authorDries Buytaert <dries@buytaert.net>2010-11-05 19:05:02 +0000
committerDries Buytaert <dries@buytaert.net>2010-11-05 19:05:02 +0000
commite920fe34ef16d30af0f4fb8e33b565e572ab30c8 (patch)
tree9282e247144413df5d94ddfa4863a02a9514672b /modules/simpletest/simpletest.test
parent5f550ab80ca279706fd1681920e45172ab23748b (diff)
- Patch #575280 by mfb, carlos8f, chx, bleen18: impersonation when an https session exists.
Diffstat (limited to 'modules/simpletest/simpletest.test')
-rw-r--r--modules/simpletest/simpletest.test42
1 files changed, 38 insertions, 4 deletions
diff --git a/modules/simpletest/simpletest.test b/modules/simpletest/simpletest.test
index a457d1329..dbed36760 100644
--- a/modules/simpletest/simpletest.test
+++ b/modules/simpletest/simpletest.test
@@ -78,6 +78,43 @@ class SimpleTestFunctionalTest extends DrupalWebTestCase {
}
/**
+ * Test validation of the User-Agent header we use to perform test requests.
+ */
+ function testUserAgentValidation() {
+ if (!$this->inCURL()) {
+ global $base_url;
+ $simpletest_path = $base_url . '/' . drupal_get_path('module', 'simpletest');
+ $HTTP_path = $simpletest_path .'/tests/http.php?q=node';
+ $https_path = $simpletest_path .'/tests/https.php?q=node';
+ // Generate a valid simpletest User-Agent to pass validation.
+ $this->assertTrue(preg_match('/simpletest\d+/', $this->databasePrefix, $matches), t('Database prefix contains simpletest prefix.'));
+ $test_ua = drupal_generate_test_ua($matches[0]);
+ $this->additionalCurlOptions = array(CURLOPT_USERAGENT => $test_ua);
+
+ // Test pages only available for testing.
+ $this->drupalGet($HTTP_path);
+ $this->assertResponse(200, t('Requesting http.php with a legitimate simpletest User-Agent returns OK.'));
+ $this->drupalGet($https_path);
+ $this->assertResponse(200, t('Requesting https.php with a legitimate simpletest User-Agent returns OK.'));
+
+ // Now slightly modify the HMAC on the header, which should not validate.
+ $this->additionalCurlOptions = array(CURLOPT_USERAGENT => $test_ua . 'X');
+ $this->drupalGet($HTTP_path);
+ $this->assertResponse(403, t('Requesting http.php with a bad simpletest User-Agent fails.'));
+ $this->drupalGet($https_path);
+ $this->assertResponse(403, t('Requesting https.php with a bad simpletest User-Agent fails.'));
+
+ // Use a real User-Agent and verify that the special files http.php and
+ // https.php can't be accessed.
+ $this->additionalCurlOptions = array(CURLOPT_USERAGENT => 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12');
+ $this->drupalGet($HTTP_path);
+ $this->assertResponse(403, t('Requesting http.php with a normal User-Agent fails.'));
+ $this->drupalGet($https_path);
+ $this->assertResponse(403, t('Requesting https.php with a normal User-Agent fails.'));
+ }
+ }
+
+ /**
* Make sure that tests selected through the web interface are run and
* that the results are displayed correctly.
*/
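Review bot: The rejection case built with `$test_ua . 'X'` only corrupts the tail of the header, so it shows that a damaged HMAC is refused but not that the HMAC is bound to the `simpletest\d+` prefix it is meant to authenticate. A further 403 case that alters the prefix and leaves the rest of the string intact would cover that, for example `$this->additionalCurlOptions = array(CURLOPT_USERAGENT => str_replace($matches[0], $matches[0] . '0', $test_ua));` followed by the same two `drupalGet()` / `assertResponse(403, ...)` pairs (this assumes the generated value embeds the prefix, which the test does not show). Separately, `assertTrue(preg_match(...))` does not stop the method, so a non-matching `$this->databasePrefix` leaves `$matches[0]` undefined when it reaches `drupal_generate_test_ua()`; returning early on a failed match would keep the later failures readable. The name `$HTTP_path` also differs in case from `$https_path` for no visible reason.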
@@ -274,10 +311,7 @@ class SimpleTestFunctionalTest extends DrupalWebTestCase {
* Check if the test is being run from inside a CURL request.
*/
function inCURL() {
- // We cannot rely on drupal_static('drupal_test_info') here, because
- // 'in_child_site' would be FALSE for the parent site when we are
- // executing the tests. Default to direct detection of the HTTP headers.
- return isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/^simpletest\d+/", $_SERVER['HTTP_USER_AGENT']);
+ return (bool) drupal_valid_test_ua();
}
}
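Review bot: The new body of `inCURL()` drops the explanatory comment without replacing it, so a reader cannot tell why the prefix match was swapped for `drupal_valid_test_ua()`. A short comment would record the reason, for example `// A bare "simpletest" prefix can be sent by any client; only a User-Agent that passes HMAC validation marks a genuine child-site request.` The docblock above still says only "run from inside a CURL request" and could state that the result now depends on a valid test User-Agent. Note also that `testUserAgentValidation()` is wrapped in `if (!$this->inCURL())`, so the validator under test also decides whether its own test body runs. If it ever returned a truthy value in the parent site, that method would pass with no assertions executed.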