From 9b05f19338e209f05386e5b13fe0a704c94062bb Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Mon, 27 Aug 2012 08:45:13 +0200
Subject: Restructured tests

---
 tests/Framework/Utils.php | 119 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 119 insertions(+)
 create mode 100644 tests/Framework/Utils.php

(limited to 'tests/Framework/Utils.php')

diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
new file mode 100644
index 000000000..b6cc5d577
--- /dev/null
+++ b/tests/Framework/Utils.php
@@ -0,0 +1,119 @@
+<?php
+
+/**
+ * Test class to test rcube_utils class
+ *
+ * @package Tests
+ */
+class Framework_Utils extends PHPUnit_Framework_TestCase
+{
+
+    /**
+     * Valid email addresses for test_valid_email()
+     */
+    function data_valid_email()
+    {
+        return array(
+            array('email@domain.com', 'Valid email'),
+            array('firstname.lastname@domain.com', 'Email contains dot in the address field'),
+            array('email@subdomain.domain.com', 'Email contains dot with subdomain'),
+            array('firstname+lastname@domain.com', 'Plus sign is considered valid character'),
+            array('email@[123.123.123.123]', 'Square bracket around IP address'),
+            array('email@[IPv6:::1]', 'Square bracket around IPv6 address (1)'),
+            array('email@[IPv6:::1.2.3.4]', 'Square bracket around IPv6 address (2)'),
+            array('email@[IPv6:2001:2d12:c4fe:5afe::1]', 'Square bracket around IPv6 address (3)'),
+            array('"email"@domain.com', 'Quotes around email is considered valid'),
+            array('1234567890@domain.com', 'Digits in address are valid'),
+            array('email@domain-one.com', 'Dash in domain name is valid'),
+            array('_______@domain.com', 'Underscore in the address field is valid'),
+            array('email@domain.name', '.name is valid Top Level Domain name'),
+            array('email@domain.co.jp', 'Dot in Top Level Domain name also considered valid (use co.jp as example here)'),
+            array('firstname-lastname@domain.com', 'Dash in address field is valid'),
+        );
+    }
+
+    /**
+     * Invalid email addresses for test_invalid_email()
+     */
+    function data_invalid_email()
+    {
+        return array(
+            array('plainaddress', 'Missing @ sign and domain'),
+            array('#@%^%#$@#$@#.com', 'Garbage'),
+            array('@domain.com', 'Missing username'),
+            array('Joe Smith <email@domain.com>', 'Encoded html within email is invalid'),
+            array('email.domain.com', 'Missing @'),
+            array('email@domain@domain.com', 'Two @ sign'),
+            array('.email@domain.com', 'Leading dot in address is not allowed'),
+            array('email.@domain.com', 'Trailing dot in address is not allowed'),
+            array('email..email@domain.com', 'Multiple dots'),
+            array('あいうえお@domain.com', 'Unicode char as address'),
+            array('email@domain.com (Joe Smith)', 'Text followed email is not allowed'),
+            array('email@domain', 'Missing top level domain (.com/.net/.org/etc)'),
+            array('email@-domain.com', 'Leading dash in front of domain is invalid'),
+//            array('email@domain.web', '.web is not a valid top level domain'),
+            array('email@123.123.123.123', 'IP address without brackets'),
+            array('email@2001:2d12:c4fe:5afe::1', 'IPv6 address without brackets'),
+            array('email@IPv6:2001:2d12:c4fe:5afe::1', 'IPv6 address without brackets (2)'),
+            array('email@[111.222.333.44444]', 'Invalid IP format'),
+            array('email@[111.222.255.257]', 'Invalid IP format (2)'),
+            array('email@[.222.255.257]', 'Invalid IP format (3)'),
+            array('email@[::1]', 'Invalid IPv6 format (1)'),
+            array('email@[IPv6:2001:23x2:1]', 'Invalid IPv6 format (2)'),
+            array('email@[IPv6:1111:2222:33333::4444:5555]', 'Invalid IPv6 format (3)'),
+            array('email@[IPv6:1111::3333::4444:5555]', 'Invalid IPv6 format (4)'),
+            array('email@domain..com', 'Multiple dot in the domain portion is invalid'),
+        );
+    }
+
+    /**
+     * @dataProvider data_valid_email
+     */
+    function test_valid_email($email, $title)
+    {
+        $this->assertTrue(rcube_utils::check_email($email, false), $title);
+    }
+
+    /**
+     * @dataProvider data_invalid_email
+     */
+    function test_invalid_email($email, $title)
+    {
+        $this->assertFalse(rcube_utils::check_email($email, false), $title);
+    }
+
+    /**
+     * rcube_utils::mod_css_styles()
+     */
+    function test_mod_css_styles()
+    {
+        $css = file_get_contents(TESTS_DIR . 'src/valid.css');
+        $mod = rcube_utils::mod_css_styles($css, 'rcmbody');
+
+        $this->assertRegExp('/#rcmbody\s+\{/', $mod, "Replace body style definition");
+        $this->assertRegExp('/#rcmbody h1\s\{/', $mod, "Prefix tag styles (single)");
+        $this->assertRegExp('/#rcmbody h1, #rcmbody h2, #rcmbody h3, #rcmbody textarea\s+\{/', $mod, "Prefix tag styles (multiple)");
+        $this->assertRegExp('/#rcmbody \.noscript\s+\{/', $mod, "Prefix class styles");
+    }
+
+    /**
+     * rcube_utils::mod_css_styles()
+     */
+    function test_mod_css_styles_xss()
+    {
+        $mod = rcube_utils::mod_css_styles("body.main2cols { background-image: url('../images/leftcol.png'); }", 'rcmbody');
+        $this->assertEquals("/* evil! */", $mod, "No url() values allowed");
+
+        $mod = rcube_utils::mod_css_styles("@import url('http://localhost/somestuff/css/master.css');", 'rcmbody');
+        $this->assertEquals("/* evil! */", $mod, "No import statements");
+
+        $mod = rcube_utils::mod_css_styles("left:expression(document.body.offsetWidth-20)", 'rcmbody');
+        $this->assertEquals("/* evil! */", $mod, "No expression properties");
+
+        $mod = rcube_utils::mod_css_styles("left:exp/*  */ression( alert(&#039;xss3&#039;) )", 'rcmbody');
+        $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks");
+
+        $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');
+        $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
+    }
+}
-- 
cgit v1.2.3


