From 1880a1d59a53f57b6fa5fafef9d7391d15961cf3 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 20 Nov 2010 15:25:08 +0000
Subject: [PATCH] Add more php units

---
 htdocs/lib/functions.lib.php | 4 +-
 test/phpunit/SecurityTest.php | 179 ++++++++++++++++++++++++++++++++++
 2 files changed, 181 insertions(+), 2 deletions(-)
 create mode 100755 test/phpunit/SecurityTest.php

diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php
index 332cc45fe0f..ed5c34a1ec9 100644
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -47,7 +47,7 @@ if (! defined('ADODB_DATE_VERSION')) include_once(DOL_DOCUMENT_ROOT."/includes/a
 function GETPOST($paramname,$check='',$method=0)
 {
 if ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
- else if ($method==2) isset($_POST[$paramname])?$_POST[$paramname]:'';
+ else if ($method==2) $out = isset($_POST[$paramname])?$_POST[$paramname]:'';
 else $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
 if (!empty($check))
@@ -55,7 +55,7 @@ function GETPOST($paramname,$check='',$method=0)
 // Check if integer
 if ($check == 'int' && ! is_numeric(trim($out))) $out='';
 // Check if alpha
- if ($check == 'alpha' && ! preg_match('/^[#\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
+ if ($check == 'alpha' && ! preg_match('/^[#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
 }
 return $out;
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
new file mode 100755
index 00000000000..45ab603d305
--- /dev/null
+++ b/test/phpunit/SecurityTest.php
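Review bot: The corrected `$method==2` branch, like the other two, returns the request value unfiltered whenever `$check` is empty, and the default branch lets a `$_GET` value silently shadow a `$_POST` value of the same name (the new test depends on that precedence), yet neither contract is stated at the function. A docblock above `function GETPOST($paramname,$check='',$method=0)` should say that `$method` selects GET (1), POST (2) or GET-then-POST (0), that with `$check=''` the raw value comes back and still has to be escaped by the caller for its SQL or HTML context, and that `'int'`/`'alpha'` only blank a non-conforming value rather than sanitise it. Any existing docblock sits above line 47, outside this hunk, so I cannot tell whether it already covers this.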
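Review bot: The widened character class on the added `preg_match` line accepts `/`, `\` and `.`, so a value that passes `'alpha'` can now be a relative path such as `../x`; the filter therefore no longer rejects directory-traversal sequences and must not be relied on when the parameter ends up in a filename or include path. That is worth recording next to the regex: `// 'alpha' admits '/', '\' and '.', so it does not reject '../' sequences: validate file paths separately`. On the unchanged `'int'` line above it, `is_numeric` also accepts forms such as `1e3` and `$out` is left as the original string, so callers that need an integer should cast it themselves.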
@@ -0,0 +1,179 @@
+
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+/**
+ * \file test/phpunit/SecurityTest.php
+ * \ingroup test
+ * \brief PHPUnit test
+ * \version $Id$
+ * \remarks To run this script as CLI: phpunit filename.php
+ */
+
+global $conf,$user,$langs,$db;
+//define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver
+require_once 'PHPUnit/Framework.php';
+require_once dirname(__FILE__).'/../../htdocs/master.inc.php';
+require_once dirname(__FILE__).'/../../htdocs/lib/functions.lib.php';
+
+if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1');
+if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1');
+if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
+if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
+if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1');
+if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1');
+if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no menu to show
+if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php
+if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
+if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session)
+
+
+/**
+ * @xcovers DoliDb
+ * @xcovers Translate
+ * @xcovers Conf
+ * @xcovers Interfaces
+ * @xcovers CommonObject
+ * @xcovers Adherent
+ *
+ * @backupGlobals disabled
+ * @backupStaticAttributes enabled
+ * @remarks backupGlobals must be disabled to have db,conf,user and lang not erased.
+ */
+class SecurityTest extends PHPUnit_Framework_TestCase
+{
+ protected $savconf;
+ protected $savuser;
+ protected $savlangs;
+ protected $savdb;
+
+ /**
+ * Constructor
+ * We save global variables into local variables
+ *
+ * @return CMailFile
+ */
+ function SecurityTest()
+ {
+ //$this->sharedFixture
+ global $conf,$user,$langs,$db;
+ $this->savconf=$conf;
+ $this->savuser=$user;
+ $this->savlangs=$langs;
+ $this->savdb=$db;
+
+ print __METHOD__." db->type=".$db->type." user->id=".$user->id;
+ //print " - db ".$db->db;
+ print "\n";
+ }
+
+ // Static methods
+ public static function setUpBeforeClass()
+ {
+ global $conf,$user,$langs,$db;
+ $db->begin(); // This is to have all actions inside a transaction even if test launched without suite.
+
+ print __METHOD__."\n";
+ }
+ public static function tearDownAfterClass()
+ {
+ global $conf,$user,$langs,$db;
+ $db->rollback();
+
+ print __METHOD__."\n";
+ }
+
+ /**
+ */
+ protected function setUp()
+ {
+ global $conf,$user,$langs,$db;
+ $conf=$this->savconf;
+ $user=$this->savuser;
+ $langs=$this->savlangs;
+ $db=$this->savdb;
+
+ print __METHOD__."\n";
+ }
+ /**
+ */
+ protected function tearDown()
+ {
+ print __METHOD__."\n";
+ }
+
+ /**
+ */
+ public function testGETPOST()
+ {
+ global $conf,$user,$langs,$db;
+ $conf=$this->savconf;
+ $user=$this->savuser;
+ $langs=$this->savlangs;
+ $db=$this->savdb;
+
+ $_COOKIE["id"]=111;
+ $_GET["param1"]="222";
+ $_POST["param1"]="333";
+ $_GET["param2"]='a/b#e(pr)qq-rr\cc';
+ $_GET["param3"]='"a/b#e(pr)qq-rr\cc'; // Same than param2 + "
+
+ $result=GETPOST("id"); // Must return nothing
+ print __METHOD__." result=".$result."\n";
+ $this->assertEquals($result,'');
+
+ $result=GETPOST("param1",'int');
+ print __METHOD__." result=".$result."\n";
+ $this->assertEquals($result,222);
+
+ $result=GETPOST("param1",'int',2);
+ print __METHOD__." result=".$result."\n";
+ $this->assertEquals($result,333);
+
+ $result=GETPOST("param2",'alpha');
+ print __METHOD__." result=".$result."\n";
+ $this->assertEquals($result,$_GET["param2"]);
+
+ $result=GETPOST("param3",'alpha'); // Must return '' as there is a forbidden char
+ print __METHOD__." result=".$result."\n";
+ $this->assertEquals($result,'');
+
+ return $result;
+ }
+
+ /**
+ */
+/* public function testAnalyseSqlAndScript()
+ {
+ global $conf,$user,$langs,$db;
+ $conf=$this->savconf;
+ $user=$this->savuser;
+ $langs=$this->savlangs;
+ $db=$this->savdb;
+
+ $_GET["param1"]="azert";
+ $_POST["param2"]="a/b#e(pr)qq-rr\cc";
+
+ $result=analyse_sql_and_script($_GET);
+ print __METHOD__." result=".$result."\n";
+ $this->assertFalse($result); // False because mail send disabled
+
+ return $result;
+ }
+*/
+}
+?>
\ No newline at end of file
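Review bot: The assertions in testGETPOST pass the actual value first and the expected value second (`$this->assertEquals($result,'')`, `$this->assertEquals($result,222)`), which inverts PHPUnit's expected/actual convention and makes failure output misleading; swap them, and prefer `$this->assertSame('222', $result)` since GETPOST hands back the raw request string rather than an int. The `'int'` filter is only exercised with numeric input, so nothing pins the rejection path the check exists for; a case such as `$_GET["param4"]="abc"; $this->assertSame('', GETPOST("param4",'int'));` would. The `@return CMailFile` docblock on the `SecurityTest()` constructor looks copied from another test and should be dropped. Because `@backupGlobals disabled` is set, the `$_GET`/`$_POST`/`$_COOKIE` entries written here remain visible to later tests in the same run; clearing them in tearDown() would keep the tests independent.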