[BUGFIX] Don't preserve piVars in felogin links
[Packages/TYPO3.CMS.git] / typo3 / sysext / felogin / Tests / Unit / Controller / FrontendLoginControllerTest.php
1 <?php
2 namespace TYPO3\CMS\Felogin\Tests\Unit\Controller;
3
4 /***************************************************************
5 * Copyright notice
6 *
7 * (c) 2012-2013 Helmut Hummel <helmut@typo3.org>
8 *
9 * All rights reserved
10 *
11 * This script is part of the TYPO3 project. The TYPO3 project is
12 * free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
16 *
17 * The GNU General Public License can be found at
18 * http://www.gnu.org/copyleft/gpl.html.
19 *
20 * This script is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * This copyright notice MUST APPEAR in all copies of the script!
26 *
27 * The code was adapted from newloginbox, see manual for detailed description
28 ***************************************************************/
29
30 /**
31 * Testcase for URL validation in class FrontendLoginController
32 *
33 * @author Helmut Hummel <helmut@typo3.org>
34 */
35 class FrontendLoginTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
36
37 /**
38 * @var \TYPO3\CMS\Felogin\Controller\FrontendLoginController|\TYPO3\CMS\Core\Tests\AccessibleObjectInterface
39 */
40 protected $accessibleFixture;
41
42 /**
43 * @var string
44 */
45 protected $testHostName;
46
47 /**
48 * @var string
49 */
50 protected $testSitePath;
51
52 /**
53 * @var string
54 */
55 private $testTableName;
56
57 /**
58 * Set up
59 */
60 public function setUp() {
61 $this->testTableName = 'sys_domain';
62 $this->testHostName = 'hostname.tld';
63 $this->testSitePath = '/';
64 $this->accessibleFixture = $this->getAccessibleMock('TYPO3\\CMS\\Felogin\\Controller\\FrontendLoginController', array('dummy'));
65 $this->accessibleFixture->cObj = $this->getMock('TYPO3\\CMS\\Frontend\\ContentObject\\ContentObjectRenderer');
66 $GLOBALS['TSFE'] = $this->getMock('TYPO3\\CMS\\Frontend\\Controller\\TypoScriptFrontendController', array(), array(), '', FALSE);
67 $this->setUpFakeSitePathAndHost();
68 }
69
70 /**
71 * Tear down
72 */
73 public function tearDown() {
74 $this->accessibleFixture = NULL;
75 }
76
77 /**
78 * Set up a fake site path and host
79 */
80 protected function setUpFakeSitePathAndHost() {
81 $_SERVER['ORIG_PATH_INFO'] = $_SERVER['PATH_INFO'] = $_SERVER['ORIG_SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'] = $this->testSitePath . TYPO3_mainDir;
82 $_SERVER['HTTP_HOST'] = $this->testHostName;
83 }
84
85 /**
86 * Mock database
87 */
88 protected function setUpDatabaseMock() {
89 $GLOBALS['TYPO3_DB'] = $this->getMock('TYPO3\\CMS\\Core\\Database\\DatabaseConnection', array('exec_SELECTgetRows'));
90 $GLOBALS['TYPO3_DB']
91 ->expects($this->any())
92 ->method('exec_SELECTgetRows')
93 ->will($this->returnCallback(array($this, 'getDomainRecordsCallback')));
94 }
95
96 /**
97 * Callback method for pageIdCanBeDetermined test cases.
98 * Simulates TYPO3_DB->exec_SELECTgetRows().
