author | Bharat Mediratta <bharat@menalto.com> | 2010-01-18 11:10:37 -0800 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2010-01-18 11:10:37 -0800 |
commit | 0dc184e99f0ca607774a68257432a9a981f4d5b7 (patch) | |
tree | c80a6c2c24215bf31a3fbde974b509bd77f5e826 /modules/gallery/tests/Url_Security_Test.php | |
parent | 2c2c77ea391a59f89449d07aff604bf11042515c (diff) |
Overload url::current() and url::merge() to make the current url XSS
safe. Add tests to make sure that it doesn't relapse with future
Kohana changes. Fixes ticket #983.
Ref: http://gallery.menalto.com/node/93738
Diffstat (limited to 'modules/gallery/tests/Url_Security_Test.php')
-rw-r--r-- | modules/gallery/tests/Url_Security_Test.php | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/modules/gallery/tests/Url_Security_Test.php b/modules/gallery/tests/Url_Security_Test.php
new file mode 100644
index 00000000..de25880f
--- /dev/null
+++ b/modules/gallery/tests/Url_Security_Test.php
@@ -0,0 +1,43 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+class Url_Security_Test extends Unit_Test_Case {
+  public function setup() {
+    $this->save = array(Router::$current_uri, Router::$complete_uri, $_GET);
+  }
+
+  public function teardown() {
+    list(Router::$current_uri, Router::$complete_uri, $_GET) = $this->save;
+  }
+
+  public function xss_in_current_url_test() {
+    Router::$current_uri = "foo/<xss>/bar";
+    Router::$complete_uri = "foo/<xss>/bar?foo=bar";
+    $this->assert_same("foo/<xss>/bar", url::current());
+    $this->assert_same("foo/<xss>/bar?foo=bar", url::current(true));
+  }
+
+  public function xss_in_merged_url_test() {
+    Router::$current_uri = "foo/<xss>/bar";
+    Router::$complete_uri = "foo/<xss>/bar?foo=bar";
+    $_GET = array("foo" => "bar");
+    $this->assert_same("foo/<xss>/bar?foo=bar", url::merge(array()));
+    $this->assert_same("foo/<xss>/bar?foo=bar&a=b", url::merge(array("a" => "b")));
+  }
+}
\ No newline at end of file |
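Review bot: Both test methods only prove that url::current() and url::merge() echo Router::$current_uri / Router::$complete_uri verbatim (the `<xss>` marker comes back unchanged), so they do not distinguish the overridden implementation from one that reads the request line from `$_SERVER`, which is presumably the regression this commit guards against. To make the guard real, the fixture should also plant a contradicting value that a relapsed Kohana implementation would pick up, e.g. `$_SERVER["REQUEST_URI"] = "/evil/<script>"; $_SERVER["QUERY_STRING"] = "x=<script>";` in setup() (and save/restore `$_SERVER` alongside the other globals in setup()/teardown()), then keep the same assertions. Since the assertions deliberately expect the raw `<`/`>` to survive, a class docblock should state the contract the tests pin so the next reader does not take them as proof of output encoding, e.g. `// url::current()/url::merge() must return Router's URI unchanged and never read $_SERVER; HTML-escaping remains the caller's job.`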