Create some basic unit tests based in simpletest.org
parent
f54a3a6d41
commit
63d4b12172
@ -0,0 +1,110 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Test class to test steps/mail/func.inc functions
|
||||
*
|
||||
* @package Tests
|
||||
*/
|
||||
class rcube_test_mailfunc extends UnitTestCase
|
||||
{
|
||||
|
||||
function __construct()
|
||||
{
|
||||
$this->UnitTestCase('Mail body rendering tests');
|
||||
|
||||
// simulate environment to successfully include func.inc
|
||||
$GLOBALS['RCMAIL'] = $RCMAIL = rcmail::get_instance();
|
||||
$GLOBALS['OUTPUT'] = $OUTPUT = $RCMAIL->load_gui();
|
||||
$RCMAIL->action = 'spell';
|
||||
$IMAP = $RCMAIL->imap;
|
||||
|
||||
require_once 'steps/mail/func.inc';
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper method to create a HTML message part object
|
||||
*/
|
||||
function get_html_part($body)
|
||||
{
|
||||
$part = new rcube_message_part;
|
||||
$part->ctype_primary = 'text';
|
||||
$part->ctype_secondary = 'html';
|
||||
$part->body = file_get_contents(TESTS_DIR . $body);
|
||||
$part->replaces = array();
|
||||
return $part;
|
||||
}
|
||||
|
||||
/**
|
||||
* Test sanitization of a "normal" html message
|
||||
*/
|
||||
function test_html()
|
||||
{
|
||||
$part = $this->get_html_part('src/htmlbody.txt');
|
||||
$part->replaces = array('ex1.jpg' => 'part_1.2.jpg', 'ex2.jpg' => 'part_1.2.jpg');
|
||||
|
||||
// render HTML in normal mode
|
||||
$html = rcmail_print_body($part, array('safe' => false));
|
||||
|
||||
$this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image");
|
||||
$this->assertPattern('#background="./program/blocked.gif"#', $html, "Replace external background image");
|
||||
$this->assertNoPattern('/ex3.jpg/', $html, "No references to external images");
|
||||
$this->assertNoPattern('/<meta [^>]+>/', $html, "No meta tags allowed");
|
||||
$this->assertNoPattern('/<style [^>]+>/', $html, "No style tags allowed");
|
||||
$this->assertNoPattern('/<form [^>]+>/', $html, "No form tags allowed");
|
||||
$this->assertPattern('/Subscription form/', $html, "Include <form> contents");
|
||||
$this->assertPattern('/<!-- input not allowed -->/', $html, "No input elements allowed");
|
||||
$this->assertPattern('/<a[^>]+ target="_blank">/', $html, "Set target to _blank");
|
||||
$this->assertTrue($GLOBALS['REMOTE_OBJECTS'], "Remote object detected");
|
||||
|
||||
// render HTML in safe mode
|
||||
$html2 = rcmail_print_body($part, array('safe' => true));
|
||||
|
||||
$this->assertPattern('/<style [^>]+>/', $html2, "Allow styles in safe mode");
|
||||
$this->assertPattern('#src="http://evilsite.net/mailings/ex3.jpg"#', $html2, "Allow external images in HTML (safe mode)");
|
||||
$this->assertPattern("#url\('http://evilsite.net/newsletter/image/bg/bg-64.jpg'\)#", $html2, "Allow external images in CSS (safe mode)");
|
||||
}
|
||||
|
||||
/**
|
||||
* Test the elimination of some trivial XSS vulnerabilities
|
||||
*/
|
||||
function test_html_xss()
|
||||
{
|
||||
$part = $this->get_html_part('src/htmlxss.txt');
|
||||
$washed = rcmail_print_body($part, array('safe' => true));
|
||||
|
||||
$this->assertNoPattern('/src="skins/', $washed, "Remove local references");
