From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 tests/Framework/Utils.php | 152 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 152 insertions(+), 0 deletions(-)
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index b6cc5d5..2e0d3cf 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -83,6 +83,83 @@
 }

 /**
+ * Valid IP addresses for test_valid_ip()
+ */
+ function data_valid_ip()
+ {
+ return array(
+ array('0.0.0.0'),
+ array('123.123.123.123'),
+ array('::'),
+ array('::1'),
+ array('::1.2.3.4'),
+ array('2001:2d12:c4fe:5afe::1'),
+ );
+ }
+
+ /**
+ * Valid IP addresses for test_invalid_ip()
+ */
+ function data_invalid_ip()
+ {
+ return array(
+ array(''),
+ array(0),
+ array('123.123.123.1234'),
+ array('1.1.1.1.1'),
+ array('::1.2.3.260'),
+ array('::1.0'),
+ array('2001::c4fe:5afe::1'),
+ );
+ }
+
+ /**
+ * @dataProvider data_valid_ip
+ */
+ function test_valid_ip($ip)
+ {
+ $this->assertTrue(rcube_utils::check_ip($ip));
+ }
+
+ /**
+ * @dataProvider data_invalid_ip
+ */
+ function test_invalid_ip($ip)
+ {
+ $this->assertFalse(rcube_utils::check_ip($ip));
+ }
+
+ /**
+ * Data for test_rep_specialchars_output()
+ */
+ function data_rep_specialchars_output()
+ {
+ return array(
+ array('', '', 'abc', 'abc'),
+ array('', '', '?', '?'),
+ array('', '', '"', '"'),
+ array('', '', '<', '<'),
+ array('', '', '>', '>'),
+ array('', '', '&', '&'),
+ array('', '', '&', '&amp;'),
+ array('', '', '<a>', '<a>'),
+ array('', 'remove', '<a>', ''),
+ );
+ }
+
+ /**
+ * Test for rep_specialchars_output
+ * @dataProvider data_rep_specialchars_output
+ */
+ function test_rep_specialchars_output($type, $mode, $str, $res)
+ {
+ $result = rcube_utils::rep_specialchars_output(
+ $str, $type ? $type : 'html', $mode ? $mode : 'strict');
+
+ $this->assertEquals($result, $res);
+ }
+
+ /**
 * rcube_utils::mod_css_styles()
 */
 function test_mod_css_styles()
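Review bot: The data_rep_specialchars_output provider, as printed here, expects `"`, `<`, `>`, `&` and `<a>` to come back unchanged from rep_specialchars_output in html/strict mode and then lists `&` a second time expecting `&amp;`, so one input has two different expected outputs and the provider cannot pass as shown. This looks like HTML-entity decoding of the page rather than the committed file (the expectations were presumably `&quot;`, `&lt;`, `&gt;`, `&amp;`, `&amp;amp;`, `&lt;a&gt;`), but it is worth confirming against the repository, because a test that asserted no escaping would hide exactly the XSS this helper exists to prevent. Separately, `$this->assertEquals($result, $res);` has the arguments reversed — PHPUnit takes the expected value first, so failure messages would label the values backwards; use `$this->assertEquals($res, $result);`. Note also that nothing in this diff touches utils/save-prefs or a `_session` argument as the subject line claims; the actual fix is presumably in a file not included in this patch.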
@@ -116,4 +193,79 @@
 $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody');
 $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
 }
+
+ /**
+ * Check rcube_utils::explode_quoted_string() compat. with explode()
+ */
+ function test_explode_quoted_string_compat()
+ {
+ $data = array('', 'a,b,c', 'a', ',', ',a');
+
+ foreach ($data as $text) {
+ $result = rcube_utils::explode_quoted_string(',', $text);
+ $this->assertSame(explode(',', $text), $result);
+ }
+ }
+
+ /**
+ * rcube_utils::get_boolean()
+ */
+ function test_get_boolean()
+ {
+ $input = array(
+ false, 'false', '0', 'no', 'off', 'nein', 'FALSE', '', null,
+ );
+
+ foreach ($input as $idx => $value) {
+ $this->assertFalse(get_boolean($value), "Invalid result for $idx test item");
+ }
+
+ $input = array(
+ true, 'true', '1', 1, 'yes', 'anything', 1000,
+ );
+
+ foreach ($input as $idx => $value) {
+ $this->assertTrue(get_boolean($value), "Invalid result for $idx test item");
+ }
+ }
+
+ /**
+ * rcube:utils::strtotime()
+ */
+ function test_strtotime()
+ {
+ $test = array(
+ '1' => 1,
+ '' => 0,
+ '2013-04-22' => 1366581600,
+ '2013/04/22' => 1366581600,
+ '2013.04.22' => 1366581600,
+ '22-04-2013' => 1366581600,
+ '22/04/2013' => 1366581600,
+ '22.04.2013' => 1366581600,
+ '22.4.2013' => 1366581600,
+ '20130422' => 1366581600,
+ );
+
+ foreach ($test as $datetime => $ts) {
+ $result = rcube_utils::strtotime($datetime);
+ $this->assertSame($ts, $result, "Error parsing date: $datetime");
+ }
+ }
+
+ /**
+ * rcube:utils::normalize _string()
+ */
+ function test_normalize_string()
+ {
+ $test = array(
+ '' => '',
+ 'abc def' => 'abc def',
+ );
+
+ foreach ($test as $input => $output) {
+ $result = rcube_utils::normalize_string($input);
+ $this->assertSame($output, $result);
+ }
+ }
 }
-- Gitblit v1.9.1
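Review bot: test_strtotime pins the absolute timestamp `1366581600` for every 2013-04-22 spelling, and that value is 2013-04-21 22:00:00 UTC, i.e. midnight on the 22nd only in a UTC+2 zone, so the test depends on the default timezone of whatever machine runs it and fails under UTC or any other offset. Either fix the zone at the top of the test (`date_default_timezone_set('UTC');` and recompute the literals) or derive the expectation at runtime, e.g. `'2013-04-22' => mktime(0, 0, 0, 4, 22, 2013),` for each date entry. In test_get_boolean the call is the unqualified `get_boolean($value)` while its docblock and every other test here use `rcube_utils::…`; unless the test bootstrap defines a global wrapper, that is a fatal "undefined function" rather than an assertion failure, so `rcube_utils::get_boolean($value)` would match the stated intent. The docblocks `rcube:utils::strtotime()` and `rcube:utils::normalize _string()` also carry typos (single colon, stray space) worth fixing while here.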