518e4f5cebf607222724d8d4cfd4f89087278c30
[Packages/TYPO3.CMS.git] / typo3 / sysext / felogin / Tests / Unit / Controller / FrontendLoginControllerTest.php
1 <?php
2 namespace TYPO3\CMS\Felogin\Tests\Unit\Controller;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController;
18
19 /**
20 * Test case
21 */
22 class FrontendLoginControllerTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
23
24 /**
25 * @var \TYPO3\CMS\Felogin\Controller\FrontendLoginController|\TYPO3\CMS\Core\Tests\AccessibleObjectInterface
26 */
27 protected $accessibleFixture;
28
29 /**
30 * @var string
31 */
32 protected $testHostName;
33
34 /**
35 * @var string
36 */
37 protected $testSitePath;
38
39 /**
40 * @var string
41 */
42 protected $testTableName;
43
44 /**
45 * Set up
46 */
47 protected function setUp() {
48 $this->testTableName = 'sys_domain';
49 $this->testHostName = 'hostname.tld';
50 $this->testSitePath = '/';
51 $this->accessibleFixture = $this->getAccessibleMock(\TYPO3\CMS\Felogin\Controller\FrontendLoginController::class, array('dummy'));
52 $this->accessibleFixture->cObj = $this->getMock(\TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::class);
53 $this->accessibleFixture->_set('frontendController', $this->getMock(\TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController::class, array(), array(), '', FALSE));
54 $this->setUpFakeSitePathAndHost();
55 }
56
57 /**
58 * Set up a fake site path and host
59 */
60 protected function setUpFakeSitePathAndHost() {
61 $_SERVER['ORIG_PATH_INFO'] = $_SERVER['PATH_INFO'] = $_SERVER['ORIG_SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'] = $this->testSitePath . TYPO3_mainDir;
62 $_SERVER['HTTP_HOST'] = $this->testHostName;
63 }
64
65 /**
66 * Mock database
67 */
68 protected function setUpDatabaseMock() {
69 $db = $this->getMock(\TYPO3\CMS\Core\Database\DatabaseConnection::class, array('exec_SELECTgetRows'));
70 $db
71 ->expects($this->any())
72 ->method('exec_SELECTgetRows')
73 ->will($this->returnCallback(array($this, 'getDomainRecordsCallback')));
74 $this->accessibleFixture->_set('databaseConnection', $db);
75 }
76
77 /**
78 * Callback method for pageIdCanBeDetermined test cases.
79 * Simulates TYPO3_DB->exec_SELECTgetRows().
80 *
81 * @param string $fields
82 * @param string $table
83 * @param string $where
84 * @return mixed
85 * @see setUpDatabaseMock
86 */
87 public function getDomainRecordsCallback($fields, $table, $where) {
88 if ($table !== $this->testTableName) {
89 return FALSE;
90 }
91 return array(
92 array('domainName' => 'domainhostname.tld'),
93 array('domainName' => 'otherhostname.tld/path'),
94 array('domainName' => 'sub.domainhostname.tld/path/')
95 );
96 }
97
98 /**
99 * @test
100 */
101 public function typo3SitePathEqualsStubSitePath() {
102 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'), $this->testSitePath);
103 }
104
105 /**
106 * @test
107 */
108 public function typo3SiteUrlEqualsStubSiteUrl() {
109 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_URL'), ('http://' . $this->testHostName) . $this->testSitePath);
110 }
111
112 /**
113 * @test
114 */
115 public function typo3SitePathEqualsStubSitePathAfterChangingInTest() {
116 $this->testHostName = 'somenewhostname.com';
117 $this->testSitePath = '/somenewpath/';
118 $this->setUpFakeSitePathAndHost();
119 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'), $this->testSitePath);
120 }
121
122 /**
123 * @test
124 */
125 public function typo3SiteUrlEqualsStubSiteUrlAfterChangingInTest() {
126 $this->testHostName = 'somenewhostname.com';
127 $this->testSitePath = '/somenewpath/';
128 $this->setUpFakeSitePathAndHost();
129 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_URL'), ('http://' . $this->testHostName) . $this->testSitePath);
130 }
131
132 /**
133 * Data provider for validateRedirectUrlClearsUrl
134 *
135 * @return array
136 */
137 public function validateRedirectUrlClearsUrlDataProvider() {
138 return array(
