X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=tests%2Fphpunit%2Fincludes%2Fupload%2FUploadBaseTest.php;h=bc7493d5a9740a6a0afbc4c1765755ccf72df15a;hp=6be272fb617d2bf29f95b88d8160e8f3077c7797;hb=0c77841534d9139b0042696fe015a15d3e349ef5;hpb=37751ee23e7b7019307eafe36f18c8450bf2e420 diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php index 6be272fb61..bc7493d5a9 100644 --- a/tests/phpunit/includes/upload/UploadBaseTest.php +++ b/tests/phpunit/includes/upload/UploadBaseTest.php @@ -103,6 +103,8 @@ class UploadBaseTest extends MediaWikiTestCase { } /** + * @covers UploadBase::verifyUpload + * * test uploading a 100 bytes file with $wgMaxUploadSize = 100 * * This method should be abstracted so we can test different settings. @@ -126,12 +128,13 @@ class UploadBaseTest extends MediaWikiTestCase { } /** + * @covers UploadBase::checkSvgScriptCallback * @dataProvider provideCheckSvgScriptCallback */ public function testCheckSvgScriptCallback( $svg, $wellFormed, $filterMatch, $message ) { list( $formed, $match ) = $this->upload->checkSvgString( $svg ); - $this->assertSame( $wellFormed, $formed, $message ); - $this->assertSame( $filterMatch, $match, $message ); + $this->assertSame( $wellFormed, $formed, $message . " (well-formed)" ); + $this->assertSame( $filterMatch, $match, $message . " (filter match)" ); } public static function provideCheckSvgScriptCallback() { @@ -254,10 +257,16 @@ class UploadBaseTest extends MediaWikiTestCase { ], [ ' ]> ', - true, + false, true, 'SVG with embedded stylesheet (http://html5sec.org/#125)' ], + [ + ' ', + true, + true, + 'SVG with embedded stylesheet no doctype' + ], [ ' alert(1) ', true, 
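Review bot: The flipped expectation in the 'SVG with embedded stylesheet (http://html5sec.org/#125)' row (`- true` → `+ false`) carries no explanation of why the document is now reported as not well-formed, and the new 'no doctype' row directly below it expects true/true, so a reader has to infer that the DOCTYPE is what trips the new DTD handling. A one-line row comment would make that intent durable, e.g. `// Presumably not well-formed because the DOCTYPE/internal subset is rejected by the DTD checks; the doctype-less variant below is the positive control`. The same applies to the 'SVG with encoded script tag in internal entity (reported by Beyond Security)' row in the @@ -364 hunk, which also flips wellFormed to false without a note. The provideCheckSvgScriptCallback() array these rows belong to starts and ends outside the hunk.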
@@ -297,31 +306,31 @@ class UploadBaseTest extends MediaWikiTestCase { ' ', true, true, - 'SVG with non-local image href (bug 65839)' + 'SVG with non-local image href (T67839)' ], [ ' 50 100 ', true, true, - 'SVG with remote stylesheet (bug 57550)' + 'SVG with remote stylesheet (T59550)' ], [ ' B ', true, true, - 'SVG with rembeded iframe (bug 60771)' + 'SVG with rembeded iframe (T62771)' ], [ ' WebPlatform.org ', true, true, - 'SVG with @import in style element (bug 69008)' + 'SVG with @import in style element (T71008)' ], [ ' WebPlatform.org ', true, true, - 'SVG with @import in style element and child element (bug 69008#c11)' + 'SVG with @import in style element and child element (T71008#c11)' ], [ ' WebPlatform.org ', @@ -333,19 +342,19 @@ class UploadBaseTest extends MediaWikiTestCase { ' ', true, true, - 'SVG with remote background image (bug 69008)' + 'SVG with remote background image (T71008)' ], [ ' ', true, true, - 'SVG with remote background image, encoded (bug 69008)' + 'SVG with remote background image, encoded (T71008)' ], [ ' ', true, true, - 'SVG with remote background image, in style element (bug 69008)' + 'SVG with remote background image, in style element (T71008)' ], [ // This currently doesn't seem to work in any browsers, but in case @@ -353,7 +362,7 @@ class UploadBaseTest extends MediaWikiTestCase { ' ', true, true, - 'SVG with remote background image using image() (bug 69008)' + 'SVG with remote background image using image() (T71008)' ], [ // As reported by Cure53 @@ -364,7 +373,7 @@ class UploadBaseTest extends MediaWikiTestCase { ], [ ' ]> &lol2; ', - true, + false, true, 'SVG with encoded script tag in internal entity (reported by Beyond Security)' ], 
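Review bot: The `'SVG with rembeded iframe (T62771)'` message is rewritten by this hunk for the bug-number migration but keeps the pre-existing typo; since the line is touched anyway, `'SVG with embedded iframe (T62771)'` would fix it at no cost. The other bug → T-id renames in this hunk and in the @@ -333 and @@ -353 hunks look consistent with each other. The enclosing data-provider array starts and ends outside the hunk.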
@@ -374,6 +383,16 @@ class UploadBaseTest extends MediaWikiTestCase { false, 'SVG with external entity' ], + [ + // The base64 = . If for some reason + // entities actually do get loaded, this should trigger + // filterMatch to be true. So this test verifies that we + // are not loading external entities. + ' ]> &foo; ', + false, + false, /* False verifies entities aren't getting loaded */ + 'SVG with data: uri external entity' + ], [ " ", true, 
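Review bot: The comment on the new 'SVG with data: uri external entity' row says the second `false` verifies that entities aren't loaded, but the row also expects wellFormed to be `false`, so if the document is rejected at entity-declaration time the filter callback may never see any expanded content and that assertion would pass vacuously. If the layering is intentional it is worth stating, e.g. `/* wellFormed false: the declaration itself is rejected; filterMatch false additionally shows nothing was expanded */`; otherwise a variant that is accepted as well-formed would test entity loading more directly. The provider array starts and ends outside the hunk.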
@@ -393,11 +412,110 @@ class UploadBaseTest extends MediaWikiTestCase { false, 'SVG with local urls, including filter: in style' ], + [ + ' ]> ', + false, + false, + 'SVG with evil default attribute values' + ], + [ + ' ', + true, + true, + 'SVG with an evil external dtd' + ], + [ + '', + true, + true, + 'SVG with random public doctype' + ], + [ + '', + true, + true, + 'SVG with random SYSTEM doctype' + ], + [ + '] >', + false, + false, + 'SVG with parameter entity' + ], + [ + '', + false, + false, + 'SVG with entity referencing parameter entity' + ], + [ + ' ] >', + false, + false, + 'SVG with long entity' + ], + [ + ' ] >&foo;', + true, + false, + 'SVG with apostrophe quote entity' + ], + [ + ' ] >&foo;', + false, + false, + 'SVG with recursive entity', + ], + [ + ' ]> ', + true, /* well-formed */ + false, /* filter-hit */ + 'GraphViz-esque svg with #FIXED xlink ns (Should be allowed)' + ], + [ + ' ]> ', + false, + false, + 'GraphViz ATLIST exception should match exactly' + ], + [ + ' ]>', + true, + false, + 'DTD with comments (Should be allowed)' + ], + [ + ' ]>', + false, + false, + 'DTD with invalid comment' + ], + [ + ' ]>', + false, + false, + 'DTD with invalid comment 2' + ], + [ + ' ]>', + true, + false, + 'DTD with aliased entities (Should be allowed)' + ], + [ + ' ]>', + true, + false, + 'DTD with aliased entities apos (Should be allowed)' + ] ]; // @codingStandardsIgnoreEnd } /** + * @covers UploadBase::detectScriptInSvg * @dataProvider provideDetectScriptInSvg */ public function testDetectScriptInSvg( $svg, $expected, $message ) { @@ -438,6 +556,7 @@ class UploadBaseTest extends MediaWikiTestCase { } /** + * @covers UploadBase::checkXMLEncodingMissmatch * @dataProvider provideCheckXMLEncodingMissmatch */ public function testCheckXMLEncodingMissmatch( $fileContents, $evil ) { 
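Review bot: The message `'GraphViz ATLIST exception should match exactly'` misspells the XML keyword and should read `'GraphViz ATTLIST exception should match exactly'`; the 'GraphViz-esque' row above it is also the only new row annotated with `/* well-formed */` / `/* filter-hit */`, and those hints would help more on rows whose expectation is less obvious, such as 'SVG with apostrophe quote entity' (true/false). Trailing commas are inconsistent across the new rows too: 'SVG with recursive entity' has one after the message and the final `]` element has none, while every other row omits it; picking one form keeps the next appended row from producing a noisy diff. The provider array and the @codingStandardsIgnore region start outside the hunk.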
@@ -478,7 +597,10 @@ class UploadTestHandler extends UploadBase {
 $svg,
 [ $this, 'checkSvgScriptCallback' ],
 false,
- [ 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' ]
+ [
+ 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback',
+ 'external_dtd_handler' => 'UploadBase::checkSvgExternalDTD'
+ ]
 );
 return [ $check->wellFormed, $check->filterMatch ];
 }
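Review bot: The new `'external_dtd_handler' => 'UploadBase::checkSvgExternalDTD'` entry uses a string callable while the callback on the line above is passed as `[ $this, 'checkSvgScriptCallback' ]`; the array form `[ 'UploadBase', 'checkSvgExternalDTD' ]` is resolvable by static analysis and IDEs and keeps the handler styles consistent within one call (the same applies to the existing processing_instruction_handler entry). Since this test handler appears to mirror the checker options UploadBase itself uses, a comment such as `// Keep in sync with the XML checker options UploadBase passes for real uploads` would make clear that a divergence here silently tests a different configuration than production. The enclosing method starts outside the hunk.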