2 namespace TYPO3\CMS\Felogin\Tests\Unit\Controller
;
4 /***************************************************************
7 * (c) 2012-2013 Helmut Hummel <helmut@typo3.org>
11 * This script is part of the TYPO3 project. The TYPO3 project is
12 * free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * The GNU General Public License can be found at
18 * http://www.gnu.org/copyleft/gpl.html.
20 * This script is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * This copyright notice MUST APPEAR in all copies of the script!
27 * The code was adapted from newloginbox, see manual for detailed description
28 ***************************************************************/
31 * Testcase for URL validation in class FrontendLoginController
33 * @author Helmut Hummel <helmut@typo3.org>
35 class FrontendLoginTest
extends \TYPO3\CMS\Core\Tests\UnitTestCase
{
38 * @var \TYPO3\CMS\Felogin\Controller\FrontendLoginController|\TYPO3\CMS\Core\Tests\AccessibleObjectInterface
40 protected $accessibleFixture;
45 protected $testHostName;
50 protected $testSitePath;
55 private $testTableName;
60 public function setUp() {
61 $this->testTableName
= 'sys_domain';
62 $this->testHostName
= 'hostname.tld';
63 $this->testSitePath
= '/';
64 $this->accessibleFixture
= $this->getAccessibleMock('TYPO3\\CMS\\Felogin\\Controller\\FrontendLoginController', array('dummy'));
65 $this->accessibleFixture
->cObj
= $this->getMock('TYPO3\\CMS\\Frontend\\ContentObject\\ContentObjectRenderer');
66 $GLOBALS['TSFE'] = $this->getMock('TYPO3\\CMS\\Frontend\\Controller\\TypoScriptFrontendController', array(), array(), '', FALSE);
67 $this->setUpFakeSitePathAndHost();
73 public function tearDown() {
74 $this->accessibleFixture
= NULL;
78 * Set up a fake site path and host
80 protected function setUpFakeSitePathAndHost() {
81 $_SERVER['ORIG_PATH_INFO'] = $_SERVER['PATH_INFO'] = $_SERVER['ORIG_SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'] = $this->testSitePath
. TYPO3_mainDir
;
82 $_SERVER['HTTP_HOST'] = $this->testHostName
;
88 protected function setUpDatabaseMock() {
89 $GLOBALS['TYPO3_DB'] = $this->getMock('TYPO3\\CMS\\Core\\Database\\DatabaseConnection', array('exec_SELECTgetRows'));
91 ->expects($this->any())
92 ->method('exec_SELECTgetRows')
93 ->will($this->returnCallback(array($this, 'getDomainRecordsCallback')));
97 * Callback method for pageIdCanBeDetermined test cases.
98 * Simulates TYPO3_DB->exec_SELECTgetRows().
100 * @param string $fields
101 * @param string $table
102 * @param string $where
104 * @see setUpDatabaseMock
106 public function getDomainRecordsCallback($fields, $table, $where) {
107 if ($table !== $this->testTableName
) {
111 array('domainName' => 'domainhostname.tld'),
112 array('domainName' => 'otherhostname.tld/path'),
113 array('domainName' => 'sub.domainhostname.tld/path/')
120 public function typo3SitePathEqualsStubSitePath() {
121 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility
::getIndpEnv('TYPO3_SITE_PATH'), $this->testSitePath
);
127 public function typo3SiteUrlEqualsStubSiteUrl() {
128 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility
::getIndpEnv('TYPO3_SITE_URL'), ('http://' . $this->testHostName
) . $this->testSitePath
);
134 public function typo3SitePathEqualsStubSitePathAfterChangingInTest() {
135 $this->testHostName
= 'somenewhostname.com';
136 $this->testSitePath
= '/somenewpath/';
137 $this->setUpFakeSitePathAndHost();
138 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility
::getIndpEnv('TYPO3_SITE_PATH'), $this->testSitePath
);
144 public function typo3SiteUrlEqualsStubSiteUrlAfterChangingInTest() {
145 $this->testHostName
= 'somenewhostname.com';
146 $this->testSitePath
= '/somenewpath/';
147 $this->setUpFakeSitePathAndHost();
148 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility
::getIndpEnv('TYPO3_SITE_URL'), ('http://' . $this->testHostName
