Révision bceb9b7a
Ajouté par Florent Torregrosa il y a environ 9 ans
| drupal7/modules/user/user.test | ||
|---|---|---|
| 498 | 498 |
// To attempt an expired password reset, create a password reset link as if |
| 499 | 499 |
// its request time was 60 seconds older than the allowed limit of timeout. |
| 500 | 500 |
$bogus_timestamp = REQUEST_TIME - variable_get('user_password_reset_timeout', 86400) - 60;
|
| 501 |
$this->drupalGet("user/reset/$account->uid/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login));
|
|
| 501 |
$this->drupalGet("user/reset/$account->uid/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login, $account->uid));
|
|
| 502 | 502 |
$this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
|
| 503 | 503 |
} |
| 504 | 504 |
|
| ... | ... | |
| 519 | 519 |
$this->assertFieldByName('name', $edit['name'], 'User name found.');
|
| 520 | 520 |
} |
| 521 | 521 |
|
| 522 |
/** |
|
| 523 |
* Make sure that users cannot forge password reset URLs of other users. |
|
| 524 |
*/ |
|
| 525 |
function testResetImpersonation() {
|
|
| 526 |
// Make sure user 1 has a valid password, so it does not interfere with the |
|
| 527 |
// test user accounts that are created below. |
|
| 528 |
$account = user_load(1); |
|
| 529 |
user_save($account, array('pass' => user_password()));
|
|
| 530 |
|
|
| 531 |
// Create two identical user accounts except for the user name. They must |
|
| 532 |
// have the same empty password, so we can't use $this->drupalCreateUser(). |
|
| 533 |
$edit = array(); |
|
| 534 |
$edit['name'] = $this->randomName(); |
|
| 535 |
$edit['mail'] = $edit['name'] . '@example.com'; |
|
| 536 |
$edit['status'] = 1; |
|
| 537 |
|
|
| 538 |
$user1 = user_save(drupal_anonymous_user(), $edit); |
|
| 539 |
|
|
| 540 |
$edit['name'] = $this->randomName(); |
|
| 541 |
$user2 = user_save(drupal_anonymous_user(), $edit); |
|
| 542 |
|
|
| 543 |
// The password reset URL must not be valid for the second user when only |
|
| 544 |
// the user ID is changed in the URL. |
|
| 545 |
$reset_url = user_pass_reset_url($user1); |
|
| 546 |
$attack_reset_url = str_replace("user/reset/$user1->uid", "user/reset/$user2->uid", $reset_url);
|
|
| 547 |
$this->drupalGet($attack_reset_url); |
|
| 548 |
$this->assertNoText($user2->name, 'The invalid password reset page does not show the user name.'); |
|
| 549 |
$this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.');
|
|
| 550 |
$this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
|
|
| 551 |
|
|
| 552 |
// When legacy code calls user_pass_rehash() without providing the $uid |
|
| 553 |
// parameter, neither password reset URL should be valid since it is |
|
| 554 |
// impossible for the system to determine which user account the token was |
|
| 555 |
// intended for. |
|
| 556 |
$timestamp = REQUEST_TIME; |
|
| 557 |
// Pass an explicit NULL for the $uid parameter of user_pass_rehash() |
|
| 558 |
// rather than not passing it at all, to avoid triggering PHP warnings in |
|
| 559 |
// the test. |
|
| 560 |
$reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL); |
|
| 561 |
$reset_url = url("user/reset/$user1->uid/$timestamp/$reset_url_token", array('absolute' => TRUE));
|
|
| 562 |
$this->drupalGet($reset_url); |
|
| 563 |
$this->assertNoText($user1->name, 'The invalid password reset page does not show the user name.'); |
|
| 564 |
$this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.');
|
|
| 565 |
$this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
|
|
| 566 |
$attack_reset_url = str_replace("user/reset/$user1->uid", "user/reset/$user2->uid", $reset_url);
|
|
| 567 |
$this->drupalGet($attack_reset_url); |
|
| 568 |
$this->assertNoText($user2->name, 'The invalid password reset page does not show the user name.'); |
|
| 569 |
$this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.');
|
|
| 570 |
$this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
|
|
| 571 |
|
|
| 572 |
// To verify that user_pass_rehash() never returns a valid result in the |
|
| 573 |
// above situation (even if legacy code also called it to attempt to |
|
| 574 |
// validate the token, rather than just to generate the URL), check that a |
|
| 575 |
// second call with the same parameters produces a different result. |
|
| 576 |
$new_reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL); |
|
| 577 |
$this->assertNotEqual($reset_url_token, $new_reset_url_token); |
|
