[Lxr-commits] CVS: lxr/tests SecurityTest.pm,NONE,1.1
Brought to you by:
ajlittoz
Menu
▾
▴
[Lxr-commits] CVS: lxr/tests SecurityTest.pm,NONE,1.1
|
From: Malcolm B. <mb...@us...> - 2005-05-04 23:19:59
|
Update of /cvsroot/lxr/lxr/tests In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv20331/lxr/tests Added Files: SecurityTest.pm Log Message: Fix for security vulnerability: malicious values in 'version' can reveal files outside the source tree. Fixes bug [ 1194360 ] directory traversal --- NEW FILE: SecurityTest.pm --- # Test cases for the various security exploits. # # Uses the associated lxr.conf file package SecurityTest; use strict; use Test::Unit; use lib ".."; use lib "../lib"; use LXR::Files; use LXR::Config; use LXR::Common qw(:html); use Cwd; use File::Spec; use base qw(Test::Unit::TestCase); use vars qw($root); $config = new LXR::Config("http://test/lxr", "./lxr.conf"); sub new { my $self = shift()->SUPER::new(@_); # $self->{config} = {}; return $self; } # define tests sub test_fixpaths { my $self = shift; $ENV{'SERVER_NAME'} = 'test'; $ENV{'SERVER_PORT'} = 80; $ENV{'SCRIPT_NAME'} = '/lxr/source'; $ENV{'PATH_INFO'} = '/a/test/path'; # Need to preserve signal handlers round call to httpinit as # it sets up the LXR signal handlers. my $die = $SIG{'__DIE__'}; my $warn = $SIG{'__WARN__'}; httpinit; my $node = "/../test/..//abit/./../././../........././"; $node = LXR::Common::fixpaths($node); $SIG{'__DIE__'} = $die; $SIG{'__WARN__'} = $warn; $self->assert($node eq '/abit/./........././', "fixpaths is $node"); } sub test_version_path_exploit { # Check that the version string is properly scrubbed # Should only be able to set version to the values # defined in lxr.conf my $self = shift; $ENV{'SERVER_NAME'} = 'test'; $ENV{'SERVER_PORT'} = 80; $ENV{'SCRIPT_NAME'} = '/lxr/source'; $ENV{'PATH_INFO'} = '/a/test/path'; $ENV{'QUERY_STRING'} = 'v=../../;virtroot=testpath;dbname=notapath'; # Need to preserve signal handlers round call to httpinit as # it sets up the LXR signal handlers. my $die = $SIG{'__DIE__'}; my $warn = $SIG{'__WARN__'}; httpinit; $SIG{'__DIE__'} = $die; $SIG{'__WARN__'} = $warn; $self->assert($release eq '1.0.6', '$release not washed'); $self->assert($config->variable('v') eq '1.0.6', '$config->variable(v) not washed'); $ENV{'QUERY_STRING'} = '?v=hi%20hippy/../..;file=/some/path;version=../..'; $die = $SIG{'__DIE__'}; $warn = $SIG{'__WARN__'}; httpinit; $SIG{'__DIE__'} = $die; $SIG{'__WARN__'} = $warn; $self->assert($release eq '1.0.6', '$release not washed'); $self->assert($config->variable('v') eq $release, '$release not washed'); $ENV{'QUERY_STRING'} = '?version=hi../..'; $die = $SIG{'__DIE__'}; $warn = $SIG{'__WARN__'}; httpinit; $SIG{'__DIE__'} = $die; $SIG{'__WARN__'} = $warn; $self->assert($release eq '1.0.6', "release not washed, was $release"); $self->assert($config->variable('v') eq $release, "release not washed, was $release"); } sub test_config { # Check that parameters in URL cannot alter config variables my $self = shift; $ENV{'SERVER_NAME'} = 'test'; $ENV{'SERVER_PORT'} = 80; $ENV{'SCRIPT_NAME'} = '/lxr/source'; $ENV{'PATH_INFO'} = '/a/test/path'; $ENV{'QUERY_STRING'} = 'v=../../;virtroot=testpath;dbname=notapath'; # Need to preserve signal handlers round call to httpinit as # it sets up the LXR signal handlers. my $die = $SIG{'__DIE__'}; my $warn = $SIG{'__WARN__'}; httpinit; $SIG{'__DIE__'} = $die; $SIG{'__WARN__'} = $warn; $self->assert($config->{'dbname'} ne 'notapath', 'dbname messed'); $self->assert($config->{'virtroot'} eq '/lxr', 'virtroot set'); } 1; |
