From 2d2eabff32582c3172a72bc17363b1f117e77053 Mon Sep 17 00:00:00 2001 From: gggeek Date: Thu, 9 Feb 2023 10:01:33 +0000 Subject: [PATCH] harden tests/index.php against accidental access --- src/Client.php | 1 - tests/07ClientTest.php | 8 ++++---- tests/08ServerTest.php | 15 ++++++++++----- tests/LoggerAwareTestCase.php | 4 ++-- tests/ServerAwareTestCase.php | 20 ++++++++++++++++++++ tests/WebTestCase.php | 5 ++++- tests/index.php | 10 ++++++++++ 7 files changed, 50 insertions(+), 13 deletions(-) diff --git a/src/Client.php b/src/Client.php index b0994c69..d1c34bae 100644 --- a/src/Client.php +++ b/src/Client.php @@ -1440,7 +1440,6 @@ class Client foreach ($opts['cookies'] as $name => $cookie) { $cookieHeader .= $name . '=' . $cookie['value'] . '; '; } -var_dump(substr($cookieHeader, 0, -2)); curl_setopt($curl, CURLOPT_COOKIE, substr($cookieHeader, 0, -2)); } diff --git a/tests/07ClientTest.php b/tests/07ClientTest.php index e147ab4e..c8a7bd09 100644 --- a/tests/07ClientTest.php +++ b/tests/07ClientTest.php @@ -1,11 +1,11 @@ client->server = $server[0]; $this->client->path = $this->args['HTTPURI']; - + $this->client->setCookie('PHPUNIT_RANDOM_TEST_ID', static::$randId); $r = $this->client->send($m, 5, 'http11'); $this->assertEquals(0, $r->faultCode()); $ro = $r->value(); diff --git a/tests/08ServerTest.php b/tests/08ServerTest.php index 07de870e..95712196 100644 --- a/tests/08ServerTest.php +++ b/tests/08ServerTest.php @@ -54,6 +54,12 @@ class ServerTest extends PhpXmlRpc_ServerAwareTestCase $this->client->setDebug($this->args['DEBUG']); $this->client->request_compression = $this->request_compression; $this->client->accepted_compression = $this->accepted_compression; + + $this->client->setCookie('PHPUNIT_RANDOM_TEST_ID', static::$randId); + + if ($this->collectCodeCoverageInformation) { + $this->client->setCookie('PHPUNIT_SELENIUM_TEST_ID', $this->testId); + } } /** 
@@ -64,10 +70,6 @@ class ServerTest extends PhpXmlRpc_ServerAwareTestCase */ protected function send($msg, $errorCode = 0, $returnResponse = false) { - if ($this->collectCodeCoverageInformation) { - $this->client->setCookie('PHPUNIT_SELENIUM_TEST_ID', $this->testId); - } - $r = $this->client->send($msg, $this->timeout, $this->method); // for multicall, return directly array of responses if (is_array($r)) { @@ -965,10 +967,13 @@ And turned it into nylon'; $v = $r->value(); $v = php_xmlrpc_decode($v); - // take care for the extra cookie used for coverage collection + // take care of the extra cookies used for coverage collection and test mechanics if (isset($v['PHPUNIT_SELENIUM_TEST_ID'])) { unset($v['PHPUNIT_SELENIUM_TEST_ID']); } + if (isset($v['PHPUNIT_RANDOM_TEST_ID'])) { + unset($v['PHPUNIT_RANDOM_TEST_ID']); + } // on IIS and Apache getallheaders returns something slightly different... $this->assertEquals($cookies, $v); diff --git a/tests/LoggerAwareTestCase.php b/tests/LoggerAwareTestCase.php index a23d9355..e5fe5540 100644 --- a/tests/LoggerAwareTestCase.php +++ b/tests/LoggerAwareTestCase.php @@ -16,7 +16,7 @@ abstract class PhpXmlRpc_LoggerAwareTestCase extends PhpXmlRpc_PolyfillTestCase protected $buffer = ''; /** - * hide debug messages and errors unless we either are in debug mode or the test fails + * Hide debug messages and errors unless we either are in debug mode or the test fails. * @return void */ protected function set_up() @@ -46,7 +46,7 @@ abstract class PhpXmlRpc_LoggerAwareTestCase extends PhpXmlRpc_PolyfillTestCase } } - // logger API + // logger API implementation public function debug($message, $context = array()) { diff --git a/tests/ServerAwareTestCase.php b/tests/ServerAwareTestCase.php index d6633834..a559ddca 100644 --- a/tests/ServerAwareTestCase.php +++ b/tests/ServerAwareTestCase.php 
@@ -16,6 +16,8 @@ abstract class PhpXmlRpc_ServerAwareTestCase extends PhpXmlRpc_LoggerAwareTestCa /** @var string */ protected $coverageScriptUrl; + protected static $randId; + /** * Reimplemented to allow us to collect code coverage info from the target server. * Code taken from PHPUnit_Extensions_Selenium2TestCase @@ -54,6 +56,24 @@ abstract class PhpXmlRpc_ServerAwareTestCase extends PhpXmlRpc_LoggerAwareTestCa return $result; } + public static function set_up_before_class() + { + parent::set_up_before_class(); + + // Set up a database connection or other fixture which needs to be available. + self::$randId = uniqid(); + file_put_contents(sys_get_temp_dir() . '/phpunit_rand_id.txt', self::$randId); + } + + public static function tear_down_after_class() + { + if (is_file(sys_get_temp_dir() . '/phpunit_rand_id.txt')) { + unlink(sys_get_temp_dir() . '/phpunit_rand_id.txt'); + } + + parent::tear_down_after_class(); + } + public function set_up() { parent::set_up(); diff --git a/tests/WebTestCase.php b/tests/WebTestCase.php index f2c9c414..4a0b19e8 100644 --- a/tests/WebTestCase.php +++ b/tests/WebTestCase.php @@ -29,6 +29,7 @@ abstract class PhpXmlRpc_WebTestCase extends PhpXmlRpc_ServerAwareTestCase CURLOPT_POSTFIELDS => $payload )); } + curl_setopt($ch, CURLOPT_COOKIE, 'PHPUNIT_RANDOM_TEST_ID=' . static::$randId); if ($this->collectCodeCoverageInformation) { curl_setopt($ch, CURLOPT_COOKIE, 'PHPUNIT_SELENIUM_TEST_ID='.$this->testId); @@ -50,7 +51,8 @@ abstract class PhpXmlRpc_WebTestCase extends PhpXmlRpc_ServerAwareTestCase } /** - * Build an xml-rpc client, tweaked if needed to collect code-coverage information of the server + * Build an xml-rpc client, tweaked if needed to collect code-coverage information of the server. + * @see also ServerTest::set_up * * @param string $path * @return \PhpXmlRpc\Client 
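Review bot: The new `protected static $randId;` is declared without a docblock, while the sibling property `$coverageScriptUrl` directly above it in this hunk carries `/** @var string */`; the type and the role of this value are not visible where it is declared. Add `/** @var string per-run token that tests/index.php requires in the PHPUNIT_RANDOM_TEST_ID cookie; generated in set_up_before_class */` above it, matching the existing style.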
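Review bot: `self::$randId = uniqid();` in the new set_up_before_class yields a value based on the current time in microseconds, which is guessable, so it is a weak gate for tests/index.php if the point of this commit is to keep that script from being usable by anyone else. Where the supported PHP range allows, `self::$randId = bin2hex(random_bytes(16));` gives an unpredictable token; the following `file_put_contents` call writes it into a shared temp directory with the process umask and ignores a `false` return, so anyone able to read `phpunit_rand_id.txt` learns the token, and checking that return plus a `chmod` to owner-only permissions on the file would narrow that. The comment `// Set up a database connection or other fixture which needs to be available.` is PHPUnit template text that does not describe this code; replace it with `// Generate the per-run token that tests/index.php requires and share it with the server side via the filesystem`.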
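Review bot: The added `curl_setopt($ch, CURLOPT_COOKIE, 'PHPUNIT_RANDOM_TEST_ID=' . static::$randId);` is overwritten two lines later by the existing `curl_setopt($ch, CURLOPT_COOKIE, 'PHPUNIT_SELENIUM_TEST_ID='.$this->testId);` whenever code coverage is collected, because CURLOPT_COOKIE replaces the whole Cookie header rather than appending to it, so in that mode tests/index.php will reject every request sent through this method. Build the cookie string first and set the option once. The Client-based paths in newClient (next hunk) and ServerTest::set_up are not affected, since Client::setCookie accumulates cookies as the Client.php hunk shows. The enclosing method starts before and ends after this hunk.
```php
        // … unchanged: POST payload setup …
        $cookies = 'PHPUNIT_RANDOM_TEST_ID=' . static::$randId;
        if ($this->collectCodeCoverageInformation) {
            $cookies .= '; PHPUNIT_SELENIUM_TEST_ID=' . $this->testId;
        }
        // CURLOPT_COOKIE sets the complete header, so both cookies must be passed in one call
        curl_setopt($ch, CURLOPT_COOKIE, $cookies);
```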
@@ -58,6 +60,7 @@ abstract class PhpXmlRpc_WebTestCase extends PhpXmlRpc_ServerAwareTestCase protected function newClient($path) { $client = new \PhpXmlRpc\Client($this->baseUrl . $path); + $client->setCookie('PHPUNIT_RANDOM_TEST_ID', static::$randId); if ($this->collectCodeCoverageInformation) { $client->setCookie('PHPUNIT_SELENIUM_TEST_ID', $this->testId); } diff --git a/tests/index.php b/tests/index.php index c1d63a2a..413fc486 100644 --- a/tests/index.php +++ b/tests/index.php @@ -4,6 +4,16 @@ // It makes all errors visible, triggers generation of code-coverage information, and runs the target file, // which is specified as GET param. +// In case this file is made available on an open-access server, avoid it being useable by anyone who can not also +// write a specific file to disk. +// NB: keep filename, cookie name in sync with the code within the TestCase classes sending http requests to this file +$idFile = sys_get_temp_dir() . '/phpunit_rand_id.txt'; +$randId = isset($_COOKIE['PHPUNIT_RANDOM_TEST_ID']) ? $_COOKIE['PHPUNIT_RANDOM_TEST_ID'] : ''; +$fileId = file_exists($idFile) ? file_get_contents($idFile) : ''; +if ($randId == '' || $fileId == '' || $fileId !== $randId) { + die('This url can only be accessed by the test suite'); +} + // Make errors visible ini_set('display_errors', true); error_reporting(E_ALL); -- 2.47.0
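Review bot: The new guard in tests/index.php mixes a loose `$randId == ''` with the strict `$fileId !== $randId`, and compares the token with a plain string comparison; for a hardening change use `if ($randId === '' || $fileId === '' || !hash_equals($fileId, $randId)) {` so both emptiness checks are strict and the token comparison is constant-time. `die('This url can only be accessed by the test suite')` answers with HTTP 200, so a rejected test request surfaces as a malformed XML-RPC response rather than as an access failure; add `http_response_code(403);` before it. The new comment says the script is unusable by anyone who cannot write the id file, but the check only requires knowing the file's contents, so being able to read the temp file suffices; `// ... usable only by whoever can read the token file written by the test suite` states the actual property.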