lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

More phpunit test

Browse Source
This commit is contained in:
Laurent Destailleur 2012-02-29 11:48:03 +01:00
parent 099d8ee06b
commit 6550ba53f6
3 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
htdocs/categories/fiche.php
View File

@ -38,7 +38,6 @@ $action = GETPOST('action','alpha');
$cancel = GETPOST('cancel','alpha');
$origin = GETPOST('origin','alpha');
$catorigin = GETPOST('catorigin','int');
$nbcats = (GETPOST('choix') ? GETPOST('choix') : 1); // TODO not use ?
$type = GETPOST('type','alpha');
$urlfrom = GETPOST('urlfrom','alpha');

14
htdocs/core/lib/functions.lib.php
View File

@ -249,18 +249,20 @@ function GETPOST($paramname,$check='',$method=0)
elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
elseif ($method==2) $out = isset($_POST[$paramname])?$_POST[$paramname]:'';
elseif ($method==3) $out = isset($_POST[$paramname])?$_POST[$paramname]:(isset($_GET[$paramname])?$_GET[$paramname]:'');
else return 'BadParameter';
if (! empty($check))
{
$out=trim($out);
// Check if numeric
if ($check == 'int' && ! preg_match('/^[-\.,0-9]+$/i',trim($out))) $out='';
if ($check == 'int' && ! preg_match('/^[-\.,0-9]+$/i',$out)) $out='';
// Check if alpha
//if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
if ($check == 'alpha')
elseif ($check == 'alpha')
{
if (preg_match('/"/',trim($out))) $out='';
else if (preg_match('/(\.\.\/)+/',trim($out))) $out='';
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
if (preg_match('/"/',$out)) $out='';
else if (preg_match('/\.\.\//',$out)) $out='';
}
}

9
test/phpunit/SecurityTest.php
View File

@ -144,6 +144,7 @@ class SecurityTest extends PHPUnit_Framework_TestCase
$_POST["param1"]="333";
$_GET["param2"]='a/b#e(pr)qq-rr\cc';
$_GET["param3"]='"a/b#e(pr)qq-rr\cc'; // Same than param2 + "
$_GET["param4"]='../dir';
$result=GETPOST('id','int'); // Must return nothing
print __METHOD__." result=".$result."\n";
@ -161,11 +162,15 @@ class SecurityTest extends PHPUnit_Framework_TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals($result,$_GET["param2"]);
$result=GETPOST("param3",'alpha'); // Must return '' as there is a forbidden char
$result=GETPOST("param3",'alpha'); // Must return '' as there is a forbidden char "
print __METHOD__." result=".$result."\n";
$this->assertEquals($result,'');
return $result;
$result=GETPOST("param4",'alpha'); // Must return '' as there is a forbidden char ../
print __METHOD__." result=".$result."\n";
$this->assertEquals($result,'');
return $result;
}
/**