'IP address and HTTP_HOST test', 'description' => 'Get the IP address from the current visitor from the server variables, check hostname validation.', 'group' => 'Bootstrap' ); } function setUp() { $this->oldserver = $_SERVER; $this->remote_ip = '127.0.0.1'; $this->proxy_ip = '127.0.0.2'; $this->proxy2_ip = '127.0.0.3'; $this->forwarded_ip = '127.0.0.4'; $this->cluster_ip = '127.0.0.5'; $this->untrusted_ip = '0.0.0.0'; drupal_static_reset('ip_address'); $_SERVER['REMOTE_ADDR'] = $this->remote_ip; unset($_SERVER['HTTP_X_FORWARDED_FOR']); unset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']); parent::setUp(); } function tearDown() { $_SERVER = $this->oldserver; drupal_static_reset('ip_address'); parent::tearDown(); } /** * test IP Address and hostname */ function testIPAddressHost() { // Test the normal IP address. $this->assertTrue( ip_address() == $this->remote_ip, 'Got remote IP address.' ); // Proxy forwarding on but no proxy addresses defined. variable_set('reverse_proxy', 1); $this->assertTrue( ip_address() == $this->remote_ip, 'Proxy forwarding without trusted proxies got remote IP address.' ); // Proxy forwarding on and proxy address not trusted. variable_set('reverse_proxy_addresses', array($this->proxy_ip, $this->proxy2_ip)); drupal_static_reset('ip_address'); $_SERVER['REMOTE_ADDR'] = $this->untrusted_ip; $this->assertTrue( ip_address() == $this->untrusted_ip, 'Proxy forwarding with untrusted proxy got remote IP address.' ); // Proxy forwarding on and proxy address trusted. $_SERVER['REMOTE_ADDR'] = $this->proxy_ip; $_SERVER['HTTP_X_FORWARDED_FOR'] = $this->forwarded_ip; drupal_static_reset('ip_address'); $this->assertTrue( ip_address() == $this->forwarded_ip, 'Proxy forwarding with trusted proxy got forwarded IP address.' ); // Multi-tier architecture with comma separated values in header. $_SERVER['REMOTE_ADDR'] = $this->proxy_ip; $_SERVER['HTTP_X_FORWARDED_FOR'] = implode(', ', array($this->untrusted_ip, $this->forwarded_ip, $this->proxy2_ip)); drupal_static_reset('ip_address'); $this->assertTrue( ip_address() == $this->forwarded_ip, 'Proxy forwarding with trusted 2-tier proxy got forwarded IP address.' ); // Custom client-IP header. variable_set('reverse_proxy_header', 'HTTP_X_CLUSTER_CLIENT_IP'); $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] = $this->cluster_ip; drupal_static_reset('ip_address'); $this->assertTrue( ip_address() == $this->cluster_ip, 'Cluster environment got cluster client IP.' ); // Verifies that drupal_valid_http_host() prevents invalid characters. $this->assertFalse(drupal_valid_http_host('security/.drupal.org:80'), 'HTTP_HOST with / is invalid'); $this->assertFalse(drupal_valid_http_host('security\\.drupal.org:80'), 'HTTP_HOST with \\ is invalid'); $this->assertFalse(drupal_valid_http_host('security<.drupal.org:80'), 'HTTP_HOST with < is invalid'); $this->assertFalse(drupal_valid_http_host('security..drupal.org:80'), 'HTTP_HOST with .. is invalid'); // Verifies that host names are shorter than 1000 characters. $this->assertFalse(drupal_valid_http_host(str_repeat('x', 1001)), 'HTTP_HOST with more than 1000 characters is invalid.'); $this->assertFalse(drupal_valid_http_host(str_repeat('.', 101)), 'HTTP_HOST with more than 100 subdomains is invalid.'); $this->assertFalse(drupal_valid_http_host(str_repeat(':', 101)), 'HTTP_HOST with more than 100 portseparators is invalid.'); // IPv6 loopback address $this->assertTrue(drupal_valid_http_host('[::1]:80'), 'HTTP_HOST containing IPv6 loopback is valid'); } } class BootstrapPageCacheTestCase extends DrupalWebTestCase { public static function getInfo() { return array( 'name' => 'Page cache test', 'description' => 'Enable the page cache and test it with various HTTP requests.', 'group' => 'Bootstrap' ); } function setUp() { parent::setUp('system_test'); } /** * Test