Révision bceb9b7a
Ajouté par Florent Torregrosa il y a environ 9 ans
| drupal7/modules/simpletest/tests/bootstrap.test | ||
|---|---|---|
| 546 | 546 |
} |
| 547 | 547 |
} |
| 548 | 548 |
} |
| 549 |
|
|
| 550 |
/** |
|
| 551 |
* Tests for $_GET['destination'] and $_REQUEST['destination'] validation. |
|
| 552 |
*/ |
|
| 553 |
class BootstrapDestinationTestCase extends DrupalWebTestCase {
|
|
| 554 |
|
|
| 555 |
public static function getInfo() {
|
|
| 556 |
return array( |
|
| 557 |
'name' => 'URL destination validation', |
|
| 558 |
'description' => 'Test that $_GET[\'destination\'] and $_REQUEST[\'destination\'] cannot contain external URLs.', |
|
| 559 |
'group' => 'Bootstrap', |
|
| 560 |
); |
|
| 561 |
} |
|
| 562 |
|
|
| 563 |
function setUp() {
|
|
| 564 |
parent::setUp('system_test');
|
|
| 565 |
} |
|
| 566 |
|
|
| 567 |
/** |
|
| 568 |
* Tests that $_GET/$_REQUEST['destination'] only contain internal URLs. |
|
| 569 |
* |
|
| 570 |
* @see _drupal_bootstrap_variables() |
|
| 571 |
* @see system_test_get_destination() |
|
| 572 |
* @see system_test_request_destination() |
|
| 573 |
*/ |
|
| 574 |
public function testDestination() {
|
|
| 575 |
$test_cases = array( |
|
| 576 |
array( |
|
| 577 |
'input' => 'node', |
|
| 578 |
'output' => 'node', |
|
| 579 |
'message' => "Standard internal example node path is present in the 'destination' parameter.", |
|
| 580 |
), |
|
| 581 |
array( |
|
| 582 |
'input' => '/example.com', |
|
| 583 |
'output' => '/example.com', |
|
| 584 |
'message' => 'Internal path with one leading slash is allowed.', |
|
| 585 |
), |
|
| 586 |
array( |
|
| 587 |
'input' => '//example.com/test', |
|
| 588 |
'output' => '', |
|
| 589 |
'message' => 'External URL without scheme is not allowed.', |
|
| 590 |
), |
|
| 591 |
array( |
|
| 592 |
'input' => 'example:test', |
|
| 593 |
'output' => 'example:test', |
|
| 594 |
'message' => 'Internal URL using a colon is allowed.', |
|
| 595 |
), |
|
| 596 |
array( |
|
| 597 |
'input' => 'http://example.com', |
|
| 598 |
'output' => '', |
|
| 599 |
'message' => 'External URL is not allowed.', |
|
| 600 |
), |
|
| 601 |
array( |
|
| 602 |
'input' => 'javascript:alert(0)', |
|
| 603 |
'output' => 'javascript:alert(0)', |
|
| 604 |
'message' => 'Javascript URL is allowed because it is treated as an internal URL.', |
|
| 605 |
), |
|
| 606 |
); |
|
| 607 |
foreach ($test_cases as $test_case) {
|
|
| 608 |
// Test $_GET['destination']. |
|
| 609 |
$this->drupalGet('system-test/get-destination', array('query' => array('destination' => $test_case['input'])));
|
|
| 610 |
$this->assertIdentical($test_case['output'], $this->drupalGetContent(), $test_case['message']); |
|
| 611 |
// Test $_REQUEST['destination']. There's no form to submit to, so |
|
| 612 |
// drupalPost() won't work here; this just tests a direct $_POST request |
|
| 613 |
// instead. |
|
| 614 |
$curl_parameters = array( |
|
| 615 |
CURLOPT_URL => $this->getAbsoluteUrl('system-test/request-destination'),
|
|
| 616 |
CURLOPT_POST => TRUE, |
|
| 617 |
CURLOPT_POSTFIELDS => 'destination=' . urlencode($test_case['input']), |
|
| 618 |
CURLOPT_HTTPHEADER => array(), |
|
| 619 |
); |
|
| 620 |
$post_output = $this->curlExec($curl_parameters); |
|
| 621 |
$this->assertIdentical($test_case['output'], $post_output, $test_case['message']); |
|
| 622 |
} |
|
| 623 |
|
|
| 624 |
// Make sure that 404 pages do not populate $_GET['destination'] with |
|
| 625 |
// external URLs. |
|
| 626 |
variable_set('site_404', 'system-test/get-destination');
|
|
| 627 |
$this->drupalGet('http://example.com', array('external' => FALSE));
|
|
| 628 |
$this->assertIdentical('', $this->drupalGetContent(), 'External URL is not allowed on 404 pages.');
|
|
| 629 |
} |
|
| 630 |
} |
|
Formats disponibles : Unified diff
Update core to 7.35