) . $this->testSitePath
);
152 * Data provider for validateRedirectUrlClearsUrl
156 public function validateRedirectUrlClearsUrlDataProvider() {
158 'absolute URL, hostname not in sys_domain, trailing slash' => array('http://badhost.tld/'),
159 'absolute URL, hostname not in sys_domain, no trailing slash' => array('http://badhost.tld'),
160 'absolute URL, subdomain in sys_domain, but main domain not, trailing slash' => array('http://domainhostname.tld.badhost.tld/'),
161 'absolute URL, subdomain in sys_domain, but main domain not, no trailing slash' => array('http://domainhostname.tld.badhost.tld'),
162 'non http absolute URL 1' => array('its://domainhostname.tld/itunes/'),
163 'non http absolute URL 2' => array('ftp://domainhostname.tld/download/'),
164 'XSS attempt 1' => array('javascript:alert(123)'),
165 'XSS attempt 2' => array('" onmouseover="alert(123)"'),
166 'invalid URL, HTML break out attempt' => array('" >blabuubb'),
167 'invalid URL, UNC path' => array('\\\\foo\\bar\\'),
168 'invalid URL, backslashes in path' => array('http://domainhostname.tld\\bla\\blupp'),
169 'invalid URL, linefeed in path' => array('http://domainhostname.tld/bla/blupp' . LF
),
170 'invalid URL, only one slash after scheme' => array('http:/domainhostname.tld/bla/blupp'),
171 'invalid URL, illegal chars' => array('http://(<>domainhostname).tld/bla/blupp'),
177 * @dataProvider validateRedirectUrlClearsUrlDataProvider
178 * @param string $url Invalid Url
180 public function validateRedirectUrlClearsUrl($url) {
181 $this->setUpDatabaseMock();
182 $this->assertEquals('', $this->accessibleFixture
->_call('validateRedirectUrl', $url));
186 * Data provider for validateRedirectUrlKeepsCleanUrl
190 public function validateRedirectUrlKeepsCleanUrlDataProvider() {
192 'sane absolute URL' => array('http://domainhostname.tld/'),
193 'sane absolute URL with script' => array('http://domainhostname.tld/index.php?id=1'),
194 'sane absolute URL with realurl' => array('http://domainhostname.tld/foo/bar/foo.html'),
195 'sane absolute URL with homedir' => array('http://domainhostname.tld/~user/'),
196 'sane absolute URL with some strange chars encoded' => array('http://domainhostname.tld/~user/a%cc%88o%cc%88%c3%9fa%cc%82/foo.html'),
197 'sane absolute URL (domain record with path)' => array('http://otherhostname.tld/path/'),
198 'sane absolute URL with script (domain record with path)' => array('http://otherhostname.tld/path/index.php?id=1'),
199 'sane absolute URL with realurl (domain record with path)' => array('http://otherhostname.tld/path/foo/bar/foo.html'),
200 'sane absolute URL (domain record with path and slash)' => array('http://sub.domainhostname.tld/path/'),
201 'sane absolute URL with script (domain record with path slash)' => array('http://sub.domainhostname.tld/path/index.php?id=1'),
202 'sane absolute URL with realurl (domain record with path slash)' => array('http://sub.domainhostname.tld/path/foo/bar/foo.html'),
203 'relative URL, no leading slash 1' => array('index.php?id=1'),
204 'relative URL, no leading slash 2' => array('foo/bar/index.php?id=2'),
205 'relative URL, leading slash, no realurl' => array('/index.php?id=1'),
206 'relative URL, leading slash, realurl' => array('/de/service/imprint.html'),
212 * @dataProvider validateRedirectUrlKeepsCleanUrlDataProvider
213 * @param string $url Clean URL to test
215 public function validateRedirectUrlKeepsCleanUrl($url) {
216 $this->setUpDatabaseMock();
217 $this->assertEquals($url, $this->accessibleFixture
->_call('validateRedirectUrl', $url));
221 * Data provider for validateRedirectUrlClearsInvalidUrlInSubdirectory
225 public function validateRedirectUrlClearsInvalidUrlInSubdirectoryDataProvider() {
227 'absolute URL, missing subdirectory' => array('http://hostname.tld/'),
228 'absolute URL, wrong subdirectory' => array('http://hostname.tld/hacker/index.php'),
