From 72e81af12dc8fa3b28551a3af281ce67b638f5b6 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Sun, 2 Nov 2008 10:56:35 +0000
Subject: - Patch #324875 by pwolanin, Damien Tournoud, goba: improved conf_path() header injection checking.
---
 modules/simpletest/tests/bootstrap.test | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
(limited to 'modules/simpletest/tests')
diff --git a/modules/simpletest/tests/bootstrap.test b/modules/simpletest/tests/bootstrap.test
index 8be13aaeb..638d6b89f 100644
--- a/modules/simpletest/tests/bootstrap.test
+++ b/modules/simpletest/tests/bootstrap.test
@@ -8,8 +8,8 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
 */
 function getInfo() {
 return array(
- 'name' => t('IP address test'),
- 'description' => t('Get the IP address from the current visitor from the server variables.'),
+ 'name' => t('IP address and HTTP_HOST test'),
+ 'description' => t('Get the IP address from the current visitor from the server variables, check hostname validation.'),
 'group' => t('Bootstrap')
 );
 }
@@ -42,9 +42,9 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
 }
 /**
- * testIPAddress
+ * test IP Address and hostname
 */
- function testIPAddress() {
+ function testIPAddressHost() {
 // Test the normal IP address.
 $this->assertTrue(
 ip_address(true) == $this->remote_ip,
@@ -80,6 +80,16 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
 ip_address(true) == $this->cluster_ip,
 t('Cluster environment got cluster client IP')
 );
+ $_SERVER['HTTP_HOST'] = 'security/.drupal.org:80';
+ $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with / is invalid'));
+ $_SERVER['HTTP_HOST'] = 'security\\.drupal.org:80';
+ $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with \\ is invalid'));
+ $_SERVER['HTTP_HOST'] = 'security<.drupal.org:80';
+ $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with < is invalid'));
+ $_SERVER['HTTP_HOST'] = 'security..drupal.org:80';
+ $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with .. is invalid'));
+ $_SERVER['HTTP_HOST'] = '[::1]:80'; // IPv6 loopback address
+ $this->assertTrue(drupal_valid_http_host(), t('HTTP_HOST containing IPv6 loopback is valid'));
 }
 }
-- cgit v1.2.3
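Review bot: The HTTP_HOST assertions added at the end of testIPAddressHost() contain only one accepting case, the IPv6 literal, so a validator that wrongly rejected every ordinary hostname would still pass this test; add a plain positive case such as `$_SERVER['HTTP_HOST'] = 'security.drupal.org:80';` followed by `$this->assertTrue(drupal_valid_http_host(), t('Plain HTTP_HOST is valid'));`. The rejecting cases cover `/`, `\`, `<` and `..`, but none contains whitespace or a CR/LF, which is what the "header injection" named in the commit subject normally depends on, so a rejecting case with an embedded line break, and one with a line break as the very last character of the value, would pin the property the validator is meant to guarantee. The method also leaves `$_SERVER['HTTP_HOST']` set to `[::1]:80` when it returns; whether setUp()/tearDown() save and restore `$_SERVER` is not visible because the method and class begin outside this hunk, so that should be confirmed or the original value restored at the end of the method.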