Révision cee0424c
Ajouté par Assos Assos il y a plus de 3 ans
| drupal7/modules/simpletest/tests/file.test | ||
|---|---|---|
| 706 | 706 |
$edit = array( |
| 707 | 707 |
'file_test_replace' => FILE_EXISTS_REPLACE, |
| 708 | 708 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
| 709 |
'allow_all_extensions' => TRUE,
|
|
| 709 |
'allow_all_extensions' => 'empty_array',
|
|
| 710 | 710 |
); |
| 711 | 711 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
| 712 | 712 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
| ... | ... | |
| 715 | 715 |
|
| 716 | 716 |
// Check that the correct hooks were called. |
| 717 | 717 |
$this->assertFileHooksCalled(array('validate', 'load', 'update'));
|
| 718 |
|
|
| 719 |
// Reset the hook counters. |
|
| 720 |
file_test_reset(); |
|
| 721 |
|
|
| 722 |
// Now tell file_save_upload() to allow any extension and try and upload a |
|
| 723 |
// malicious file. |
|
| 724 |
$edit = array( |
|
| 725 |
'file_test_replace' => FILE_EXISTS_REPLACE, |
|
| 726 |
'files[file_test_upload]' => drupal_realpath($this->phpfile->uri), |
|
| 727 |
'is_image_file' => FALSE, |
|
| 728 |
'allow_all_extensions' => 'empty_array', |
|
| 729 |
); |
|
| 730 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
|
| 731 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
| 732 |
$message = t('For security reasons, your upload has been renamed to') . ' <em class="placeholder">' . $this->phpfile->filename . '_.txt' . '</em>';
|
|
| 733 |
$this->assertRaw($message, 'Dangerous file was renamed.'); |
|
| 734 |
$this->assertText('File name is php-2.php_.txt.');
|
|
| 735 |
$this->assertRaw(t('File MIME type is text/plain.'), "Dangerous file's MIME type was changed.");
|
|
| 736 |
$this->assertRaw(t('You WIN!'), 'Found the success message.');
|
|
| 737 |
// Check that the correct hooks were called. |
|
| 738 |
$this->assertFileHooksCalled(array('validate', 'insert'));
|
|
| 718 | 739 |
} |
| 719 | 740 |
|
| 720 | 741 |
/** |
| 721 | 742 |
* Test dangerous file handling. |
| 722 | 743 |
*/ |
| 723 | 744 |
function testHandleDangerousFile() {
|
| 724 |
// Allow the .php extension and make sure it gets renamed to .txt for
|
|
| 725 |
// safety. Also check to make sure its MIME type was changed. |
|
| 745 |
// Allow the .php extension and make sure it gets munged and given a .txt
|
|
| 746 |
// extension for safety. Also check to make sure its MIME type was changed.
|
|
| 726 | 747 |
$edit = array( |
| 727 | 748 |
'file_test_replace' => FILE_EXISTS_REPLACE, |
| 728 | 749 |
'files[file_test_upload]' => drupal_realpath($this->phpfile->uri), |
| ... | ... | |
| 732 | 753 |
|
| 733 | 754 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
| 734 | 755 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
| 735 |
$message = t('For security reasons, your upload has been renamed to') . ' <em class="placeholder">' . $this->phpfile->filename . '.txt' . '</em>';
|
|
| 756 |
$message = t('For security reasons, your upload has been renamed to') . ' <em class="placeholder">' . $this->phpfile->filename . '_.txt' . '</em>';
|
|
| 736 | 757 |
$this->assertRaw($message, 'Dangerous file was renamed.'); |
| 758 |
$this->assertRaw('File name is php-2.php_.txt.');
|
|
| 737 | 759 |
$this->assertRaw(t('File MIME type is text/plain.'), "Dangerous file's MIME type was changed.");
|
| 738 | 760 |
$this->assertRaw(t('You WIN!'), 'Found the success message.');
|
| 739 | 761 |
|
| ... | ... | |
| 755 | 777 |
// Check that the correct hooks were called. |
| 756 | 778 |
$this->assertFileHooksCalled(array('validate', 'insert'));
|
| 757 | 779 |
|
| 758 |
// Turn off insecure uploads. |
|
| 780 |
// Reset the hook counters. |
|
| 781 |
file_test_reset(); |
|
| 782 |
|
|
| 783 |
// Even with insecure uploads allowed, the .php file should not be uploaded |
|
| 784 |
