author | David Rothstein <drothstein@gmail.com> | 2015-05-04 22:18:24 -0400 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2015-05-04 22:18:24 -0400 |
commit | 27a72017bda3f3ead65b24de9f0997a0242d3554 (patch) | |
tree | 21e0ead046f71154adf9b1a0db3ad51565f1cefa /modules/simpletest | |
parent | b85b146a170ebcaf33e6a4b1923c3be6cb3f9cc2 (diff) | |
download | brdo-27a72017bda3f3ead65b24de9f0997a0242d3554.tar.gz brdo-27a72017bda3f3ead65b24de9f0997a0242d3554.tar.bz2 |
Issue #2399657 by klausi: Add session hijacking test cases for SA-CORE-2014-006
Diffstat (limited to 'modules/simpletest')
-rw-r--r-- | modules/simpletest/tests/session.test | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/modules/simpletest/tests/session.test b/modules/simpletest/tests/session.test
index 097503b67..893d03e9f 100644
--- a/modules/simpletest/tests/session.test
+++ b/modules/simpletest/tests/session.test
@@ -478,6 +478,56 @@ class SessionHttpsTestCase extends DrupalWebTestCase {
 }
 
 /**
+ * Tests that empty session IDs do not cause unrelated sessions to load.
+ */
+ public function testEmptySessionId() {
+ global $is_https;
+
+ if ($is_https) {
+ $secure_session_name = session_name();
+ }
+ else {
+ $secure_session_name = 'S' . session_name();
+ }
+
+ // Enable mixed mode for HTTP and HTTPS.
+ variable_set('https', TRUE);
+
+ $admin_user = $this->drupalCreateUser(array('access administration pages'));
+ $standard_user = $this->drupalCreateUser(array('access content'));
+
+ // First log in as the admin user on HTTP.
+ // We cannot use $this->drupalLogin() here because we need to use the
+ // special http.php URLs.
+ $edit = array(
+ 'name' => $admin_user->name,
+ 'pass' => $admin_user->pass_raw
+ );
+ $this->drupalGet('user');
+ $form = $this->xpath('//form[@id="user-login"]');
+ $form[0]['action'] = $this->httpUrl('user');
+ $this->drupalPost(NULL, $edit, t('Log in'));
+
+ $this->curlClose();
+
+ // Now start a session for the standard user on HTTPS.
+ $edit = array(
+ 'name' => $standard_user->name,
+ 'pass' => $standard_user->pass_raw
+ );
+ $this->drupalGet('user');
+ $form = $this->xpath('//form[@id="user-login"]');
+ $form[0]['action'] = $this->httpsUrl('user');
+ $this->drupalPost(NULL, $edit, t('Log in'));
+
+ // Make the secure session cookie blank.
+ curl_setopt($this->curlHandle, CURLOPT_COOKIE, "$secure_session_name=");
+ $this->drupalGet($this->httpsUrl('user'));
+ $this->assertNoText($admin_user->name, 'User is not logged in as admin');
+ $this->assertNoText($standard_user->name, "The user's own name is not displayed because the invalid session cookie has logged them out.");
+ }
+
+ /**
 * Test that there exists a session with two specific session IDs.
 *
 * @param $sid |
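Review bot: The two `assertNoText()` calls at the end of `testEmptySessionId()` pass vacuously if the HTTPS login for the standard user never succeeded or if the blank-cookie request returned an error page, so the test cannot distinguish "the empty session ID did not load the admin session" from "nobody was ever logged in". Add a positive assertion right after the second `drupalPost()`, e.g. `$this->assertText($standard_user->name, 'Standard user is logged in on HTTPS.');`, and after the blank-cookie `drupalGet()` confirm the anonymous login form is actually rendered, e.g. `$this->assertFieldByName('name', NULL, 'Anonymous login form is shown for the empty session ID.');`. The `CURLOPT_COOKIE` override on the shared curl handle also persists for any later requests made through it; it is the last request here, but a comment such as `// Overrides the cookie jar for the rest of this test method.` would help anyone extending the test. The enclosing `SessionHttpsTestCase` class continues outside the hunk.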