summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2009-07-27 15:04:35 +0000
committerthomascube <thomas@roundcube.net>2009-07-27 15:04:35 +0000
commitb5f3abeea96db8b98df9bbf4c3da7873b8a84e44 (patch)
tree5bf42d75fb4cb88bf703d0a2a8ac3321d290f7ff /tests
parent28f15eb597304d1761adeef4e22c202de42ef22d (diff)
Tagging files for 0.3-rc1v0.3-rc1
Diffstat (limited to 'tests')
-rw-r--r--tests/mailfunc.php119
-rw-r--r--tests/modcss.php45
-rwxr-xr-xtests/runtests.sh53
-rw-r--r--tests/src/BID-26800.txt52
-rw-r--r--tests/src/htmlbody.txt51
-rw-r--r--tests/src/htmlxss.txt22
-rw-r--r--tests/src/plainbody.txt37
-rw-r--r--tests/src/valid.css30
8 files changed, 0 insertions, 409 deletions
diff --git a/tests/mailfunc.php b/tests/mailfunc.php
deleted file mode 100644
index ae35c5d77..000000000
--- a/tests/mailfunc.php
+++ /dev/null
@@ -1,119 +0,0 @@
-<?php
-
-/**
- * Test class to test steps/mail/func.inc functions
- *
- * @package Tests
- */
-class rcube_test_mailfunc extends UnitTestCase
-{
-
- function __construct()
- {
- $this->UnitTestCase('Mail body rendering tests');
-
- // simulate environment to successfully include func.inc
- $GLOBALS['RCMAIL'] = $RCMAIL = rcmail::get_instance();
- $GLOBALS['OUTPUT'] = $OUTPUT = $RCMAIL->load_gui();
- $RCMAIL->action = 'spell';
- $IMAP = $RCMAIL->imap;
-
- require_once 'steps/mail/func.inc';
-
- $GLOBALS['EMAIL_ADDRESS_PATTERN'] = $EMAIL_ADDRESS_PATTERN;
- }
-
- /**
- * Helper method to create a HTML message part object
- */
- function get_html_part($body)
- {
- $part = new rcube_message_part;
- $part->ctype_primary = 'text';
- $part->ctype_secondary = 'html';
- $part->body = file_get_contents(TESTS_DIR . $body);
- $part->replaces = array();
- return $part;
- }
-
- /**
- * Test sanitization of a "normal" html message
- */
- function test_html()
- {
- $part = $this->get_html_part('src/htmlbody.txt');
- $part->replaces = array('ex1.jpg' => 'part_1.2.jpg', 'ex2.jpg' => 'part_1.2.jpg');
-
- // render HTML in normal mode
- $html = rcmail_html4inline(rcmail_print_body($part, array('safe' => false)), 'foo');
-
- $this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image");
- $this->assertPattern('#background="./program/blocked.gif"#', $html, "Replace external background image");
- $this->assertNoPattern('/ex3.jpg/', $html, "No references to external images");
- $this->assertNoPattern('/<meta [^>]+>/', $html, "No meta tags allowed");
- $this->assertNoPattern('/<style [^>]+>/', $html, "No style tags allowed");
- $this->assertNoPattern('/<form [^>]+>/', $html, "No form tags allowed");
- $this->assertPattern('/Subscription form/', $html, "Include <form> contents");
- $this->assertPattern('/<!-- input not allowed -->/', $html, "No input elements allowed");
- $this->assertPattern('/<!-- link not allowed -->/', $html, "No external links allowed");
- $this->assertPattern('/<a[^>]+ target="_blank">/', $html, "Set target to _blank");
- $this->assertTrue($GLOBALS['REMOTE_OBJECTS'], "Remote object detected");
-
- // render HTML in safe mode
- $html2 = rcmail_html4inline(rcmail_print_body($part, array('safe' => true)), 'foo');
-
- $this->assertPattern('/<style [^>]+>/', $html2, "Allow styles in safe mode");
