From 6c89bb88789257d1dfe4c2ce6eb14e64fe87507c Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Mon, 15 Feb 2010 13:51:32 -0800 Subject: Update of reviewed XSS audit data. --- modules/gallery/tests/xss_data.txt | 56 ++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 29 deletions(-) (limited to 'modules/gallery/tests') diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index e53502ee..44233459 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -32,8 +32,8 @@ modules/comment/views/comment.mrss.php 29 DIRTY $child modules/comment/views/comment.mrss.php 34 DIRTY_ATTR $child->thumb_url modules/comment/views/comment.mrss.php 35 DIRTY_ATTR $child->thumb_height modules/comment/views/comment.mrss.php 35 DIRTY_ATTR $child->thumb_width -modules/comment/views/comments.html.php 16 DIRTY_ATTR $comment->id -modules/comment/views/comments.html.php 19 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true)) +modules/comment/views/comments.html.php 18 DIRTY_ATTR $comment->id +modules/comment/views/comments.html.php 21 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true)) modules/comment/views/user_profile_comments.html.php 5 DIRTY_ATTR $comment->id modules/comment/views/user_profile_comments.html.php 10 DIRTY_JS $comment->item()->url() modules/comment/views/user_profile_comments.html.php 11 DIRTY $comment->item()->thumb_img(array(),50) 
@@ -81,19 +81,18 @@ modules/gallery/views/admin_maintenance.html.php 24 DIRTY_ATTR log: modules/gallery/views/admin_maintenance.html.php 25 DIRTY_ATTR log::severity_class($task->severity) modules/gallery/views/admin_maintenance.html.php 26 DIRTY $task->name modules/gallery/views/admin_maintenance.html.php 29 DIRTY $task->description -modules/gallery/views/admin_maintenance.html.php 33 DIRTY_JS "{$button->url}/$task->callback?csrf=$csrf" -modules/gallery/views/admin_maintenance.html.php 76 DIRTY_ATTR text::alternate("g-odd","g-even") -modules/gallery/views/admin_maintenance.html.php 76 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" -modules/gallery/views/admin_maintenance.html.php 77 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" -modules/gallery/views/admin_maintenance.html.php 78 DIRTY gallery::date_time($task->updated) -modules/gallery/views/admin_maintenance.html.php 81 DIRTY $task->name -modules/gallery/views/admin_maintenance.html.php 96 DIRTY $task->status -modules/gallery/views/admin_maintenance.html.php 147 DIRTY_ATTR text::alternate("g-odd","g-even") -modules/gallery/views/admin_maintenance.html.php 147 DIRTY_ATTR $task->state=="success"?"g-success":"g-error" -modules/gallery/views/admin_maintenance.html.php 148 DIRTY_ATTR $task->state=="success"?"g-success":"g-error" -modules/gallery/views/admin_maintenance.html.php 149 DIRTY gallery::date_time($task->updated) -modules/gallery/views/admin_maintenance.html.php 152 DIRTY $task->name -modules/gallery/views/admin_maintenance.html.php 164 DIRTY $task->status +modules/gallery/views/admin_maintenance.html.php 70 DIRTY_ATTR text::alternate("g-odd","g-even") +modules/gallery/views/admin_maintenance.html.php 70 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" +modules/gallery/views/admin_maintenance.html.php 71 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" +modules/gallery/views/admin_maintenance.html.php 72 DIRTY gallery::date_time($task->updated) +modules/gallery/views/admin_maintenance.html.php 75 
DIRTY $task->name +modules/gallery/views/admin_maintenance.html.php 90 DIRTY $task->status +modules/gallery/views/admin_maintenance.html.php 141 DIRTY_ATTR text::alternate("g-odd","g-even") +modules/gallery/views/admin_maintenance.html.php 141 DIRTY_ATTR $task->state=="success"?"g-success":"g-error" +modules/gallery/views/admin_maintenance.html.php 142 DIRTY_ATTR $task->state=="success"?"g-success":"g-error" +modules/gallery/views/admin_maintenance.html.php 143 DIRTY gallery::date_time($task->updated) +modules/gallery/views/admin_maintenance.html.php 146 DIRTY $task->name +modules/gallery/views/admin_maintenance.html.php 158 DIRTY $task->status modules/gallery/views/admin_maintenance_show_log.html.php 8 DIRTY_JS url::site("admin/maintenance/save_log/$task->id?csrf=$csrf") modules/gallery/views/admin_maintenance_show_log.html.php 13 DIRTY $task->name modules/gallery/views/admin_maintenance_task.html.php 55 DIRTY $task->name @@ -121,6 +120,7 @@ modules/gallery/views/admin_themes.html.php 62 DIRTY $theme modules/gallery/views/admin_themes.html.php 76 DIRTY $info->name modules/gallery/views/admin_themes.html.php 78 DIRTY $info->description modules/gallery/views/admin_themes_preview.html.php 7 DIRTY_ATTR $url +modules/gallery/views/error_404.html.php 14 DIRTY $login_form modules/gallery/views/form_uploadify.html.php 30 DIRTY_JS url::file("lib/uploadify/uploadify.swf") modules/gallery/views/form_uploadify.html.php 31 DIRTY_JS url::site("simple_uploader/add_photo/{$album->id}") modules/gallery/views/form_uploadify.html.php 35 DIRTY_JS url::file("lib/uploadify/cancel.png") 
@@ -128,8 +128,7 @@ modules/gallery/views/form_uploadify.html.php 36 DIRTY_JS $simul modules/gallery/views/in_place_edit.html.php 2 DIRTY form::open($action,array("method"=>"post","id"=>"g-in-place-edit-form","class"=>"g-short-form")) modules/gallery/views/in_place_edit.html.php 3 DIRTY access::csrf_form_field() modules/gallery/views/in_place_edit.html.php 6 DIRTY form::input("input",$form["input"]," class=\"textbox\"") -modules/gallery/views/kohana_error_page.php 102 DIRTY $message -modules/gallery/views/kohana_error_page.php 116 DIRTY $trace +modules/gallery/views/in_place_edit.html.php 14 DIRTY $errors["input"] modules/gallery/views/kohana_profiler.php 32 DIRTY $profile->render(); modules/gallery/views/l10n_client.html.php 21 DIRTY_ATTR $string["translation"]===""?"untranslated":"translated" modules/gallery/views/l10n_client.html.php 23 DIRTY $string["source"]["one"] 
@@ -148,18 +147,18 @@ modules/gallery/views/l10n_client.html.php 67 DIRTY form:: modules/gallery/views/login_ajax.html.php 6 DIRTY_JS url::site("password/reset") modules/gallery/views/login_ajax.html.php 37 DIRTY $form modules/gallery/views/maintenance.html.php 46 DIRTY auth::get_login_form("login/auth_html") -modules/gallery/views/menu.html.php 4 DIRTY isset($menu->css_id)?"id='$menu->css_id'":"" +modules/gallery/views/menu.html.php 4 DIRTY $menu->css_id?"id='$menu->css_id'":"" modules/gallery/views/menu.html.php 4 DIRTY_ATTR $menu->css_class modules/gallery/views/menu.html.php 6 DIRTY $element->render() modules/gallery/views/menu.html.php 18 DIRTY $element->render() -modules/gallery/views/menu_ajax_link.html.php 3 DIRTY_ATTR $menu->css_id +modules/gallery/views/menu_ajax_link.html.php 3 DIRTY $menu->css_id?"id='{$menu->css_id}'":"" modules/gallery/views/menu_ajax_link.html.php 4 DIRTY_ATTR $menu->css_class modules/gallery/views/menu_ajax_link.html.php 5 DIRTY_JS $menu->url modules/gallery/views/menu_ajax_link.html.php 7 DIRTY $menu->ajax_handler -modules/gallery/views/menu_dialog.html.php 3 DIRTY_ATTR $menu->css_id +modules/gallery/views/menu_dialog.html.php 3 DIRTY $menu->css_id?"id='{$menu->css_id}'":"" modules/gallery/views/menu_dialog.html.php 4 DIRTY_ATTR $menu->css_class modules/gallery/views/menu_dialog.html.php 5 DIRTY_JS $menu->url -modules/gallery/views/menu_link.html.php 3 DIRTY_ATTR $menu->css_id +modules/gallery/views/menu_link.html.php 3 DIRTY $menu->css_id?"id='{$menu->css_id}'":"" modules/gallery/views/menu_link.html.php 4 DIRTY_ATTR $menu->css_class modules/gallery/views/menu_link.html.php 5 DIRTY_JS $menu->url modules/gallery/views/move_browse.html.php 4 DIRTY_JS url::site("move/show_sub_tree/{$source->id}/__TARGETID__") 
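Review bot: The four `menu*.html.php` entries for `$menu->css_id?"id='{$menu->css_id}'":""` move from DIRTY_ATTR to DIRTY, which records that the whole `id='…'` fragment is now emitted without the attribute escaper rather than only the value, so the reviewed status rests on `css_id` being set from code and never from request data. That assumption is not visible in this data file and the commit message ("Update of reviewed XSS audit data") does not state it; if a menu id is ever built from input, these four views become attribute-injection points that the audit keeps reporting as reviewed. Stating the assumption in the commit description would let a later audit check it instead of re-deriving it from the views.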
@@ -209,6 +208,7 @@ modules/gallery/views/permissions_form.html.php 75 DIRTY_JS $item- modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $group->id modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $permission->id modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $item->id +modules/gallery/views/reauthenticate.html.php 9 DIRTY $form modules/gallery/views/upgrader.html.php 57 DIRTY_ATTR $done?"muted":"" modules/gallery/views/upgrader.html.php 61 DIRTY_ATTR $done?"muted":"" modules/gallery/views/upgrader.html.php 69 DIRTY_ATTR $module->version==$module->code_version?"current":"upgradeable" 
@@ -239,15 +239,13 @@ modules/organize/views/organize_dialog.html.php 4 DIRTY_JS url::s modules/organize/views/organize_dialog.html.php 5 DIRTY_JS url::site("organize/sort_order/__ALBUM_ID__/__COL__/__DIR__?csrf=$csrf") modules/organize/views/organize_dialog.html.php 6 DIRTY_JS url::site("organize/tree/__ALBUM_ID__") modules/organize/views/organize_dialog.html.php 14 DIRTY $album_tree -modules/organize/views/organize_dialog.html.php 24 DIRTY $micro_thumb_grid +modules/organize/views/organize_dialog.html.php 23 DIRTY $micro_thumb_grid modules/organize/views/organize_dialog.html.php 32 DIRTY form::dropdown(array("id"=>"g-organize-sort-column"),album::get_sort_order_options(),$album->sort_column) -modules/organize/views/organize_dialog.html.php 33 DIRTY form::dropdown(array("id"=>"g-organize-sort-order"),array("ASC"=>"Ascending","DESC"=>"Descending"),$album->sort_order) -modules/organize/views/organize_thumb_grid.html.php 3 DIRTY_ATTR $child->id +modules/organize/views/organize_thumb_grid.html.php 3 DIRTY_ATTR $child->is_album()?"g-album":"g-photo" modules/organize/views/organize_thumb_grid.html.php 4 DIRTY_ATTR $child->id -modules/organize/views/organize_thumb_grid.html.php 5 DIRTY_ATTR $child->is_album()?"g-album":"g-photo" -modules/organize/views/organize_thumb_grid.html.php 6 DIRTY $child->thumb_img(array("class"=>"g-thumbnail","ref"=>$child->id),90,true) -modules/organize/views/organize_thumb_grid.html.php 7 DIRTY $child->is_album()?" class=\"ui-icon ui-icon-note\"":"" -modules/organize/views/organize_thumb_grid.html.php 15 DIRTY_JS url::site("organize/album/$album->id/".($offset+25)) +modules/organize/views/organize_thumb_grid.html.php 5 DIRTY $child->thumb_img(array("class"=>"g-thumbnail","ref"=>$child->id),90,true) +modules/organize/views/organize_thumb_grid.html.php 6 DIRTY $child->is_album()?" 
class=\"ui-icon ui-icon-note\"":"" +modules/organize/views/organize_thumb_grid.html.php 13 DIRTY_JS url::site("organize/album/$album->id/".($offset+25)) modules/organize/views/organize_tree.html.php 2 DIRTY_ATTR access::can("edit",$album)?"":"g-view-only" modules/organize/views/organize_tree.html.php 3 DIRTY_ATTR $album->id modules/organize/views/organize_tree.html.php 6 DIRTY_ATTR $selected&&$album->id==$selected->id?"ui-state-focus":"" @@ -255,6 +253,7 @@ modules/organize/views/organize_tree.html.php 7 DIRTY_ATTR $alb modules/organize/views/organize_tree.html.php 13 DIRTY View::factory("organize_tree.html",array("selected"=>$selected,"album"=>$child)); modules/organize/views/organize_tree.html.php 15 DIRTY_ATTR access::can("edit",$child)?"":"g-view-only" modules/organize/views/organize_tree.html.php 16 DIRTY_ATTR $child->id +modules/organize/views/organize_tree.html.php 18 DIRTY_ATTR $selected&&$child->id==$selected->id?"ui-state-focus":"" modules/organize/views/organize_tree.html.php 18 DIRTY_ATTR $child->id modules/recaptcha/views/admin_recaptcha.html.php 11 DIRTY $form modules/recaptcha/views/admin_recaptcha.html.php 23 DIRTY_JS $public_key @@ -323,7 +322,6 @@ modules/user/views/admin_users.html.php 123 DIRTY_ATTR ($gr modules/user/views/admin_users.html.php 125 DIRTY $v modules/user/views/admin_users_group.html.php 22 DIRTY_JS $user->id modules/user/views/admin_users_group.html.php 22 DIRTY_JS $group->id -modules/user/views/user_form.html.php 7 DIRTY $form modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $width modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $height modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $url -- cgit v1.2.3 From 8ab580cec1909fb93ba01fb635e1392a76317623 Mon Sep 17 00:00:00 2001 
From: Bharat Mediratta Date: Tue, 23 Feb 2010 11:50:39 -0800 Subject: Verified --- modules/gallery/tests/xss_data.txt | 41 +++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 23 deletions(-) (limited to 'modules/gallery/tests') diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index 44233459..a3ca31f4 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -218,8 +218,8 @@ modules/gallery/views/upgrader.html.php 77 DIRTY $modul modules/gallery/views/upgrader.html.php 99 DIRTY_ATTR $done?"muted":"" modules/gallery/views/upgrader.html.php 102 DIRTY_ATTR $done?"muted":"" modules/gallery/views/user_languages_block.html.php 2 DIRTY form::dropdown("g-select-session-locale",$installed_locales,$selected) -modules/gallery/views/user_profile.html.php 36 DIRTY_ATTR $user->avatar_url(40,$theme->url(,true)) -modules/gallery/views/user_profile.html.php 47 DIRTY $info->view +modules/gallery/views/user_profile.html.php 34 DIRTY_ATTR $user->avatar_url(40,$theme->url(,true)) +modules/gallery/views/user_profile.html.php 43 DIRTY $info->view modules/image_block/views/image_block_block.html.php 3 DIRTY_JS $item->url() modules/image_block/views/image_block_block.html.php 4 DIRTY $item->thumb_img(array("class"=>"g-thumbnail")) modules/info/views/info_block.html.php 22 DIRTY date("M j, Y H:i:s",$item->captured) 
@@ -250,11 +250,11 @@ modules/organize/views/organize_tree.html.php 2 DIRTY_ATTR acce modules/organize/views/organize_tree.html.php 3 DIRTY_ATTR $album->id modules/organize/views/organize_tree.html.php 6 DIRTY_ATTR $selected&&$album->id==$selected->id?"ui-state-focus":"" modules/organize/views/organize_tree.html.php 7 DIRTY_ATTR $album->id -modules/organize/views/organize_tree.html.php 13 DIRTY View::factory("organize_tree.html",array("selected"=>$selected,"album"=>$child)); -modules/organize/views/organize_tree.html.php 15 DIRTY_ATTR access::can("edit",$child)?"":"g-view-only" -modules/organize/views/organize_tree.html.php 16 DIRTY_ATTR $child->id -modules/organize/views/organize_tree.html.php 18 DIRTY_ATTR $selected&&$child->id==$selected->id?"ui-state-focus":"" +modules/organize/views/organize_tree.html.php 15 DIRTY View::factory("organize_tree.html",array("selected"=>$selected,"album"=>$child)); +modules/organize/views/organize_tree.html.php 17 DIRTY_ATTR access::can("edit",$child)?"":"g-view-only" modules/organize/views/organize_tree.html.php 18 DIRTY_ATTR $child->id +modules/organize/views/organize_tree.html.php 20 DIRTY_ATTR $selected&&$child->id==$selected->id?"ui-state-focus":"" +modules/organize/views/organize_tree.html.php 20 DIRTY_ATTR $child->id modules/recaptcha/views/admin_recaptcha.html.php 11 DIRTY $form modules/recaptcha/views/admin_recaptcha.html.php 23 DIRTY_JS $public_key modules/recaptcha/views/form_recaptcha.html.php 7 DIRTY_JS $public_key 
@@ -274,21 +274,16 @@ modules/rss/views/feed.mrss.php 42 DIRTY_ATTR $chi modules/rss/views/feed.mrss.php 48 DIRTY_ATTR $child->thumb_url(true) modules/rss/views/feed.mrss.php 49 DIRTY_ATTR $child->thumb_height modules/rss/views/feed.mrss.php 50 DIRTY_ATTR $child->thumb_width -modules/rss/views/feed.mrss.php 54 DIRTY_ATTR $child->resize_url(true) -modules/rss/views/feed.mrss.php 55 DIRTY_ATTR @filesize($child->resize_path()) -modules/rss/views/feed.mrss.php 56 DIRTY_ATTR $child->mime_type -modules/rss/views/feed.mrss.php 57 DIRTY_ATTR $child->resize_height -modules/rss/views/feed.mrss.php 58 DIRTY_ATTR $child->resize_width -modules/rss/views/feed.mrss.php 61 DIRTY_ATTR $child->file_url(true) -modules/rss/views/feed.mrss.php 62 DIRTY_ATTR @filesize($child->file_path()) -modules/rss/views/feed.mrss.php 63 DIRTY_ATTR $child->mime_type -modules/rss/views/feed.mrss.php 64 DIRTY_ATTR $child->height -modules/rss/views/feed.mrss.php 65 DIRTY_ATTR $child->width -modules/rss/views/feed.mrss.php 70 DIRTY_ATTR $child->file_url(true) -modules/rss/views/feed.mrss.php 71 DIRTY_ATTR @filesize($child->file_path()) -modules/rss/views/feed.mrss.php 72 DIRTY_ATTR $child->height -modules/rss/views/feed.mrss.php 73 DIRTY_ATTR $child->width -modules/rss/views/feed.mrss.php 74 DIRTY_ATTR $child->mime_type +modules/rss/views/feed.mrss.php 57 DIRTY_ATTR $child->resize_url(true) +modules/rss/views/feed.mrss.php 58 DIRTY_ATTR @filesize($child->resize_path()) +modules/rss/views/feed.mrss.php 59 DIRTY_ATTR $child->mime_type +modules/rss/views/feed.mrss.php 60 DIRTY_ATTR $child->resize_height +modules/rss/views/feed.mrss.php 61 DIRTY_ATTR $child->resize_width +modules/rss/views/feed.mrss.php 65 DIRTY_ATTR $child->file_url(true) +modules/rss/views/feed.mrss.php 66 DIRTY_ATTR @filesize($child->file_path()) +modules/rss/views/feed.mrss.php 67 DIRTY_ATTR $child->mime_type +modules/rss/views/feed.mrss.php 68 DIRTY_ATTR $child->height +modules/rss/views/feed.mrss.php 69 DIRTY_ATTR $child->width 
modules/rss/views/rss_block.html.php 6 DIRTY_JS rss::url($url) modules/search/views/search.html.php 27 DIRTY_ATTR $item_class modules/search/views/search.html.php 28 DIRTY_JS $item->url() @@ -320,8 +315,8 @@ modules/user/views/admin_users.html.php 87 DIRTY ($user modules/user/views/admin_users.html.php 123 DIRTY_ATTR $group->id modules/user/views/admin_users.html.php 123 DIRTY_ATTR ($group->special?"g-default-group":"") modules/user/views/admin_users.html.php 125 DIRTY $v -modules/user/views/admin_users_group.html.php 22 DIRTY_JS $user->id -modules/user/views/admin_users_group.html.php 22 DIRTY_JS $group->id +modules/user/views/admin_users_group.html.php 24 DIRTY_JS $user->id +modules/user/views/admin_users_group.html.php 24 DIRTY_JS $group->id modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $width modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $height modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $url -- cgit v1.2.3 From 212da35cdc5c68ad06ff2f0e5d820ccbcf328a89 Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Tue, 23 Feb 2010 12:48:03 -0800 Subject: Fix Cache tests for recent Cache/Database.php driver fix. Cache::delete($arg) allows for scalars and arrays, but Cache drivers' delete($arg) function always expects an array. --- modules/gallery/tests/Cache_Test.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/gallery/tests') diff --git a/modules/gallery/tests/Cache_Test.php b/modules/gallery/tests/Cache_Test.php index 1023568b..a942a292 100644 --- a/modules/gallery/tests/Cache_Test.php +++ b/modules/gallery/tests/Cache_Test.php 
@@ -118,7 +118,7 @@ class Cache_Test extends Gallery_Unit_Test_Case { $value3 = array("field5" => "value5", "field6" => "value6"); $this->_driver->set(array($id3 => $value3), array("tag3", "tag4"), 84600); - $this->_driver->delete($id1); + $this->_driver->delete(array($id1)); $this->assert_false($this->_driver->exists($id1), "$id1 should have been deleted"); $this->assert_true($this->_driver->exists($id2), "$id2 should not have been deleted"); @@ -138,7 +138,7 @@ class Cache_Test extends Gallery_Unit_Test_Case { $value3 = array("field5" => "value5", "field6" => "value6"); $this->_driver->set(array($id3 => $value3), array("tag3", "tag4"), 84600); - $data = $this->_driver->delete("tag3", true); + $data = $this->_driver->delete_tag(array("tag3")); $this->assert_true($this->_driver->exists($id1), "$id1 should not have been deleted"); $this->assert_false($this->_driver->exists($id2), "$id2 should have been deleted"); -- cgit v1.2.3 From d4423eb34970f0068af463ebea17a748910ca835 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Tue, 23 Feb 2010 13:50:57 -0800 Subject: Reset the active user to admin in all test cases where we change the user to something else. --- modules/comment/tests/Comment_Model_Test.php | 3 +++ modules/gallery/tests/Access_Helper_Test.php | 9 +++++---- modules/gallery/tests/Item_Helper_Test.php | 3 +-- modules/gallery/tests/Item_Rest_Helper_Test.php | 4 ++++ modules/tag/tests/Tags_Rest_Helper_Test.php | 4 ++++ 5 files changed, 17 insertions(+), 6 deletions(-) (limited to 'modules/gallery/tests') diff --git a/modules/comment/tests/Comment_Model_Test.php b/modules/comment/tests/Comment_Model_Test.php index f0449c05..798e4f6d 100644 --- a/modules/comment/tests/Comment_Model_Test.php +++ b/modules/comment/tests/Comment_Model_Test.php 
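Review bot: In the second hunk `$data = $this->_driver->delete_tag(array("tag3"));` keeps the assignment from the old `delete("tag3", true)` call, but nothing in the hunk reads `$data`, and the rest of the method is outside the hunk. If the remaining lines do not assert on it either, either drop the assignment, `$this->_driver->delete_tag(array("tag3"));`, or add an assertion on the return value so the test pins what `delete_tag` reports; as written the only thing the test checks is the existence of the ids afterwards.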
@@ -18,6 +18,9 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Comment_Model_Test extends Gallery_Unit_Test_Case { + public function teardown() { + identity::set_active_user(identity::admin_user()); + } public function cant_view_comments_for_unviewable_items_test() { $album = test::random_album(); diff --git a/modules/gallery/tests/Access_Helper_Test.php b/modules/gallery/tests/Access_Helper_Test.php index 5331117d..6eca396c 100644 --- a/modules/gallery/tests/Access_Helper_Test.php +++ b/modules/gallery/tests/Access_Helper_Test.php @@ -20,6 +20,10 @@ class Access_Helper_Test extends Gallery_Unit_Test_Case { private $_group; + public function setup() { + identity::set_active_user(identity::guest()); + } + public function teardown() { try { $group = identity::lookup_group_by_name("access_test"); @@ -41,10 +45,7 @@ class Access_Helper_Test extends Gallery_Unit_Test_Case { // Reset some permissions that we mangle below access::allow(identity::everybody(), "view", item::root()); - } - - public function setup() { - identity::set_active_user(identity::guest()); + identity::set_active_user(identity::admin_user()); } public function groups_and_permissions_are_bound_to_columns_test() { diff --git a/modules/gallery/tests/Item_Helper_Test.php b/modules/gallery/tests/Item_Helper_Test.php index 50587702..90106562 100644 --- a/modules/gallery/tests/Item_Helper_Test.php +++ b/modules/gallery/tests/Item_Helper_Test.php @@ -18,8 +18,7 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Item_Helper_Test extends Gallery_Unit_Test_Case { - - public function setup() { + public function teardown() { identity::set_active_user(identity::admin_user()); } diff --git a/modules/gallery/tests/Item_Rest_Helper_Test.php b/modules/gallery/tests/Item_Rest_Helper_Test.php index 6d1dd864..7b86c153 100644 --- a/modules/gallery/tests/Item_Rest_Helper_Test.php +++ b/modules/gallery/tests/Item_Rest_Helper_Test.php 
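Review bot: In `Access_Helper_Test::teardown()` the reset `identity::set_active_user(identity::admin_user());` is placed last, after the group lookup and the `access::allow(identity::everybody(), "view", item::root());` cleanup, which therefore still run as the guest user that `setup()` installs; most of the method is outside this hunk, so whether the surrounding `try` catches every failure on that path is not visible, but any uncaught failure leaves guest active for the next test class. Moving the reset to the first statement of `teardown()`, i.e. `identity::set_active_user(identity::admin_user());` before the `try {`, runs the cleanup under the admin identity and makes the reset unconditional. Whether `lookup_group_by_name` or `access::allow` consult the active user cannot be told from the hunk.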
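Review bot: Renaming `Item_Helper_Test::setup()` to `teardown()` removes the only point where this class put the admin user in place before a test runs, so its first test now depends on whichever test class ran before having restored admin in its own `teardown()`; this commit adds that to four classes, but any other class that switches user is not covered. Keeping a `setup()` with the same body, `identity::set_active_user(identity::admin_user());`, alongside the new `teardown()` makes the class self-contained for one extra line.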
@@ -18,6 +18,10 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Item_Rest_Helper_Test extends Gallery_Unit_Test_Case { + public function teardown() { + identity::set_active_user(identity::admin_user()); + } + public function resolve_test() { $album = test::random_album(); $resolved = rest::resolve(rest::url("item", $album)); diff --git a/modules/tag/tests/Tags_Rest_Helper_Test.php b/modules/tag/tests/Tags_Rest_Helper_Test.php index cdf7bfdf..dbad0b02 100644 --- a/modules/tag/tests/Tags_Rest_Helper_Test.php +++ b/modules/tag/tests/Tags_Rest_Helper_Test.php @@ -26,6 +26,10 @@ class Tags_Rest_Helper_Test extends Gallery_Unit_Test_Case { } } + public function teardown() { + identity::set_active_user(identity::admin_user()); + } + public function get_test() { $t1 = tag::add(item::root(), "t1"); $t2 = tag::add(item::root(), "t2"); -- cgit v1.2.3 From d9707ae749df2770370dc4eeeeaddda28f092d4d Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Sat, 27 Feb 2010 02:37:39 -0800 Subject: Fix for ticket #1036 - Don't echo any sensitive information such as passwords, hashes or personally identifiable information. --- modules/gallery/libraries/MY_Kohana_Exception.php | 57 ++++++++ modules/gallery/tests/Kohana_Exception_Test.php | 170 ++++++++++++++++++++++ modules/gallery/views/kohana/error.php | 4 +- 3 files changed, 229 insertions(+), 2 deletions(-) create mode 100644 modules/gallery/tests/Kohana_Exception_Test.php (limited to 'modules/gallery/tests') diff --git a/modules/gallery/libraries/MY_Kohana_Exception.php b/modules/gallery/libraries/MY_Kohana_Exception.php index d6f1f467..1712d895 100644 --- a/modules/gallery/libraries/MY_Kohana_Exception.php +++ b/modules/gallery/libraries/MY_Kohana_Exception.php 
@@ -92,4 +92,61 @@ class Kohana_Exception extends Kohana_Exception_Core {
 }
 print $view;
 }
+
+ /**
+ * @see Kohana_Exception::dump()
+ */
+ public static function dump($value, $length=128, $max_level=5) {
+ return self::safe_dump($value, null, $length, $max_level);
+ }
+
+ /**
+ * A safer version of dump(), eliding sensitive information in the dumped
+ * data, such as session ids and passwords / hashes.
+ */
+ public static function safe_dump($value, $key, $length=128, $max_level=5) {
+ return parent::dump(self::_sanitize_for_dump($value, $key), $length, $max_level);
+ }
+
+ /**
+ * Elides sensitive data which shouldn't be echoed to the client,
+ * such as passwords, and other secrets.
+ */
+ /* Visible for testing*/ static function _sanitize_for_dump($value, $key=null) {
+ // Better elide too much than letting something through.
+ // Note: unanchored match is intended.
+ $sensitive_info_pattern =
+ '/(password|pass|email|hash|private_key|session_id|session|g3sid|csrf|secret)/i';
+ if (preg_match($sensitive_info_pattern, $key) ||
+ (is_string($value) && preg_match('/[a-f0-9]{20,}/i', $value))) {
+ return 'removed for display';
+ } else if (is_object($value)) {
+ if ($value instanceof Database) {
+ // Elide database password, host, name, user, etc.
+ return get_class($value) . ' object - details omitted for display';
+ } else if ($value instanceof User_Model) {
+ return get_class($value) . ' object for "' . $value->name . '" - details omitted for display';
+ }
+ return self::_sanitize_for_dump((array) $value, $key);
+ } else if (is_array($value)) {
+ $result = array();
+ foreach ($value as $k => $v) {
+ $actual_key = $k;
+ $key_for_display = $k;
+ if ($k[0] === "\x00") {
+ // Remove the access level from the variable name
+ $actual_key = substr($k, strrpos($k, "\x00") + 1);
+ $access = $k[1] === '*' ? 'protected' : 'private';
+ $key_for_display = "$access: $actual_key";
+ }
+ if (is_object($v)) {
+ $key_for_display .= ' (type: ' . get_class($v) . ')';
+ }
+ $result[$key_for_display] = self::_sanitize_for_dump($v, $actual_key);
+ }
+ } else {
+ $result = $value;
+ }
+ return $result;
+ }
 }
\ No newline at end of file
diff --git a/modules/gallery/tests/Kohana_Exception_Test.php b/modules/gallery/tests/Kohana_Exception_Test.php
new file mode 100644
index 00000000..d2dbb4dc
--- /dev/null
+++ b/modules/gallery/tests/Kohana_Exception_Test.php
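Review bot: `_sanitize_for_dump` has no depth limit, so an object graph that refers back to itself (the `(array) $value` cast keeps nested object references, and model objects commonly hold parent/child links) recurses until the stack or memory limit is hit; because this runs while an exception page is being rendered, the failure is a second error during error display, which may fall back to output that has not passed through this filter at all. `dump()` and `safe_dump()` already carry `$max_level`, so threading a level through the two recursive calls and returning a placeholder past a cap is a small change; the fence sketches it with a defaulted parameter so existing callers and the tests keep working (the cap of 5 mirrors the default `$max_level` and is a constructed value). Separately, `if ($k[0] === "\x00")` assumes string keys: for the integer keys of a list array `$k[0]` yields null (a notice on newer PHP) and for an empty-string key it is an invalid offset, so guard it with `is_string($k) && $k !== '' && $k[0] === "\x00"`. The class body continues outside the hunk.
```php
  /* Visible for testing*/ static function _sanitize_for_dump($value, $key=null, $level=0) {
    // Bound the walk: a cyclic object graph would otherwise never terminate.
    if ($level > 5) {
      return 'nesting too deep - omitted for display';
    }
    // … unchanged: key / hex-value pattern match, Database and User_Model cases …
      return self::_sanitize_for_dump((array) $value, $key, $level + 1);
    } else if (is_array($value)) {
      // … unchanged: key demangling and type suffix …
        $result[$key_for_display] = self::_sanitize_for_dump($v, $actual_key, $level + 1);
    // … unchanged: scalar fallthrough and return …
```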
@@ -0,0 +1,170 @@ +assert_equal('string(19) "removed for display"', + Kohana_Exception::dump("1a62761b836138c6198313911")); + $this->assert_equal('string(14) "original value"', + Kohana_Exception::dump("original value")); + } + + public function safe_dump_test() { + // Verify the delegation. + $this->assert_equal('string(19) "removed for display"', + Kohana_Exception::safe_dump("original value", "password")); + $this->assert_equal('string(14) "original value"', + Kohana_Exception::safe_dump("original value", "meow")); + } + + public function sanitize_for_dump_match_key_test() { + $this->assert_equal("removed for display", + Kohana_Exception::_sanitize_for_dump("original value", "password")); + $this->assert_equal("original value", + Kohana_Exception::_sanitize_for_dump("original value", "meow")); + } + + public function sanitize_for_dump_match_key_loosely_test() { + $this->assert_equal("removed for display", + Kohana_Exception::_sanitize_for_dump("original value", "this secret key")); + } + + public function sanitize_for_dump_match_value_test() { + // Looks like a hash / secret value. 
+ $this->assert_equal("removed for display", + Kohana_Exception::_sanitize_for_dump("p$2a178b841c6391d6368f131", "meow")); + $this->assert_equal("original value", + Kohana_Exception::_sanitize_for_dump("original value", "meow")); + } + + public function sanitize_for_dump_array_test() { + $var = array("safe" => "original value 1", + "some hash" => "original value 2", + "three" => "2a3728788982938293b9292"); + $expected = array("safe" => "original value 1", + "some hash" => "removed for display", + "three" => "removed for display"); + + $this->assert_equal($expected, + Kohana_Exception::_sanitize_for_dump($var, "ignored")); + } + + public function sanitize_for_dump_nested_array_test() { + $var = array("safe" => "original value 1", + "safe 2" => array("some hash" => "original value 2")); + $expected = array("safe" => "original value 1", + "safe 2" => array("some hash" => "removed for display")); + $this->assert_equal($expected, + Kohana_Exception::_sanitize_for_dump($var, "ignored")); + } + + public function sanitize_for_dump_user_test() { + $user = new User_Model(); + $user->name = "john"; + $user->hash = "value 1"; + $user->email = "value 2"; + $user->full_name = "value 3"; + $this->assert_equal('User_Model object for "john" - details omitted for display', + Kohana_Exception::_sanitize_for_dump($user, "ignored")); + } + + public function sanitize_for_dump_database_test() { + $db = new Kohana_Exception_Test_Database( + array("connection" => array("user" => "john", "name" => "gallery_3"), + "cache" => array())); + $this->assert_equal("Kohana_Exception_Test_Database object - details omitted for display", + Kohana_Exception::_sanitize_for_dump($db, "ignored")); + } + + public function sanitize_for_dump_nested_database_test() { + $db = new Kohana_Exception_Test_Database( + array("connection" => array("user" => "john", "name" => "gallery_3"), + "cache" => array())); + $var = array("some" => "foo", + "bar" => $db); + $this->assert_equal( + array("some" => "foo", + "bar 
(type: Kohana_Exception_Test_Database)" => + "Kohana_Exception_Test_Database object - details omitted for display"), + Kohana_Exception::_sanitize_for_dump($var, "ignored")); + } + + public function sanitize_for_dump_object_test() { + $obj = new Kohana_Exception_Test_Class(); + $obj->password = "original value"; + $expected = array("var_1" => "val 1", + "protected: var_2" => "val 2", + "private: var_3" => "val 3", + "protected: hash" => "removed for display", + "private: email_address" => "removed for display", + "password" => "removed for display"); + $this->assert_equal($expected, + Kohana_Exception::_sanitize_for_dump($obj, "ignored")); + } + + public function sanitize_for_dump_nested_object_test() { + $user = new User_Model(); + $user->name = "john"; + $obj = new Kohana_Exception_Test_Class(); + $obj->meow = new Kohana_Exception_Test_Class(); + $obj->woof = "original value"; + $obj->foo = array("bar" => $user); + $expected = array("var_1" => "val 1", + "protected: var_2" => "val 2", + "private: var_3" => "val 3", + "protected: hash" => "removed for display", + "private: email_address" => "removed for display", + "meow (type: Kohana_Exception_Test_Class)" => + array("var_1" => "val 1", + "protected: var_2" => "val 2", + "private: var_3" => "val 3", + "protected: hash" => "removed for display", + "private: email_address" => "removed for display"), + "woof" => "original value", + "foo" => array("bar (type: User_Model)" => + 'User_Model object for "john" - details omitted for display')); + $this->assert_equal($expected, + Kohana_Exception::_sanitize_for_dump($obj, "ignored")); + } +} + +class Kohana_Exception_Test_Database extends Database { + function __construct($config) { parent::__construct($config); } + public function connect() {} + public function disconnect() {} + public function set_charset($charset) {} + public function query_execute($sql) {} + public function escape($value) {} + public function list_constraints($table) {} + public function 
list_fields($table) {} + public function list_tables() {} +} + +class Kohana_Exception_Test_Class { + public $var_1 = "val 1"; + protected $var_2 = "val 2"; + private $var_3 = "val 3"; + protected $hash = "val 4"; + private $email_address = "val 5"; + function __set($name, $val) { + $this->$name = $val; + } +} \ No newline at end of file diff --git a/modules/gallery/views/kohana/error.php b/modules/gallery/views/kohana/error.php index 26628cf2..d55105a0 100644 --- a/modules/gallery/views/kohana/error.php +++ b/modules/gallery/views/kohana/error.php @@ -204,7 +204,7 @@
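Review bot: None of the new cases feeds `_sanitize_for_dump` an object that references itself, or an array containing the object being walked, which is the input most likely to appear in a real exception context (model objects linked to each other) and the one whose behaviour is least obvious from the implementation; with the current recursion through `(array) $value` such a fixture would not terminate, so a case like `$obj = new Kohana_Exception_Test_Class(); $obj->self = $obj;` is worth adding as soon as the sanitizer bounds its depth, asserting on whatever placeholder it returns. The test for the value heuristic relies on `"p$2a178b841c6391d6368f131"` staying literal in a double-quoted string; a nowdoc or single quotes would make that intent explicit. The leading lines of this hunk (the file header and the opening of the first test method) appear to have been lost in rendering, so the first visible `assert_equal` is read as the body of `dump_test`.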
-
+
@@ -265,7 +265,7 @@ -
+
-- cgit v1.2.3