summaryrefslogtreecommitdiff
path: root/_test
diff options
context:
space:
mode:
authorChristopher Smith <chris@jalakai.co.uk>2013-04-07 12:43:02 -0700
committerChristopher Smith <chris@jalakai.co.uk>2013-04-07 12:43:02 -0700
commit892345cb7ab86c179f6cc30b504789133d354175 (patch)
treee8f498fe6c2a41acccf4c958a69c60aecad72142 /_test
parentf20dba3663b5307c29d9c535843b51157b540ef1 (diff)
parent3e8bad3a1f8b5d065e170bb12dd224bf18de6897 (diff)
downloadrpg-892345cb7ab86c179f6cc30b504789133d354175.tar.gz
rpg-892345cb7ab86c179f6cc30b504789133d354175.tar.bz2
Merge pull request #203 from splitbrain/fetchissues3
prevent third-party requests from using fetch
Diffstat (limited to '_test')
-rw-r--r--_test/core/TestRequest.php19
-rw-r--r--_test/core/TestResponse.php38
-rw-r--r--_test/tests/lib/exe/fetch_imagetoken.test.php99
-rw-r--r--_test/tests/test/basic.test.php67
4 files changed, 216 insertions, 7 deletions
diff --git a/_test/core/TestRequest.php b/_test/core/TestRequest.php
index 172821576..0a54910ed 100644
--- a/_test/core/TestRequest.php
+++ b/_test/core/TestRequest.php
@@ -18,6 +18,9 @@ function ob_start_callback($buffer) {
*/
class TestRequest {
+ private $valid_scripts = array('/doku.php', '/lib/exe/fetch.php', '/lib/exe/detail.php');
+ private $script;
+
private $server = array();
private $session = array();
private $get = array();
@@ -27,6 +30,7 @@ class TestRequest {
public function getSession($key) { return $this->session[$key]; }
public function getGet($key) { return $this->get[$key]; }
public function getPost($key) { return $this->post[$key]; }
+ public function getScript() { return $this->script; }
public function setServer($key, $value) { $this->server[$key] = $value; }
public function setSession($key, $value) { $this->session[$key] = $value; }
@@ -70,13 +74,13 @@ class TestRequest {
// now execute dokuwiki and grep the output
header_remove();
ob_start('ob_start_callback');
- include(DOKU_INC.'doku.php');
+ include(DOKU_INC.$this->script);
ob_end_flush();
// create the response object
$response = new TestResponse(
$output_buffer,
- headers_list()
+ (function_exists('xdebug_get_headers') ? xdebug_get_headers() : headers_list()) // cli sapi doesn't do headers, prefer xdebug_get_headers() which works under cli
);
// reset environment
@@ -102,14 +106,15 @@ class TestRequest {
* @todo make this work with other end points
*/
protected function setUri($uri){
- if(substr($uri,0,9) != '/doku.php'){
- throw new Exception("only '/doku.php' is supported currently");
+ if(!preg_match('#^('.join('|',$this->valid_scripts).')#',$uri)){
+ throw new Exception("$uri \n--- only ".join(', ',$this->valid_scripts)." are supported currently");
}
$params = array();
list($uri, $query) = explode('?',$uri,2);
if($query) parse_str($query, $params);
+ $this->script = substr($uri,1);
$this->get = array_merge($params, $this->get);
if(count($this->get)){
$query = '?'.http_build_query($this->get, '', '&');
@@ -129,7 +134,7 @@ class TestRequest {
* Simulate a POST request with the given variables
*
* @param array $post all the POST parameters to use
- * @param string $url end URL to simulate, needs to start with /doku.php currently
+ * @param string $url end URL to simulate, needs to start with /doku.php, /lib/exe/fetch.php or /lib/exe/detail.php currently
* @param return TestResponse
*/
public function post($post=array(), $uri='/doku.php') {
@@ -141,8 +146,8 @@ class TestRequest {
/**
* Simulate a GET request with the given variables
*
- * @param array $GET all the POST parameters to use
- * @param string $url end URL to simulate, needs to start with /doku.php currently
+ * @param array $GET all the GET parameters to use
+ * @param string $url end URL to simulate, needs to start with /doku.php, /lib/exe/fetch.php or /lib/exe/detail.php currently
* @param return TestResponse
*/
public function get($get=array(), $uri='/doku.php') {