// if it is not explicitly included in the list of allowed extensions. |
|
| 785 |
$edit['extensions'] = 'foo'; |
|
| 786 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
|
| 787 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
| 788 |
$message = t('Only files with the following extensions are allowed:') . ' <em class="placeholder">' . $edit['extensions'] . '</em>';
|
|
| 789 |
$this->assertRaw($message, 'Cannot upload a disallowed extension'); |
|
| 790 |
$this->assertRaw(t('Epic upload FAIL!'), 'Found the failure message.');
|
|
| 791 |
|
|
| 792 |
// Check that the correct hooks were called. |
|
| 793 |
$this->assertFileHooksCalled(array('validate'));
|
|
| 794 |
|
|
| 795 |
// Reset the hook counters. |
|
| 796 |
file_test_reset(); |
|
| 797 |
|
|
| 798 |
// Turn off insecure uploads, then try the same thing as above (ensure that |
|
| 799 |
// the .php file is still rejected since it's not in the list of allowed |
|
| 800 |
// extensions). |
|
| 759 | 801 |
variable_set('allow_insecure_uploads', 0);
|
| 802 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
|
| 803 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
| 804 |
$message = t('Only files with the following extensions are allowed:') . ' <em class="placeholder">' . $edit['extensions'] . '</em>';
|
|
| 805 |
$this->assertRaw($message, 'Cannot upload a disallowed extension'); |
|
| 806 |
$this->assertRaw(t('Epic upload FAIL!'), 'Found the failure message.');
|
|
| 807 |
|
|
| 808 |
// Check that the correct hooks were called. |
|
| 809 |
$this->assertFileHooksCalled(array('validate'));
|
|
| 810 |
|
|
| 811 |
// Reset the hook counters. |
|
| 812 |
file_test_reset(); |
|
| 760 | 813 |
} |
| 761 | 814 |
|
| 762 | 815 |
/** |
| ... | ... | |
| 765 | 818 |
function testHandleFileMunge() {
|
| 766 | 819 |
// Ensure insecure uploads are disabled for this test. |
| 767 | 820 |
variable_set('allow_insecure_uploads', 0);
|
| 821 |
$original_image_uri = $this->image->uri; |
|
| 768 | 822 |
$this->image = file_move($this->image, $this->image->uri . '.foo.' . $this->image_extension); |
| 769 | 823 |
|
| 770 | 824 |
// Reset the hook counters to get rid of the 'move' we just called. |
| ... | ... | |
| 789 | 843 |
// Check that the correct hooks were called. |
| 790 | 844 |
$this->assertFileHooksCalled(array('validate', 'insert'));
|
| 791 | 845 |
|
| 846 |
// Reset the hook counters. |
|
| 847 |
file_test_reset(); |
|
| 848 |
|
|
| 849 |
// Ensure we don't munge the .foo extension if it is in the list of allowed |
|
| 850 |
// extensions. |
|
| 851 |
$extensions = 'foo ' . $this->image_extension; |
|
| 852 |
$edit = array( |
|
| 853 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
| 854 |
'extensions' => $extensions, |
|
| 855 |
); |
|
| 856 |
|
|
| 857 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
|
| 858 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
| 859 |
$this->assertNoRaw(t('For security reasons, your upload has been renamed'), 'Found no security message.');
|
|
| 860 |
$this->assertRaw(t('File name is @filename', array('@filename' => 'image-test.png.foo.png')), 'File was not munged when all extensions within it are allowed.');
|
|
| 861 |
$this->assertRaw(t('You WIN!'), 'Found the success message.');
|
|
| 862 |
|
|
| 863 |
// Check that the correct hooks were called. |
|
| 864 |
$this->assertFileHooksCalled(array('validate', 'insert'));
|
|
| 865 |
|
|
| 792 | 866 |
// Ensure we don't munge files if we're allowing any extension. |
| 793 | 867 |
// Reset the hook counters. |
| 794 | 868 |
file_test_reset(); |
| 795 | 869 |
|
| 796 | 870 |
$edit = array( |
| 797 | 871 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
| 798 |
'allow_all_extensions' => TRUE,
|
|
| 872 |
'allow_all_extensions' => 'empty_array',
|
|
| 799 | 873 |
); |
| 800 | 874 |
|