- $this->assertPattern('#src="http://evilsite.net/mailings/ex3.jpg"#', $html2, "Allow external images in HTML (safe mode)");
- $this->assertPattern("#url\('http://evilsite.net/newsletter/image/bg/bg-64.jpg'\)#", $html2, "Allow external images in CSS (safe mode)");
-
- $css = '<link rel="stylesheet" type="text/css" href="./bin/modcss.php?u='.urlencode('http://anysite.net/styles/mail.css').'&amp;c=foo"';
- $this->assertPattern('#'.preg_quote($css).'#', $html2, "Filter external styleseehts with bin/modcss.php");
- }
-
- /**
- * Test the elimination of some trivial XSS vulnerabilities
- */
- function test_html_xss()
- {
- $part = $this->get_html_part('src/htmlxss.txt');
- $washed = rcmail_print_body($part, array('safe' => true));
-
- $this->assertNoPattern('/src="skins/', $washed, "Remove local references");
- $this->assertNoPattern('/\son[a-z]+/', $washed, "Remove on* attributes");
-
- $html = rcmail_html4inline($washed, 'foo');
- $this->assertNoPattern('/onclick="return rcmail.command(\'compose\',\'xss@somehost.net\',this)"/', $html, "Clean mailto links");
- $this->assertNoPattern('/alert/', $html, "Remove alerts");
- }
-
- /**
- * Test HTML sanitization to fix the CSS Expression Input Validation Vulnerability
- * reported at http://www.securityfocus.com/bid/26800/
- */
- function test_html_xss2()
- {
- $part = $this->get_html_part('src/BID-26800.txt');
- $washed = rcmail_print_body($part, array('safe' => true));
-
- $this->assertNoPattern('/alert|expression|javascript|xss/', $washed, "Remove evil style blocks");
- $this->assertNoPattern('/font-style:italic/', $washed, "Allow valid styles");
- }
-
- /**
- * Test links pattern replacements in plaintext messages
- */
- function test_plaintext()
- {
- $part = new rcube_message_part;
- $part->ctype_primary = 'text';
- $part->ctype_secondary = 'plain';
- $part->body = quoted_printable_decode(file_get_contents(TESTS_DIR . 'src/plainbody.txt'));
- $html = rcmail_print_body($part, array('safe' => true));
-
- $this->assertPattern('/<a href="mailto:nobody@roundcube.net" onclick="return rcmail.command\(\'compose\',\'nobody@roundcube.net\',this\)">nobody@roundcube.net<\/a>/', $html, "Mailto links with onclick");
- $this->assertPattern('#<a href="http://www.apple.com/legal/privacy/" target="_blank">http://www.apple.com/legal/privacy/</a>#', $html, "Links with target=_blank");
- }
-
-}
-
-?> \ No newline at end of file
diff --git a/tests/modcss.php b/tests/modcss.php
deleted file mode 100644
index f9271ff65..000000000
--- a/tests/modcss.php
+++ /dev/null
@@ -1,45 +0,0 @@
-<?php
-
-/**
- * Test class to test rcmail_mod_css_styles and XSS vulnerabilites
- *
- * @package Tests
- */
-class rcube_test_modcss extends UnitTestCase
-{
-
- function __construct()
- {
- $this->UnitTestCase('CSS modification and vulnerability tests');
- }
-
- function test_modcss()
- {
- $css = file_get_contents(TESTS_DIR . 'src/valid.css');
- $mod = rcmail_mod_css_styles($css, 'rcmbody');
-
- $this->assertPattern('/#rcmbody div.rcmBody\s+\{/', $mod, "Replace body style definition");
- $this->assertPattern('/#rcmbody h1\s\{/', $mod, "Prefix tag styles (single)");
