summaryrefslogtreecommitdiff
path: root/tests/mailfunc.php
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2009-03-02 14:46:12 +0000
committerthomascube <thomas@roundcube.net>2009-03-02 14:46:12 +0000
commit63d4b1217216f3d04894090026ed3f01aba9b385 (patch)
treef951e8fa1431f6dd27e255685b64628e3c49f271 /tests/mailfunc.php
parentf54a3a6d41e5700c45120091a57f2c73b804ae25 (diff)
Create some basic unit tests based in simpletest.org
Diffstat (limited to 'tests/mailfunc.php')
-rw-r--r--tests/mailfunc.php110
1 files changed, 110 insertions, 0 deletions
diff --git a/tests/mailfunc.php b/tests/mailfunc.php
new file mode 100644
index 000000000..bf9163b7d
--- /dev/null
+++ b/tests/mailfunc.php
@@ -0,0 +1,110 @@
+<?php
+
+/**
+ * Test class to test steps/mail/func.inc functions
+ *
+ * @package Tests
+ */
+class rcube_test_mailfunc extends UnitTestCase
+{
+
+ function __construct()
+ {
+ $this->UnitTestCase('Mail body rendering tests');
+
+ // simulate environment to successfully include func.inc
+ $GLOBALS['RCMAIL'] = $RCMAIL = rcmail::get_instance();
+ $GLOBALS['OUTPUT'] = $OUTPUT = $RCMAIL->load_gui();
+ $RCMAIL->action = 'spell';
+ $IMAP = $RCMAIL->imap;
+
+ require_once 'steps/mail/func.inc';
+ }
+
+ /**
+ * Helper method to create a HTML message part object
+ */
+ function get_html_part($body)
+ {
+ $part = new rcube_message_part;
+ $part->ctype_primary = 'text';
+ $part->ctype_secondary = 'html';
+ $part->body = file_get_contents(TESTS_DIR . $body);
+ $part->replaces = array();
+ return $part;
+ }
+
+ /**
+ * Test sanitization of a "normal" html message
+ */
+ function test_html()
+ {
+ $part = $this->get_html_part('src/htmlbody.txt');
+ $part->replaces = array('ex1.jpg' => 'part_1.2.jpg', 'ex2.jpg' => 'part_1.2.jpg');
+
+ // render HTML in normal mode
+ $html = rcmail_print_body($part, array('safe' => false));
+
+ $this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image");
+ $this->assertPattern('#background="./program/blocked.gif"#', $html, "Replace external background image");
+ $this->assertNoPattern('/ex3.jpg/', $html, "No references to external images");
+ $this->assertNoPattern('/<meta [^>]+>/', $html, "No meta tags allowed");
+ $this->assertNoPattern('/<style [^>]+>/', $html, "No style tags allowed");
+ $this->assertNoPattern('/<form [^>]+>/', $html, "No form tags allowed");
+ $this->assertPattern('/Subscription form/', $html, "Include <form> contents");
+ $this->assertPattern('/<!-- input not allowed -->/', $html, "No input elements allowed");
+ $this->assertPattern('/<a[^>]+ target="_blank">/', $html, "Set target to _blank");
+ $this->assertTrue($GLOBALS['REMOTE_OBJECTS'], "Remote object detected");
+
+ // render HTML in safe mode
+ $html2 = rcmail_print_body($part, array('safe' => true));
+
+ $this->assertPattern('/<style [^>]+>/', $html2, "Allow styles in safe mode");
+ $this->assertPattern('#src="http://evilsite.net/mailings/ex3.jpg"#', $html2, "Allow external images in HTML (safe mode)");
+ $this->assertPattern("#url\('http://evilsite.net/newsletter/image/bg/bg-64.jpg'\)#", $html2, "Allow external images in CSS (safe mode)");
+ }
+
+ /**
+ * Test the elimination of some trivial XSS vulnerabilities
+ */
+ function test_html_xss()
+ {
+ $part = $this->get_html_part('src/htmlxss.txt');
+ $washed = rcmail_print_body($part, array('safe' => true));
+
+ $this->assertNoPattern('/src="skins/', $washed, "Remove local references");
+ $this->assertNoPattern('/\son[a-z]+/', $wahsed, "Remove on* attributes");
+ $this->assertNoPattern('/alert/', $wahsed, "Remove alerts");
+ }
+
+ /**
+ * Test HTML sanitization to fix the CSS Expression Input Validation Vulnerability
+ * reported at http://www.securityfocus.com/bid/26800/
+ */
+ function test_html_xss2()
+ {
+ $part = $this->get_html_part('src/BID-26800.txt');
+ $washed = rcmail_print_body($part, array('safe' => true));
+
+ $this->assertNoPattern('/alert|expression|javascript|xss/', $washed, "Remove evil style blocks");
+ $this->assertNoPattern('/font-style:italic/', $washed, "Allow valid styles");
+ }
+
+ /**
+ * Test links pattern replacements in plaintext messages
+ */
+ function test_plaintext()
+ {
+ $part = new rcube_message_part;
+ $part->ctype_primary = 'text';
+ $part->ctype_secondary = 'plain';
+ $part->body = quoted_printable_decode(file_get_contents(TESTS_DIR . 'src/plainbody.txt'));
+ $html = rcmail_print_body($part, array('safe' => true));
+
+ $this->assertPattern('/<a href="mailto:nobody@roundcube.net" onclick="return rcmail.command\(\'compose\',\'nobody@roundcube.net\',this\)">nobody@roundcube.net<\/a>/', $html, "Mailto links with onclick");
+ $this->assertPattern('#<a href="http://www.apple.com/legal/privacy/" target="_blank">http://www.apple.com/legal/privacy/</a>#', $html, "Links with target=_blank");
+ }
+
+}
+
+?> \ No newline at end of file