139 'absolute URL, hostname not in sys_domain, trailing slash' => array('http://badhost.tld/'),
140 'absolute URL, hostname not in sys_domain, no trailing slash' => array('http://badhost.tld'),
141 'absolute URL, subdomain in sys_domain, but main domain not, trailing slash' => array('http://domainhostname.tld.badhost.tld/'),
142 'absolute URL, subdomain in sys_domain, but main domain not, no trailing slash' => array('http://domainhostname.tld.badhost.tld'),
143 'non http absolute URL 1' => array('its://domainhostname.tld/itunes/'),
144 'non http absolute URL 2' => array('ftp://domainhostname.tld/download/'),
145 'XSS attempt 1' => array('javascript:alert(123)'),
146 'XSS attempt 2' => array('" onmouseover="alert(123)"'),
147 'invalid URL, HTML break out attempt' => array('" >blabuubb'),
148 'invalid URL, UNC path' => array('\\\\foo\\bar\\'),
149 'invalid URL, backslashes in path' => array('http://domainhostname.tld\\bla\\blupp'),
150 'invalid URL, linefeed in path' => array('http://domainhostname.tld/bla/blupp' . LF),
151 'invalid URL, only one slash after scheme' => array('http:/domainhostname.tld/bla/blupp'),
152 'invalid URL, illegal chars' => array('http://(<>domainhostname).tld/bla/blupp'),
153 );
154 }
155
156 /**
157 * @test
158 * @dataProvider validateRedirectUrlClearsUrlDataProvider
159 * @param string $url Invalid Url
160 */
161 public function validateRedirectUrlClearsUrl($url) {
162 $this->setUpDatabaseMock();
163 $this->assertEquals('', $this->accessibleFixture->_call('validateRedirectUrl', $url));
164 }
165
166 /**
167 * Data provider for validateRedirectUrlKeepsCleanUrl
168 *
169 * @return array
170 */
171 public function validateRedirectUrlKeepsCleanUrlDataProvider() {
172 return array(
173 'sane absolute URL' => array('http://domainhostname.tld/'),
174 'sane absolute URL with script' => array('http://domainhostname.tld/index.php?id=1'),
175 'sane absolute URL with realurl' => array('http://domainhostname.tld/foo/bar/foo.html'),
176 'sane absolute URL with homedir' => array('http://domainhostname.tld/~user/'),
177 'sane absolute URL with some strange chars encoded' => array('http://domainhostname.tld/~user/a%cc%88o%cc%88%c3%9fa%cc%82/foo.html'),
178 'sane absolute URL (domain record with path)' => array('http://otherhostname.tld/path/'),
179 'sane absolute URL with script (domain record with path)' => array('http://otherhostname.tld/path/index.php?id=1'),
180 'sane absolute URL with realurl (domain record with path)' => array('http://otherhostname.tld/path/foo/bar/foo.html'),
181 'sane absolute URL (domain record with path and slash)' => array('http://sub.domainhostname.tld/path/'),
182 'sane absolute URL with script (domain record with path slash)' => array('http://sub.domainhostname.tld/path/index.php?id=1'),
183 'sane absolute URL with realurl (domain record with path slash)' => array('http://sub.domainhostname.tld/path/foo/bar/foo.html'),
184 'relative URL, no leading slash 1' => array('index.php?id=1'),
185 'relative URL, no leading slash 2' => array('foo/bar/index.php?id=2'),
186 'relative URL, leading slash, no realurl' => array('/index.php?id=1'),
187 'relative URL, leading slash, realurl' => array('/de/service/imprint.html'),
188 );
189 }
190
191 /**
192 * @test
193 * @dataProvider validateRedirectUrlKeepsCleanUrlDataProvider
194 * @param string $url Clean URL to test
195 */
196 public function validateRedirectUrlKeepsCleanUrl($url) {
197 $this->setUpDatabaseMock();
198 $this->assertEquals($url, $this->accessibleFixture->_call('validateRedirectUrl', $url));
199 }
200
201 /**
202 * Data provider for validateRedirectUrlClearsInvalidUrlInSubdirectory
203 *
204 * @return array
205 */
206 public function validateRedirectUrlClearsInvalidUrlInSubdirectoryDataProvider() {
207 return array(
208 'absolute URL, missing subdirectory' => array('http://hostname.tld/'),
209 'absolute URL, wrong subdirectory' => array('http://hostname.tld/hacker/index.php'),