- $this->assertPattern('/#rcmbody h1, #rcmbody h2, #rcmbody h3, #rcmbody textarea\s+\{/', $mod, "Prefix tag styles (multiple)");
- $this->assertPattern('/#rcmbody \.noscript\s+\{/', $mod, "Prefix class styles");
- }
-
- function test_xss()
- {
- $mod = rcmail_mod_css_styles("body.main2cols { background-image: url('../images/leftcol.png'); }", 'rcmbody');
- $this->assertEqual("/* evil! */", $mod, "No url() values allowed");
-
- $mod = rcmail_mod_css_styles("@import url('http://localhost/somestuff/css/master.css');", 'rcmbody');
- $this->assertEqual("/* evil! */", $mod, "No import statements");
-
- $mod = rcmail_mod_css_styles("left:expression(document.body.offsetWidth-20)", 'rcmbody');
- $this->assertEqual("/* evil! */", $mod, "No expression properties");
-
- $mod = rcmail_mod_css_styles("left:exp/* */ression( alert(&#039;xss3&#039;) )", 'rcmbody');
- $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks");
-
- $mod = rcmail_mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');
- $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks (2)");
- }
-
-} \ No newline at end of file
diff --git a/tests/runtests.sh b/tests/runtests.sh
deleted file mode 100755
index 04a9a3745..000000000
--- a/tests/runtests.sh
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env php
-<?php
-
-/*
- +-----------------------------------------------------------------------+
- | tests/runtests.sh |
- | |
- | This file is part of the RoundCube Webmail client |
- | Copyright (C) 2009, RoundCube Dev. - Switzerland |
- | Licensed under the GNU GPL |
- | |
- | PURPOSE: |
- | Run-script for unit tests based on http://simpletest.org |
- | All .php files in this folder will be treated as tests |
- +-----------------------------------------------------------------------+
- | Author: Thomas Bruederli <roundcube@gmail.com> |
- +-----------------------------------------------------------------------+
-
- $Id: $
-
-*/
-
-if (php_sapi_name() != 'cli')
- die("Not in shell mode (php-cli)");
-
-if (!defined('SIMPLETEST')) define('SIMPLETEST', '/www/simpletest/');
-if (!defined('INSTALL_PATH')) define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/' );
-
-define('TESTS_DIR', dirname(__FILE__) . '/');
-
-require_once(SIMPLETEST . 'unit_tester.php');
-require_once(SIMPLETEST . 'reporter.php');
-require_once(INSTALL_PATH . 'program/include/iniset.php');
-
-if (count($_SERVER['argv']) > 1) {
- $testfiles = array();
- for ($i=1; $i < count($_SERVER['argv']); $i++)
- $testfiles[] = realpath('./' . $_SERVER['argv'][$i]);
-}
-else {
- $testfiles = glob(TESTS_DIR . '*.php');
-}
-
-$test = new TestSuite('RoundCube unit tests');
-$reporter = new TextReporter();
-
-foreach ($testfiles as $fn) {
- $test->addTestFile($fn);
-}
-
-$test->run($reporter);
-
-?> \ No newline at end of file
diff --git a/tests/src/BID-26800.txt b/tests/src/BID-26800.txt
deleted file mode 100644
index 513516c09..000000000
--- a/tests/src/BID-26800.txt
+++ /dev/null
@@ -1,52 +0,0 @@
-<html>
-<head>
-</head>
-<body>
-<h1>1 test</h1>
-<p>&lt;style&gt; block</p>
-<style>input { left:expression( alert(&#039;expression!&#039;) ) }</style>
