diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/mailfunc.php | 119 | ||||
| -rw-r--r-- | tests/modcss.php | 45 | ||||
| -rwxr-xr-x | tests/runtests.sh | 53 | ||||
| -rw-r--r-- | tests/src/BID-26800.txt | 52 | ||||
| -rw-r--r-- | tests/src/htmlbody.txt | 51 | ||||
| -rw-r--r-- | tests/src/htmlxss.txt | 22 | ||||
| -rw-r--r-- | tests/src/plainbody.txt | 37 | ||||
| -rw-r--r-- | tests/src/valid.css | 30 |
8 files changed, 0 insertions, 409 deletions
diff --git a/tests/mailfunc.php b/tests/mailfunc.php deleted file mode 100644 index ae35c5d77..000000000 --- a/tests/mailfunc.php +++ /dev/null @@ -1,119 +0,0 @@ -<?php - -/** - * Test class to test steps/mail/func.inc functions - * - * @package Tests - */ -class rcube_test_mailfunc extends UnitTestCase -{ - - function __construct() - { - $this->UnitTestCase('Mail body rendering tests'); - - // simulate environment to successfully include func.inc - $GLOBALS['RCMAIL'] = $RCMAIL = rcmail::get_instance(); - $GLOBALS['OUTPUT'] = $OUTPUT = $RCMAIL->load_gui(); - $RCMAIL->action = 'spell'; - $IMAP = $RCMAIL->imap; - - require_once 'steps/mail/func.inc'; - - $GLOBALS['EMAIL_ADDRESS_PATTERN'] = $EMAIL_ADDRESS_PATTERN; - } - - /** - * Helper method to create a HTML message part object - */ - function get_html_part($body) - { - $part = new rcube_message_part; - $part->ctype_primary = 'text'; - $part->ctype_secondary = 'html'; - $part->body = file_get_contents(TESTS_DIR . $body); - $part->replaces = array(); - return $part; - } - - /** - * Test sanitization of a "normal" html message - */ - function test_html() - { - $part = $this->get_html_part('src/htmlbody.txt'); - $part->replaces = array('ex1.jpg' => 'part_1.2.jpg', 'ex2.jpg' => 'part_1.2.jpg'); - - // render HTML in normal mode - $html = rcmail_html4inline(rcmail_print_body($part, array('safe' => false)), 'foo'); - - $this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image"); - $this->assertPattern('#background="./program/blocked.gif"#', $html, "Replace external background image"); - $this->assertNoPattern('/ex3.jpg/', $html, "No references to external images"); - $this->assertNoPattern('/<meta [^>]+>/', $html, "No meta tags allowed"); - $this->assertNoPattern('/<style [^>]+>/', $html, "No style tags allowed"); - $this->assertNoPattern('/<form [^>]+>/', $html, "No form tags allowed"); - $this->assertPattern('/Subscription form/', $html, "Include <form> contents"); - $this->assertPattern('/<!-- input not allowed -->/', $html, "No input elements allowed"); - $this->assertPattern('/<!-- link not allowed -->/', $html, "No external links allowed"); - $this->assertPattern('/<a[^>]+ target="_blank">/', $html, "Set target to _blank"); - $this->assertTrue($GLOBALS['REMOTE_OBJECTS'], "Remote object detected"); - - // render HTML in safe mode - $html2 = rcmail_html4inline(rcmail_print_body($part, array('safe' => true)), 'foo'); - - $this->assertPattern('/<style [^>]+>/', $html2, "Allow styles in safe mode"); - $this->assertPattern('#src="http://evilsite.net/mailings/ex3.jpg"#', $html2, "Allow external images in HTML (safe mode)"); - $this->assertPattern("#url\('http://evilsite.net/newsletter/image/bg/bg-64.jpg'\)#", $html2, "Allow external images in CSS (safe mode)"); - - $css = '<link rel="stylesheet" type="text/css" href="./bin/modcss.php?u='.urlencode('http://anysite.net/styles/mail.css').'&c=foo"'; - $this->assertPattern('#'.preg_quote($css).'