68bc21353a
Improves #306 Relates to #335 & #336 Duplicated by #339 Issues: - PHP regenerates the session ID if it is not compliant - the regex checking the session ID does not cover all cases - different algorithms: md5, sha1, sha256, etc. - bit representations: 4, 5, 6 Fix: - `index.php`: - remove `uniqid()` usage - call `session_regenerate_id()` if an invalid cookie is detected - regex: support all possible characters - '[a-zA-Z,-]{2,128}' - tests: add coverage for all algorithms & bit representations See: - http://php.net/manual/en/session.configuration.php#ini.session.hash-function - https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character - http://php.net/manual/en/function.session-id.php - http://php.net/manual/en/function.session-regenerate-id.php - http://php.net/manual/en/function.hash-algos.php Signed-off-by: VirtualTam <virtualtam@flibidi.net>
<?php
/**
* Utilities' tests
*/
require_once 'application/Utils.php';
require_once 'tests/utils/ReferenceSessionIdHashes.php';

// Initialize reference data before PHPUnit starts a session:
// the hashes are generated once here, and UtilsTest::setUpBeforeClass()
// later fetches them through ReferenceSessionIdHashes::getHashes()
ReferenceSessionIdHashes::genAllHashes();
/**
* Unitary tests for Shaarli utilities
*/
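class UtilsTest extends PHPUnit_Framework_TestCase
{
    // Session ID hashes, iterated as [algorithm => [bits-per-character => hash]]
    // (filled in by setUpBeforeClass() from ReferenceSessionIdHashes::getHashes())
    protected static $sidHashes = null;

    /**
     * Assign reference data
     */
    public static function setUpBeforeClass()
    {
        self::$sidHashes = ReferenceSessionIdHashes::getHashes();
    }

    /**
     * Represent a link by its hash
     */
    public function testSmallHash()
    {
        $this->assertEquals('CyAAJw', smallHash('http://test.io'));
        $this->assertEquals(6, strlen(smallHash('https://github.com')));
    }

    /**
     * Look for a substring at the beginning of a string
     */
    public function testStartsWithCaseInsensitive()
    {
        $this->assertTrue(startsWith('Lorem ipsum', 'lorem', false));
        $this->assertTrue(startsWith('Lorem ipsum', 'LoReM i', false));
    }

    /**
     * Look for a substring at the beginning of a string (case-sensitive)
     */
    public function testStartsWithCaseSensitive()
    {
        $this->assertTrue(startsWith('Lorem ipsum', 'Lorem', true));
        $this->assertFalse(startsWith('Lorem ipsum', 'lorem', true));
        $this->assertFalse(startsWith('Lorem ipsum', 'LoReM i', true));
    }

    /**
     * Look for a substring at the beginning of a string (Unicode)
     */
    public function testStartsWithSpecialChars()
    {
        $this->assertTrue(startsWith('å!ùµ', 'å!', false));
        $this->assertTrue(startsWith('µ$åù', 'µ$', true));
    }

    /**
     * Look for a substring at the end of a string
     */
    public function testEndsWithCaseInsensitive()
    {
        $this->assertTrue(endsWith('Lorem ipsum', 'ipsum', false));
        $this->assertTrue(endsWith('Lorem ipsum', 'm IpsUM', false));
    }

    /**
     * Look for a substring at the end of a string (case-sensitive)
     */
    public function testEndsWithCaseSensitive()
    {
        $this->assertTrue(endsWith('lorem Ipsum', 'Ipsum', true));
        $this->assertFalse(endsWith('lorem Ipsum', 'ipsum', true));
        $this->assertFalse(endsWith('lorem Ipsum', 'M IPsuM', true));
    }

    /**
     * Look for a substring at the end of a string (Unicode)
     */
    public function testEndsWithSpecialChars()
    {
        $this->assertTrue(endsWith('å!ùµ', 'ùµ', false));
        $this->assertTrue(endsWith('µ$åù', 'åù', true));
    }

    /**
     * Check valid date strings, according to a DateTime format
     */
    public function testCheckValidDateFormat()
    {
        $this->assertTrue(checkDateFormat('Ymd', '20150627'));
        $this->assertTrue(checkDateFormat('Y-m-d', '2015-06-27'));
    }

    /**
     * Check erroneous date strings, according to a DateTime format
     */
    public function testCheckInvalidDateFormat()
    {
        $this->assertFalse(checkDateFormat('Ymd', '2015'));
        $this->assertFalse(checkDateFormat('Y-m-d', '2015-06'));
        $this->assertFalse(checkDateFormat('Ymd', 'DeLorean'));
    }

    /**
     * Test generate location with valid data.
     */
    public function testGenerateLocation()
    {
        $ref = 'http://localhost/?test';
        $this->assertEquals($ref, generateLocation($ref, 'localhost'));

        $ref = 'http://localhost:8080/?test';
        $this->assertEquals($ref, generateLocation($ref, 'localhost:8080'));
    }

    /**
     * Test generate location - anti loop.
     */
    public function testGenerateLocationLoop()
    {
        $ref = 'http://localhost/?test';
        $this->assertEquals('?', generateLocation($ref, 'localhost', array('test')));
    }

    /**
     * Test generate location - from other domain.
     *
     * A referer on another host is not echoed back as the location:
     * the bare '?' fallback is returned instead.
     */
    public function testGenerateLocationOut()
    {
        $ref = 'http://somewebsite.com/?test';
        $this->assertEquals('?', generateLocation($ref, 'localhost'));
    }

    /**
     * Check supported PHP versions
     *
     * No explicit assertion: the check is expected to return silently for
     * each supported version (unsupported ones throw, see the tests below).
     */
    public function testCheckSupportedPHPVersion()
    {
        $minVersion = '5.3';
        checkPHPVersion($minVersion, '5.4.32');
        checkPHPVersion($minVersion, '5.5');
        checkPHPVersion($minVersion, '5.6.10');
    }

    /**
     * Check an unsupported PHP version
     * @expectedException Exception
     * @expectedExceptionMessageRegExp /Your PHP version is obsolete/
     */
    public function testCheckSupportedPHPVersion51()
    {
        checkPHPVersion('5.3', '5.1.0');
    }

    /**
     * Check another unsupported PHP version
     * @expectedException Exception
     * @expectedExceptionMessageRegExp /Your PHP version is obsolete/
     */
    public function testCheckSupportedPHPVersion52()
    {
        checkPHPVersion('5.3', '5.2');
    }

    /**
     * Test is_session_id_valid with a valid ID - TEST ALL THE HASHES!
     *
     * This test extensively covers all hash algorithms / bit representations
     * provided by ReferenceSessionIdHashes. The reference data is asserted to
     * be non-empty first, so the loop cannot pass vacuously if generation
     * produced nothing.
     */
    public function testIsAnyHashSessionIdValid()
    {
        $this->assertNotEmpty(self::$sidHashes, 'No reference session ID hashes');

        foreach (self::$sidHashes as $algo => $bpcs) {
            $this->assertNotEmpty($bpcs, "No reference hashes for algorithm '$algo'");

            foreach ($bpcs as $bpc => $hash) {
                // name the failing combination so a regression is easy to locate
                $this->assertTrue(
                    is_session_id_valid($hash),
                    "Session ID rejected: algorithm=$algo, bits per character=$bpc"
                );
            }
        }
    }

    /**
     * Test is_session_id_valid with a valid ID - SHA-1 hashes
     */
    public function testIsSha1SessionIdValid()
    {
        $this->assertTrue(is_session_id_valid(sha1('shaarli')));
    }

    /**
     * Test is_session_id_valid with a valid ID - SHA-256 hashes
     */
    public function testIsSha256SessionIdValid()
    {
        $this->assertTrue(is_session_id_valid(hash('sha256', 'shaarli')));
    }

    /**
     * Test is_session_id_valid with a valid ID - SHA-512 hashes
     */
    public function testIsSha512SessionIdValid()
    {
        $this->assertTrue(is_session_id_valid(hash('sha512', 'shaarli')));
    }

    /**
     * Test is_session_id_valid with invalid IDs.
     *
     * The session cookie is client-supplied input: a non-compliant ID must be
     * rejected so that index.php regenerates it instead of using it as-is.
     */
    public function testIsSessionIdInvalid()
    {
        // empty value / wrong type
        $this->assertFalse(is_session_id_valid(''));
        $this->assertFalse(is_session_id_valid(array()));

        // character outside the allowed set ('=' base64 padding)
        $this->assertFalse(
            is_session_id_valid('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=')
        );

        // length bounds: the ID regex accepts 2 to 128 characters
        $this->assertFalse(is_session_id_valid('a'));
        $this->assertFalse(is_session_id_valid(str_repeat('a', 129)));
    }
}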