support for requests containing If-Modified-Since and If-None-Match headers. */ function testConditionalRequests() { variable_set('cache', 1); // Fill the cache. $this->drupalGet(''); $this->drupalHead(''); $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT', 'Page was cached.'); $etag = $this->drupalGetHeader('ETag'); $last_modified = $this->drupalGetHeader('Last-Modified'); $this->drupalGet('', array(), array('If-Modified-Since: ' . $last_modified, 'If-None-Match: ' . $etag)); $this->assertResponse(304, 'Conditional request returned 304 Not Modified.'); $this->drupalGet('', array(), array('If-Modified-Since: ' . gmdate(DATE_RFC822, strtotime($last_modified)), 'If-None-Match: ' . $etag)); $this->assertResponse(304, 'Conditional request with obsolete If-Modified-Since date returned 304 Not Modified.'); $this->drupalGet('', array(), array('If-Modified-Since: ' . gmdate(DATE_RFC850, strtotime($last_modified)), 'If-None-Match: ' . $etag)); $this->assertResponse(304, 'Conditional request with obsolete If-Modified-Since date returned 304 Not Modified.'); $this->drupalGet('', array(), array('If-Modified-Since: ' . $last_modified)); $this->assertResponse(200, 'Conditional request without If-None-Match returned 200 OK.'); $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT', 'Page was cached.'); $this->drupalGet('', array(), array('If-Modified-Since: ' . gmdate(DATE_RFC7231, strtotime($last_modified) + 1), 'If-None-Match: ' . $etag)); $this->assertResponse(200, 'Conditional request with new a If-Modified-Since date newer than Last-Modified returned 200 OK.'); $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT', 'Page was cached.'); $user = $this->drupalCreateUser(); $this->drupalLogin($user); $this->drupalGet('', array(), array('If-Modified-Since: ' . $last_modified, 'If-None-Match: ' . $etag)); $this->assertResponse(200, 'Conditional request returned 200 OK for authenticated user.'); $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'), 'Absense of Page was not cached.'); $this->assertFalse($this->drupalGetHeader('ETag'), 'ETag HTTP headers are not present for logged in users.'); $this->assertFalse($this->drupalGetHeader('Last-Modified'), 'Last-Modified HTTP headers are not present for logged in users.'); } /** * Test cache headers. */ function testPageCache() { variable_set('cache', 1); // Fill the cache. $this->drupalGet('system-test/set-header', array('query' => array('name' => 'Foo', 'value' => 'bar'))); $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'MISS', 'Page was not cached.'); $this->assertEqual($this->drupalGetHeader('Vary'), 'Cookie,Accept-Encoding', 'Vary header was sent.'); $this->assertEqual($this->drupalGetHeader('Cache-Control'), 'public, max-age=0', 'Cache-Control header was sent.'); $this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', 'Expires header was sent.'); $this->assertEqual($this->drupalGetHeader('Foo'), 'bar', 'Custom header was sent.'); // Check cache. $this->drupalGet('system-test/set-header', array('query' => array('name' => 'Foo', 'value' => 'bar'))); $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT', 'Page was cached.'); $this->assertEqual($this->drupalGetHeader('Vary'), 'Cookie,Accept-Encoding', 'Vary: Cookie header was sent.'); $this->assertEqual($this->drupalGetHeader('Cache-Control'), 'public, max-age=0', 'Cache-Control header was sent.'); $this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', 'Expires header was sent.'); $this->assertEqual($this->drupalGetHeader('Foo'), 'bar', 'Custom header was sent.'); // Check replacing default headers. $this->drupalGet('system-test/set-header', array('query' => array('name' => 'Expires', 'value' => 'Fri, 19 Nov 2008 05:00:00 GMT'))); $this->assertEqual($this->drupalGetHeader('Expires'), 'Fri, 19 Nov 2008 05:00:00 GMT', 'Default header was