Révision bceb9b7a
Ajouté par Florent Torregrosa il y a environ 9 ans
drupal7/modules/simpletest/tests/bootstrap.test | ||
---|---|---|
546 | 546 |
} |
547 | 547 |
} |
548 | 548 |
} |
549 |
|
|
550 |
/** |
|
551 |
* Tests for $_GET['destination'] and $_REQUEST['destination'] validation. |
|
552 |
*/ |
|
553 |
class BootstrapDestinationTestCase extends DrupalWebTestCase { |
|
554 |
|
|
555 |
public static function getInfo() { |
|
556 |
return array( |
|
557 |
'name' => 'URL destination validation', |
|
558 |
'description' => 'Test that $_GET[\'destination\'] and $_REQUEST[\'destination\'] cannot contain external URLs.', |
|
559 |
'group' => 'Bootstrap', |
|
560 |
); |
|
561 |
} |
|
562 |
|
|
563 |
function setUp() { |
|
564 |
parent::setUp('system_test'); |
|
565 |
} |
|
566 |
|
|
567 |
/** |
|
568 |
* Tests that $_GET/$_REQUEST['destination'] only contain internal URLs. |
|
569 |
* |
|
570 |
* @see _drupal_bootstrap_variables() |
|
571 |
* @see system_test_get_destination() |
|
572 |
* @see system_test_request_destination() |
|
573 |
*/ |
|
574 |
public function testDestination() { |
|
575 |
$test_cases = array( |
|
576 |
array( |
|
577 |
'input' => 'node', |
|
578 |
'output' => 'node', |
|
579 |
'message' => "Standard internal example node path is present in the 'destination' parameter.", |
|
580 |
), |
|
581 |
array( |
|
582 |
'input' => '/example.com', |
|
583 |
'output' => '/example.com', |
|
584 |
'message' => 'Internal path with one leading slash is allowed.', |
|
585 |
), |
|
586 |
array( |
|
587 |
'input' => '//example.com/test', |
|
588 |
'output' => '', |
|
589 |
'message' => 'External URL without scheme is not allowed.', |
|
590 |
), |
|
591 |
array( |
|
592 |
'input' => 'example:test', |
|
593 |
'output' => 'example:test', |
|
594 |
'message' => 'Internal URL using a colon is allowed.', |
|
595 |
), |
|
596 |
array( |
|
597 |
'input' => 'http://example.com', |
|
598 |
'output' => '', |
|
599 |
'message' => 'External URL is not allowed.', |
|
600 |
), |
|
601 |
array( |
|
602 |
'input' => 'javascript:alert(0)', |
|
603 |
'output' => 'javascript:alert(0)', |
|
604 |
'message' => 'Javascript URL is allowed because it is treated as an internal URL.', |
|
605 |
), |
|
606 |
); |
|
607 |
foreach ($test_cases as $test_case) { |
|
608 |
// Test $_GET['destination']. |
|
609 |
$this->drupalGet('system-test/get-destination', array('query' => array('destination' => $test_case['input']))); |
|
610 |
$this->assertIdentical($test_case['output'], $this->drupalGetContent(), $test_case['message']); |
|
611 |
// Test $_REQUEST['destination']. There's no form to submit to, so |
|
612 |
// drupalPost() won't work here; this just tests a direct $_POST request |
|
613 |
// instead. |
|
614 |
$curl_parameters = array( |
|
615 |
CURLOPT_URL => $this->getAbsoluteUrl('system-test/request-destination'), |
|
616 |
CURLOPT_POST => TRUE, |
|
617 |
CURLOPT_POSTFIELDS => 'destination=' . urlencode($test_case['input']), |
|
618 |
CURLOPT_HTTPHEADER => array(), |
|
619 |
); |
|
620 |
$post_output = $this->curlExec($curl_parameters); |
|
621 |
$this->assertIdentical($test_case['output'], $post_output, $test_case['message']); |
|
622 |
} |
|
623 |
|
|
624 |
// Make sure that 404 pages do not populate $_GET['destination'] with |
|
625 |
// external URLs. |
|
626 |
variable_set('site_404', 'system-test/get-destination'); |
|
627 |
$this->drupalGet('http://example.com', array('external' => FALSE)); |
|
628 |
$this->assertIdentical('', $this->drupalGetContent(), 'External URL is not allowed on 404 pages.'); |
|
629 |
} |
|
630 |
} |
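Review bot: Inside the foreach in testDestination(), both assertions at lines 610 and 621 pass the same `$test_case['message']`, so a failure report cannot tell whether the $_GET or the $_REQUEST/$_POST path let the value through, which matters for a validation test that covers two input channels. I would label each channel, e.g. `$this->assertIdentical($test_case['output'], $this->drupalGetContent(), $test_case['message'] . ' ($_GET)');` and `$this->assertIdentical($test_case['output'], $post_output, $test_case['message'] . ' ($_REQUEST)');`. The `javascript:alert(0)` case documents that the bootstrap check only rejects external URLs, not dangerous schemes; a short comment on that case stating where scheme filtering is expected to happen (presumably when the destination is turned into a redirect URL, to be confirmed) would keep a later reader from mistaking the asserted pass-through for an oversight. The `site_404` variable set at line 626 is not reset within the method; if the test base class does not restore variables in tearDown, a later assertion in the same case could run against the overridden 404 path.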
Update core to 7.35