|
||||
$this->assertNoPattern('/\son[a-z]+/', $wahsed, "Remove on* attributes");
|
||||
$this->assertNoPattern('/alert/', $wahsed, "Remove alerts");
|
||||
}
|
||||
|
||||
/**
|
||||
* Test HTML sanitization to fix the CSS Expression Input Validation Vulnerability
|
||||
* reported at http://www.securityfocus.com/bid/26800/
|
||||
*/
|
||||
function test_html_xss2()
|
||||
{
|
||||
$part = $this->get_html_part('src/BID-26800.txt');
|
||||
$washed = rcmail_print_body($part, array('safe' => true));
|
||||
|
||||
$this->assertNoPattern('/alert|expression|javascript|xss/', $washed, "Remove evil style blocks");
|
||||
$this->assertNoPattern('/font-style:italic/', $washed, "Allow valid styles");
|
||||
}
|
||||
|
||||
/**
|
||||
* Test links pattern replacements in plaintext messages
|
||||
*/
|
||||
function test_plaintext()
|
||||
{
|
||||
$part = new rcube_message_part;
|
||||
$part->ctype_primary = 'text';
|
||||
$part->ctype_secondary = 'plain';
|
||||
$part->body = quoted_printable_decode(file_get_contents(TESTS_DIR . 'src/plainbody.txt'));
|
||||
$html = rcmail_print_body($part, array('safe' => true));
|
||||
|
||||
$this->assertPattern('/<a href="mailto:nobody@roundcube.net" onclick="return rcmail.command\(\'compose\',\'nobody@roundcube.net\',this\)">nobody@roundcube.net<\/a>/', $html, "Mailto links with onclick");
|
||||
$this->assertPattern('#<a href="http://www.apple.com/legal/privacy/" target="_blank">http://www.apple.com/legal/privacy/</a>#', $html, "Links with target=_blank");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
?>
|
@ -0,0 +1,45 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Test class to test rcmail_mod_css_styles and XSS vulnerabilites
|
||||
*
|
||||
* @package Tests
|
||||
*/
|
||||
class rcube_test_modcss extends UnitTestCase
|
||||
{
|
||||
|
||||
function __construct()
|
||||
{
|
||||
$this->UnitTestCase('CSS modification and vulnerability tests');
|
||||
}
|
||||
|
||||
function test_modcss()
|
||||
{
|
||||
$css = file_get_contents(TESTS_DIR . 'src/valid.css');
|
||||
$mod = rcmail_mod_css_styles($css, 'rcmbody');
|
||||
|
||||
$this->assertPattern('/#rcmbody div.rcmBody\s+\{/', $mod, "Replace body style definition");
|
||||
$this->assertPattern('/#rcmbody h1\s\{/', $mod, "Prefix tag styles (single)");
|
||||
$this->assertPattern('/#rcmbody h1, #rcmbody h2, #rcmbody h3, #rcmbody textarea\s+\{/', $mod, "Prefix tag styles (multiple)");
|
||||
$this->assertPattern('/#rcmbody \.noscript\s+\{/', $mod, "Prefix class styles");
|
||||
}
|
||||
|
||||
function test_xss()
|
||||
{
|
||||
$mod = rcmail_mod_css_styles("body.main2cols { background-image: url('../images/leftcol.png'); }", 'rcmbody');
|
||||
$this->assertEqual("/* evil! */", $mod, "No url() values allowed");
|
||||
|
||||
$mod = rcmail_mod_css_styles("@import url('http://localhost/somestuff/css/master.css');", 'rcmbody');
|
||||
$this->assertEqual("/* evil! */", $mod, "No import statements");
|
||||
|
||||
$mod = rcmail_mod_css_styles("left:expression(document.body.offsetWidth-20)", 'rcmbody');
|
||||
$this->assertEqual("/* evil! */", $mod, "No expression properties");
|
||||
|
||||
$mod = rcmail_mod_css_styles("left:exp/* */ression( alert('xss3') )", 'rcmbody');