99 *
100 * @param string $fields
101 * @param string $table
102 * @param string $where
103 * @return mixed
104 * @see setUpDatabaseMock
105 */
106 public function getDomainRecordsCallback($fields, $table, $where) {
107 if ($table !== $this->testTableName) {
108 return FALSE;
109 }
110 return array(
111 array('domainName' => 'domainhostname.tld'),
112 array('domainName' => 'otherhostname.tld/path'),
113 array('domainName' => 'sub.domainhostname.tld/path/')
114 );
115 }
116
117 /**
118 * @test
119 */
120 public function typo3SitePathEqualsStubSitePath() {
121 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'), $this->testSitePath);
122 }
123
124 /**
125 * @test
126 */
127 public function typo3SiteUrlEqualsStubSiteUrl() {
128 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_URL'), ('http://' . $this->testHostName) . $this->testSitePath);
129 }
130
131 /**
132 * @test
133 */
134 public function typo3SitePathEqualsStubSitePathAfterChangingInTest() {
135 $this->testHostName = 'somenewhostname.com';
136 $this->testSitePath = '/somenewpath/';
137 $this->setUpFakeSitePathAndHost();
138 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'), $this->testSitePath);
139 }
140
141 /**
142 * @test
143 */
144 public function typo3SiteUrlEqualsStubSiteUrlAfterChangingInTest() {
145 $this->testHostName = 'somenewhostname.com';
146 $this->testSitePath = '/somenewpath/';
147 $this->setUpFakeSitePathAndHost();
148 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_URL'), ('http://' . $this->testHostName) . $this->testSitePath);
149 }
150
151 /**
152 * Data provider for validateRedirectUrlClearsUrl
153 *
154 * @return array
155 */
156 public function validateRedirectUrlClearsUrlDataProvider() {
157 return array(
158 'absolute URL, hostname not in sys_domain, trailing slash' => array('http://badhost.tld/'),
159 'absolute URL, hostname not in sys_domain, no trailing slash' => array('http://badhost.tld'),
160 'absolute URL, subdomain in sys_domain, but main domain not, trailing slash' => array('http://domainhostname.tld.badhost.tld/'),
161 'absolute URL, subdomain in sys_domain, but main domain not, no trailing slash' => array('http://domainhostname.tld.badhost.tld'),
162 'non http absolute URL 1' => array('its://domainhostname.tld/itunes/'),
163 'non http absolute URL 2' => array('ftp://domainhostname.tld/download/'),
164 'XSS attempt 1' => array('javascript:alert(123)'),
165 'XSS attempt 2' => array('" onmouseover="alert(123)"'),
166 'invalid URL, HTML break out attempt' => array('" >blabuubb'),
167 'invalid URL, UNC path' => array('\\\\foo\\bar\\'),
168 'invalid URL, backslashes in path' => array('http://domainhostname.tld\\bla\\blupp'),
169 'invalid URL, linefeed in path' => array('http://domainhostname.tld/bla/blupp' . LF),
170 'invalid URL, only one slash after scheme' => array('http:/domainhostname.tld/bla/blupp'),
171 'invalid URL, illegal chars' => array('http://(<>domainhostname).tld/bla/blupp'),
172 );
173 }
174
175 /**
176 * @test
177 * @dataProvider validateRedirectUrlClearsUrlDataProvider
178 * @param string $url Invalid Url
179 */
180 public function validateRedirectUrlClearsUrl($url) {
181 $this->setUpDatabaseMock();
182 $this->assertEquals('', $this->accessibleFixture->_call('validateRedirectUrl', $url));
183 }
184
185 /**
186 * Data provider for validateRedirectUrlKeepsCleanUrl
187 *
188 * @return array
189 */
190 public function validateRedirectUrlKeepsCleanUrlDataProvider() {
191 return array(
192 'sane absolute URL' => array('http://domainhostname.tld/'),
193 'sane absolute URL with script' => array('http://domainhostname.tld/index.php?id=1'),