| 801 | 875 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
| ... | ... | |
| 806 | 880 |
|
| 807 | 881 |
// Check that the correct hooks were called. |
| 808 | 882 |
$this->assertFileHooksCalled(array('validate', 'insert'));
|
| 883 |
|
|
| 884 |
// Test that a dangerous extension such as .php is munged even if it is in |
|
| 885 |
// the list of allowed extensions. |
|
| 886 |
$this->image = file_move($this->image, $original_image_uri . '.php.' . $this->image_extension); |
|
| 887 |
// Reset the hook counters. |
|
| 888 |
file_test_reset(); |
|
| 889 |
|
|
| 890 |
$extensions = 'php ' . $this->image_extension; |
|
| 891 |
$edit = array( |
|
| 892 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
| 893 |
'extensions' => $extensions, |
|
| 894 |
); |
|
| 895 |
|
|
| 896 |
$munged_filename = $this->image->filename; |
|
| 897 |
$munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.')); |
|
| 898 |
$munged_filename .= '_.' . $this->image_extension; |
|
| 899 |
|
|
| 900 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
|
| 901 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
| 902 |
$this->assertRaw(t('For security reasons, your upload has been renamed'), 'Found security message.');
|
|
| 903 |
$this->assertRaw(t('File name is @filename', array('@filename' => $munged_filename)), 'File was successfully munged.');
|
|
| 904 |
$this->assertRaw(t('You WIN!'), 'Found the success message.');
|
|
| 905 |
|
|
| 906 |
// Check that the correct hooks were called. |
|
| 907 |
$this->assertFileHooksCalled(array('validate', 'insert'));
|
|
| 908 |
|
|
| 909 |
// Reset the hook counters. |
|
| 910 |
file_test_reset(); |
|
| 911 |
|
|
| 912 |
// Dangerous extensions are munged even when all extensions are allowed. |
|
| 913 |
$edit = array( |
|
| 914 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
| 915 |
'allow_all_extensions' => 'empty_array', |
|
| 916 |
); |
|
| 917 |
|
|
| 918 |
$munged_filename = $this->image->filename; |
|
| 919 |
$munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.')); |
|
| 920 |
$munged_filename .= '_.' . $this->image_extension; |
|
| 921 |
|
|
| 922 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
|
| 923 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
| 924 |
$this->assertRaw(t('For security reasons, your upload has been renamed'), 'Found security message.');
|
|
| 925 |
$this->assertRaw(t('File name is @filename.', array('@filename' => 'image-test.png_.php_.png_.txt')), 'File was successfully munged.');
|
|
| 926 |
$this->assertRaw(t('You WIN!'), 'Found the success message.');
|
|
| 927 |
|
|
| 928 |
// Check that the correct hooks were called. |
|
| 929 |
$this->assertFileHooksCalled(array('validate', 'insert'));
|
|
| 930 |
|
|
| 931 |
// Dangerous extensions are munged if is renamed to end in .txt. |
|
| 932 |
$this->image = file_move($this->image, $original_image_uri . '.cgi.' . $this->image_extension . '.txt'); |
|
| 933 |
// Reset the hook counters. |
|
| 934 |
file_test_reset(); |
|
| 935 |
|
|
| 936 |
$edit = array( |
|
| 937 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
| 938 |
'allow_all_extensions' => 'empty_array', |
|
| 939 |
); |
|
| 940 |
|
|
| 941 |
$munged_filename = $this->image->filename; |
|
| 942 |
$munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.')); |
|
| 943 |
$munged_filename .= '_.' . $this->image_extension; |
|
| 944 |
|
|
| 945 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
|
| 946 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
| 947 |
$this->assertRaw(t('For security reasons, your upload has been renamed'), 'Found security message.');
|
|
| 948 |
$this->assertRaw(t('File name is @filename.', array('@filename' => 'image-test.png_.cgi_.png_.txt')), 'File was successfully munged.');
|
|
| 949 |
$this->assertRaw(t('You WIN!'), 'Found the success message.');