|
||||
$this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks");
|
||||
|
||||
$mod = rcmail_mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody');
|
||||
$this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks (2)");
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,53 @@
|
||||
#!/usr/bin/env php
|
||||
<?php
|
||||
|
||||
/*
|
||||
+-----------------------------------------------------------------------+
|
||||
| tests/runtests.sh |
|
||||
| |
|
||||
| This file is part of the RoundCube Webmail client |
|
||||
| Copyright (C) 2009, RoundCube Dev. - Switzerland |
|
||||
| Licensed under the GNU GPL |
|
||||
| |
|
||||
| PURPOSE: |
|
||||
| Run-script for unit tests based on http://simpletest.org |
|
||||
| All .php files in this folder will be treated as tests |
|
||||
+-----------------------------------------------------------------------+
|
||||
| Author: Thomas Bruederli <roundcube@gmail.com> |
|
||||
+-----------------------------------------------------------------------+
|
||||
|
||||
$Id: $
|
||||
|
||||
*/
|
||||
|
||||
if (php_sapi_name() != 'cli')
|
||||
die("Not in shell mode (php-cli)");
|
||||
|
||||
if (!defined('SIMPLETEST')) define('SIMPLETEST', '/www/simpletest/');
|
||||
if (!defined('INSTALL_PATH')) define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/' );
|
||||
|
||||
define('TESTS_DIR', dirname(__FILE__) . '/');
|
||||
|
||||
require_once(SIMPLETEST . 'unit_tester.php');
|
||||
require_once(SIMPLETEST . 'reporter.php');
|
||||
require_once(INSTALL_PATH . 'program/include/iniset.php');
|
||||
|
||||
if (count($_SERVER['argv']) > 1) {
|
||||
$testfiles = array();
|
||||
for ($i=1; $i < count($_SERVER['argv']); $i++)
|
||||
$testfiles[] = realpath('./' . $_SERVER['argv'][$i]);
|
||||
}
|
||||
else {
|
||||
$testfiles = glob(TESTS_DIR . '*.php');
|
||||
}
|
||||
|
||||
$test = new TestSuite('RoundCube unit tests');
|
||||
$reporter = new TextReporter();
|
||||
|
||||
foreach ($testfiles as $fn) {
|
||||
$test->addTestFile($fn);
|
||||
}
|
||||
|
||||
$test->run($reporter);
|
||||
|
||||
?>
|
@ -0,0 +1,50 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
|
||||
<title>RoundCube Test Message</title>
|
||||
<style type="text/css">
|
||||
|
||||
p, a {
|
||||
font-family: Arial, 'Bitstream Vera Sans', Helvetica;
|
||||
margin-top: 0px;
|
||||
margin-bottom: 0px;
|
||||
padding-top: 0px;
|
||||
padding-bottom: 0px;
|
||||
}
|
||||
|
||||
</style>
|
||||
</head>
|
||||
<body style="margin: 0 0 0 0;">
|
||||
|
||||
<table width="100%" cellpadding="0" cellspacing="20" style="background-image:url(http://evilsite.net/newsletter/image/bg/bg-64.jpg);background-attachment:fixed;" background="http://evilsite.net/newsletter/image/bg/bg-64.jpg" border="0">
|
||||
<tr>
|
||||
<td>
|
||||
|
||||
<h1>This is a HTML message</h1>
|
||||
|
||||
<p>See nice pictures like the following:</p>
|
||||
|
||||
<div>
|
||||
<img src="ex1.jpg" width="320" height="320" alt="Example 1">
|
||||
<img src="ex2.jpg" width="320" height="320" alt="Example 2">
|
||||
<img src="http://evilsite.net/mailings/ex3.jpg" width="320" height="320" alt="Example 3">
|
||||
</div>
|
||||
|
||||
