diff options
author | Luke Shumaker <lukeshu@sbcglobal.net> | 2016-08-02 16:31:15 -0400 |
---|---|---|
committer | Luke Shumaker <lukeshu@sbcglobal.net> | 2016-08-02 16:31:15 -0400 |
commit | 7099c40bcc035e3b96ddd3e976d1cdbcfbf09398 (patch) | |
tree | 2fbc86f9c4cba01c0a266b7fefdd38b1ec3b5c01 /tests/phpunit | |
parent | a5f917bbc55e295896b8084f6657eb8b6abaf8a8 (diff) | |
parent | b5e7f46db0fcb6f251206eaf36339ad3ad589f8b (diff) |
Merge branch 'archwiki' into lukeshu/masterHEADproductionmaster
Diffstat (limited to 'tests/phpunit')
-rw-r--r-- | tests/phpunit/includes/api/ApiMainTest.php | 27 | ||||
-rw-r--r-- | tests/phpunit/includes/api/format/ApiFormatJsonTest.php | 4 | ||||
-rw-r--r-- | tests/phpunit/includes/upload/UploadBaseTest.php | 6 |
3 files changed, 35 insertions, 2 deletions
diff --git a/tests/phpunit/includes/api/ApiMainTest.php b/tests/phpunit/includes/api/ApiMainTest.php index 94b741dc..a2bc7aed 100644 --- a/tests/phpunit/includes/api/ApiMainTest.php +++ b/tests/phpunit/includes/api/ApiMainTest.php @@ -248,4 +248,31 @@ class ApiMainTest extends ApiTestCase { ); } + /** + * @covers ApiMain::lacksSameOriginSecurity + */ + public function testLacksSameOriginSecurity() { + // Basic test + $main = new ApiMain( new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) ) ); + $this->assertFalse( $main->lacksSameOriginSecurity(), 'Basic test, should have security' ); + + // JSONp + $main = new ApiMain( + new FauxRequest( array( 'action' => 'query', 'format' => 'xml', 'callback' => 'foo' ) ) + ); + $this->assertTrue( $main->lacksSameOriginSecurity(), 'JSONp, should lack security' ); + + // Header + $request = new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) ); + $request->setHeader( 'TrEaT-As-UnTrUsTeD', '' ); // With falsey value! + $main = new ApiMain( $request ); + $this->assertTrue( $main->lacksSameOriginSecurity(), 'Header supplied, should lack security' ); + + // Hook + $this->mergeMwGlobalArrayValue( 'wgHooks', array( + 'RequestHasSameOriginSecurity' => array( function () { return false; } ) + ) ); + $main = new ApiMain( new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) ) ); + $this->assertTrue( $main->lacksSameOriginSecurity(), 'Hook, should lack security' ); + } } diff --git a/tests/phpunit/includes/api/format/ApiFormatJsonTest.php b/tests/phpunit/includes/api/format/ApiFormatJsonTest.php index 3dfcaf0f..8d599b08 100644 --- a/tests/phpunit/includes/api/format/ApiFormatJsonTest.php +++ b/tests/phpunit/includes/api/format/ApiFormatJsonTest.php @@ -61,7 +61,7 @@ class ApiFormatJsonTest extends ApiFormatTestBase { array( array( 1 ), '/**/myCallback([1])', array( 'callback' => 'myCallback' ) ), // Cross-domain mangling - array( array( '< Cross-Domain-Policy >' ), '["\u003C Cross-Domain-Policy \u003E"]' ), + array( array( '< Cross-Domain-Policy >' ), '["\u003C Cross-Domain-Policy >"]' ), ) ), self::addFormatVersion( 2, array( // Basic types @@ -102,7 +102,7 @@ class ApiFormatJsonTest extends ApiFormatTestBase { array( array( 1 ), '/**/myCallback([1])', array( 'callback' => 'myCallback' ) ), // Cross-domain mangling - array( array( '< Cross-Domain-Policy >' ), '["\u003C Cross-Domain-Policy \u003E"]' ), + array( array( '< Cross-Domain-Policy >' ), '["\u003C Cross-Domain-Policy >"]' ), ) ) ); } diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php index 9441b77f..a3f8ae48 100644 --- a/tests/phpunit/includes/upload/UploadBaseTest.php +++ b/tests/phpunit/includes/upload/UploadBaseTest.php @@ -374,6 +374,12 @@ class UploadBaseTest extends MediaWikiTestCase { false, 'SVG with external entity' ), + array( + "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"> <g> <a xlink:href=\"javascript:alert('1 https://google.com')\"> <rect width=\"300\" height=\"100\" style=\"fill:rgb(0,0,255);stroke-width:1;stroke:rgb(0,0,2)\" /> </a> </g> </svg>", + true, + true, + 'SVG with javascript <a> link with newline (T122653)' + ), // Test good, but strange files that we want to allow array( |