replaced.'); $this->drupalGet('system-test/set-header', array('query' => array('name' => 'Vary', 'value' => 'User-Agent'))); $this->assertEqual($this->drupalGetHeader('Vary'), 'User-Agent,Accept-Encoding', 'Default header was replaced.'); // Check that authenticated users bypass the cache. $user = $this->drupalCreateUser(); $this->drupalLogin($user); $this->drupalGet('system-test/set-header', array('query' => array('name' => 'Foo', 'value' => 'bar'))); $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'), 'Caching was bypassed.'); $this->assertTrue(strpos($this->drupalGetHeader('Vary'), 'Cookie') === FALSE, 'Vary: Cookie header was not sent.'); $this->assertEqual($this->drupalGetHeader('Cache-Control'), 'no-cache, must-revalidate, post-check=0, pre-check=0', 'Cache-Control header was sent.'); $this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', 'Expires header was sent.'); $this->assertEqual($this->drupalGetHeader('Foo'), 'bar', 'Custom header was sent.'); } /** * Test page compression. * * The test should pass even if zlib.output_compression is enabled in php.ini, * .htaccess or similar, or if compression is done outside PHP, e.g. by the * mod_deflate Apache module. */ function testPageCompression() { variable_set('cache', 1); // Fill the cache and verify that output is compressed. $this->drupalGet('', array(), array('Accept-Encoding: gzip,deflate')); $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'MISS', 'Page was not cached.'); $this->drupalSetContent(gzinflate(substr($this->drupalGetContent(), 10, -8))); $this->assertRaw('', 'Page was gzip compressed.'); // Verify that cached output is compressed. $this->drupalGet('', array(), array('Accept-Encoding: gzip,deflate')); $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT', 'Page was cached.'); $this->assertEqual($this->drupalGetHeader('Content-Encoding'), 'gzip', 'A Content-Encoding header was sent.'); $this->drupalSetContent(gzinflate(substr($this->drupalGetContent(), 10, -8))); $this->assertRaw('', 'Page was gzip compressed.'); // Verify that a client without compression support gets an uncompressed page. $this->drupalGet(''); $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT', 'Page was cached.'); $this->assertFalse($this->drupalGetHeader('Content-Encoding'), 'A Content-Encoding header was not sent.'); $this->assertTitle(t('Welcome to @site-name | @site-name', array('@site-name' => variable_get('site_name', 'Drupal'))), 'Site title matches.'); $this->assertRaw('', 'Page was not compressed.'); // Disable compression mode. variable_set('page_compression', FALSE); // Verify if cached page is still available for a client with compression support. $this->drupalGet('', array(), array('Accept-Encoding: gzip,deflate')); $this->drupalSetContent(gzinflate(substr($this->drupalGetContent(), 10, -8))); $this->assertRaw('', 'Page was delivered after compression mode is changed (compression support enabled).'); // Verify if cached page is still available for a client without compression support. $this->drupalGet(''); $this->assertRaw('', 'Page was delivered after compression mode is changed (compression support disabled).'); } } class BootstrapVariableTestCase extends DrupalWebTestCase { function setUp() { parent::setUp('system_test'); } public static function getInfo() { return array( 'name' => 'Variable test', 'description' => 'Make sure the variable system functions correctly.', 'group' => 'Bootstrap' ); } /** * testVariable */ function testVariable() { // Setting and retrieving values. $variable = $this->randomName(); variable_set('simpletest_bootstrap_variable_test', $variable); $this->assertIdentical($variable, variable_get('simpletest_bootstrap_variable_test'), 'Setting and retrieving values'); // Make sure the variable persists across multiple