<form action="http://evilsite.net/subscribe.php">
|
||||
<p>Subscription form</p>
|
||||
|
||||
E-Mail: <input type="text" name="mail" value=""><br/>
|
||||
<input type="submit" value="Subscribe">
|
||||
|
||||
</form>
|
||||
|
||||
<p>To unsubscribe click here <a href="http://evilsite.net/unsubscribe.php?mail=foo@bar.com"> or
|
||||
send a mail to <a href="mailto:unsubscribe@evilsite.net">unsubscribe@evilsite.net</a></p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
</body>
|
||||
</html>
|
@ -0,0 +1,22 @@
|
||||
<html>
|
||||
<body>
|
||||
|
||||
<p><img onLoad.="alert(document.cookie)" src="skins/default/images/roundcube_logo.png" /></p>
|
||||
|
||||
<p><a href="javascript:alert(document.cookie)">mail me!</a>
|
||||
<a href="http://roundcube.net" target="_self">roundcube.net</a>
|
||||
<a href="http://roundcube.net" \onmouseover="alert('XSS')">roundcube.net (2)</a>
|
||||
|
||||
</p>
|
||||
|
||||
<div>Brilliant!</div>
|
||||
|
||||
<table><tbody><tr><td background="javascript:alert('XSS')">BBBBBB</td></tr></tbody></table>
|
||||
|
||||
<p>
|
||||
Have a nice Christmas time.<br />
|
||||
Thomas
|
||||
</p>
|
||||
|
||||
</body>
|
||||
</html>
|
@ -0,0 +1,37 @@
|
||||
From: iPhone Developer Program <noreply-iphonedev@apple.com>
|
||||
To: nobody@roundcube.net
|
||||
|
||||
*iPhone Developer Program*
|
||||
|
||||
-----------------------------------
|
||||
iPhone SDK 2.2.1 is now available
|
||||
https://daw.apple.com/cgi-bin/WebObjects/DSAuthWeb.woa/wa/login?appIdKey=3D=
|
||||
D635F5C417E087A3B9864DAC5D25920C4E9442C9339FA9277951628F0291F620&path=3D//i=
|
||||
phone/login.action
|
||||
|
||||
Log in to the iPhone Dev Center to download iPhone SDK for iPhone OS 2.2.1.=
|
||||
Installation of iPhone SDK 2.2.1 is required for development with devices =
|
||||
updated to iPhone OS 2.2.1. Please view the Read Me before installing the n=
|
||||
ew version of the iPhone SDK.
|
||||
|
||||
Log in now
|
||||
https://daw.apple.com/cgi-bin/WebObjects/DSAuthWeb.woa/wa/login?appIdKey=3D=
|
||||
D635F5C417E087A3B9864DAC5D25920C4E9442C9339FA9277951628F0291F620&path=3D//i=
|
||||
phone/login.action
|
||||
|
||||
-----------------------------------
|
||||
Copyright (c) 2009 Apple Inc. 1 Infinite Loop, MS 303-3DM, Cupertino, CA 95=
|
||||
014.
|
||||
|
||||
All Rights Reserved
|
||||
http://www.apple.com/legal/default.html
|
||||
|
||||
Keep Informed
|
||||
http://www.apple.com/enews/subscribe/
|
||||
|
||||
Privacy Policy
|
||||
http://www.apple.com/legal/privacy/
|
||||
|
||||
My Info
|
||||
https://myinfo.apple.com/cgi-bin/WebObjects/MyInfo
|
||||
|
@ -0,0 +1,30 @@
|
||||
/** Master style definitions **/
|
||||
|
||||
body, p, div, h1, h2, h3, textarea {
|
||||
font-family: "Lucida Grande", Helvetica, sans-serif;
|
||||
font-size: 8.8pt;
|
||||
color: #333;
|
||||
}
|
||||
|
||||
body {
|
||||
background-color: white;
|
||||
margin: 0;
|
||||
}
|
||||
|
||||
h1 {
|
||||
color: #1F519A;
|
||||
font-size: 1.7em;
|
||||
font-weight: normal;
|
||||
margin-top: 0;
|
||||
margin-bottom: 1em;
|
||||
}
|
||||
|
||||
.noscript {
|
||||
display: none;
|
||||
}
|
||||
|
||||
.hint, .username {
|
||||
color: #999;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue