[SECURITY] Prevent information disclosure in tests bootstrap 20/43120/2
authorNicole Cordes <typo3@cordes.co>
Tue, 8 Sep 2015 08:56:16 +0000 (10:56 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 8 Sep 2015 08:56:29 +0000 (10:56 +0200)
Both the UnitTestsBootstrap and the FunctionalTestsBootstrap set
display_errors to 1, which shows errors and warnings by default. If
those scripts are called in a web context, the required files can't be
loaded and the error message shows the website root path. The patch adds
proper checks before files are loaded and exits if an error occurs.

Resolves: #67900
Releases: 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-008
Change-Id: I1e294bcd2f6cd7c2a32f54a890ca2d4a869c9fda
Reviewed-on: http://review.typo3.org/43120
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Build/FunctionalTestsBootstrap.php
typo3/sysext/core/Build/UnitTestsBootstrap.php

index 3c0a35b..99a1bd6 100644 (file)
@@ -51,6 +51,9 @@ class FunctionalTestsBootstrap {
         */
        protected function loadClassFiles() {
                $testsDirectory = __DIR__ . '/../Tests/';
+               if (!class_exists('PHPUnit_Framework_TestCase')) {
+                       die('PHPUnit wasn\'t found. Please check your settings and command.');
+               }
                require_once($testsDirectory . 'BaseTestCase.php');
                require_once($testsDirectory . 'FunctionalTestCase.php');
                require_once($testsDirectory . 'FunctionalTestCaseBootstrapUtility.php');
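Review bot: The added `die('PHPUnit wasn\'t found. ...')` in loadClassFiles() prints to stdout and ends the process with exit status 0, so a CI job or wrapper script that only checks the return code sees a failed bootstrap as success. Since this path is only reached on the command line, I would write the message to stderr and exit non-zero, for example `fwrite(STDERR, 'PHPUnit wasn\'t found. Please check your settings and command.' . PHP_EOL);` followed by `exit(1);`. The same applies to the `die()` calls in the SAPI guards of both files and to the one in UnitTestsBootstrap::includeAndStartCoreBootstrap(); in the SAPI guards `STDERR` is not defined outside the CLI, so `echo` plus `exit(1);` is the safer form there. The body of loadClassFiles() continues outside this hunk.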
@@ -122,6 +125,10 @@ class FunctionalTestsBootstrap {
        }
 }
 
+if (PHP_SAPI !== 'cli') {
+       die('This script supports command line usage only. Please check your command.');
+}
+
 $bootstrap = new FunctionalTestsBootstrap();
 $bootstrap->bootstrapSystem();
 unset($bootstrap);
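Review bot: The `PHP_SAPI !== 'cli'` guard carries no comment saying why it exists, so a later cleanup could remove or relax it without noticing that it is the security fix. I would add a comment above it, such as `// Security (TYPO3-CORE-SA-2015-008): refuse non-CLI SAPIs, because display_errors=1 would expose the site root path to web requests.` The identical guard at the end of UnitTestsBootstrap.php needs the same comment. Placing the guard as the first statement of the file, before the class declaration, would also make it obvious that nothing runs ahead of it.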
index 859f5df..48981dd 100644 (file)
@@ -171,7 +171,11 @@ class UnitTestsBootstrap {
         * @return UnitTestsBootstrap fluent interface
         */
        protected function includeAndStartCoreBootstrap() {
-               require_once PATH_site . '/typo3/sysext/core/Classes/Core/Bootstrap.php';
+               $bootstrapPath = PATH_site . '/typo3/sysext/core/Classes/Core/Bootstrap.php';
+               if (!file_exists($bootstrapPath)) {
+                       die('Bootstrap can\'t be loaded. Please check your path or set an environment variable \'TYPO3_PATH_WEB\' to your root path.');
+               }
+               require_once $bootstrapPath;
 
                Bootstrap::getInstance()
                        ->baseSetup()
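Review bot: `file_exists($bootstrapPath)` is also true for a directory and for a file the process cannot read, so the following `require_once $bootstrapPath;` can still fail with a fatal error that prints the full path. A tighter guard is `if (!is_file($bootstrapPath) || !is_readable($bootstrapPath)) {`. With the CLI-only guard added at the end of this file the remaining exposure is presumably limited to console output, but the check then matches what the message promises. The body of includeAndStartCoreBootstrap() continues outside this hunk.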
@@ -211,6 +215,10 @@ class UnitTestsBootstrap {
        }
 }
 
+if (PHP_SAPI !== 'cli') {
+       die('This script supports command line usage only. Please check your command.');
+}
+
 $bootstrap = new UnitTestsBootstrap();
 $bootstrap->bootstrapSystem();
 unset($bootstrap);