194 'sane absolute URL with realurl' => array('http://domainhostname.tld/foo/bar/foo.html'),
195 'sane absolute URL with homedir' => array('http://domainhostname.tld/~user/'),
196 'sane absolute URL with some strange chars encoded' => array('http://domainhostname.tld/~user/a%cc%88o%cc%88%c3%9fa%cc%82/foo.html'),
197 'sane absolute URL (domain record with path)' => array('http://otherhostname.tld/path/'),
198 'sane absolute URL with script (domain record with path)' => array('http://otherhostname.tld/path/index.php?id=1'),
199 'sane absolute URL with realurl (domain record with path)' => array('http://otherhostname.tld/path/foo/bar/foo.html'),
200 'sane absolute URL (domain record with path and slash)' => array('http://sub.domainhostname.tld/path/'),
201 'sane absolute URL with script (domain record with path slash)' => array('http://sub.domainhostname.tld/path/index.php?id=1'),
202 'sane absolute URL with realurl (domain record with path slash)' => array('http://sub.domainhostname.tld/path/foo/bar/foo.html'),
203 'relative URL, no leading slash 1' => array('index.php?id=1'),
204 'relative URL, no leading slash 2' => array('foo/bar/index.php?id=2'),
205 'relative URL, leading slash, no realurl' => array('/index.php?id=1'),
206 'relative URL, leading slash, realurl' => array('/de/service/imprint.html'),
207 );
208 }
209
210 /**
211 * @test
212 * @dataProvider validateRedirectUrlKeepsCleanUrlDataProvider
213 * @param string $url Clean URL to test
214 */
215 public function validateRedirectUrlKeepsCleanUrl($url) {
216 $this->setUpDatabaseMock();
217 $this->assertEquals($url, $this->accessibleFixture->_call('validateRedirectUrl', $url));
218 }
219
220 /**
221 * Data provider for validateRedirectUrlClearsInvalidUrlInSubdirectory
222 *
223 * @return array
224 */
225 public function validateRedirectUrlClearsInvalidUrlInSubdirectoryDataProvider() {
226 return array(
227 'absolute URL, missing subdirectory' => array('http://hostname.tld/'),
228 'absolute URL, wrong subdirectory' => array('http://hostname.tld/hacker/index.php'),
229 'absolute URL, correct subdirectory, no trailing slash' => array('http://hostname.tld/subdir'),
230 'absolute URL, correct subdirectory of sys_domain record, no trailing slash' => array('http://otherhostname.tld/path'),
231 'absolute URL, correct subdirectory of sys_domain record, no trailing slash, subdomain' => array('http://sub.domainhostname.tld/path'),
232 'relative URL, leading slash, no path' => array('/index.php?id=1'),
233 'relative URL, leading slash, wrong path' => array('/de/sub/site.html'),
234 'relative URL, leading slash, slash only' => array('/'),
235 );
236 }
237
238 /**
239 * @test
240 * @dataProvider validateRedirectUrlClearsInvalidUrlInSubdirectoryDataProvider
241 * @param string $url Invalid Url
242 */
243 public function validateRedirectUrlClearsInvalidUrlInSubdirectory($url) {
244 $this->testSitePath = '/subdir/';
245 $this->setUpFakeSitePathAndHost();
246 $this->setUpDatabaseMock();
247 $this->assertEquals('', $this->accessibleFixture->_call('validateRedirectUrl', $url));
248 }
249
250 /**
251 * Data provider for validateRedirectUrlKeepsCleanUrlInSubdirectory
252 *
253 * @return array
254 */
255 public function validateRedirectUrlKeepsCleanUrlInSubdirectoryDataProvider() {
256 return array(
257 'absolute URL, correct subdirectory' => array('http://hostname.tld/subdir/'),
258 'absolute URL, correct subdirectory, realurl' => array('http://hostname.tld/subdir/de/imprint.html'),
259 'absolute URL, correct subdirectory, no realurl' => array('http://hostname.tld/subdir/index.php?id=10'),