210 'absolute URL, correct subdirectory, no trailing slash' => array('http://hostname.tld/subdir'),
211 'absolute URL, correct subdirectory of sys_domain record, no trailing slash' => array('http://otherhostname.tld/path'),
212 'absolute URL, correct subdirectory of sys_domain record, no trailing slash, subdomain' => array('http://sub.domainhostname.tld/path'),
213 'relative URL, leading slash, no path' => array('/index.php?id=1'),
214 'relative URL, leading slash, wrong path' => array('/de/sub/site.html'),
215 'relative URL, leading slash, slash only' => array('/'),
216 );
217 }
218
219 /**
220 * @test
221 * @dataProvider validateRedirectUrlClearsInvalidUrlInSubdirectoryDataProvider
222 * @param string $url Invalid Url
223 */
224 public function validateRedirectUrlClearsInvalidUrlInSubdirectory($url) {
225 $this->testSitePath = '/subdir/';
226 $this->setUpFakeSitePathAndHost();
227 $this->setUpDatabaseMock();
228 $this->assertEquals('', $this->accessibleFixture->_call('validateRedirectUrl', $url));
229 }
230
231 /**
232 * Data provider for validateRedirectUrlKeepsCleanUrlInSubdirectory
233 *
234 * @return array
235 */
236 public function validateRedirectUrlKeepsCleanUrlInSubdirectoryDataProvider() {
237 return array(
238 'absolute URL, correct subdirectory' => array('http://hostname.tld/subdir/'),
239 'absolute URL, correct subdirectory, realurl' => array('http://hostname.tld/subdir/de/imprint.html'),
240 'absolute URL, correct subdirectory, no realurl' => array('http://hostname.tld/subdir/index.php?id=10'),
241 'absolute URL, correct subdirectory of sys_domain record' => array('http://otherhostname.tld/path/'),
242 'absolute URL, correct subdirectory of sys_domain record, subdomain' => array('http://sub.domainhostname.tld/path/'),
243 'relative URL, no leading slash, realurl' => array('de/service/imprint.html'),
244 'relative URL, no leading slash, no realurl' => array('index.php?id=1'),
245 'relative nested URL, no leading slash, no realurl' => array('foo/bar/index.php?id=2')
246 );
247 }
248
249 /**
250 * @test
251 * @dataProvider validateRedirectUrlKeepsCleanUrlInSubdirectoryDataProvider
252 * @param string $url Invalid Url
253 */
254 public function validateRedirectUrlKeepsCleanUrlInSubdirectory($url) {
255 $this->testSitePath = '/subdir/';
256 $this->setUpFakeSitePathAndHost();
257 $this->setUpDatabaseMock();
258 $this->assertEquals($url, $this->accessibleFixture->_call('validateRedirectUrl', $url));
259 }
260
261
262 /*************************
263 * Test concerning getPreverveGetVars
264 *************************/
265
266 /**
267 * @return array
268 */
269 public function getPreserveGetVarsReturnsCorrectResultDataProvider() {
270 return array(
271 'special get var id is not preserved' => array(
272 array(
273 'id' => 42,
274 ),
275 '',
276 '',
277 ),
278 'simple additional parameter is not preserved if not specified in preservedGETvars' => array(
279 array(
280 'id' => 42,
281 'special' => 23,
282 ),
283 '',
284 '',
285 ),
286 'all params except ignored ones are preserved if preservedGETvars is set to "all"' => array(
287 array(
288 'id' => 42,
289 'special1' => 23,
290 'special2' => array(
291 'foo' => 'bar',
292 ),
293 'tx_felogin_pi1' => array(
294 'forgot' => 1,
295 ),
296 ),
297 'all',
298 '&special1=23&special2[foo]=bar',
299 ),
300 'preserve single parameter' => array(
301 array(
302 'L' => 42,
303 ),
304 'L',
305 '&L=42'
306 ),
307 'preserve whole parameter array' => array(
308 array(
309 'L' => 3,
310 'tx_someext' => array(
311 'foo' => 'simple',
312 'bar' => array(
313 'baz' => 'simple',
314 ),
315 ),
316 ),
317 'L,tx_someext',
318 '&L=3&tx_someext[foo]=simple&tx_someext[bar][baz]=simple',
319 ),
320 'preserve part of sub array' => array(
321 array(
322 'L' => 3,
323 'tx_someext' => array(
324 'foo' => 'simple',
325 'bar' => array(
326 'baz' => 'simple',
327 ),
328 ),
329 ),
330 'L,tx_someext[bar]',
331 '&L=3&tx_someext[bar][baz]=simple',