|
|
| 950 |
|
|
| 951 |
// Check that the correct hooks were called. |
|
| 952 |
$this->assertFileHooksCalled(array('validate', 'insert'));
|
|
| 953 |
|
|
| 954 |
// Reset the hook counters. |
|
| 955 |
file_test_reset(); |
|
| 956 |
|
|
| 957 |
// Ensure that setting $validators['file_validate_extensions'] = array('')
|
|
| 958 |
// rejects all files without munging or renaming. |
|
| 959 |
$edit = array( |
|
| 960 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
| 961 |
'allow_all_extensions' => 'empty_string', |
|
| 962 |
); |
|
| 963 |
|
|
| 964 |
$this->drupalPost('file-test/upload', $edit, t('Submit'));
|
|
| 965 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
| 966 |
$this->assertNoRaw(t('For security reasons, your upload has been renamed'), 'Found security message.');
|
|
| 967 |
$this->assertRaw(t('Epic upload FAIL!'), 'Found the failure message.');
|
|
| 968 |
|
|
| 969 |
// Check that the correct hooks were called. |
|
| 970 |
$this->assertFileHooksCalled(array('validate'));
|
|
| 809 | 971 |
} |
| 810 | 972 |
|
| 811 | 973 |
/** |
| ... | ... | |
| 2192 | 2354 |
$this->assertEqual(file_validate($file, $failing), array('Failed', 'Badly', 'Epic fail'), 'Validating returns errors.');
|
| 2193 | 2355 |
$this->assertFileHooksCalled(array('validate'));
|
| 2194 | 2356 |
} |
| 2357 |
|
|
| 2358 |
/** |
|
| 2359 |
* Tests hard-coded security check in file_validate(). |
|
| 2360 |
*/ |
|
| 2361 |
public function testInsecureExtensions() {
|
|
| 2362 |
$file = $this->createFile('test.php', 'Invalid PHP');
|
|
| 2363 |
|
|
| 2364 |
// Test that file_validate() will check for insecure extensions by default. |
|
| 2365 |
$errors = file_validate($file, array()); |
|
| 2366 |
$this->assertEqual('For security reasons, your upload has been rejected.', $errors[0]);
|
|
| 2367 |
$this->assertFileHooksCalled(array('validate'));
|
|
| 2368 |
file_test_reset(); |
|
| 2369 |
|
|
| 2370 |
// Test that the 'allow_insecure_uploads' is respected. |
|
| 2371 |
variable_set('allow_insecure_uploads', 1);
|
|
| 2372 |
$errors = file_validate($file, array()); |
|
| 2373 |
$this->assertEqual(array(), $errors); |
|
| 2374 |
$this->assertFileHooksCalled(array('validate'));
|
|
| 2375 |
} |
|
| 2195 | 2376 |
} |
| 2196 | 2377 |
|
| 2197 | 2378 |
/** |
| ... | ... | |
| 2561 | 2742 |
|
| 2562 | 2743 |
function setUp() {
|
| 2563 | 2744 |
parent::setUp(); |
| 2564 |
$this->bad_extension = 'php';
|
|
| 2745 |
$this->bad_extension = 'foo';
|
|
| 2565 | 2746 |
$this->name = $this->randomName() . '.' . $this->bad_extension . '.txt'; |
| 2566 | 2747 |
$this->name_with_uc_ext = $this->randomName() . '.' . strtoupper($this->bad_extension) . '.txt'; |
| 2567 | 2748 |
} |
| ... | ... | |
| 2610 | 2791 |
$this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', array('%munged' => $munged_name, '%original' => $this->name)));
|
| 2611 | 2792 |
} |
| 2612 | 2793 |
|
| 2794 |
/** |
|
| 2795 |
* Tests unsafe extensions are munged by file_munge_filename(). |
|
| 2796 |
*/ |
|
| 2797 |
public function testMungeUnsafe() {
|
|
| 2798 |
$prefix = $this->randomName(); |
|
| 2799 |
$name = "$prefix.php.txt"; |
|
| 2800 |
// Put the php extension in the allowed list, but since it is in the unsafe |
|
| 2801 |
// extension list, it should still be munged. |
|
| 2802 |
$munged_name = file_munge_filename($name, 'php txt'); |
|
| 2803 |
$this->assertIdentical($munged_name, "$prefix.php_.txt", format_string('The filename (%munged) has been modified from the original (%original) if the allowed extension is also on the unsafe list.', array('%munged' => $munged_name, '%original' => $name)));
|
|
| 2804 |
} |
|
| 2805 |
|
|
| 2613 | 2806 |
/** |
| 2614 | 2807 |
* Ensure that unmunge gets your name back. |
| 2615 | 2808 |
*/ |
Formats disponibles : Unified diff
-a