From 3b5c13d3e63441cc88e035ef2f2a00235fa6d2ea Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 24 Nov 2021 20:53:17 +0100
Subject: [PATCH] Add a test file. Disabling if on production.

---
 htdocs/public/test/badges.php           |  5 ++
 htdocs/public/test/buttons.php          |  5 ++
 htdocs/public/test/test_arrays.php      | 11 ++--
 htdocs/public/test/test_csrf.php        | 33 ++++++++++++
 htdocs/public/test/test_exec.php        | 72 +++++++++++++++++++++++++
 htdocs/public/test/test_forms.php       |  6 +++
 htdocs/public/test/test_sessionlock.php | 31 ++++++++---
 7 files changed, 152 insertions(+), 11 deletions(-)
 create mode 100644 htdocs/public/test/test_exec.php

diff --git a/htdocs/public/test/badges.php b/htdocs/public/test/badges.php
index 2190b96db7e..1090da5445a 100644
--- a/htdocs/public/test/badges.php
+++ b/htdocs/public/test/badges.php
@@ -28,11 +28,16 @@ session_cache_limiter('public');
 require_once '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/functions.lib.php';
 
+// Security
 if ($dolibarr_main_prod) {
 	accessforbidden();
 }
 
 
+/*
+ * View
+ */
+
 llxHeader('', 'Documentation and examples for theme');
 ?>
 		  <h1 class="bd-title" id="content">Badges</h1>
diff --git a/htdocs/public/test/buttons.php b/htdocs/public/test/buttons.php
index 9e0335e2913..4621ad0f340 100644
--- a/htdocs/public/test/buttons.php
+++ b/htdocs/public/test/buttons.php
@@ -28,11 +28,16 @@ session_cache_limiter('public');
 require_once '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/functions.lib.php';
 
+// Security
 if ($dolibarr_main_prod) {
 	accessforbidden();
 }
 
 
+/*
+ * View
+ */
+
 llxHeader('', 'Documentation and examples for theme');
 ?>
 <main  role="main"  >
diff --git a/htdocs/public/test/test_arrays.php b/htdocs/public/test/test_arrays.php
index b2a87a75480..05fc13c0dbc 100644
--- a/htdocs/public/test/test_arrays.php
+++ b/htdocs/public/test/test_arrays.php
@@ -22,19 +22,22 @@ if (!defined("NOLOGIN")) {
 	define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)
 }
 
-
 require '../../main.inc.php';
 
+// Security
 if ($dolibarr_main_prod) {
 	accessforbidden();
 }
 
-$usedolheader = 1; // 1 = Test inside a dolibarr page, 0 = Use hard coded header
+
+
+/*
+ * View
+ */
 
 $form = new Form($db);
 
-
-
+$usedolheader = 1; // 1 = Test inside a dolibarr page, 0 = Use hard coded header
 
 // HEADER
 //--------
diff --git a/htdocs/public/test/test_csrf.php b/htdocs/public/test/test_csrf.php
index c66ac19c423..94d76469f81 100644
--- a/htdocs/public/test/test_csrf.php
+++ b/htdocs/public/test/test_csrf.php
@@ -1,5 +1,38 @@
 <?php
+//define("NOLOGIN",1);		// This means this output page does not require to be logged.
+//if (!defined('NOREQUIREUSER'))  define('NOREQUIREUSER', '1');
+//if (!defined('NOREQUIREDB'))    define('NOREQUIREDB', '1');
+if (!defined('NOREQUIRESOC')) {
+	define('NOREQUIRESOC', '1');
+}
+//if (!defined('NOREQUIRETRAN'))  define('NOREQUIRETRAN', '1');
+if (!defined('NOSTYLECHECK')) {
+	define('NOSTYLECHECK', '1'); // Do not check style html tag into posted data
+}
+if (!defined('NOCSRFCHECK')) {
+	define('NOCSRFCHECK', '1'); // Do not check anti CSRF attack test
+}
+if (!defined('NOTOKENRENEWAL')) {
+	define('NOTOKENRENEWAL', '1'); // Do not check anti POST attack test
+}
+//if (!defined('NOREQUIREMENU'))  define('NOREQUIREMENU', '1'); // If there is no need to load and show top and left menu
+//if (!defined('NOREQUIREHTML'))  define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
+//if (!defined('NOREQUIREAJAX'))  define('NOREQUIREAJAX', '1'); // Do not load ajax.lib.php library
+if (!defined("NOLOGIN")) {
+	define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)
+}
 
+require '../../main.inc.php';
+
+// Security
+if ($dolibarr_main_prod) {
+	accessforbidden();
+}
+
+
+/*
+ * View
+ */
 