332 ),
333 'preserve keys on different levels' => array(
334 array(
335 'L' => 3,
336 'no-preserve' => 'whatever',
337 'tx_ext2' => array(
338 'foo' => 'simple',
339 ),
340 'tx_ext3' => array(
341 'bar' => array(
342 'baz' => 'simple',
343 ),
344 'go-away' => '',
345 ),
346 ),
347 'L,tx_ext2,tx_ext3[bar]',
348 '&L=3&tx_ext2[foo]=simple&tx_ext3[bar][baz]=simple',
349 ),
350 'preserved value that does not exist in get' => array(
351 array(),
352 'L,foo[bar]',
353 ''
354 ),
355 'url params are encoded' => array(
356 array('tx_ext1' => 'param with spaces and \\ %<>& /'),
357 'L,tx_ext1',
358 '&tx_ext1=param%20with%20spaces%20and%20%5C%20%25%3C%3E%26%20%2F'
359 ),
360 );
361 }
362
363 /**
364 * @test
365 * @dataProvider getPreserveGetVarsReturnsCorrectResultDataProvider
366 * @param array $getArray
367 * @param string $preserveVars
368 * @param string $expected
369 * @return void
370 */
371 public function getPreserveGetVarsReturnsCorrectResult(array $getArray, $preserveVars, $expected) {
372 $_GET = $getArray;
373 $this->accessibleFixture->conf['preserveGETvars'] = $preserveVars;
374 $this->assertSame($expected, $this->accessibleFixture->_call('getPreserveGetVars'));
375 }
376
377
378 /**************************************************
379 * Tests concerning isInLocalDomain
380 **************************************************/
381
382 /**
383 * Dataprovider for isInCurrentDomainIgnoresScheme
384 *
385 * @return array
386 */
387 public function isInCurrentDomainIgnoresSchemeDataProvider() {
388 return array(
389 'url https, current host http' => array(
390 'example.com', // HTTP_HOST
391 '0', // HTTPS
392 'https://example.com/foo.html' // URL
393 ),
394 'url http, current host https' => array(
395 'example.com',
396 '1',
397 'http://example.com/foo.html'
398 ),
399 'url https, current host https' => array(
400 'example.com',
401 '1',
402 'https://example.com/foo.html'
403 ),
404 'url http, current host http' => array(
405 'example.com',
406 '0',
407 'http://example.com/foo.html'
408 )
409 );
410 }
411
412 /**
413 * @test
414 * @dataProvider isInCurrentDomainIgnoresSchemeDataProvider
415 * @param string $host $_SERVER['HTTP_HOST']
416 * @param string $https $_SERVER['HTTPS']
417 * @param string $url The url to test
418 */
419 public function isInCurrentDomainIgnoresScheme($host, $https, $url) {
420 $_SERVER['HTTP_HOST'] = $host;
421 $_SERVER['HTTPS'] = $https;
422 $this->assertTrue($this->accessibleFixture->_call('isInCurrentDomain', $url));
423 }
424
425 /**
426 * @return array
427 */
428 public function isInCurrentDomainReturnsFalseIfDomainsAreDifferentDataProvider() {
429 return array(
430 'simple difference' => array(
431 'example.com', // HTTP_HOST
432 'http://typo3.org/foo.html' // URL
433 ),
434 'subdomain different' => array(
435 'example.com',
436 'http://foo.example.com/bar.html'
437 )
438 );
439 }
440
441 /**
442 * @test
443 * @dataProvider isInCurrentDomainReturnsFalseIfDomainsAreDifferentDataProvider
444 * @param string $host $_SERVER['HTTP_HOST']
445 * @param string $url The url to test
446 */
447 public function isInCurrentDomainReturnsFalseIfDomainsAreDifferent($host, $url) {
448 $_SERVER['HTTP_HOST'] = $host;
449 $this->assertFalse($this->accessibleFixture->_call('isInCurrentDomain', $url));
450 }
451
452 /**
453 * @test
454 */
455 public function processRedirectReferrerDomainsMatchesDomains() {
456 $conf = array(
457 'redirectMode' => 'refererDomains',
458 'domains' => 'example.com'
459 );
460
461 $this->accessibleFixture->_set('conf', $conf);
462 $this->accessibleFixture->_set('logintype', 'login');
463 $this->accessibleFixture->_set('referer', 'http://www.example.com/snafu');
464 /** @var TypoScriptFrontendController $tsfe */
465 $tsfe = $this->accessibleFixture->_get('frontendController');
466 $tsfe->loginUser = TRUE;
467 $this->assertSame(array('http://www.example.com/snafu'), $this->accessibleFixture->_call('processRedirect'));
468 }
469
470 }