X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=tests%2Fphpunit%2Fincludes%2Fupload%2FUploadBaseTest.php;h=dd68cdcab796bdc221e675ceb1c338244d93b1f5;hp=a42c86c3a6cdd9f4c284a2a6fd85076a8c3dcefc;hb=424251a2cb5842727756d96f877c787c443ea056;hpb=0c01f3a44ee13b9896d96164471538b4f1560b97
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index a42c86c3a6..dd68cdcab7 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -130,8 +130,8 @@ class UploadBaseTest extends MediaWikiTestCase {
*/
public function testCheckSvgScriptCallback( $svg, $wellFormed, $filterMatch, $message ) {
list( $formed, $match ) = $this->upload->checkSvgString( $svg );
- $this->assertSame( $wellFormed, $formed, $message );
- $this->assertSame( $filterMatch, $match, $message );
+ $this->assertSame( $wellFormed, $formed, $message . " (well-formed)" );
+ $this->assertSame( $filterMatch, $match, $message . " (filter match)" );
}
public static function provideCheckSvgScriptCallback() {
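Review bot: The two suffixes appended to `$message` at the `assertSame` calls are plain strings with no interpolation or escapes, so by the project's usual PHP conventions they should be single-quoted: `$this->assertSame( $wellFormed, $formed, $message . ' (well-formed)' );` and `$this->assertSame( $filterMatch, $match, $message . ' (filter match)' );`. The `list( $formed, $match )` destructuring on the preceding line is also a candidate for the short form `[ $formed, $match ] = ...` if the codebase's minimum PHP version allows it; that is a style choice, not a defect. The data provider that starts on the last context line continues outside this hunk.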
@@ -254,10 +254,16 @@ class UploadBaseTest extends MediaWikiTestCase {
],
[
' ]> ',
- true,
+ false,
true,
'SVG with embedded stylesheet (http://html5sec.org/#125)'
],
+ [
+ ' ',
+ true,
+ true,
+ 'SVG with embedded stylesheet no doctype'
+ ],
[
'',
true,
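Review bot: The expected `wellFormed` value for the 'SVG with embedded stylesheet (http://html5sec.org/#125)' case flips from `true` to `false`, and the same flip happens in the next hunk for 'SVG with encoded script tag in internal entity (reported by Beyond Security)', but neither message records why a previously accepted document is now rejected. Since the new sibling case 'SVG with embedded stylesheet no doctype' keeps `true`, the difference is presumably the DOCTYPE being rejected by the new DTD handling; a comment on each flipped `false` such as `false, // rejected: DOCTYPE no longer accepted` would let a future reader tell an intentional rejection from a parser regression. The provider array is cut at both edges of this hunk.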
@@ -364,7 +370,7 @@ class UploadBaseTest extends MediaWikiTestCase {
],
[
' ]> ',
- true,
+ false,
true,
'SVG with encoded script tag in internal entity (reported by Beyond Security)'
],
@@ -374,6 +380,16 @@ class UploadBaseTest extends MediaWikiTestCase {
false,
'SVG with external entity'
],
+ [
+ // The base64 = . If for some reason
+ // entities actually do get loaded, this should trigger
+ // filterMatch to be true. So this test verifies that we
+ // are not loading external entities.
+ ' ]> ',
+ false,
+ false, /* False verifies entities aren't getting loaded */
+ 'SVG with data: uri external entity'
+ ],
[
"",
true,
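Review bot: The explanatory comment above the 'SVG with data: uri external entity' case reads "The base64 = ." with nothing after the equals sign, so as shown here it does not say what the encoded entity expands to; this may be an artifact of how the page was rendered, but if the source really is truncated, state in prose what the payload would produce if loaded (for example, "the base64 decodes to markup that the script filter would match"). The trailing `/* False verifies entities aren't getting loaded */` on the `filterMatch` line is the useful part of this case and worth keeping as is. The provider array continues outside this hunk on both sides.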
@@ -393,6 +409,104 @@ class UploadBaseTest extends MediaWikiTestCase {
false,
'SVG with local urls, including filter: in style'
],
+ [
+ ' ]> ',
+ false,
+ false,
+ 'SVG with evil default attribute values'
+ ],
+ [
+ '',
+ true,
+ true,
+ 'SVG with an evil external dtd'
+ ],
+ [
+ '',
+ true,
+ true,
+ 'SVG with random public doctype'
+ ],
+ [
+ '',
+ true,
+ true,
+ 'SVG with random SYSTEM doctype'
+ ],
+ [
+ '] >',
+ false,
+ false,
+ 'SVG with parameter entity'
+ ],
+ [
+ '',
+ false,
+ false,
+ 'SVG with entity referencing parameter entity'
+ ],
+ [
+ ' ] >',
+ false,
+ false,
+ 'SVG with long entity'
+ ],
+ [
+ ' ] >',
+ true,
+ false,
+ 'SVG with apostrophe quote entity'
+ ],
+ [
+ ' ] >',
+ false,
+ false,
+ 'SVG with recursive entity',
+ ],
+ [
+ ' ]> ',
+ true, /* well-formed */
+ false, /* filter-hit */
+ 'GraphViz-esque svg with #FIXED xlink ns (Should be allowed)'
+ ],
+ [
+ ' ]> ',
+ false,
+ false,
+ 'GraphViz ATLIST exception should match exactly'
+ ],
+ [
+ ' ]>',
+ true,
+ false,
+ 'DTD with comments (Should be allowed)'
+ ],
+ [
+ ' ]>',
+ false,
+ false,
+ 'DTD with invalid comment'
+ ],
+ [
+ ' ]>',
+ false,
+ false,
+ 'DTD with invalid comment 2'
+ ],
+ [
+ ' ]>',
+ true,
+ false,
+ 'DTD with aliased entities (Should be allowed)'
+ ],
+ [
+ ' ]>',
+ true,
+ false,
+ 'DTD with aliased entities apos (Should be allowed)'
+ ]
];
// @codingStandardsIgnoreEnd
}
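Review bot: The new provider entries assert only the `(wellFormed, filterMatch)` pair, so a case expected as `false, false` (for example 'SVG with evil default attribute values', 'SVG with parameter entity', 'DTD with invalid comment') passes whether the document was rejected by the new DTD/entity checks or simply because the XML failed to parse for some other reason; a short comment on each such entry naming the intended rejection reason would make a silent regression in the DTD handler easier to spot. Style-wise the entries are inconsistent about trailing commas: 'SVG with recursive entity' ends with `'SVG with recursive entity',` while the final 'DTD with aliased entities apos (Should be allowed)' entry closes with `]` and no comma, and the `/* well-formed */` / `/* filter-hit */` column labels appear on only one case ('GraphViz-esque svg with #FIXED xlink ns') rather than at the top of the provider where they would document every row. The `@codingStandardsIgnoreEnd` marker suggests the long lines are exempted deliberately, so no reflow is needed.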
@@ -478,7 +592,10 @@ class UploadTestHandler extends UploadBase {
$svg,
[ $this, 'checkSvgScriptCallback' ],
false,
- [ 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' ]
+ [
+ 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback',
+ 'external_dtd_handler' => 'UploadBase::checkSvgExternalDTD'
+ ]
);
return [ $check->wellFormed, $check->filterMatch ];
}
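Review bot: The newly added `'external_dtd_handler' => 'UploadBase::checkSvgExternalDTD'` entry is a string callable, while the script callback three lines above it is passed as the array form `[ $this, 'checkSvgScriptCallback' ]`; for consistency and so static analysis can resolve the target, prefer `'external_dtd_handler' => [ UploadBase::class, 'checkSvgExternalDTD' ],` (and the same for the existing `'processing_instruction_handler'` entry). Because this test handler hands the parser its own option set, it presumably has to stay in step with the options `UploadBase` itself passes in production for the DTD tests in this commit to mean anything; a comment such as `// keep in sync with the handler options used by UploadBase::checkSvgString` on the options array would record that dependency. The enclosing `checkSvgString` method begins before this hunk.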