#', $html2, "Filter external styleseehts with bin/modcss.php"); - } - - /** - * Test the elimination of some trivial XSS vulnerabilities - */ - function test_html_xss() - { - $part = $this->get_html_part('src/htmlxss.txt'); - $washed = rcmail_print_body($part, array('safe' => true)); - - $this->assertNoPattern('/src="skins/', $washed, "Remove local references"); - $this->assertNoPattern('/\son[a-z]+/', $washed, "Remove on* attributes"); - - $html = rcmail_html4inline($washed, 'foo'); - $this->assertNoPattern('/onclick="return rcmail.command(\'compose\',\'xss@somehost.net\',this)"/', $html, "Clean mailto links"); - $this->assertNoPattern('/alert/', $html, "Remove alerts"); - } - - /** - * Test HTML sanitization to fix the CSS Expression Input Validation Vulnerability - * reported at http://www.securityfocus.com/bid/26800/ - */ - function test_html_xss2() - { - $part = $this->get_html_part('src/BID-26800.txt'); - $washed = rcmail_print_body($part, array('safe' => true)); - - $this->assertNoPattern('/alert|expression|javascript|xss/', $washed, "Remove evil style blocks"); - $this->assertNoPattern('/font-style:italic/', $washed, "Allow valid styles"); - } - - /** - * Test links pattern replacements in plaintext messages - */ - function test_plaintext() - { - $part = new rcube_message_part; - $part->ctype_primary = 'text'; - $part->ctype_secondary = 'plain'; - $part->body = quoted_printable_decode(file_get_contents(TESTS_DIR . 'src/plainbody.txt')); - $html = rcmail_print_body($part, array('safe' => true)); - - $this->assertPattern('/<a href="mailto:nobody@roundcube.net" onclick="return rcmail.command\(\'compose\',\'nobody@roundcube.net\',this\)">nobody@roundcube.net<\/a>/', $html, "Mailto links with onclick"); - $this->assertPattern('#<a href="http://www.apple.com/legal/privacy/" target="_blank">http://www.apple.com/legal/privacy/</a>#', $html, "Links with target=_blank"); - } - -} - -?>
\ No newline at end of file diff --git a/tests/modcss.php b/tests/modcss.php deleted file mode 100644 index f9271ff65..000000000 --- a/tests/modcss.php +++ /dev/null @@ -1,45 +0,0 @@ -<?php - -/** - * Test class to test rcmail_mod_css_styles and XSS vulnerabilites - * - * @package Tests - */ -class rcube_test_modcss extends UnitTestCase -{ - - function __construct() - { - $this->UnitTestCase('CSS modification and vulnerability tests'); - } - - function test_modcss() - { - $css = file_get_contents(TESTS_DIR . 'src/valid.css'); - $mod = rcmail_mod_css_styles($css, 'rcmbody'); - - $this->assertPattern('/#rcmbody div.rcmBody\s+\{/', $mod, "Replace body style definition"); - $this->assertPattern('/#rcmbody h1\s\{/', $mod, "Prefix tag styles (single)"); - $this->assertPattern('/#rcmbody h1, #rcmbody h2, #rcmbody h3, #rcmbody textarea\s+\{/', $mod, "Prefix tag styles (multiple)"); - $this->assertPattern('/#rcmbody \.noscript\s+\{/', $mod, "Prefix class styles"); - } - - function test_xss() - { - $mod = rcmail_mod_css_styles("body.main2cols { background-image: url('../images/leftcol.png'); }", 'rcmbody'); - $this->assertEqual("/* evil! */", $mod, "No url() values allowed"); - - $mod = rcmail_mod_css_styles("@import url('http://localhost/somestuff/css/master.css');", 'rcmbody'); - $this->assertEqual("/* evil! */", $mod, "No import statements"); - - $mod = rcmail_mod_css_styles("left:expression(document.body.offsetWidth-20)", 'rcmbody'); - $this->assertEqual("/* evil! */", $mod, "No expression properties"); - - $mod = rcmail_mod_css_styles("left:exp/* */ression( alert('xss3') )", 'rcmbody'); - $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks"); - - $mod = rcmail_mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody'); - $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks (2)"); - } - -}
\ No newline at end of file diff --git a/tests/runtests.sh b/tests/runtests.sh deleted file mode 100755 index 04a9a3745..000000000 --- a/tests/runtests.sh +++ /dev/null @@ -1,53 +0,0 @@ -#!/usr/bin/env php -<?php - -/* - +-----------------------------------------------------------------------+ - | tests/runtests.sh | - | | - | This file is part of the RoundCube Webmail client | - | Copyright (C) 2009, RoundCube Dev. - Switzerland | - | Licensed under the GNU GPL | - | | - | PURPOSE: | - | Run-script for unit tests based on http://simpletest.org | - | All .php files in this folder will be treated as tests | - +-----------------------------------------------------------------------+ - | Author: Thomas Bruederli <roundcube@gmail.com> | - +-----------------------------------------------------------------------+ - - $Id: $ - -*/ - -if (php_sapi_name() != 'cli') - die("Not in shell mode (php-cli)"); - -if (!defined('SIMPLETEST')) define('SIMPLETEST', '/www/simpletest/'); -if (!defined('INSTALL_PATH')) define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/' ); - -define('TESTS_DIR', dirname(__FILE__) . '/'); - -require_once(SIMPLETEST . 'unit_tester.php'); -require_once(SIMPLETEST . 'reporter.php'); -require_once(INSTALL_PATH . 'program/include/iniset.php'); - -if (count($_SERVER['argv']) > 1) { - $testfiles = array(); - for ($i=1; $i < count($_SERVER['argv']); $i++) - $testfiles[] = realpath('./' . $_SERVER['argv'][$i]); -} -else { - $testfiles = glob(TESTS_DIR . '*.php'); -} - -$test = new TestSuite('RoundCube unit tests'); -$reporter = new TextReporter(); - -foreach ($testfiles as $fn) { - $test->addTestFile($fn); -} - -$test->run($reporter); - -?>
\ No newline at end of file diff --git a/tests/src/BID-26800.txt b/tests/src/BID-26800.txt deleted file mode 100644 index 513516c09..000000000 --- a/tests/src/BID-26800.txt +++ /dev/null @@ -1,52 +0,0 @@ -<html> -<head> -</head> -<body> -<h1>1 test</h1> -<p><style> block</p> -<style>input { left:expression( alert('expression!') ) }</style> -<style>div { background:url(alert('URL!') ) }</style> - -<h1>2 test</h1> -<p><div> block</p> -<div style="font-style:italic">valid css</div> -<div style="{ left:expression( alert('expression!') ) }"> -<div style="{ background:url( alert('URL!') ) }"> - -<h1>3 test</h1> -<p>Inject comment text</p> -<div style="{ left:exp/* */ression( alert('xss3') ) }"> -<div style="{ background:u/* */rl( alert('xssurl3') ) }"> - -<h1>4 test</h1> -<p>Using reverse solid to directe the codepoint</p> -<div style="{ left:\0065\0078pression( alert('xss4') ) }"> -<div style="{ background:\0075rl( alert('xssurl4') ) }"> - -<h1>5 test</h1> -<p>Character entity references</p> -<p>Character entity references is acceptable in "inline styles"</p> -<div style="{ left:expression( alert('xss') ) }"> -<div style="{ left:expression( alert('xss') ) }"> -<div style="{ background:url( alert('URL!') ) }"> -<div style="{ background:url( alert('URL!') ) }"> -<div style="{ left:expression( alert('xss') ) }"> - -<div style="{ left:..p.....o.( alert('xss') ) }"> -<div style="{ left:../**/pression( alert('xss') ) }"> -<div style="{ left:expʀessioɴ( alert('xss') ) }"> -<div style="{ left:\0065\0078pression( alert('xss') ) }"> -<div style="{ left:ex p ression( alert('xss') ) }"> - -<div style="{ background:...( javascript:alert('xss') ) }"> -<div style="{ background:u/**/rl( javascript:alert('xss') ) }"> -<div style="{ background:\0075\0072\006c( javascript:alert('xss') ) }"> -<div style="{ background:uʀʟ( javascript:alert('xss') ) -}"> -<div style="{ background:\0075\0280l( javascript:alert('xss') -) }"> -<div style="{ background:u r l( javascript:alert('xss') ) }"> - -</body> -</html> - diff --git a/tests/src/htmlbody.txt b/tests/src/htmlbody.txt deleted file mode 100644 index a10bfe10e..000000000 --- a/tests/src/htmlbody.txt +++ /dev/null @@ -1,51 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> -<title>RoundCube Test Message</title> -<link rel="stylesheet" type="text/css" href="http://anysite.net/styles/mail.css"> -<style type="text/css"> - -p, a { - font-family: Arial, 'Bitstream Vera Sans', Helvetica; - margin-top: 0px; - margin-bottom: 0px; - padding-top: 