diff options
| -rw-r--r-- | modules/gallery/helpers/p.php | 33 | ||||
| -rw-r--r-- | modules/gallery/tests/Xss_Security_Test.php | 138 |
2 files changed, 171 insertions, 0 deletions
diff --git a/modules/gallery/helpers/p.php b/modules/gallery/helpers/p.php new file mode 100644 index 00000000..69032840 --- /dev/null +++ b/modules/gallery/helpers/p.php @@ -0,0 +1,33 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2009 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class p_Core { + static function attr($dirty_html) { + // return $dirty_html; + return htmlentities($dirty_html, ENT_QUOTES); + // return str_replace('"', '"', $dirty_html); + // return str_replace('"', '"', Purify::instance()->purify($dirty_html)); + } + + function clean($dirty_html) { + // return $dirty_html; + return htmlentities($dirty_html, ENT_QUOTES); + // return Purify::instance()->purify($dirty_html); + } +} diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php new file mode 100644 index 00000000..22c4a767 --- /dev/null +++ b/modules/gallery/tests/Xss_Security_Test.php @@ -0,0 +1,138 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2009 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class Xss_Security_Test extends Unit_Test_Case { + + static function scan_php_file($file, &$cache) { + $code = file_get_contents($file); + $raw_tokens = token_get_all($code); + unset($code); + + $tokens = array(); + $func_token_list = array("t" => array(), "t2" => array()); + $token_number = 0; + // Filter out HTML / whitespace, and build a lookup for global function calls. + foreach ($raw_tokens as $token) { + if ((!is_array($token)) || (($token[0] != T_WHITESPACE) && ($token[0] != T_INLINE_HTML))) { + if (is_array($token)) { + if ($token[0] == T_STRING && in_array($token[1], array("t", "t2"))) { + $func_token_list[$token[1]][] = $token_number; + } + } + $tokens[] = $token; + $token_number++; + } + } + unset($raw_tokens); + + if (!empty($func_token_list["t"])) { + l10n_scanner::_parse_t_calls($tokens, $func_token_list["t"], $cache); + } + if (!empty($func_token_list["t2"])) { + l10n_scanner::_parse_plural_calls($tokens, $func_token_list["t2"], $cache); + } + } + + public function find_unescaped_variables_in_views_test() { + // foreach (glob("*/*/views/*.php") as $view) { + foreach (array("modules/search/views/search.html.php") as $view) { + $expr = null; + $line = null; + $level = 0; + $php = 0; + $str = null; + $in_p_clean = 0; + foreach (token_get_all(file_get_contents($view)) as $token) { + if (false /* useful for debugging */) { + if (is_array($token)) { + printf("[$str] [$in_p_clean] %-15s %s\n", token_name($token[0]), $token[1]); + } else { + printf("[$str] [$in_p_clean] %-15s %s\n", "<char>", $token); + } + } + + // If we find a "(" after a "p::clean" then start counting levels of parens and assume + // that we're inside a p::clean() call until we find the matching close paren. + if ($token[0] == "(" && $str == "p::clean") { + $in_p_clean = 1; + } else if ($token[0] == "(" && $in_p_clean) { + $in_p_clean++; + } else if ($token[0] == ")" && $in_p_clean) { + $in_p_clean--; + } + + // Concatenate runs of strings for convenience, which we use above to figure out if we're + // inside a p::clean() call or not + if ($token[0] == T_STRING || $token[0] == T_DOUBLE_COLON) { + $str .= $token[1]; + } else { + $str = null; + } + + // Scan for any occurrences of < ? = $variable ? > and store it in $expr + if ($token[0] == T_OPEN_TAG_WITH_ECHO) { + $php++; + } else if ($php && $token[0] == T_CLOSE_TAG) { + $php--; + } else if ($php && $token[0] == T_VARIABLE) { + if (!$expr) { + $entry = array($token[2], $in_p_clean); + } + $expr .= $token[1]; + } else if ($expr) { + if ($token[0] == T_OBJECT_OPERATOR) { + $expr .= $token[1]; + } else if ($token[0] == T_STRING) { + $expr .= $token[1]; + } else if ($token == "(") { + $expr .= $token; + $level++; + } else if ($level > 0 && $token == ")") { + $expr .= $token; + $level--; + } else if ($level > 0) { + $expr .= is_array($token) ? $token[1] : $token; + } else { + $entry[] = $expr; + $found[$view][] = $entry; + $expr = null; + $entry = null; + } + } + } + } + + $canonical = MODPATH . "gallery/tests/xss_data.txt"; + $new = TMPPATH . "xss_data.txt"; + $fd = fopen($new, "wb"); + ksort($found); + foreach ($found as $view => $entries) { + foreach ($entries as $entry) { + fwrite($fd, + sprintf("%-60s %-3s %-9s %s\n", + $view, $entry[0], $entry[1] ? "CLEAN" : "NOT_CLEAN", $entry[2])); + } + } + fclose($fd); + + exec("diff $canonical $new", $output, $return_value); + $this->assert_false( + $return_value, "XSS golden file mismatch. Output:\n" . implode("\n", $output) ); + } +} |