diff --git a/_test/core/TestResponse.php b/_test/core/TestResponse.php
index 6d20afb28..7cc50ee4f 100644
--- a/_test/core/TestResponse.php
+++ b/_test/core/TestResponse.php
@@ -42,6 +42,44 @@ class TestResponse {
}
/**
+ * @param $name string, the name of the header without the ':', e.g. 'Content-Type', 'Pragma'
+ * @return mixed if exactly one header, the header (string); otherwise an array of headers, empty when no headers
+ */
+ public function getHeader($name) {
+ $result = array();
+ foreach ($this->headers as $header) {
+ if (substr($header,0,strlen($name)+1) == $name.':') {
+ $result[] = $header;
+ }
+ }
+
+ return count($result) == 1 ? $result[0] : $result;
+ }
+
+ /**
+ * @return int http status code
+ *
+ * in the test environment, only status codes explicitly set by dokuwiki are likely to be returned
+ * this means succcessful status codes (e.g. 200 OK) will not be present, but error codes will be
+ */
+ public function getStatusCode() {
+ $headers = $this->getHeader('Status');
+ $code = null;
+
+ if ($headers) {
+ // if there is more than one status header, use the last one
+ $status = is_array($headers) ? array_pop($headers) : $headers;
+ $matches = array();
+ preg_match('/^Status: ?(\d+)/',$status,$matches);
+ if ($matches){
+ $code = $matches[1];
+ }
+ }
+
+ return $code;
+ }
+
+ /**
* Query the response for a JQuery compatible CSS selector
*
* @link https://code.google.com/p/phpquery/wiki/Selectors
diff --git a/_test/tests/lib/exe/fetch_imagetoken.test.php b/_test/tests/lib/exe/fetch_imagetoken.test.php
new file mode 100644
index 000000000..9e5b6e4a2
--- /dev/null
+++ b/_test/tests/lib/exe/fetch_imagetoken.test.php
@@ -0,0 +1,99 @@
+<?php
+
+class fetch_imagetoken_test extends DokuWikiTest {
+
+ private $media = 'wiki:dokuwiki-128.png';
+ private $width = 200;
+ private $height = 0;
+
+ function setUp() {
+ // check we can carry out these tests
+ if (!file_exists(mediaFN($this->media))) {
+ $this->markTestSkipped('Source image required for test');
+ }
+
+ header('X-Test: check headers working');
+ $header_check = function_exists('xdebug_get_headers') ? xdebug_get_headers() : headers_list();
+ if (empty($header_check)) {
+ $this->markTestSkipped('headers not returned, perhaps your sapi does not return headers, try xdebug');
+ } else {
+ header_remove('X-Test');
+ }
+
+ parent::setUp();
+
+ global $conf;
+ $conf['sendfile'] = 0;
+
+ global $MIME, $EXT, $CACHE, $INPUT; // variables fetch creates in global scope -- should this be in fetch?
+ }
+
+ function getUri() {
+ $w = $this->width ? 'w='.$this->width.'&' : '';
+ $h = $this->height ? 'h='.$this->height.'&' : '';
+
+ return '/lib/exe/fetch.php?'.$w.$h.'{%token%}media='.$this->media;
+ }
+
+ function fetchResponse($token){
+ $request = new TestRequest();
+ return $request->get(array(),str_replace('{%token%}',$token,$this->getUri()));
+ }
+
+ /**
+ * modified image request with valid token
+ * expect: header with mime-type
+ * expect: content
+ * expect: no error response
+ */
+ function test_valid_token(){
+ $valid_token = 'tok='.media_get_token($this->media, $this->width, $this->height).'&';
+ $response = $this->fetchResponse($valid_token);
+ $this->assertTrue((bool)$response->getHeader('Content-Type'));
+ $this->assertTrue((bool)($response->getContent()));
+
+ $status_code = $response->getStatusCode();
+ $this->assertTrue(is_null($status_code) || (200 == $status_code));
+ }
+
+ /**
+ * modified image request with invalid token
+ * expect: 412 status code
+ */
+ function test_invalid_token(){
+ $invalid_token = 'tok='.media_get_token('junk',200,100).'&';
+ $this->assertEquals(412,$this->fetchResponse($invalid_token)->getStatusCode());
+ }
+
+ /**
+ * modified image request with no token
+ * expect: 412 status code
+ */
+ function test_missing_token(){
+ $no_token = '';
+ $this->assertEquals(412,$this->fetchResponse($notoken)->getStatusCode());
+ }
+
+ /**
