X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=tests%2Fphpunit%2Fincludes%2Fupload%2FUploadBaseTest.php;h=3541091a68c3fc39981bd6d45e7eea685f8c7196;hb=526341516a91502ac7cfd2e5590e7432b3f50c5d;hp=a42c86c3a6cdd9f4c284a2a6fd85076a8c3dcefc;hpb=8bb5a6c461c31ee5ce6874548246fc2c520686f6;p=lhc%2Fweb%2Fwiklou.git
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index a42c86c3a6..3541091a68 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -103,6 +103,8 @@ class UploadBaseTest extends MediaWikiTestCase {
}
/**
+ * @covers UploadBase::verifyUpload
+ *
* test uploading a 100 bytes file with $wgMaxUploadSize = 100
*
* This method should be abstracted so we can test different settings.
@@ -126,16 +128,17 @@ class UploadBaseTest extends MediaWikiTestCase {
}
/**
+ * @covers UploadBase::checkSvgScriptCallback
* @dataProvider provideCheckSvgScriptCallback
*/
public function testCheckSvgScriptCallback( $svg, $wellFormed, $filterMatch, $message ) {
list( $formed, $match ) = $this->upload->checkSvgString( $svg );
- $this->assertSame( $wellFormed, $formed, $message );
- $this->assertSame( $filterMatch, $match, $message );
+ $this->assertSame( $wellFormed, $formed, $message . " (well-formed)" );
+ $this->assertSame( $filterMatch, $match, $message . " (filter match)" );
}
public static function provideCheckSvgScriptCallback() {
- // @codingStandardsIgnoreStart Generic.Files.LineLength
+ // phpcs:disable Generic.Files.LineLength
return [
// html5sec SVG vectors
[
@@ -254,10 +257,16 @@ class UploadBaseTest extends MediaWikiTestCase {
],
[
' ]> ',
- true,
+ false,
true,
'SVG with embedded stylesheet (http://html5sec.org/#125)'
],
+ [
+ ' ',
+ true,
+ true,
+ 'SVG with embedded stylesheet no doctype'
+ ],
[
'',
true,
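Review bot: The expected well-formedness for 'SVG with embedded stylesheet (http://html5sec.org/#125)' flips from `true` to `false` at L37–L38 with no comment saying why a document that parsed before is now rejected; the same unexplained flip appears in the next hunk for 'SVG with encoded script tag in internal entity'. The newly added 'no doctype' control case suggests the rejection comes from the stricter DOCTYPE/entity handling wired in with this change, but that is an inference from the case names, since the SVG payloads are not readable on this page. A one-line comment on each flipped case would stop a future maintainer from "fixing" the expectation back, e.g. `// Not well-formed: the DOCTYPE/entity declarations are now rejected up front (see the no-doctype variant below)`. The data provider this array belongs to starts and ends outside this hunk.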
@@ -364,7 +373,7 @@ class UploadBaseTest extends MediaWikiTestCase {
],
[
' ]> ',
- true,
+ false,
true,
'SVG with encoded script tag in internal entity (reported by Beyond Security)'
],
@@ -374,6 +383,16 @@ class UploadBaseTest extends MediaWikiTestCase {
false,
'SVG with external entity'
],
+ [
+ // The base64 = . If for some reason
+ // entities actually do get loaded, this should trigger
+ // filterMatch to be true. So this test verifies that we
+ // are not loading external entities.
+ ' ]> ',
+ false,
+ false, /* False verifies entities aren't getting loaded */
+ 'SVG with data: uri external entity'
+ ],
[
"",
true,
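Review bot: The comment on the 'SVG with data: uri external entity' case says the `false` filterMatch verifies external entities are not loaded, but the case also expects `wellFormed` to be `false`, so the parser is rejecting the document anyway and a `false` filterMatch may just reflect the aborted parse rather than the entity being skipped. If the intent is to prove non-loading independently of the rejection, a companion case that stays well-formed while still expecting no filter hit would carry that proof; otherwise the comment overstates what the assertion shows. At minimum I would tighten it to `// wellFormed=false: the entity declaration is rejected; filterMatch=false additionally checks the payload never reached the callback`. The enclosing provider starts and ends outside this hunk.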
@@ -393,11 +412,110 @@ class UploadBaseTest extends MediaWikiTestCase {
false,
'SVG with local urls, including filter: in style'
],
+ [
+ ' ]> ',
+ false,
+ false,
+ 'SVG with evil default attribute values'
+ ],
+ [
+ '',
+ true,
+ true,
+ 'SVG with an evil external dtd'
+ ],
+ [
+ '',
+ true,
+ true,
+ 'SVG with random public doctype'
+ ],
+ [
+ '',
+ true,
+ true,
+ 'SVG with random SYSTEM doctype'
+ ],
+ [
+ '] >',
+ false,
+ false,
+ 'SVG with parameter entity'
+ ],
+ [
+ '',
+ false,
+ false,
+ 'SVG with entity referencing parameter entity'
+ ],
+ [
+ ' ] >',
+ false,
+ false,
+ 'SVG with long entity'
+ ],
+ [
+ ' ] >',
+ true,
+ false,
+ 'SVG with apostrophe quote entity'
+ ],
+ [
+ ' ] >',
+ false,
+ false,
+ 'SVG with recursive entity',
+ ],
+ [
+ ' ]> ',
+ true, /* well-formed */
+ false, /* filter-hit */
+ 'GraphViz-esque svg with #FIXED xlink ns (Should be allowed)'
+ ],
+ [
+ ' ]> ',
+ false,
+ false,
+ 'GraphViz ATLIST exception should match exactly'
+ ],
+ [
+ ' ]>',
+ true,
+ false,
+ 'DTD with comments (Should be allowed)'
+ ],
+ [
+ ' ]>',
+ false,
+ false,
+ 'DTD with invalid comment'
+ ],
+ [
+ ' ]>',
+ false,
+ false,
+ 'DTD with invalid comment 2'
+ ],
+ [
+ ' ]>',
+ true,
+ false,
+ 'DTD with aliased entities (Should be allowed)'
+ ],
+ [
+ ' ]>',
+ true,
+ false,
+ 'DTD with aliased entities apos (Should be allowed)'
+ ]
];
- // @codingStandardsIgnoreEnd
+ // phpcs:enable
}
/**
+ * @covers UploadBase::detectScriptInSvg
* @dataProvider provideDetectScriptInSvg
*/
public function testDetectScriptInSvg( $svg, $expected, $message ) {
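Review bot: The bare `// phpcs:enable` at L179 re-enables every sniff, whereas the matching `// phpcs:disable Generic.Files.LineLength` at L29 in the earlier hunk disabled only one; mirror it as `// phpcs:enable Generic.Files.LineLength` so the pair stays scoped. The last array entry at L176 has no trailing comma while 'SVG with recursive entity' at L134 does; pick one convention for the provider. The `/* well-formed */` and `/* filter-hit */` labels at L137–L138 are helpful given that every case is a bare pair of booleans, and could reasonably be applied to the other new entries too.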
@@ -438,6 +556,7 @@ class UploadBaseTest extends MediaWikiTestCase {
}
/**
+ * @covers UploadBase::checkXMLEncodingMissmatch
* @dataProvider provideCheckXMLEncodingMissmatch
*/
public function testCheckXMLEncodingMissmatch( $fileContents, $evil ) {
@@ -478,7 +597,10 @@ class UploadTestHandler extends UploadBase {
$svg,
[ $this, 'checkSvgScriptCallback' ],
false,
- [ 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' ]
+ [
+ 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback',
+ 'external_dtd_handler' => 'UploadBase::checkSvgExternalDTD'
+ ]
);
return [ $check->wellFormed, $check->filterMatch ];
}
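Review bot: `checkSvgString` in the test handler now hard-codes the `XmlTypeCheck` option set, including the new `external_dtd_handler`, so the provider cases exercise this helper's configuration rather than whatever `UploadBase::detectScriptInSvg` passes in production, which is not visible in this hunk. If the two option arrays drift, the DTD cases added in this commit would keep passing while the production path silently loses the check. I would either have the helper reuse the same option-building code as the production method or, failing that, add `// Keep in sync with the XmlTypeCheck options used by UploadBase::detectScriptInSvg` above the array. The string callable `'UploadBase::checkSvgExternalDTD'` could also be written as `[ UploadBase::class, 'checkSvgExternalDTD' ]` so the class reference is resolvable by static analysis. The method's opening lines are outside this hunk.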