$this->assertFalse(isset($element['#printed']), 'Cache hit');
|
||||
|
||||
// Test that user 1 does not share the cache with other users who have the
|
||||
// same roles, even when DRUPAL_CACHE_PER_ROLE is used.
|
||||
$user1 = user_load(1);
|
||||
$first_authenticated_user = $this->drupalCreateUser();
|
||||
$second_authenticated_user = $this->drupalCreateUser();
|
||||
$user1->roles = array_intersect_key($user1->roles, array(DRUPAL_AUTHENTICATED_RID => TRUE));
|
||||
user_save($user1);
|
||||
// Load all the accounts again, to make sure we have complete account
|
||||
// objects.
|
||||
$user1 = user_load(1);
|
||||
$first_authenticated_user = user_load($first_authenticated_user->uid);
|
||||
$second_authenticated_user = user_load($second_authenticated_user->uid);
|
||||
$this->assertEqual($user1->roles, $first_authenticated_user->roles, 'User 1 has the same roles as an authenticated user.');
|
||||
// Impersonate user 1 and render content that only user 1 should have
|
||||
// permission to see.
|
||||
$original_user = $GLOBALS['user'];
|
||||
$original_session_state = drupal_save_session();
|
||||
drupal_save_session(FALSE);
|
||||
$GLOBALS['user'] = $user1;
|
||||
$test_element = array(
|
||||
'#cache' => array(
|
||||
'keys' => array('test'),
|
||||
'granularity' => DRUPAL_CACHE_PER_ROLE,
|
||||
),
|
||||
);
|
||||
$element = $test_element;
|
||||
$element['#markup'] = 'content for user 1';
|
||||
$output = drupal_render($element);
|
||||
$this->assertEqual($output, 'content for user 1');
|
||||
// Verify the cache is working by rendering the same element but with
|
||||
// different markup passed in; the result should be the same.
|
||||
$element = $test_element;
|
||||
$element['#markup'] = 'should not be used';
|
||||
$output = drupal_render($element);
|
||||
$this->assertEqual($output, 'content for user 1');
|
||||
// Verify that the first authenticated user does not see the same content
|
||||
// as user 1.
|
||||
$GLOBALS['user'] = $first_authenticated_user;
|
||||
$element = $test_element;
|
||||
$element['#markup'] = 'content for authenticated users';
|
||||
$output = drupal_render($element);
|
||||
$this->assertEqual($output, 'content for authenticated users');
|
||||
// Verify that the second authenticated user shares the cache with the
|
||||
// first authenticated user.
|
||||
$GLOBALS['user'] = $second_authenticated_user;
|
||||
$element = $test_element;
|
||||
$element['#markup'] = 'should not be used';
|
||||
$output = drupal_render($element);
|
||||
$this->assertEqual($output, 'content for authenticated users');
|
||||
// Restore the original logged-in user.
|
||||
$GLOBALS['user'] = $original_user;
|
||||
drupal_save_session($original_session_state);
|
||||
|
||||
// Restore the previous request method.
|
||||
$_SERVER['REQUEST_METHOD'] = $request_method;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user