| 578 |
|
|
| 579 |
// However, when the duplicate account is removed, the password reset URL |
|
| 580 |
// should be valid. |
|
| 581 |
user_delete($user2->uid); |
|
| 582 |
$reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL); |
|
| 583 |
$reset_url = url("user/reset/$user1->uid/$timestamp/$reset_url_token", array('absolute' => TRUE));
|
|
| 584 |
$this->drupalGet($reset_url); |
|
| 585 |
$this->assertText($user1->name, 'The valid password reset page shows the user name.'); |
|
| 586 |
$this->assertUrl($reset_url, array(), 'The user remains on the password reset login page.'); |
|
| 587 |
$this->assertNoText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
|
|
| 588 |
} |
|
| 589 |
|
|
| 522 | 590 |
} |
| 523 | 591 |
|
| 524 | 592 |
/** |
| ... | ... | |
| 558 | 626 |
|
| 559 | 627 |
// Attempt bogus account cancellation request confirmation. |
| 560 | 628 |
$timestamp = $account->login; |
| 561 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
|
|
| 629 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
| 562 | 630 |
$this->assertResponse(403, 'Bogus cancelling request rejected.'); |
| 563 | 631 |
$account = user_load($account->uid); |
| 564 | 632 |
$this->assertTrue($account->status == 1, 'User account was not canceled.'); |
| ... | ... | |
| 631 | 699 |
|
| 632 | 700 |
// Attempt bogus account cancellation request confirmation. |
| 633 | 701 |
$bogus_timestamp = $timestamp + 60; |
| 634 |
$this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login));
|
|
| 702 |
$this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login, $account->uid));
|
|
| 635 | 703 |
$this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Bogus cancelling request rejected.');
|
| 636 | 704 |
$account = user_load($account->uid); |
| 637 | 705 |
$this->assertTrue($account->status == 1, 'User account was not canceled.'); |
| 638 | 706 |
|
| 639 | 707 |
// Attempt expired account cancellation request confirmation. |
| 640 | 708 |
$bogus_timestamp = $timestamp - 86400 - 60; |
| 641 |
$this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login));
|
|
| 709 |
$this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login, $account->uid));
|
|
| 642 | 710 |
$this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Expired cancel account request rejected.');
|
| 643 | 711 |
$accounts = user_load_multiple(array($account->uid), array('status' => 1));
|
| 644 | 712 |
$this->assertTrue(reset($accounts), 'User account was not canceled.'); |
| ... | ... | |
| 675 | 743 |
$this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
|
| 676 | 744 |
|
| 677 | 745 |
// Confirm account cancellation request. |
| 678 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
|
|
| 746 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
| 679 | 747 |
$account = user_load($account->uid, TRUE); |
| 680 | 748 |
$this->assertTrue($account->status == 0, 'User has been blocked.'); |
| 681 | 749 |
|
| ... | ... | |
| 713 | 781 |
$this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
|
| 714 | 782 |
|
| 715 | 783 |
// Confirm account cancellation request. |
| 716 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
|
|
| 784 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
| 717 | 785 |
$account = user_load($account->uid, TRUE); |
| 718 | 786 |
$this->assertTrue($account->status == 0, 'User has been blocked.'); |
| 719 | 787 |
|
| ... | ... | |
| 763 | 831 |
$this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
|
| 764 | 832 |
|
| 765 | 833 |
// Confirm account cancellation request. |
| 766 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
|
|
| 834 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
| 767 | 835 |
$this->assertFalse(user_load($account->uid, TRUE), 'User is not found in the database.'); |
| 768 | 836 |
|
| 769 | 837 |
// Confirm that user's content has been attributed to anonymous user. |
| ... | ... | |
| 827 | 895 |
$this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
|
| 828 | 896 |
|
| 829 | 897 |
// Confirm account cancellation request. |
| 830 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
|
|
| 898 |
$this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid));
|
|
| 831 | 899 |
$this->assertFalse(user_load($account->uid, TRUE), 'User is not found in the database.'); |
| 832 | 900 |
|
| 833 | 901 |
// Confirm that user's content has been deleted. |
Formats disponibles : Unified diff
Update core to 7.35