 ?>
 
diff --git a/htdocs/public/test/test_exec.php b/htdocs/public/test/test_exec.php
new file mode 100644
index 00000000000..8464ba2eb4f
--- /dev/null
+++ b/htdocs/public/test/test_exec.php
@@ -0,0 +1,72 @@
+<?php
+if (!defined('NOREQUIREUSER')) {
+	define('NOREQUIREUSER', '1');
+}
+if (!defined('NOREQUIREDB')) {
+	define('NOREQUIREDB', '1');
+}
+if (!defined('NOREQUIRESOC')) {
+	define('NOREQUIRESOC', '1');
+}
+if (!defined('NOREQUIRETRAN')) {
+	define('NOREQUIRETRAN', '1');
+}
+if (!defined('NOSTYLECHECK')) {
+	define('NOSTYLECHECK', '1'); // Do not check style html tag into posted data
+}
+if (!defined('NOCSRFCHECK')) {
+	define('NOCSRFCHECK', '1'); // Do not check anti CSRF attack test
+}
+if (!defined('NOTOKENRENEWAL')) {
+	define('NOTOKENRENEWAL', '1'); // Do not check anti POST attack test
+}
+if (!defined('NOREQUIREMENU')) {
+	define('NOREQUIREMENU', '1'); // If there is no need to load and show top and left menu
+}
+if (!defined('NOREQUIREHTML')) {
+	define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
+}
+if (!defined('NOREQUIREAJAX')) {
+	define('NOREQUIREAJAX', '1'); // Do not load ajax.lib.php library
+}
+if (!defined("NOLOGIN")) {
+	define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)
+}
+// If you don't need session management (can't be logged if no session used). You must also set
+// NOCSRFCHECK, NOTOKENRENEWAL, NOLOGIN
+// Disable module with GETPOST('disablemodules') won't work. Variable 'dol_...' will not be set.
+// $_SESSION are then simple vars if sessions are not active.
+// TODO We can close session with session_write_close() as soon as we just need read access everywhere in code.
+if (!defined("NOSESSION")) {
+	define("NOSESSION", '1');
+}
+
+print "Legend:<br>\n";
+print 'PHP_SESSION_DISABLED='.PHP_SESSION_DISABLED."<br>\n";
+print 'PHP_SESSION_NONE='.PHP_SESSION_NONE."<br>\n";
+print 'PHP_SESSION_ACTIVE='.PHP_SESSION_ACTIVE."<br>\n";
+print '<br>';
+
+print 'session_status='.session_status().' (before main.inc.php)';
+print '<br>';
+
+require '../../main.inc.php';
+
+// Security
+if ($dolibarr_main_prod) {
+	accessforbidden();
+}
+
+
+/*
+ * View
+ */
+
+print 'session_status='.session_status().' (after main.inc.php)';
+print '<br>';
+
+//print 'a'.$_SESSION['disablemodules'].'b';
+
+print "\n<br>This page is visible. It means you are not locked by another page called in same session.";
+
+//session_write_close();
diff --git a/htdocs/public/test/test_forms.php b/htdocs/public/test/test_forms.php
index d89e04e12a6..c025151bdb9 100644
--- a/htdocs/public/test/test_forms.php
+++ b/htdocs/public/test/test_forms.php
@@ -8,10 +8,16 @@ if (!defined('NOSESSION')) {
 require '../../main.inc.php';
 include_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 
+// Security
 if ($dolibarr_main_prod) {
 	accessforbidden();
 }
 
+
+/*
+ * View
+ */
+
 llxHeader();
 
 ?>
diff --git a/htdocs/public/test/test_sessionlock.php b/htdocs/public/test/test_sessionlock.php
index 18a1ef73d08..83d21f38aae 100644
--- a/htdocs/public/test/test_sessionlock.php
+++ b/htdocs/public/test/test_sessionlock.php
@@ -52,17 +52,34 @@ print '<br>';
 
 require '../../main.inc.php';
 
-/* No need for this.
+// Security
 if ($dolibarr_main_prod) {
 	accessforbidden();
 }
-*/
 
-print 'session_status='.session_status().' (after main.inc.php)';
-print '<br>';
 
-//print 'a'.$_SESSION['disablemodules'].'b';
+/*
+ * View
+ */
 
-print "\n<br>This page is visible. It means you are not locked by another page called in same session.";
+echo "Test\n";
+$out='';
+$ret=0;
 
-//session_write_close();
+$file = '/tmp/aaa';
+$f=fopen($file, 'r');
+if ($f) {
+	$s=fread($f, 4096);
+	print $s;
+	fclose($f);
+} else {
+	print "Failed to open file ".$file."\n";
+}
+
+exec('ls /dev/std*; sleep 1;', $out, $ret);
+var_dump($ret);
+var_dump($out);
+
+exec('/usr/bin/clamdscan --fdpass filethatdoesnotexists.php', $out, $ret);
+var_dump($ret);
+var_dump($out);