-<style>div { background:url(alert(&#039;URL!&#039;) ) }</style>
-
-<h1>2 test</h1>
-<p>&lt;div&gt; block</p>
-<div style="font-style:italic">valid css</div>
-<div style="{ left:expression( alert(&#039;expression!&#039;) ) }">
-<div style="{ background:url( alert(&#039;URL!&#039;) ) }">
-
-<h1>3 test</h1>
-<p>Inject comment text</p>
-<div style="{ left:exp/* */ression( alert(&#039;xss3&#039;) ) }">
-<div style="{ background:u/* */rl( alert(&#039;xssurl3&#039;) ) }">
-
-<h1>4 test</h1>
-<p>Using reverse solid to directe the codepoint</p>
-<div style="{ left:\0065\0078pression( alert(&#039;xss4&#039;) ) }">
-<div style="{ background:\0075rl( alert(&#039;xssurl4&#039;) ) }">
-
-<h1>5 test</h1>
-<p>Character entity references</p>
-<p>Character entity references is acceptable in "inline styles"</p>
-<div style="{ left:&#x0065;xpression( alert(&#039;xss&#039;) ) }">
-<div style="{ left:&#101;xpression( alert(&#039;xss&#039;) ) }">
-<div style="{ background:&#x0075;rl( alert(&#039;URL!&#039;) ) }">
-<div style="{ background:&#117;rl( alert(&#039;URL!&#039;) ) }">
-<div style="{ left:&#x0065xpression( alert(&#039;xss&#039;) ) }">
-
-<div style="{ left:..p.....o.( alert(&#039;xss&#039;) ) }">
-<div style="{ left:..&#x2f;**/pression( alert(&#039;xss&#039;) ) }">
-<div style="{ left:exp&#x0280;essio&#x0274;( alert(&#039;xss&#039;) ) }">
-<div style="{ left:&#x5c;0065&#x5c;0078pression( alert(&#039;xss&#039;) ) }">
-<div style="{ left:ex p ression( alert(&#039;xss&#039;) ) }">
-
-<div style="{ background:...( javascript:alert(&#039;xss&#039;) ) }">
-<div style="{ background:&#x0075;/**/rl( javascript:alert(&#039;xss&#039;) ) }">
-<div style="{ background:\0075\0072\006c( javascript:alert(&#039;xss&#039;) ) }">
-<div style="{ background:u&#x0280;&#x029F;( javascript:alert(&#039;xss&#039;) )
-}">
-<div style="{ background:&#x5c;0075&#x5c;0280l( javascript:alert(&#039;xss&#039;)
-) }">
-<div style="{ background:u r l( javascript:alert(&#039;xss&#039;) ) }">
-
-</body>
-</html>
-
diff --git a/tests/src/htmlbody.txt b/tests/src/htmlbody.txt
deleted file mode 100644
index a10bfe10e..000000000
--- a/tests/src/htmlbody.txt
+++ /dev/null
@@ -1,51 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
-<title>RoundCube Test Message</title>
-<link rel="stylesheet" type="text/css" href="http://anysite.net/styles/mail.css">
-<style type="text/css">
-
-p, a {
- font-family: Arial, 'Bitstream Vera Sans', Helvetica;
- margin-top: 0px;
- margin-bottom: 0px;
- padding-top: 0px;
- padding-bottom: 0px;
-}
-
-</style>
-</head>
-<body style="margin: 0 0 0 0;">
-
-<table width="100%" cellpadding="0" cellspacing="20" style="background-image:url(http://evilsite.net/newsletter/image/bg/bg-64.jpg);background-attachment:fixed;" background="http://evilsite.net/newsletter/image/bg/bg-64.jpg" border="0">
-<tr>
-<td>
-
-<h1>This is a HTML message</h1>
-
-<p>See nice pictures like the following:</p>
-
-<div>
- <img src="ex1.jpg" width="320" height="320" alt="Example 1">
- <img src="ex2.jpg" width="320" height="320" alt="Example 2">
- <img src="http://evilsite.net/mailings/ex3.jpg" width="320" height="320" alt="Example 3">
-</div>
