From 27a72017bda3f3ead65b24de9f0997a0242d3554 Mon Sep 17 00:00:00 2001
From: David Rothstein
Date: Mon, 4 May 2015 22:18:24 -0400
Subject: Issue #2399657 by klausi: Add session hijacking test cases for SA-CORE-2014-006

---
 modules/simpletest/tests/session.test | 50 +++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
(limited to 'modules')

diff --git a/modules/simpletest/tests/session.test b/modules/simpletest/tests/session.test
index 097503b67..893d03e9f 100644
--- a/modules/simpletest/tests/session.test
+++ b/modules/simpletest/tests/session.test
@@ -477,6 +477,56 @@ class SessionHttpsTestCase extends DrupalWebTestCase {
     $this->assertResponse(200);
   }
 
+  /**
+   * Tests that empty session IDs do not cause unrelated sessions to load.
+   */
+  public function testEmptySessionId() {
+    global $is_https;
+
+    if ($is_https) {
+      $secure_session_name = session_name();
+    }
+    else {
+      $secure_session_name = 'S' . session_name();
+    }
+
+    // Enable mixed mode for HTTP and HTTPS.
+    variable_set('https', TRUE);
+
+    $admin_user = $this->drupalCreateUser(array('access administration pages'));
+    $standard_user = $this->drupalCreateUser(array('access content'));
+
+    // First log in as the admin user on HTTP.
+    // We cannot use $this->drupalLogin() here because we need to use the
+    // special http.php URLs.
+    $edit = array(
+      'name' => $admin_user->name,
+      'pass' => $admin_user->pass_raw
+    );
+    $this->drupalGet('user');
+    $form = $this->xpath('//form[@id="user-login"]');
+    $form[0]['action'] = $this->httpUrl('user');
+    $this->drupalPost(NULL, $edit, t('Log in'));
+
+    $this->curlClose();
+
+    // Now start a session for the standard user on HTTPS.
+    $edit = array(
+      'name' => $standard_user->name,
+      'pass' => $standard_user->pass_raw
+    );
+    $this->drupalGet('user');
+    $form = $this->xpath('//form[@id="user-login"]');
+    $form[0]['action'] = $this->httpsUrl('user');
+    $this->drupalPost(NULL, $edit, t('Log in'));
+
+    // Make the secure session cookie blank.
+    curl_setopt($this->curlHandle, CURLOPT_COOKIE, "$secure_session_name=");
+    $this->drupalGet($this->httpsUrl('user'));
+    $this->assertNoText($admin_user->name, 'User is not logged in as admin');
+    $this->assertNoText($standard_user->name, "The user's own name is not displayed because the invalid session cookie has logged them out.");
+  }
+
   /**
    * Test that there exists a session with two specific session IDs.
    *
-- 
cgit v1.2.3
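Review bot: The only blank-cookie request is the HTTPS fetch with `$secure_session_name` emptied, so the insecure session cookie that the same mixed-mode setup (`variable_set('https', TRUE)` plus the HTTP login) also creates is never sent blank, and the HTTP lookup path of the fix this test is meant to pin stays uncovered. If the SA-CORE-2014-006 change applies to both cookie names, derive `$insecure_session_name` in the same `if ($is_https)` branch and repeat the blank-cookie fetch against `$this->httpUrl('user')` with the same two `assertNoText()` calls — probably after a fresh login or in a sibling method, since the assertion message already states that the blank secure cookie logs the standard user out. A why-comment before the admin login would make the setup self-explaining: `// The admin session is created first so that an empty-session-ID lookup that matched an arbitrary stored session would land on it.` Both `$edit` arrays omit the trailing comma after `'pass'` that the multi-line array convention in this codebase expects. `testEmptySessionId()` is complete within the hunk; the enclosing class continues outside it.

```php
    if ($is_https) {
      $secure_session_name = session_name();
      $insecure_session_name = substr(session_name(), 1);
    }
    else {
      $secure_session_name = 'S' . session_name();
      $insecure_session_name = session_name();
    }
    // … unchanged: mixed-mode setup, admin login on HTTP, standard user login on HTTPS, blank secure cookie check …
    // Repeat the check with a blank insecure session cookie over HTTP.
    curl_setopt($this->curlHandle, CURLOPT_COOKIE, "$insecure_session_name=");
    $this->drupalGet($this->httpUrl('user'));
    $this->assertNoText($admin_user->name, 'User is not logged in as admin');
    $this->assertNoText($standard_user->name, "The user's own name is not displayed because the invalid session cookie has logged them out.");
```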