author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-11-04 05:05:52 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-11-04 05:05:52 +0000 |
commit | 36adc757f92c4290f73725aea6aa90cdd461ddd4 (patch) | |
tree | 4f81e241435627a59ce8bf37eb3bd2f5e0fa5843 /modules/simpletest/tests/session.test | |
parent | 59b7e23b566013829bf628c2c188e02f776c965d (diff) | |
download | brdo-36adc757f92c4290f73725aea6aa90cdd461ddd4.tar.gz brdo-36adc757f92c4290f73725aea6aa90cdd461ddd4.tar.bz2 |
#575280 follow-up by mfb and chx: Fixed impersonation attack when an https session exists.
Diffstat (limited to 'modules/simpletest/tests/session.test')
-rw-r--r-- | modules/simpletest/tests/session.test | 54 |
1 files changed, 49 insertions, 5 deletions
diff --git a/modules/simpletest/tests/session.test b/modules/simpletest/tests/session.test
index 72648656c..379b82733 100644
--- a/modules/simpletest/tests/session.test
+++ b/modules/simpletest/tests/session.test
@@ -272,18 +272,62 @@ class SessionHttpsTestCase extends DrupalWebTestCase {
     global $is_https;
     if ($is_https) {
+      $secure_session_name = session_name();
+      $insecure_session_name = substr(session_name(), 1);
+    }
+    else {
+      $secure_session_name = 'S' . session_name();
+      $insecure_session_name = session_name();
+    }
+
+    $user = $this->drupalCreateUser(array('access administration pages'));
+
+    // Test HTTPS session handling by altering the form action to submit the
+    // login form through https.php, which creates a mock HTTPS request.
+    $this->drupalGet('user');
+    $form = $this->xpath('//form[@id="user-login"]');
+    $form[0]['action'] = $this->httpsUrl('user');
+    $edit = array('name' => $user->name, 'pass' => $user->pass_raw);
+    $this->drupalPost(NULL, $edit, t('Log in'));
+
+    // Test a second concurrent session.
+    $this->curlClose();
+    $this->drupalGet('user');
+    $form = $this->xpath('//form[@id="user-login"]');
+    $form[0]['action'] = $this->httpsUrl('user');
+    $this->drupalPost(NULL, $edit, t('Log in'));
+
+    // Check secure cookie on secure page.
+    $this->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute');
+    // Check insecure cookie is not set.
+    $this->assertFalse(isset($this->cookies[$insecure_session_name]));
+    $args = array_fill_keys(array(':sid', ':ssid'), $this->cookies[$secure_session_name]['value']);
+    $this->assertTrue(db_query('SELECT sid FROM {sessions} WHERE sid = :sid AND ssid = :ssid', $args)->fetchField(), 'Session has both SIDs');
+    $cookie = $secure_session_name . '=' . $args[':ssid'];
+
+    // Verify that user is logged in on secure URL.
+    $this->curlClose();
+    $this->drupalGet($this->httpsUrl('admin'), array(), array('Cookie: ' . $cookie));
+    $this->assertText(t('Administer'));
+
+    // Verify that user is not logged in on non-secure URL.
+    if (!$is_https) {
+      $this->curlClose();
+      $this->drupalGet('admin', array(), array('Cookie: ' . $cookie));
+      $this->assertNoText(t('Administer'));
+    }
+
+    // Clear browser cookie jar.
+    $this->cookies = array();
+
+    if ($is_https) {
       // The functionality does not make sense when running on https.
       return;
     }
-    $insecure_session_name = session_name();
-    $secure_session_name = "S$insecure_session_name";
-
     // Enable secure pages.
     variable_set('https', TRUE);
-    $user = $this->drupalCreateUser(array('access administration pages'));
-
     $this->curlClose();
     $this->drupalGet('session-test/set/1');
     // Check secure cookie on insecure page.
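Review bot: The non-secure check at `$this->drupalGet('admin', array(), array('Cookie: ' . $cookie));` presents the session ID under the secure cookie name, which the plain-HTTP side presumably never consults (session.inc is not in this hunk), so `$this->assertNoText(t('Administer'))` passes without exercising the impersonation path the commit title names. The DB assertion just above establishes that the same value is stored as both `sid` and `ssid`, so the case worth pinning is that value presented under the insecure name; adding `$this->drupalGet('admin', array(), array('Cookie: ' . $insecure_session_name . '=' . $args[':ssid']));` followed by the same `assertNoText` inside the `if (!$is_https)` branch would cover it. Two smaller points: `$this->assertFalse(isset($this->cookies[$insecure_session_name]));` is the only assertion in the hunk without a message, and reading `$this->cookies[$secure_session_name]['secure']` before asserting that the cookie exists turns a missing cookie into a PHP notice rather than a clear test failure. The enclosing method starts before this hunk and continues after it.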