requests. $this->drupalGet('system-test/variable-get'); $this->assertText($variable, 'Variable persists across multiple requests'); // Deleting variables. $default_value = $this->randomName(); variable_del('simpletest_bootstrap_variable_test'); $variable = variable_get('simpletest_bootstrap_variable_test', $default_value); $this->assertIdentical($variable, $default_value, 'Deleting variables'); } /** * Makes sure that the default variable parameter is passed through okay. */ function testVariableDefaults() { // Tests passing nothing through to the default. $this->assertIdentical(NULL, variable_get('simpletest_bootstrap_variable_test'), 'Variables are correctly defaulting to NULL.'); // Tests passing 5 to the default parameter. $this->assertIdentical(5, variable_get('simpletest_bootstrap_variable_test', 5), 'The default variable parameter is passed through correctly.'); } } /** * Tests the auto-loading behavior of the code registry. */ class BootstrapAutoloadTestCase extends DrupalWebTestCase { public static function getInfo() { return array( 'name' => 'Code registry', 'description' => 'Test that the code registry functions correctly.', 'group' => 'Bootstrap', ); } function setUp() { parent::setUp('drupal_autoload_test'); } /** * Tests that autoloader name matching is not case sensitive. */ function testAutoloadCase() { // Test interface autoloader. $this->assertTrue(drupal_autoload_interface('drupalautoloadtestinterface'), 'drupal_autoload_interface() recognizes DrupalAutoloadTestInterface in lower case.'); // Test class autoloader. $this->assertTrue(drupal_autoload_class('drupalautoloadtestclass'), 'drupal_autoload_class() recognizes DrupalAutoloadTestClass in lower case.'); } } /** * Test hook_boot() and hook_exit(). */ class HookBootExitTestCase extends DrupalWebTestCase { public static function getInfo() { return array( 'name' => 'Boot and exit hook invocation', 'description' => 'Test that hook_boot() and hook_exit() are called correctly.', 'group' => 'Bootstrap', ); } function setUp() { parent::setUp('system_test', 'dblog'); } /** * Test calling of hook_boot() and hook_exit(). */ function testHookBootExit() { // Test with cache disabled. Boot and exit should always fire. variable_set('cache', 0); $this->drupalGet(''); $calls = 1; $this->assertEqual(db_query('SELECT COUNT(*) FROM {watchdog} WHERE type = :type AND message = :message', array(':type' => 'system_test', ':message' => 'hook_boot'))->fetchField(), $calls, t('hook_boot called with disabled cache.')); $this->assertEqual(db_query('SELECT COUNT(*) FROM {watchdog} WHERE type = :type AND message = :message', array(':type' => 'system_test', ':message' => 'hook_exit'))->fetchField(), $calls, t('hook_exit called with disabled cache.')); // Test with normal cache. Boot and exit should be called. variable_set('cache', 1); $this->drupalGet(''); $calls++; $this->assertEqual(db_query('SELECT COUNT(*) FROM {watchdog} WHERE type = :type AND message = :message', array(':type' => 'system_test', ':message' => 'hook_boot'))->fetchField(), $calls, t('hook_boot called with normal cache.')); $this->assertEqual(db_query('SELECT COUNT(*) FROM {watchdog} WHERE type = :type AND message = :message', array(':type' => 'system_test', ':message' => 'hook_exit'))->fetchField(), $calls, t('hook_exit called with normal cache.')); // Boot and exit should not fire since the page is cached. variable_set('page_cache_invoke_hooks', FALSE); $this->assertTrue(cache_get(url('', array('absolute' => TRUE)), 'cache_page'), t('Page has been cached.')); $this->drupalGet(''); $this->assertEqual(db_query('SELECT COUNT(*) FROM {watchdog} WHERE type = :type AND message = :message', array(':type' => 'system_test', ':message' => 'hook_boot'))->fetchField(), $calls, t('hook_boot not called with aggressive cache and a cached page.')); $this->assertEqual(db_query('SELECT COUNT(*) FROM {watchdog} WHERE type = :type AND message = :message', array(':type' => 'system_test', ':message' => 'hook_exit'))->fetchField(), $calls, t('hook_exit not called with aggressive cache and a cached page.')); // Test with page cache cleared, boot and exit should be called. $this->assertTrue(db_delete('cache_page')->execute(), t('Page cache cleared.')); $this->drupalGet(''); $calls++; $this->assertEqual(db_query('SELECT COUNT(*) FROM {watchdog} WHERE type = :type AND message = :message', array(':type' => 'system_test', ':message' => 'hook_boot'))->fetchField(), $calls, t('hook_boot called with aggressive cache and no cached page.')); $this->assertEqual(db_query('SELECT COUNT(*) FROM {watchdog} WHERE type = :type AND message = :message', array(':type' => 'system_test', ':message' => 'hook_exit'))->fetchField(), $calls, t('hook_exit called with aggressive cache and no cached page.')); } } /** * Test drupal_get_filename()'s availability. */ class BootstrapGetFilenameTestCase extends DrupalUnitTestCase { public static function getInfo() { return array( 'name' => 'Get filename test', 'description' => 'Test that drupal_get_filename() works correctly when the file is not found in the database.', 'group' => 'Bootstrap', ); } /** * Test that drupal_get_filename() works correctly when the file is not found in the database. */ function testDrupalGetFilename() { // Reset the static cache so we can test the "db is not active" code of // drupal_get_filename(). drupal_static_reset('drupal_get_filename'); // Retrieving the location of a module. $this->assertIdentical(drupal_get_filename('module', 'php'), 'modules/php/php.module', t('Retrieve module location.')); // Retrieving the location of a theme. $this->assertIdentical(drupal_get_filename('theme', 'stark'), 'themes/stark/stark.info', t('Retrieve theme location.')); // Retrieving the location of a theme engine. $this->assertIdentical(drupal_get_filename('theme_engine', 'phptemplate'), 'themes/engines/phptemplate/phptemplate.engine', t('Retrieve theme engine location.')); // Retrieving the location of a profile. Profiles are a special case with // a fixed location and naming. $this->assertIdentical(drupal_get_filename('profile', 'standard'), 'profiles/standard/standard.profile', t('Retrieve install profile location.')); // When a file is not found in the database cache, drupal_get_filename() // searches several locations on the filesystem, including the DRUPAL_ROOT // directory. We use the '.script' extension below because this is a // non-existent filetype that will definitely not exist in the database. // Since there is already a scripts directory, drupal_get_filename() will // automatically check there for 'script' files, just as it does for (e.g.) // 'module' files in modules. $this->assertIdentical(drupal_get_filename('script', 'test'), 'scripts/test.script', t('Retrieve test script location.')); } } class BootstrapTimerTestCase extends DrupalUnitTestCase { public static function getInfo() { return array( 'name' => 'Timer test', 'description' => 'Test that timer_read() works both when a timer is running and when a timer is stopped.', 'group' => 'Bootstrap', ); } /** * Test timer_read() to ensure it properly accumulates time when the timer * started and stopped multiple times. * @return */ function testTimer() { timer_start('test'); sleep(1); $this->assertTrue(timer_read('test') >= 1000, 'Timer measured 1 second of sleeping while running.'); sleep(1); timer_stop('test'); $this->assertTrue(timer_read('test') >= 2000, 'Timer measured 2 seconds of sleeping after being stopped.'); timer_start('test'); sleep(1); $this->assertTrue(timer_read('test') >= 3000, 'Timer measured 3 seconds of sleeping after being restarted.'); sleep(1); $timer = timer_stop('test'); $this->assertTrue(timer_read('test') >= 4000, 'Timer measured 4 