Diffstat (limited to 'modules/simpletest/tests/file.test')
-rw-r--r-- | modules/simpletest/tests/file.test | 170 |
1 files changed, 165 insertions, 5 deletions
diff --git a/modules/simpletest/tests/file.test b/modules/simpletest/tests/file.test
index e501f57d0..fe0ebc431 100644
--- a/modules/simpletest/tests/file.test
+++ b/modules/simpletest/tests/file.test
@@ -537,12 +537,17 @@ class FileSaveUploadTest extends FileHookTestCase {
 /**
 * An image file path for uploading.
 */
- var $image;
+ protected $image;
+
+ /**
+ * A PHP file path for upload security testing.
+ */
+ protected $phpfile;
 
 /**
 * The largest file id when the test starts.
 */
- var $maxFidBefore;
+ protected $maxFidBefore;
 
 public static function getInfo() {
 return array(
@@ -558,14 +563,17 @@ class FileSaveUploadTest extends FileHookTestCase {
 $this->drupalLogin($account);
 
 $this->image = current($this->drupalGetTestFiles('image'));
- $this->assertTrue(is_file($this->image->uri), t("The file we're going to upload exists."));
+ $this->assertTrue(is_file($this->image->uri), t("The image file we're going to upload exists."));
+
+ $this->phpfile = current($this->drupalGetTestFiles('php'));
+ $this->assertTrue(is_file($this->phpfile->uri), t("The PHP file we're going to upload exists."));
 
 $this->maxFidBefore = db_query('SELECT MAX(fid) AS fid FROM {file_managed}')->fetchField();
 
- // Upload with replace to gurantee there's something there.
+ // Upload with replace to guarantee there's something there.
 $edit = array(
 'file_test_replace' => FILE_EXISTS_REPLACE,
- 'files[file_test_upload]' => drupal_realpath($this->image->uri)
+ 'files[file_test_upload]' => drupal_realpath($this->image->uri),
 );
 $this->drupalPost('file-test/upload', $edit, t('Submit'));
 $this->assertResponse(200, t('Received a 200 response for posted test file.'));
@@ -631,6 +639,158 @@ class FileSaveUploadTest extends FileHookTestCase {
 }
 
 /**
+ * Test extension handling.
+ */
+ function testHandleExtension() {
+ // The file being tested is a .gif which is in the default safe list
+ // of extensions to allow when the extension validator isn't used. This is
+ // implicitly tested at the testNormal() test. Here we tell
+ // file_save_upload() to only allow ".foo".
+ $extensions = 'foo';
+ $edit = array(
+ 'file_test_replace' => FILE_EXISTS_REPLACE,
+ 'files[file_test_upload]' => drupal_realpath($this->image->uri),
+ 'extensions' => $extensions,
+ );
+
+ $this->drupalPost('file-test/upload', $edit, t('Submit'));
+ $this->assertResponse(200, t('Received a 200 response for posted test file.'));
+ $message = t('Only files with the following extensions are allowed: ') . '<em class="placeholder">' . $extensions . '</em>';
+ $this->assertRaw($message, t('Can\'t upload a disallowed extension'));
+ $this->assertRaw(t('Epic upload FAIL!'), t('Found the failure message.'));
+
+ // Check that the correct hooks were called.
+ $this->assertFileHooksCalled(array('validate'));
+
+ // Reset the hook counters.
+ file_test_reset();
+
+ $extensions = 'foo gif';
+ // Now tell file_save_upload() to allow ".gif".
+ $edit = array(
+ 'file_test_replace' => FILE_EXISTS_REPLACE,
+ 'files[file_test_upload]' => drupal_realpath($this->image->uri),
+ 'extensions' => $extensions,
+ );
+
+ $this->drupalPost('file-test/upload', $edit, t('Submit'));
+ $this->assertResponse(200, t('Received a 200 response for posted test file.'));
+ $this->assertNoRaw(t('Only files with the following extensions are allowed:'), t('Can upload an allowed extension.'));
+ $this->assertRaw(t('You WIN!'), t('Found the success message.'));
+
+ // Check that the correct hooks were called.
+ $this->assertFileHooksCalled(array('validate', 'load', 'update'));
+
+ // Reset the hook counters.
+ file_test_reset();
+
+ // Now tell file_save_upload() to allow any extension.
+ $edit = array(
+ 'file_test_replace' => FILE_EXISTS_REPLACE,
+ 'files[file_test_upload]' => drupal_realpath($this->image->uri),
+ 'allow_all_extensions' => TRUE,
+ );
+ $this->drupalPost('file-test/upload', $edit, t('Submit'));
+ $this->assertResponse(200, t('Received a 200 response for posted test file.'));
+ $this->assertNoRaw(t('Only files with the following extensions are allowed:'), t('Can upload any extension.'));
+ $this->assertRaw(t('You WIN!'), t('Found the success message.'));
+
+ // Check that the correct hooks were called.
+ $this->assertFileHooksCalled(array('validate', 'load', 'update'));
+ }
+
+ /**
+ * Test dangerous file handling.
+ */
+ function testHandleDangerousFile() {
+ // Allow the .php extension and make sure it gets renamed to .txt for
+ // safety. Also check to make sure its MIME type was changed.
+ $edit = array(
+ 'file_test_replace' => FILE_EXISTS_REPLACE,
+ 'files[file_test_upload]' => drupal_realpath($this->phpfile->uri),
+ 'is_image_file' => FALSE,
+ 'extensions' => 'php',
+ );
+
+ $this->drupalPost('file-test/upload', $edit, t('Submit'));
+ $this->assertResponse(200, t('Received a 200 response for posted test file.'));
+ $message = t('For security reasons, your upload has been renamed to ') . '<em class="placeholder">' . $this->phpfile->filename . '.txt' . '</em>';
+ $this->assertRaw($message, t('Dangerous file was renamed.'));
+ $this->assertRaw(t('File MIME type is text/plain.'), t('Dangerous file\'s MIME type was changed.'));
+ $this->assertRaw(t('You WIN!'), t('Found the success message.'));
+
+ // Check that the correct hooks were called.
+ $this->assertFileHooksCalled(array('validate', 'insert'));
+
+ // Ensure dangerous files are not renamed when insecure uploads is TRUE.
+ // Turn on insecure uploads.
+ variable_set('allow_insecure_uploads', 1);
+ // Reset the hook counters.
+ file_test_reset();
+
+ $this->drupalPost('file-test/upload', $edit, t('Submit'));
+ $this->assertResponse(200, t('Received a 200 response for posted test file.'));
+ $this->assertNoRaw(t('For security reasons, your upload has been renamed'), t('Found no security message.'));
+ $this->assertRaw(t('File name is !filename', array('!filename' => $this->phpfile->filename)), t('Dangerous file was not renamed when insecure uploads is TRUE.'));
+ $this->assertRaw(t('You WIN!'), t('Found the success message.'));
+
+ // Check that the correct hooks were called.
+ $this->assertFileHooksCalled(array('validate', 'insert'));
+
+ // Turn off insecure uploads.
+ variable_set('allow_insecure_uploads', 0);
+ }
+
+ /**
+ * Test file munge handling.
+ */
+ function testHandleFileMunge() {
+ // Ensure insecure uploads are disabled for this test.
+ variable_set('allow_insecure_uploads', 0);
+ $this->image = file_move($this->image, $this->image->uri . '.foo.gif');
+
+ // Reset the hook counters to get rid of the 'move' we just called.
+ file_test_reset();
+
+ $extensions = 'gif';
+ $edit = array(
+ 'files[file_test_upload]' => drupal_realpath($this->image->uri),
+ 'extensions' => $extensions,
+ );
+
+ $munged_filename = $this->image->filename;
+ $munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.'));
+ $munged_filename .= '_.gif';
+
+ $this->drupalPost('file-test/upload', $edit, t('Submit'));
+ $this->assertResponse(200, t('Received a 200 response for posted test file.'));
+ $this->assertRaw(t('For security reasons, your upload has been renamed'), t('Found security message.'));
+ $this->assertRaw(t('File name is !filename', array('!filename' => $munged_filename)), t('File was successfully munged.'));
+ $this->assertRaw(t('You WIN!'), t('Found the success message.'));
+
+ // Check that the correct hooks were called.
+ $this->assertFileHooksCalled(array('validate', 'insert'));
+
+ // Ensure we don't munge files if we're allowing any extension.
+ // Reset the hook counters.
+ file_test_reset();
+
+ $edit = array(
+ 'files[file_test_upload]' => drupal_realpath($this->image->uri),
+ 'allow_all_extensions' => TRUE,
+ );
+
+ $this->drupalPost('file-test/upload', $edit, t('Submit'));
+ $this->assertResponse(200, t('Received a 200 response for posted test file.'));
+ $this->assertNoRaw(t('For security reasons, your upload has been renamed'), t('Found no security message.'));
+ $this->assertRaw(t('File name is !filename', array('!filename' => $this->image->filename)), t('File was not munged when allowing any extension.'));
+ $this->assertRaw(t('You WIN!'), t('Found the success message.'));
+
+ // Check that the correct hooks were called.
+ $this->assertFileHooksCalled(array('validate', 'insert'));
+ }
+
+ /**
 * Test renaming when uploading over a file that already exists.
 */
 function testExistingRename() { |
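Review bot: In testHandleDangerousFile the secure branch (everything before `variable_set('allow_insecure_uploads', 1)`) only checks the "renamed to" notice and the MIME line, so it never pins the name the upload was actually stored under, while the insecure branch does exactly that through the `File name is !filename` output. Add the mirror assertion after the MIME check, `$this->assertRaw(t('File name is !filename', array('!filename' => $this->phpfile->filename . '.txt')), t('Dangerous file was stored under the .txt name.'));`, so a regression that prints the notice but keeps the original name is caught. Conversely the insecure branch asserts nothing about the MIME type, so whether the type is still rewritten to text/plain when renaming is disabled is left unspecified; the expected value there depends on what file-test reports, so I have not quoted one. testHandleFileMunge exercises only a harmless `.foo` inner extension, so the case the munging exists for (an inner extension from the unsafe set) is not covered by either munge assertion.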