Révision bceb9b7a
Ajouté par Florent Torregrosa il y a environ 9 ans
drupal7/modules/user/user.test | ||
---|---|---|
498 | 498 |
// To attempt an expired password reset, create a password reset link as if |
499 | 499 |
// its request time was 60 seconds older than the allowed limit of timeout. |
500 | 500 |
$bogus_timestamp = REQUEST_TIME - variable_get('user_password_reset_timeout', 86400) - 60; |
501 |
$this->drupalGet("user/reset/$account->uid/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login)); |
|
501 |
$this->drupalGet("user/reset/$account->uid/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login, $account->uid));
|
|
502 | 502 |
$this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.'); |
503 | 503 |
} |
504 | 504 |
|
... | ... | |
519 | 519 |
$this->assertFieldByName('name', $edit['name'], 'User name found.'); |
520 | 520 |
} |
521 | 521 |
|
522 |
/** |
|
523 |
* Make sure that users cannot forge password reset URLs of other users. |
|
524 |
*/ |
|
525 |
function testResetImpersonation() { |
|
526 |
// Make sure user 1 has a valid password, so it does not interfere with the |
|
527 |
// test user accounts that are created below. |
|
528 |
$account = user_load(1); |
|
529 |
user_save($account, array('pass' => user_password())); |
|
530 |
|
|
531 |
// Create two identical user accounts except for the user name. They must |
|
532 |
// have the same empty password, so we can't use $this->drupalCreateUser(). |
|
533 |
$edit = array(); |
|
534 |
$edit['name'] = $this->randomName(); |
|
535 |
$edit['mail'] = $edit['name'] . '@example.com'; |
|
536 |
$edit['status'] = 1; |
|
537 |
|
|
538 |
$user1 = user_save(drupal_anonymous_user(), $edit); |
|
539 |
|
|
540 |
$edit['name'] = $this->randomName(); |
|
541 |
$user2 = user_save(drupal_anonymous_user(), $edit); |
|
542 |
|
|
543 |
// The password reset URL must not be valid for the second user when only |
|
544 |
// the user ID is changed in the URL. |
|
545 |
$reset_url = user_pass_reset_url($user1); |
|
546 |
$attack_reset_url = str_replace("user/reset/$user1->uid", "user/reset/$user2->uid", $reset_url); |
|
547 |
$this->drupalGet($attack_reset_url); |
|
548 |
$this->assertNoText($user2->name, 'The invalid password reset page does not show the user name.'); |
|
549 |
$this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.'); |
|
550 |
$this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'); |
|
551 |
|
|
552 |
// When legacy code calls user_pass_rehash() without providing the $uid |
|
553 |
// parameter, neither password reset URL should be valid since it is |
|
554 |
// impossible for the system to determine which user account the token was |
|
555 |
// intended for. |
|
556 |
$timestamp = REQUEST_TIME; |
|
557 |
// Pass an explicit NULL for the $uid parameter of user_pass_rehash() |
|
558 |
// rather than not passing it at all, to avoid triggering PHP warnings in |
|
559 |
// the test. |
|
560 |
$reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL); |
|
561 |
$reset_url = url("user/reset/$user1->uid/$timestamp/$reset_url_token", array('absolute' => TRUE)); |
|
562 |
$this->drupalGet($reset_url); |
|
563 |
$this->assertNoText($user1->name, 'The invalid password reset page does not show the user name.'); |
|
564 |
$this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.'); |
|
565 |
$this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'); |
|
566 |
$attack_reset_url = str_replace("user/reset/$user1->uid", "user/reset/$user2->uid", $reset_url); |
|
567 |
$this->drupalGet($attack_reset_url); |
|
568 |
$this->assertNoText($user2->name, 'The invalid password reset page does not show the user name.'); |
|
569 |
$this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.'); |
|
570 |
$this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'); |
|
571 |
|
|
572 |
// To verify that user_pass_rehash() never returns a valid result in the |
|
573 |
// above situation (even if legacy code also called it to attempt to |
|
574 |
// validate the token, rather than just to generate the URL), check that a |
|
575 |
// second call with the same parameters produces a different result. |
|
576 |
$new_reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL); |
|
577 |
$this->assertNotEqual($reset_url_token, $new_reset_url_token); |
|
578 |
|
|
579 |
// However, when the duplicate account is removed, the password reset URL |
|
580 |
// should be valid. |
|
581 |
user_delete($user2->uid); |
|
582 |
$reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL); |
|
583 |
$reset_url = url("user/reset/$user1->uid/$timestamp/$reset_url_token", array('absolute' => TRUE)); |
|
584 |
$this->drupalGet($reset_url); |
|
585 |
$this->assertText($user1->name, 'The valid password reset page shows the user name.'); |
|
586 |
$this->assertUrl($reset_url, array(), 'The user remains on the password reset login page.'); |
|
587 |
$this->assertNoText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'); |
|
588 |
} |
|
589 |
|
|
522 | 590 |
} |
523 | 591 |
|
524 | 592 |
/** |
... | ... | |
558 | 626 |
|
559 | 627 |
// Attempt bogus account cancellation request confirmation. |
560 | 628 |
$timestamp = $account->login; |
561 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login)); |
|
629 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
562 | 630 |
$this->assertResponse(403, 'Bogus cancelling request rejected.'); |
563 | 631 |
$account = user_load($account->uid); |
564 | 632 |
$this->assertTrue($account->status == 1, 'User account was not canceled.'); |
... | ... | |
631 | 699 |
|
632 | 700 |
// Attempt bogus account cancellation request confirmation. |
633 | 701 |
$bogus_timestamp = $timestamp + 60; |
634 |
$this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login)); |
|
702 |
$this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login, $account->uid));
|
|
635 | 703 |
$this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Bogus cancelling request rejected.'); |
636 | 704 |
$account = user_load($account->uid); |
637 | 705 |
$this->assertTrue($account->status == 1, 'User account was not canceled.'); |
638 | 706 |
|
639 | 707 |
// Attempt expired account cancellation request confirmation. |
640 | 708 |
$bogus_timestamp = $timestamp - 86400 - 60; |
641 |
$this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login)); |
|
709 |
$this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login, $account->uid));
|
|
642 | 710 |
$this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Expired cancel account request rejected.'); |
643 | 711 |
$accounts = user_load_multiple(array($account->uid), array('status' => 1)); |
644 | 712 |
$this->assertTrue(reset($accounts), 'User account was not canceled.'); |
... | ... | |
675 | 743 |
$this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.'); |
676 | 744 |
|
677 | 745 |
// Confirm account cancellation request. |
678 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login)); |
|
746 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
679 | 747 |
$account = user_load($account->uid, TRUE); |
680 | 748 |
$this->assertTrue($account->status == 0, 'User has been blocked.'); |
681 | 749 |
|
... | ... | |
713 | 781 |
$this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.'); |
714 | 782 |
|
715 | 783 |
// Confirm account cancellation request. |
716 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login)); |
|
784 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
717 | 785 |
$account = user_load($account->uid, TRUE); |
718 | 786 |
$this->assertTrue($account->status == 0, 'User has been blocked.'); |
719 | 787 |
|
... | ... | |
763 | 831 |
$this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.'); |
764 | 832 |
|
765 | 833 |
// Confirm account cancellation request. |
766 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login)); |
|
834 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
767 | 835 |
$this->assertFalse(user_load($account->uid, TRUE), 'User is not found in the database.'); |
768 | 836 |
|
769 | 837 |
// Confirm that user's content has been attributed to anonymous user. |
... | ... | |
827 | 895 |
$this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.'); |
828 | 896 |
|
829 | 897 |
// Confirm account cancellation request. |
830 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login)); |
|
898 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
831 | 899 |
$this->assertFalse(user_load($account->uid, TRUE), 'User is not found in the database.'); |
832 | 900 |
|
833 | 901 |
// Confirm that user's content has been deleted. |
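Review bot: testResetImpersonation (new lines 525–588) never fetches the legitimate `$reset_url` built at new line 545 while the duplicate account still exists, so the positive case the new `$uid` parameter is meant to guarantee — a uid-bearing token stays valid for its own user even when another account shares the same password and login time — is not covered, and a regression that rejected every reset link would still pass the negative assertions at 547–550. Adding, before the str_replace at 546, `$this->drupalGet($reset_url);` and `$this->assertText($user1->name, 'The valid password reset page shows the user name.');` closes that gap. The assertions at 584–586 suggest a GET on the reset page does not consume the link, so the attack-URL checks that follow should be unaffected, but that is worth confirming against user_pass_reset(). The three-line rejection check (assertNoText/assertUrl/assertText) is repeated three times in the method and could be folded into a small private helper, which is a style point only.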
Update core to 7.35