seconds of sleeping after being stopped for a second time.'); $this->assertEqual($timer['count'], 2, 'Timer counted 2 instances of being started.'); } } /** * Test that resetting static variables works. */ class BootstrapResettableStaticTestCase extends DrupalUnitTestCase { public static function getInfo() { return array( 'name' => 'Resettable static variables test', 'description' => 'Test that drupal_static() and drupal_static_reset() work.', 'group' => 'Bootstrap', ); } /** * Test that a variable reference returned by drupal_static() gets reset when * drupal_static_reset() is called. */ function testDrupalStatic() { $name = __CLASS__ . '_' . __METHOD__; $var = &drupal_static($name, 'foo'); $this->assertEqual($var, 'foo', 'Variable returned by drupal_static() was set to its default.'); // Call the specific reset and the global reset each twice to ensure that // multiple resets can be issued without odd side effects. $var = 'bar'; drupal_static_reset($name); $this->assertEqual($var, 'foo', 'Variable was reset after first invocation of name-specific reset.'); $var = 'bar'; drupal_static_reset($name); $this->assertEqual($var, 'foo', 'Variable was reset after second invocation of name-specific reset.'); $var = 'bar'; drupal_static_reset(); $this->assertEqual($var, 'foo', 'Variable was reset after first invocation of global reset.'); $var = 'bar'; drupal_static_reset(); $this->assertEqual($var, 'foo', 'Variable was reset after second invocation of global reset.'); } } /** * Test miscellaneous functions in bootstrap.inc. */ class BootstrapMiscTestCase extends DrupalUnitTestCase { public static function getInfo() { return array( 'name' => 'Miscellaneous bootstrap unit tests', 'description' => 'Test miscellaneous functions in bootstrap.inc.', 'group' => 'Bootstrap', ); } /** * Test miscellaneous functions in bootstrap.inc. */ function testMisc() { // Test drupal_array_merge_deep(). $link_options_1 = array('fragment' => 'x', 'attributes' => array('title' => 'X', 'class' => array('a', 'b')), 'language' => 'en'); $link_options_2 = array('fragment' => 'y', 'attributes' => array('title' => 'Y', 'class' => array('c', 'd')), 'html' => TRUE); $expected = array('fragment' => 'y', 'attributes' => array('title' => 'Y', 'class' => array('a', 'b', 'c', 'd')), 'language' => 'en', 'html' => TRUE); $this->assertIdentical(drupal_array_merge_deep($link_options_1, $link_options_2), $expected, 'drupal_array_merge_deep() returned a properly merged array.'); } /** * Tests that the drupal_check_memory_limit() function works as expected. */ function testCheckMemoryLimit() { $memory_limit = ini_get('memory_limit'); // Test that a very reasonable amount of memory is available. $this->assertTrue(drupal_check_memory_limit('30MB'), '30MB of memory tested available.'); // Get the available memory and multiply it by two to make it unreasonably // high. $twice_avail_memory = ($memory_limit * 2) . 'MB'; // The function should always return true if the memory limit is set to -1. $this->assertTrue(drupal_check_memory_limit($twice_avail_memory, -1), 'drupal_check_memory_limit() returns TRUE when a limit of -1 (none) is supplied'); // Test that even though we have 30MB of memory available - the function // returns FALSE when given an upper limit for how much memory can be used. $this->assertFalse(drupal_check_memory_limit('30MB', '16MB'), 'drupal_check_memory_limit() returns FALSE with a 16MB upper limit on a 30MB requirement.'); // Test that an equal amount of memory to the amount requested returns TRUE. $this->assertTrue(drupal_check_memory_limit('30MB', '30MB'), 'drupal_check_memory_limit() returns TRUE when requesting 30MB on a 30MB requirement.'); } } /** * Tests for overriding server variables via the API. */ class BootstrapOverrideServerVariablesTestCase extends DrupalUnitTestCase { public static