-
-<form action="http://evilsite.net/subscribe.php">
- <p>Subscription form</p>
-
- E-Mail: <input type="text" name="mail" value=""><br/>
- <input type="submit" value="Subscribe">
-
-</form>
-
-<p>To unsubscribe click here <a href="http://evilsite.net/unsubscribe.php?mail=foo@bar.com"> or
- send a mail to <a href="mailto:unsubscribe@evilsite.net">unsubscribe@evilsite.net</a></p>
-
-</td>
-</tr>
-</table>
-
-</body>
-</html> \ No newline at end of file
diff --git a/tests/src/htmlxss.txt b/tests/src/htmlxss.txt
deleted file mode 100644
index f6c43e353..000000000
--- a/tests/src/htmlxss.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-<html>
-<body>
-
-<p><img onLoad.="alert(document.cookie)" src="skins/default/images/roundcube_logo.png" /></p>
-
-<p><a href="mailto:xss@somehost.net') && alert(document.cookie) || ignore('">mail me!</a>
-<a href="http://roundcube.net" target="_self">roundcube.net</a>
-<a href="http://roundcube.net" \onmouseover="alert('XSS')">roundcube.net (2)</a>
-
-</p>
-
-<div>Brilliant!</div>
-
-<table><tbody><tr><td background="javascript:alert('XSS')">BBBBBB</td></tr></tbody></table>
-
-<p>
-Have a nice Christmas time.<br />
-Thomas
-</p>
-
-</body>
-</html>
diff --git a/tests/src/plainbody.txt b/tests/src/plainbody.txt
deleted file mode 100644
index 7ebfe429b..000000000
--- a/tests/src/plainbody.txt
+++ /dev/null
@@ -1,37 +0,0 @@
-From: iPhone Developer Program <noreply-iphonedev@apple.com>
-To: nobody@roundcube.net
-
-*iPhone Developer Program*
-
------------------------------------
-iPhone SDK 2.2.1 is now available
-https://daw.apple.com/cgi-bin/WebObjects/DSAuthWeb.woa/wa/login?appIdKey=3D=
-D635F5C417E087A3B9864DAC5D25920C4E9442C9339FA9277951628F0291F620&path=3D//i=
-phone/login.action
-
-Log in to the iPhone Dev Center to download iPhone SDK for iPhone OS 2.2.1.=
- Installation of iPhone SDK 2.2.1 is required for development with devices =
-updated to iPhone OS 2.2.1. Please view the Read Me before installing the n=
-ew version of the iPhone SDK.
-
-Log in now
-https://daw.apple.com/cgi-bin/WebObjects/DSAuthWeb.woa/wa/login?appIdKey=3D=
-D635F5C417E087A3B9864DAC5D25920C4E9442C9339FA9277951628F0291F620&path=3D//i=
-phone/login.action
-
------------------------------------
-Copyright (c) 2009 Apple Inc. 1 Infinite Loop, MS 303-3DM, Cupertino, CA 95=
-014.
-
-All Rights Reserved
-http://www.apple.com/legal/default.html
-
-Keep Informed
-http://www.apple.com/enews/subscribe/
-
-Privacy Policy
-http://www.apple.com/legal/privacy/
-
-My Info
-https://myinfo.apple.com/cgi-bin/WebObjects/MyInfo
-
diff --git a/tests/src/valid.css b/tests/src/valid.css
deleted file mode 100644
index 340fa9a87..000000000
--- a/tests/src/valid.css
+++ /dev/null
@@ -1,30 +0,0 @@
-/** Master style definitions **/
-
-body, p, div, h1, h2, h3, textarea {
- font-family: "Lucida Grande", Helvetica, sans-serif;
- font-size: 8.8pt;
- color: #333;
-}
-
-body {
- background-color: white;
- margin: 0;
-}
-
-h1 {
- color: #1F519A;
- font-size: 1.7em;
- font-weight: normal;
- margin-top: 0;
- margin-bottom: 1em;
-}
-
-.noscript {
- display: none;
-}
-
-.hint, .username {
- color: #999;
-}
-
-