0px; - padding-bottom: 0px; -} - -</style> -</head> -<body style="margin: 0 0 0 0;"> - -<table width="100%" cellpadding="0" cellspacing="20" style="background-image:url(http://evilsite.net/newsletter/image/bg/bg-64.jpg);background-attachment:fixed;" background="http://evilsite.net/newsletter/image/bg/bg-64.jpg" border="0"> -<tr> -<td> - -<h1>This is a HTML message</h1> - -<p>See nice pictures like the following:</p> - -<div> - <img src="ex1.jpg" width="320" height="320" alt="Example 1"> - <img src="ex2.jpg" width="320" height="320" alt="Example 2"> - <img src="http://evilsite.net/mailings/ex3.jpg" width="320" height="320" alt="Example 3"> -</div> - -<form action="http://evilsite.net/subscribe.php"> - <p>Subscription form</p> - - E-Mail: <input type="text" name="mail" value=""><br/> - <input type="submit" value="Subscribe"> - -</form> - -<p>To unsubscribe click here <a href="http://evilsite.net/unsubscribe.php?mail=foo@bar.com"> or - send a mail to <a href="mailto:unsubscribe@evilsite.net">unsubscribe@evilsite.net</a></p> - -</td> -</tr> -</table> - -</body> -</html>
\ No newline at end of file diff --git a/tests/src/htmlxss.txt b/tests/src/htmlxss.txt deleted file mode 100644 index f6c43e353..000000000 --- a/tests/src/htmlxss.txt +++ /dev/null @@ -1,22 +0,0 @@ -<html> -<body> - -<p><img onLoad.="alert(document.cookie)" src="skins/default/images/roundcube_logo.png" /></p> - -<p><a href="mailto:xss@somehost.net') && alert(document.cookie) || ignore('">mail me!</a> -<a href="http://roundcube.net" target="_self">roundcube.net</a> -<a href="http://roundcube.net" \onmouseover="alert('XSS')">roundcube.net (2)</a> - -</p> - -<div>Brilliant!</div> - -<table><tbody><tr><td background="javascript:alert('XSS')">BBBBBB</td></tr></tbody></table> - -<p> -Have a nice Christmas time.<br /> -Thomas -</p> - -</body> -</html> diff --git a/tests/src/plainbody.txt b/tests/src/plainbody.txt deleted file mode 100644 index 7ebfe429b..000000000 --- a/tests/src/plainbody.txt +++ /dev/null @@ -1,37 +0,0 @@ -From: iPhone Developer Program <noreply-iphonedev@apple.com> -To: nobody@roundcube.net - -*iPhone Developer Program* - ------------------------------------ -iPhone SDK 2.2.1 is now available -https://daw.apple.com/cgi-bin/WebObjects/DSAuthWeb.woa/wa/login?appIdKey=3D= -D635F5C417E087A3B9864DAC5D25920C4E9442C9339FA9277951628F0291F620&path=3D//i= -phone/login.action - -Log in to the iPhone Dev Center to download iPhone SDK for iPhone OS 2.2.1.= - Installation of iPhone SDK 2.2.1 is required for development with devices = -updated to iPhone OS 2.2.1. Please view the Read Me before installing the n= -ew version of the iPhone SDK. - -Log in now -https://daw.apple.com/cgi-bin/WebObjects/DSAuthWeb.woa/wa/login?appIdKey=3D= -D635F5C417E087A3B9864DAC5D25920C4E9442C9339FA9277951628F0291F620&path=3D//i= -phone/login.action - ------------------------------------ -Copyright (c) 2009 Apple Inc. 1 Infinite Loop, MS 303-3DM, Cupertino, CA 95= -014. - -All Rights Reserved -http://www.apple.com/legal/default.html - -Keep Informed -http://www.apple.com/enews/subscribe/ - -Privacy Policy -http://www.apple.com/legal/privacy/ - -My Info -https://myinfo.apple.com/cgi-bin/WebObjects/MyInfo - diff --git a/tests/src/valid.css b/tests/src/valid.css deleted file mode 100644 index 340fa9a87..000000000 --- a/tests/src/valid.css +++ /dev/null @@ -1,30 +0,0 @@ -/** Master style definitions **/ - -body, p, div, h1, h2, h3, textarea { - font-family: "Lucida Grande", Helvetica, sans-serif; - font-size: 8.8pt; - color: #333; -} - -body { - background-color: white; - margin: 0; -} - -h1 { - color: #1F519A; - font-size: 1.7em; - font-weight: normal; - margin-top: 0; - margin-bottom: 1em; -} - -.noscript { - display: none; -} - -.hint, .username { - color: #999; -} - - |