260 'absolute URL, correct subdirectory of sys_domain record' => array('http://otherhostname.tld/path/'),
261 'absolute URL, correct subdirectory of sys_domain record, subdomain' => array('http://sub.domainhostname.tld/path/'),
262 'relative URL, no leading slash, realurl' => array('de/service/imprint.html'),
263 'relative URL, no leading slash, no realurl' => array('index.php?id=1'),
264 'relative nested URL, no leading slash, no realurl' => array('foo/bar/index.php?id=2')
265 );
266 }
267
268 /**
269 * @test
270 * @dataProvider validateRedirectUrlKeepsCleanUrlInSubdirectoryDataProvider
271 * @param string $url Invalid Url
272 */
273 public function validateRedirectUrlKeepsCleanUrlInSubdirectory($url) {
274 $this->testSitePath = '/subdir/';
275 $this->setUpFakeSitePathAndHost();
276 $this->setUpDatabaseMock();
277 $this->assertEquals($url, $this->accessibleFixture->_call('validateRedirectUrl', $url));
278 }
279
280
281 /*************************
282 * Test concerning getPreverveGetVars
283 *************************/
284
285 /**
286 * @return array
287 */
288 public function getPreserveGetVarsReturnsCorrectResultDataProvider() {
289 return array(
290 'special get var id is not preserved' => array(
291 array(
292 'id' => 42,
293 ),
294 '',
295 '',
296 ),
297 'simple additional parameter is not preserved if not specified in preservedGETvars' => array(
298 array(
299 'id' => 42,
300 'special' => 23,
301 ),
302 '',
303 '',
304 ),
305 'all params except ignored ones are preserved if preservedGETvars is set to "all"' => array(
306 array(
307 'id' => 42,
308 'special1' => 23,
309 'special2' => array(
310 'foo' => 'bar',
311 ),
312 'tx_felogin_pi1' => array(
313 'forgot' => 1,
314 ),
315 ),
316 'all',
317 '&special1=23&special2[foo]=bar',
318 ),
319 'preserve single parameter' => array(
320 array(
321 'L' => 42,
322 ),
323 'L',
324 '&L=42'
325 ),
326 'preserve whole parameter array' => array(
327 array(
328 'L' => 3,
329 'tx_someext' => array(
330 'foo' => 'simple',
331 'bar' => array(
332 'baz' => 'simple',
333 ),
334 ),
335 ),
336 'L,tx_someext',
337 '&L=3&tx_someext[foo]=simple&tx_someext[bar][baz]=simple',
338 ),
339 'preserve part of sub array' => array(
340 array(
341 'L' => 3,
342 'tx_someext' => array(
343 'foo' => 'simple',
344 'bar' => array(
345 'baz' => 'simple',
346 ),
347 ),
348 ),
349 'L,tx_someext[bar]',
350 '&L=3&tx_someext[bar][baz]=simple',
351 ),
352 'preserve keys on different levels' => array(
353 array(
354 'L' => 3,
355 'no-preserve' => 'whatever',
356 'tx_ext2' => array(
357 'foo' => 'simple',
358 ),
359 'tx_ext3' => array(
360 'bar' => array(
361 'baz' => 'simple',
362 ),
363 'go-away' => '',
364 ),
365 ),
366 'L,tx_ext2,tx_ext3[bar]',
367 '&L=3&tx_ext2[foo]=simple&tx_ext3[bar][baz]=simple',
368 ),
369 'preserved value that does not exist in get' => array(
370 array(),
371 'L,foo[bar]',
372 ''
373 ),
374 'url params are encoded' => array(
375 array('tx_ext1' => 'param with spaces and \\ %<>& /'),
376 'L,tx_ext1',
377 '&tx_ext1=param%20with%20spaces%20and%20%20%25%3C%3E%26%20%2F'
378 ),
379 );
380 }
381
382 /**
383 * @test
384 * @dataProvider getPreserveGetVarsReturnsCorrectResultDataProvider
385 * @param array $getArray
386 * @param string $preserveVars
387 * @param string $expected
388 * @return void
389 */
390 public function getPreserveGetVarsReturnsCorrectResult(array $getArray, $preserveVars, $expected) {
391 $_GET = $getArray;
392 $this->accessibleFixture->conf['preserveGETvars'] = $preserveVars;
393 $this->assertSame($expected, $this->accessibleFixture->_call('getPreserveGetVars'));
394 }
395 }
396
397 ?>