diff options
| author | Dries Buytaert <dries@buytaert.net> | 2008-11-24 06:12:46 +0000 |
|---|---|---|
| committer | Dries Buytaert <dries@buytaert.net> | 2008-11-24 06:12:46 +0000 |
| commit | 96dc47665ef84588874200aec2a5a61e4b93e19f (patch) | |
| tree | 55a44d3fd694e53e4eb4b79798eb30210fa89d6a /modules/simpletest/tests/session.test | |
| parent | bd9554952c02b4ea70103a87d3b7ef51af29f9d4 (diff) | |
| download | brdo-96dc47665ef84588874200aec2a5a61e4b93e19f.tar.gz brdo-96dc47665ef84588874200aec2a5a61e4b93e19f.tar.bz2 | |
- Patch #280934 by pwolanin, swentel, et al: harden session regeneration. It took a while, but it comes with tests and extra features now.
Diffstat (limited to 'modules/simpletest/tests/session.test')
| -rw-r--r-- | modules/simpletest/tests/session.test | 52 |
1 files changed, 50 insertions, 2 deletions
diff --git a/modules/simpletest/tests/session.test b/modules/simpletest/tests/session.test index 5e2533988..751917f12 100644 --- a/modules/simpletest/tests/session.test +++ b/modules/simpletest/tests/session.test @@ -7,6 +7,9 @@ */ class SessionTestCase extends DrupalWebTestCase { + + protected $saved_cookie; + /** * Implementation of getInfo(). */ @@ -24,16 +27,61 @@ class SessionTestCase extends DrupalWebTestCase { function setUp() { parent::setUp('session_test'); } + /** + * Implementation of curlHeaderCallback(). + */ + protected function curlHeaderCallback($ch, $header) { + // Look for a Set-Cookie header. + if (preg_match('/^Set-Cookie.+$/i', $header, $matches)) { + $this->saved_cookie = $header; + } + + return parent::curlHeaderCallback($ch, $header); + } /** - * Tests for drupal_save_session(). + * Tests for drupal_save_session() and drupal_session_regenerate(). */ - function testSessionSaveSession() { + function testSessionSaveRegenerate() { $this->assertTrue(drupal_save_session(), t('drupal_save_session() correctly returns TRUE when initially called with no arguments.'), t('Session')); $this->assertFalse(drupal_save_session(FALSE), t('drupal_save_session() correctly returns FALSE when called with FALSE.'), t('Session')); $this->assertFalse(drupal_save_session(), t('drupal_save_session() correctly returns FALSE when saving has been disabled.'), t('Session')); $this->assertTrue(drupal_save_session(TRUE), t('drupal_save_session() correctly returns TRUE when called with TRUE.'), t('Session')); $this->assertTrue(drupal_save_session(), t('drupal_save_session() correctly returns TRUE when saving has been enabled.'), t('Session')); + + // Test session hardening code from SA-2008-044. + $user = $this->drupalCreateUser(array('access content')); + // Enable sessions. + $this->sessionReset($user->uid); + // Make sure the session cookie is set as HttpOnly. + $this->drupalLogin($user); + $this->assertTrue(preg_match('/HttpOnly/i', $this->saved_cookie), t('Session cookie is set as HttpOnly.')); + $this->drupalLogout(); + // Verify that the session is regenerated if a module calls exit + // in hook_user_login(). + user_save($user, array('name' => 'session_test_user')); + $user->name = 'session_test_user'; + $this->drupalGet('session-test/id'); + $matches = array(); + preg_match('/\s*session_id:(.*)\n/', $this->drupalGetContent(), $matches); + $this->assertTrue(!empty($matches[1]) , t('Found session ID before logging in.')); + $original_session = $matches[1]; + // We cannot use $this->drupalLogin($user); because we exit in + // session_test_user_login() which breaks a normal assertion. + $edit = array( + 'name' => $user->name, + 'pass' => $user->pass_raw + ); + $this->drupalPost('user', $edit, t('Log in')); + $this->drupalGet('node'); + $pass = $this->assertText($user->name, t('Found name: %name', array('%name' => $user->name)), t('User login')); + $this->_logged_in = $pass; + + $this->drupalGet('session-test/id'); + $matches = array(); + preg_match('/\s*session_id:(.*)\n/', $this->drupalGetContent(), $matches); + $this->assertTrue(!empty($matches[1]) , t('Found session ID after logging in.')); + $this->assertTrue($matches[1] != $original_session, t('Session ID changed after login.')); } /** |