Révision cee0424c
Ajouté par Assos Assos il y a plus de 3 ans
drupal7/modules/simpletest/tests/file.test | ||
---|---|---|
706 | 706 |
$edit = array( |
707 | 707 |
'file_test_replace' => FILE_EXISTS_REPLACE, |
708 | 708 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
709 |
'allow_all_extensions' => TRUE,
|
|
709 |
'allow_all_extensions' => 'empty_array',
|
|
710 | 710 |
); |
711 | 711 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
712 | 712 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
... | ... | |
715 | 715 |
|
716 | 716 |
// Check that the correct hooks were called. |
717 | 717 |
$this->assertFileHooksCalled(array('validate', 'load', 'update')); |
718 |
|
|
719 |
// Reset the hook counters. |
|
720 |
file_test_reset(); |
|
721 |
|
|
722 |
// Now tell file_save_upload() to allow any extension and try and upload a |
|
723 |
// malicious file. |
|
724 |
$edit = array( |
|
725 |
'file_test_replace' => FILE_EXISTS_REPLACE, |
|
726 |
'files[file_test_upload]' => drupal_realpath($this->phpfile->uri), |
|
727 |
'is_image_file' => FALSE, |
|
728 |
'allow_all_extensions' => 'empty_array', |
|
729 |
); |
|
730 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
|
731 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
732 |
$message = t('For security reasons, your upload has been renamed to') . ' <em class="placeholder">' . $this->phpfile->filename . '_.txt' . '</em>'; |
|
733 |
$this->assertRaw($message, 'Dangerous file was renamed.'); |
|
734 |
$this->assertText('File name is php-2.php_.txt.'); |
|
735 |
$this->assertRaw(t('File MIME type is text/plain.'), "Dangerous file's MIME type was changed."); |
|
736 |
$this->assertRaw(t('You WIN!'), 'Found the success message.'); |
|
737 |
// Check that the correct hooks were called. |
|
738 |
$this->assertFileHooksCalled(array('validate', 'insert')); |
|
718 | 739 |
} |
719 | 740 |
|
720 | 741 |
/** |
721 | 742 |
* Test dangerous file handling. |
722 | 743 |
*/ |
723 | 744 |
function testHandleDangerousFile() { |
724 |
// Allow the .php extension and make sure it gets renamed to .txt for
|
|
725 |
// safety. Also check to make sure its MIME type was changed. |
|
745 |
// Allow the .php extension and make sure it gets munged and given a .txt
|
|
746 |
// extension for safety. Also check to make sure its MIME type was changed.
|
|
726 | 747 |
$edit = array( |
727 | 748 |
'file_test_replace' => FILE_EXISTS_REPLACE, |
728 | 749 |
'files[file_test_upload]' => drupal_realpath($this->phpfile->uri), |
... | ... | |
732 | 753 |
|
733 | 754 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
734 | 755 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
735 |
$message = t('For security reasons, your upload has been renamed to') . ' <em class="placeholder">' . $this->phpfile->filename . '.txt' . '</em>'; |
|
756 |
$message = t('For security reasons, your upload has been renamed to') . ' <em class="placeholder">' . $this->phpfile->filename . '_.txt' . '</em>';
|
|
736 | 757 |
$this->assertRaw($message, 'Dangerous file was renamed.'); |
758 |
$this->assertRaw('File name is php-2.php_.txt.'); |
|
737 | 759 |
$this->assertRaw(t('File MIME type is text/plain.'), "Dangerous file's MIME type was changed."); |
738 | 760 |
$this->assertRaw(t('You WIN!'), 'Found the success message.'); |
739 | 761 |
|
... | ... | |
755 | 777 |
// Check that the correct hooks were called. |
756 | 778 |
$this->assertFileHooksCalled(array('validate', 'insert')); |
757 | 779 |
|
758 |
// Turn off insecure uploads. |
|
780 |
// Reset the hook counters. |
|
781 |
file_test_reset(); |
|
782 |
|
|
783 |
// Even with insecure uploads allowed, the .php file should not be uploaded |
|
784 |
// if it is not explicitly included in the list of allowed extensions. |
|
785 |
$edit['extensions'] = 'foo'; |
|
786 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
|
787 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
788 |
$message = t('Only files with the following extensions are allowed:') . ' <em class="placeholder">' . $edit['extensions'] . '</em>'; |
|
789 |
$this->assertRaw($message, 'Cannot upload a disallowed extension'); |
|
790 |
$this->assertRaw(t('Epic upload FAIL!'), 'Found the failure message.'); |
|
791 |
|
|
792 |
// Check that the correct hooks were called. |
|
793 |
$this->assertFileHooksCalled(array('validate')); |
|
794 |
|
|
795 |
// Reset the hook counters. |
|
796 |
file_test_reset(); |
|
797 |
|
|
798 |
// Turn off insecure uploads, then try the same thing as above (ensure that |
|
799 |
// the .php file is still rejected since it's not in the list of allowed |
|
800 |
// extensions). |
|
759 | 801 |
variable_set('allow_insecure_uploads', 0); |
802 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
|
803 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
804 |
$message = t('Only files with the following extensions are allowed:') . ' <em class="placeholder">' . $edit['extensions'] . '</em>'; |
|
805 |
$this->assertRaw($message, 'Cannot upload a disallowed extension'); |
|
806 |
$this->assertRaw(t('Epic upload FAIL!'), 'Found the failure message.'); |
|
807 |
|
|
808 |
// Check that the correct hooks were called. |
|
809 |
$this->assertFileHooksCalled(array('validate')); |
|
810 |
|
|
811 |
// Reset the hook counters. |
|
812 |
file_test_reset(); |
|
760 | 813 |
} |
761 | 814 |
|
762 | 815 |
/** |
... | ... | |
765 | 818 |
function testHandleFileMunge() { |
766 | 819 |
// Ensure insecure uploads are disabled for this test. |
767 | 820 |
variable_set('allow_insecure_uploads', 0); |
821 |
$original_image_uri = $this->image->uri; |
|
768 | 822 |
$this->image = file_move($this->image, $this->image->uri . '.foo.' . $this->image_extension); |
769 | 823 |
|
770 | 824 |
// Reset the hook counters to get rid of the 'move' we just called. |
... | ... | |
789 | 843 |
// Check that the correct hooks were called. |
790 | 844 |
$this->assertFileHooksCalled(array('validate', 'insert')); |
791 | 845 |
|
846 |
// Reset the hook counters. |
|
847 |
file_test_reset(); |
|
848 |
|
|
849 |
// Ensure we don't munge the .foo extension if it is in the list of allowed |
|
850 |
// extensions. |
|
851 |
$extensions = 'foo ' . $this->image_extension; |
|
852 |
$edit = array( |
|
853 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
854 |
'extensions' => $extensions, |
|
855 |
); |
|
856 |
|
|
857 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
|
858 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
859 |
$this->assertNoRaw(t('For security reasons, your upload has been renamed'), 'Found no security message.'); |
|
860 |
$this->assertRaw(t('File name is @filename', array('@filename' => 'image-test.png.foo.png')), 'File was not munged when all extensions within it are allowed.'); |
|
861 |
$this->assertRaw(t('You WIN!'), 'Found the success message.'); |
|
862 |
|
|
863 |
// Check that the correct hooks were called. |
|
864 |
$this->assertFileHooksCalled(array('validate', 'insert')); |
|
865 |
|
|
792 | 866 |
// Ensure we don't munge files if we're allowing any extension. |
793 | 867 |
// Reset the hook counters. |
794 | 868 |
file_test_reset(); |
795 | 869 |
|
796 | 870 |
$edit = array( |
797 | 871 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
798 |
'allow_all_extensions' => TRUE,
|
|
872 |
'allow_all_extensions' => 'empty_array',
|
|
799 | 873 |
); |
800 | 874 |
|
801 | 875 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
... | ... | |
806 | 880 |
|
807 | 881 |
// Check that the correct hooks were called. |
808 | 882 |
$this->assertFileHooksCalled(array('validate', 'insert')); |
883 |
|
|
884 |
// Test that a dangerous extension such as .php is munged even if it is in |
|
885 |
// the list of allowed extensions. |
|
886 |
$this->image = file_move($this->image, $original_image_uri . '.php.' . $this->image_extension); |
|
887 |
// Reset the hook counters. |
|
888 |
file_test_reset(); |
|
889 |
|
|
890 |
$extensions = 'php ' . $this->image_extension; |
|
891 |
$edit = array( |
|
892 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
893 |
'extensions' => $extensions, |
|
894 |
); |
|
895 |
|
|
896 |
$munged_filename = $this->image->filename; |
|
897 |
$munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.')); |
|
898 |
$munged_filename .= '_.' . $this->image_extension; |
|
899 |
|
|
900 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
|
901 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
902 |
$this->assertRaw(t('For security reasons, your upload has been renamed'), 'Found security message.'); |
|
903 |
$this->assertRaw(t('File name is @filename', array('@filename' => $munged_filename)), 'File was successfully munged.'); |
|
904 |
$this->assertRaw(t('You WIN!'), 'Found the success message.'); |
|
905 |
|
|
906 |
// Check that the correct hooks were called. |
|
907 |
$this->assertFileHooksCalled(array('validate', 'insert')); |
|
908 |
|
|
909 |
// Reset the hook counters. |
|
910 |
file_test_reset(); |
|
911 |
|
|
912 |
// Dangerous extensions are munged even when all extensions are allowed. |
|
913 |
$edit = array( |
|
914 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
915 |
'allow_all_extensions' => 'empty_array', |
|
916 |
); |
|
917 |
|
|
918 |
$munged_filename = $this->image->filename; |
|
919 |
$munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.')); |
|
920 |
$munged_filename .= '_.' . $this->image_extension; |
|
921 |
|
|
922 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
|
923 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
924 |
$this->assertRaw(t('For security reasons, your upload has been renamed'), 'Found security message.'); |
|
925 |
$this->assertRaw(t('File name is @filename.', array('@filename' => 'image-test.png_.php_.png_.txt')), 'File was successfully munged.'); |
|
926 |
$this->assertRaw(t('You WIN!'), 'Found the success message.'); |
|
927 |
|
|
928 |
// Check that the correct hooks were called. |
|
929 |
$this->assertFileHooksCalled(array('validate', 'insert')); |
|
930 |
|
|
931 |
// Dangerous extensions are munged if is renamed to end in .txt. |
|
932 |
$this->image = file_move($this->image, $original_image_uri . '.cgi.' . $this->image_extension . '.txt'); |
|
933 |
// Reset the hook counters. |
|
934 |
file_test_reset(); |
|
935 |
|
|
936 |
$edit = array( |
|
937 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
938 |
'allow_all_extensions' => 'empty_array', |
|
939 |
); |
|
940 |
|
|
941 |
$munged_filename = $this->image->filename; |
|
942 |
$munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.')); |
|
943 |
$munged_filename .= '_.' . $this->image_extension; |
|
944 |
|
|
945 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
|
946 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
947 |
$this->assertRaw(t('For security reasons, your upload has been renamed'), 'Found security message.'); |
|
948 |
$this->assertRaw(t('File name is @filename.', array('@filename' => 'image-test.png_.cgi_.png_.txt')), 'File was successfully munged.'); |
|
949 |
$this->assertRaw(t('You WIN!'), 'Found the success message.'); |
|
950 |
|
|
951 |
// Check that the correct hooks were called. |
|
952 |
$this->assertFileHooksCalled(array('validate', 'insert')); |
|
953 |
|
|
954 |
// Reset the hook counters. |
|
955 |
file_test_reset(); |
|
956 |
|
|
957 |
// Ensure that setting $validators['file_validate_extensions'] = array('') |
|
958 |
// rejects all files without munging or renaming. |
|
959 |
$edit = array( |
|
960 |
'files[file_test_upload]' => drupal_realpath($this->image->uri), |
|
961 |
'allow_all_extensions' => 'empty_string', |
|
962 |
); |
|
963 |
|
|
964 |
$this->drupalPost('file-test/upload', $edit, t('Submit')); |
|
965 |
$this->assertResponse(200, 'Received a 200 response for posted test file.'); |
|
966 |
$this->assertNoRaw(t('For security reasons, your upload has been renamed'), 'Found security message.'); |
|
967 |
$this->assertRaw(t('Epic upload FAIL!'), 'Found the failure message.'); |
|
968 |
|
|
969 |
// Check that the correct hooks were called. |
|
970 |
$this->assertFileHooksCalled(array('validate')); |
|
809 | 971 |
} |
810 | 972 |
|
811 | 973 |
/** |
... | ... | |
2192 | 2354 |
$this->assertEqual(file_validate($file, $failing), array('Failed', 'Badly', 'Epic fail'), 'Validating returns errors.'); |
2193 | 2355 |
$this->assertFileHooksCalled(array('validate')); |
2194 | 2356 |
} |
2357 |
|
|
2358 |
/** |
|
2359 |
* Tests hard-coded security check in file_validate(). |
|
2360 |
*/ |
|
2361 |
public function testInsecureExtensions() { |
|
2362 |
$file = $this->createFile('test.php', 'Invalid PHP'); |
|
2363 |
|
|
2364 |
// Test that file_validate() will check for insecure extensions by default. |
|
2365 |
$errors = file_validate($file, array()); |
|
2366 |
$this->assertEqual('For security reasons, your upload has been rejected.', $errors[0]); |
|
2367 |
$this->assertFileHooksCalled(array('validate')); |
|
2368 |
file_test_reset(); |
|
2369 |
|
|
2370 |
// Test that the 'allow_insecure_uploads' is respected. |
|
2371 |
variable_set('allow_insecure_uploads', 1); |
|
2372 |
$errors = file_validate($file, array()); |
|
2373 |
$this->assertEqual(array(), $errors); |
|
2374 |
$this->assertFileHooksCalled(array('validate')); |
|
2375 |
} |
|
2195 | 2376 |
} |
2196 | 2377 |
|
2197 | 2378 |
/** |
... | ... | |
2561 | 2742 |
|
2562 | 2743 |
function setUp() { |
2563 | 2744 |
parent::setUp(); |
2564 |
$this->bad_extension = 'php';
|
|
2745 |
$this->bad_extension = 'foo';
|
|
2565 | 2746 |
$this->name = $this->randomName() . '.' . $this->bad_extension . '.txt'; |
2566 | 2747 |
$this->name_with_uc_ext = $this->randomName() . '.' . strtoupper($this->bad_extension) . '.txt'; |
2567 | 2748 |
} |
... | ... | |
2610 | 2791 |
$this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', array('%munged' => $munged_name, '%original' => $this->name))); |
2611 | 2792 |
} |
2612 | 2793 |
|
2794 |
/** |
|
2795 |
* Tests unsafe extensions are munged by file_munge_filename(). |
|
2796 |
*/ |
|
2797 |
public function testMungeUnsafe() { |
|
2798 |
$prefix = $this->randomName(); |
|
2799 |
$name = "$prefix.php.txt"; |
|
2800 |
// Put the php extension in the allowed list, but since it is in the unsafe |
|
2801 |
// extension list, it should still be munged. |
|
2802 |
$munged_name = file_munge_filename($name, 'php txt'); |
|
2803 |
$this->assertIdentical($munged_name, "$prefix.php_.txt", format_string('The filename (%munged) has been modified from the original (%original) if the allowed extension is also on the unsafe list.', array('%munged' => $munged_name, '%original' => $name))); |
|
2804 |
} |
|
2805 |
|
|
2613 | 2806 |
/** |
2614 | 2807 |
* Ensure that unmunge gets your name back. |
2615 | 2808 |
*/ |
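Review bot: In testHandleFileMunge the `$munged_filename` computed before the `'allow_all_extensions' => 'empty_array'` upload and again before the `.cgi` upload is never used — the assertions that follow compare against the literals `image-test.png_.php_.png_.txt` and `image-test.png_.cgi_.png_.txt`, and the strrpos-based expression does not appear to yield those names, so the dead code misleads a reader about what the munge actually produces; either drop those two blocks or derive the expected name from `$this->image->filename` as the earlier `php png` case does and assert with it. In the same function the final `assertNoRaw(t('For security reasons, your upload has been renamed'), 'Found security message.')` asserts the message is absent but reports the opposite; `'Found no security message.'` matches the earlier check. In the first hunk and in testHandleDangerousFile, `'File name is php-2.php_.txt.'` hard-codes the fixture name that the preceding line already derives from `$this->phpfile->filename`; `$this->assertText('File name is ' . $this->phpfile->filename . '_.txt.');` keeps the two in step, and the second occurrence would also be consistent if it used `assertText` as the first does. The functions in the first and last hunks start or end outside the page.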