229 'absolute URL, correct subdirectory, no trailing slash' => array('http://hostname.tld/subdir'),
230 'absolute URL, correct subdirectory of sys_domain record, no trailing slash' => array('http://otherhostname.tld/path'),
231 'absolute URL, correct subdirectory of sys_domain record, no trailing slash, subdomain' => array('http://sub.domainhostname.tld/path'),
232 'relative URL, leading slash, no path' => array('/index.php?id=1'),
233 'relative URL, leading slash, wrong path' => array('/de/sub/site.html'),
234 'relative URL, leading slash, slash only' => array('/'),
240 * @dataProvider validateRedirectUrlClearsInvalidUrlInSubdirectoryDataProvider
241 * @param string $url Invalid Url
243 public function validateRedirectUrlClearsInvalidUrlInSubdirectory($url) {
244 $this->testSitePath
= '/subdir/';
245 $this->setUpFakeSitePathAndHost();
246 $this->setUpDatabaseMock();
247 $this->assertEquals('', $this->accessibleFixture
->_call('validateRedirectUrl', $url));
251 * Data provider for validateRedirectUrlKeepsCleanUrlInSubdirectory
255 public function validateRedirectUrlKeepsCleanUrlInSubdirectoryDataProvider() {
257 'absolute URL, correct subdirectory' => array('http://hostname.tld/subdir/'),
258 'absolute URL, correct subdirectory, realurl' => array('http://hostname.tld/subdir/de/imprint.html'),
259 'absolute URL, correct subdirectory, no realurl' => array('http://hostname.tld/subdir/index.php?id=10'),
260 'absolute URL, correct subdirectory of sys_domain record' => array('http://otherhostname.tld/path/'),
261 'absolute URL, correct subdirectory of sys_domain record, subdomain' => array('http://sub.domainhostname.tld/path/'),
262 'relative URL, no leading slash, realurl' => array('de/service/imprint.html'),
263 'relative URL, no leading slash, no realurl' => array('index.php?id=1'),
264 'relative nested URL, no leading slash, no realurl' => array('foo/bar/index.php?id=2')
270 * @dataProvider validateRedirectUrlKeepsCleanUrlInSubdirectoryDataProvider
271 * @param string $url Invalid Url
273 public function validateRedirectUrlKeepsCleanUrlInSubdirectory($url) {
274 $this->testSitePath
= '/subdir/';
275 $this->setUpFakeSitePathAndHost();
276 $this->setUpDatabaseMock();
277 $this->assertEquals($url, $this->accessibleFixture
->_call('validateRedirectUrl', $url));
281 /*************************
282 * Test concerning getPreverveGetVars
283 *************************/
288 public function getPreserveGetVarsReturnsCorrectResultDataProvider() {
290 'special get var id is not preserved' => array(
297 'simple additional parameter is not preserved if not specified in preservedGETvars' => array(
305 'all params except ignored ones are preserved if preservedGETvars is set to "all"' => array(
314 '&special1=23&special2[foo]=bar',
316 'preserve single parameter' => array(
323 'preserve whole parameter array' => array(
326 'tx_someext' => array(
334 '&L=3&tx_someext[foo]=simple&tx_someext[bar][baz]=simple',
336 'preserve part of sub array' => array(
339 'tx_someext' => array(
347 '&L=3&tx_someext[bar][baz]=simple',
349 'preserve keys on different levels' => array(
352 'no-preserve' => 'whatever',
363 'L,tx_ext2,tx_ext3[bar]',
364 '&L=3&tx_ext2[foo]=simple&tx_ext3[bar][baz]=simple',
366 'preserved value that does not exist in get' => array(
371 'url params are encoded' => array(
372 array('tx_ext1' => 'param with spaces and \\ %<>& /'),
374 '&tx_ext1=param%20with%20spaces%20and%20%20%25%3C%3E%26%20%2F'
381 * @dataProvider getPreserveGetVarsReturnsCorrectResultDataProvider
382 * @param array $getArray
383 * @param string $preserveVars
384 * @param string $expected
387 public function getPreserveGetVarsReturnsCorrectResult(array $getArray, $preserveVars, $expected) {
389 $this->accessibleFixture
->conf
['preserveGETvars'] = $preserveVars;
390 $this->assertSame($expected, $this->accessibleFixture
->_call('getPreserveGetVars'));