+ * native image request which doesn't require a token
+ * try: with a token & without a token
+ * expect: (for both) header with mime-type, content matching source image filesize & no error response
+ */
+ function test_no_token_required(){
+ $this->width = $this->height = 0; // no width & height, means image request at native dimensions
+ $any_token = 'tok='.media_get_token('junk',200,100).'&';
+ $no_token = '';
+ $bytes = filesize(mediaFN($this->media));
+
+ foreach(array($any_token, $no_token) as $token) {
+ $response = $this->fetchResponse($token);
+ $this->assertTrue((bool)$response->getHeader('Content-Type'));
+ $this->assertEquals(strlen($response->getContent()), $bytes);
+
+ $status_code = $response->getStatusCode();
+ $this->assertTrue(is_null($status_code) || (200 == $status_code));
+ }
+ }
+
+}
+//Setup VIM: ex: et ts=4 :
diff --git a/_test/tests/test/basic.test.php b/_test/tests/test/basic.test.php
index a0ea48a3a..05778ccf9 100644
--- a/_test/tests/test/basic.test.php
+++ b/_test/tests/test/basic.test.php
@@ -4,6 +4,24 @@
* @group integration
*/
class InttestsBasicTest extends DokuWikiTest {
+
+ private $some_headers = array(
+ 'Content-Type: image/png',
+ 'Date: Fri, 22 Mar 2013 16:10:01 GMT',
+ 'X-Powered-By: PHP/5.3.15',
+ 'Expires: Sat, 23 Mar 2013 17:03:46 GMT',
+ 'Cache-Control: public, proxy-revalidate, no-transform, max-age=86400',
+ 'Pragma: public',
+ 'Last-Modified: Fri, 22 Mar 2013 01:48:28 GMT',
+ 'ETag: "63daab733b38c30c337229b2e587f8fb"',
+ 'Content-Disposition: inline; filename="fe389b0db8c1088c336abb502d2f9ae7.media.200x200.png',
+ 'Accept-Ranges: bytes',
+ 'Content-Type: image/png',
+ 'Content-Length: 62315',
+ 'Status: 200 OK',
+ 'Status: 404 Not Found',
+ );
+
/**
* Execute the simplest possible request and expect
* a dokuwiki page which obviously has the word "DokuWiki"
@@ -101,5 +119,54 @@ class InttestsBasicTest extends DokuWikiTest {
$this->assertTrue(strpos($response->getContent(), 'Andreas Gohr') >= 0);
}
+ function testScripts() {
+ $request = new TestRequest();
+
+ // doku
+ $response = $request->get();
+ $this->assertEquals('doku.php',$request->getScript());
+
+ $response = $request->get(array(),'/doku.php?id=wiki:dokuwiki&test=foo');
+ $this->assertEquals('doku.php',$request->getScript());
+
+ // fetch
+ $response = $request->get(array(),'/lib/exe/fetch.php?media=wiki:dokuwiki-128.png');
+ $this->assertEquals('lib/exe/fetch.php',$request->getScript());
+
+ // detail
+ $response = $request->get(array(),'/lib/exe/detail.php?id=start&media=wiki:dokuwiki-128.png');
+ $this->assertEquals('lib/exe/detail.php',$request->getScript());
+ }
+
+ function testHeaders(){
+ header('X-Test: check headers working');
+ $header_check = function_exists('xdebug_get_headers') ? xdebug_get_headers() : headers_list();
+ if (empty($header_check)) {
+ $this->markTestSkipped('headers not returned, perhaps your sapi does not return headers, try xdebug');
+ } else {
+ header_remove('X-Test');
+ }
+
+ $request = new TestRequest();
+ $response = $request->get(array(),'/lib/exe/fetch.php?media=wiki:dokuwiki-128.png');
+ $headers = $response->getHeaders();
+ $this->assertTrue(!empty($headers));
+ }
+
+ function testGetHeader(){
+ $response = new TestResponse('',$this->some_headers);
+
+ $this->assertEquals('Pragma: public', $response->getHeader('Pragma'));
+ $this->assertEmpty($response->getHeader('Junk'));
+ $this->assertEquals(array('Content-Type: image/png','Content-Type: image/png'), $response->getHeader('Content-Type'));
+ }
+
+ function testGetStatus(){
+ $response = new TestResponse('',$this->some_headers);
+ $this->assertEquals(404, $response->getStatusCode());
+
+ $response = new TestResponse('',array_slice($this->some_headers,0,-2)); // slice off the last two headers to leave no status header
+ $this->assertNull($response->getStatusCode());
+ }
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-17 13:01:16 +0000