function getInfo() { return array( 'name' => 'Overriding server variables', 'description' => 'Test that drupal_override_server_variables() works correctly.', 'group' => 'Bootstrap', ); } /** * Test providing a direct URL to to drupal_override_server_variables(). */ function testDrupalOverrideServerVariablesProvidedURL() { $tests = array( 'http://example.com' => array( 'HTTP_HOST' => 'example.com', 'SCRIPT_NAME' => isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : NULL, ), 'http://example.com/index.php' => array( 'HTTP_HOST' => 'example.com', 'SCRIPT_NAME' => '/index.php', ), 'http://example.com/subdirectory/index.php' => array( 'HTTP_HOST' => 'example.com', 'SCRIPT_NAME' => '/subdirectory/index.php', ), ); foreach ($tests as $url => $expected_server_values) { // Remember the original value of $_SERVER, since the function call below // will modify it. $original_server = $_SERVER; // Call drupal_override_server_variables() and ensure that all expected // $_SERVER variables were modified correctly. drupal_override_server_variables(array('url' => $url)); foreach ($expected_server_values as $key => $value) { $this->assertIdentical($_SERVER[$key], $value); } // Restore the original value of $_SERVER. $_SERVER = $original_server; } } } /** * Tests for $_GET['destination'] and $_REQUEST['destination'] validation. */ class BootstrapDestinationTestCase extends DrupalWebTestCase { public static function getInfo() { return array( 'name' => 'URL destination validation', 'description' => 'Test that $_GET[\'destination\'] and $_REQUEST[\'destination\'] cannot contain external URLs.', 'group' => 'Bootstrap', ); } function setUp() { parent::setUp('system_test'); } /** * Tests that $_GET/$_REQUEST['destination'] only contain internal URLs. * * @see _drupal_bootstrap_variables() * @see system_test_get_destination() * @see system_test_request_destination() */ public function testDestination() { $test_cases = array( array( 'input' => 'node', 'output' => 'node', 'message' => "Standard internal example node path is present in the 'destination' parameter.", ), array( 'input' => '/example.com', 'output' => '/example.com', 'message' => 'Internal path with one leading slash is allowed.', ), array( 'input' => '//example.com/test', 'output' => '', 'message' => 'External URL without scheme is not allowed.', ), array( 'input' => 'example:test', 'output' => 'example:test', 'message' => 'Internal URL using a colon is allowed.', ), array( 'input' => 'http://example.com', 'output' => '', 'message' => 'External URL is not allowed.', ), array( 'input' => 'javascript:alert(0)', 'output' => 'javascript:alert(0)', 'message' => 'Javascript URL is allowed because it is treated as an internal URL.', ), ); foreach ($test_cases as $test_case) { // Test $_GET['destination']. $this->drupalGet('system-test/get-destination', array('query' => array('destination' => $test_case['input']))); $this->assertIdentical($test_case['output'], $this->drupalGetContent(), $test_case['message']); // Test $_REQUEST['destination']. There's no form to submit to, so // drupalPost() won't work here; this just tests a direct $_POST request // instead. $curl_parameters = array( CURLOPT_URL => $this->getAbsoluteUrl('system-test/request-destination'), CURLOPT_POST => TRUE, CURLOPT_POSTFIELDS => 'destination=' . urlencode($test_case['input']), CURLOPT_HTTPHEADER => array(), ); $post_output = $this->curlExec($curl_parameters); $this->assertIdentical($test_case['output'], $post_output, $test_case['message']); } // Make sure that 404 pages do not populate $_GET['destination'] with // external URLs. variable_set('site_404', 'system-test/get-destination'); $this->drupalGet('http://example.com', array('external' => FALSE)); $this->assertIdentical('', $this->drupalGetContent(), 'External URL is not allowed on 404 pages.'); } }