From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
tests/Framework/Utils.php | 75 +++++++++++++++++++++++++++++++++++++
1 files changed, 75 insertions(+), 0 deletions(-)
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index e588359..2e0d3cf 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -193,4 +193,79 @@
$mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody');
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
}
+
+ /**
+ * Check rcube_utils::explode_quoted_string() compat. with explode()
+ */
+ function test_explode_quoted_string_compat()
+ {
+ $data = array('', 'a,b,c', 'a', ',', ',a');
+
+ foreach ($data as $text) {
+ $result = rcube_utils::explode_quoted_string(',', $text);
+ $this->assertSame(explode(',', $text), $result);
+ }
+ }
+
+ /**
+ * rcube_utils::get_boolean()
+ */
+ function test_get_boolean()
+ {
+ $input = array(
+ false, 'false', '0', 'no', 'off', 'nein', 'FALSE', '', null,
+ );
+
+ foreach ($input as $idx => $value) {
+ $this->assertFalse(get_boolean($value), "Invalid result for $idx test item");
+ }
+
+ $input = array(
+ true, 'true', '1', 1, 'yes', 'anything', 1000,
+ );
+
+ foreach ($input as $idx => $value) {
+ $this->assertTrue(get_boolean($value), "Invalid result for $idx test item");
+ }
+ }
+
+ /**
+ * rcube:utils::strtotime()
+ */
+ function test_strtotime()
+ {
+ $test = array(
+ '1' => 1,
+ '' => 0,
+ '2013-04-22' => 1366581600,
+ '2013/04/22' => 1366581600,
+ '2013.04.22' => 1366581600,
+ '22-04-2013' => 1366581600,
+ '22/04/2013' => 1366581600,
+ '22.04.2013' => 1366581600,
+ '22.4.2013' => 1366581600,
+ '20130422' => 1366581600,
+ );
+
+ foreach ($test as $datetime => $ts) {
+ $result = rcube_utils::strtotime($datetime);
+ $this->assertSame($ts, $result, "Error parsing date: $datetime");
+ }
+ }
+
+ /**
+ * rcube:utils::normalize _string()
+ */
+ function test_normalize_string()
+ {
+ $test = array(
+ '' => '',
+ 'abc def' => 'abc def',
+ );
+
+ foreach ($test as $input => $output) {
+ $result = rcube_utils::normalize_string($input);
+ $this->assertSame($output, $result);
+ }
+ }
}
--
Gitblit v1.9.1