Update of /cvsroot/lxr/lxr/tests
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv20331/lxr/tests
Added Files:
SecurityTest.pm
Log Message:
Fix for security vulnerability: malicious values in 'version' can reveal files outside the
source tree.
Fixes bug [ 1194360 ] directory traversal
--- NEW FILE: SecurityTest.pm ---
# Test cases for the various security exploits.
#
# Uses the associated lxr.conf file
package SecurityTest;
use strict;
use Test::Unit;
use lib "..";
use lib "../lib";
use LXR::Files;
use LXR::Config;
use LXR::Common qw(:html);
use Cwd;
use File::Spec;
use base qw(Test::Unit::TestCase);
use vars qw($root);
$config = new LXR::Config("http://test/lxr", "./lxr.conf");
sub new {
my $self = shift()->SUPER::new(@_);
# $self->{config} = {};
return $self;
}
# define tests
sub test_fixpaths {
my $self = shift;
$ENV{'SERVER_NAME'} = 'test';
$ENV{'SERVER_PORT'} = 80;
$ENV{'SCRIPT_NAME'} = '/lxr/source';
$ENV{'PATH_INFO'} = '/a/test/path';
# Need to preserve signal handlers round call to httpinit as
# it sets up the LXR signal handlers.
my $die = $SIG{'__DIE__'};
my $warn = $SIG{'__WARN__'};
httpinit;
my $node = "/../test/..//abit/./../././../........././";
$node = LXR::Common::fixpaths($node);
$SIG{'__DIE__'} = $die;
$SIG{'__WARN__'} = $warn;
$self->assert($node eq '/abit/./........././', "fixpaths is $node");
}
sub test_version_path_exploit {
# Check that the version string is properly scrubbed
# Should only be able to set version to the values
# defined in lxr.conf
my $self = shift;
$ENV{'SERVER_NAME'} = 'test';
$ENV{'SERVER_PORT'} = 80;
$ENV{'SCRIPT_NAME'} = '/lxr/source';
$ENV{'PATH_INFO'} = '/a/test/path';
$ENV{'QUERY_STRING'} = 'v=../../;virtroot=testpath;dbname=notapath';
# Need to preserve signal handlers round call to httpinit as
# it sets up the LXR signal handlers.
my $die = $SIG{'__DIE__'};
my $warn = $SIG{'__WARN__'};
httpinit;
$SIG{'__DIE__'} = $die;
$SIG{'__WARN__'} = $warn;
$self->assert($release eq '1.0.6', '$release not washed');
$self->assert($config->variable('v') eq '1.0.6', '$config->variable(v) not washed');
$ENV{'QUERY_STRING'} = '?v=hi%20hippy/../..;file=/some/path;version=../..';
$die = $SIG{'__DIE__'};
$warn = $SIG{'__WARN__'};
httpinit;
$SIG{'__DIE__'} = $die;
$SIG{'__WARN__'} = $warn;
$self->assert($release eq '1.0.6', '$release not washed');
$self->assert($config->variable('v') eq $release, '$release not washed');
$ENV{'QUERY_STRING'} = '?version=hi../..';
$die = $SIG{'__DIE__'};
$warn = $SIG{'__WARN__'};
httpinit;
$SIG{'__DIE__'} = $die;
$SIG{'__WARN__'} = $warn;
$self->assert($release eq '1.0.6', "release not washed, was $release");
$self->assert($config->variable('v') eq $release, "release not washed, was $release");
}
sub test_config {
# Check that parameters in URL cannot alter config variables
my $self = shift;
$ENV{'SERVER_NAME'} = 'test';
$ENV{'SERVER_PORT'} = 80;
$ENV{'SCRIPT_NAME'} = '/lxr/source';
$ENV{'PATH_INFO'} = '/a/test/path';
$ENV{'QUERY_STRING'} = 'v=../../;virtroot=testpath;dbname=notapath';
# Need to preserve signal handlers round call to httpinit as
# it sets up the LXR signal handlers.
my $die = $SIG{'__DIE__'};
my $warn = $SIG{'__WARN__'};
httpinit;
$SIG{'__DIE__'} = $die;
$SIG{'__WARN__'} = $warn;
$self->assert($config->{'dbname'} ne 'notapath', 'dbname messed');
$self->assert($config->{'virtroot'} eq '/lxr', 'virtroot set');
}
1;
|