From a65ce5d3b07deb578cc4c4aba5695bcea8c07a87 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Mon, 27 Aug 2012 12:23:30 +0200
Subject: Rename ip_check to check_ip, add IP checking tests

---
 program/include/rcube_utils.php |  4 ++--
 tests/Framework/Utils.php       | 47 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

(limited to 'tests/Framework/Utils.php')

diff --git a/program/include/rcube_utils.php b/program/include/rcube_utils.php
index defb2aed1..aa748dc7f 100644
--- a/program/include/rcube_utils.php
+++ b/program/include/rcube_utils.php
@@ -94,7 +94,7 @@ class rcube_utils
 
         // Validate domain part
         if (preg_match('/^\[((IPv6:[0-9a-f:.]+)|([0-9.]+))\]$/i', $domain_part, $matches)) {
-            return self::ip_check(preg_replace('/^IPv6:/i', '', $matches[1])); // valid IPv4 or IPv6 address
+            return self::check_ip(preg_replace('/^IPv6:/i', '', $matches[1])); // valid IPv4 or IPv6 address
         }
         else {
             // If not an IP address
@@ -154,7 +154,7 @@ class rcube_utils
      *
      * @return bool True if the address is valid
      */
-    public static function ip_check($ip)
+    public static function check_ip($ip)
     {
         // IPv6, but there's no build-in IPv6 support
         if (strpos($ip, ':') !== false && !defined('AF_INET6')) {
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index b6cc5d577..503b69a4a 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -82,6 +82,53 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
         $this->assertFalse(rcube_utils::check_email($email, false), $title);
     }
 
+    /**
+     * Valid IP addresses for test_valid_ip()
+     */
+    function data_valid_ip()
+    {
+        return array(
+            array('0.0.0.0'),
+            array('123.123.123.123'),
+            array('::'),
+            array('::1'),
+            array('::1.2.3.4'),
+            array('2001:2d12:c4fe:5afe::1'),
+        );
+    }
+
+    /**
+     * Valid IP addresses for test_invalid_ip()
+     */
+    function data_invalid_ip()
+    {
+        return array(
+            array(''),
+            array(0),
+            array('123.123.123.1234'),
+            array('1.1.1.1.1'),
+            array('::1.2.3.260'),
+            array('::1.0'),
+            array('2001::c4fe:5afe::1'),
+        );
+    }
+
+    /**
+     * @dataProvider data_valid_ip
+     */
+    function test_valid_ip($ip)
+    {
+        $this->assertTrue(rcube_utils::check_ip($ip));
+    }
+
+    /**
+     * @dataProvider data_invalid_ip
+     */
+    function test_invalid_ip($ip)
+    {
+        $this->assertFalse(rcube_utils::check_ip($ip));
+    }
+
     /**
      * rcube_utils::mod_css_styles()
      */
-- 
cgit v1.2.3


From 5f8097b9eba09302be561d67ce035275494043e3 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Mon, 27 Aug 2012 12:55:58 +0200
Subject: Added tests for specialchars quoting

---
 tests/Framework/Html.php  | 26 ++++++++++++++++++++++++++
 tests/Framework/Utils.php | 30 ++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)

(limited to 'tests/Framework/Utils.php')

diff --git a/tests/Framework/Html.php b/tests/Framework/Html.php
index 107f82805..8a27baca8 100644
--- a/tests/Framework/Html.php
+++ b/tests/Framework/Html.php
@@ -17,4 +17,30 @@ class Framework_Html extends PHPUnit_Framework_TestCase
 
         $this->assertInstanceOf('html', $object, "Class constructor");
     }
+
+    /**
+     * Data for test_quote()
+     */
+    function data_quote()
+    {
+        return array(
+            array('abc', 'abc'),
+            array('?', '?'),
+            array('"', '&quot;'),
+            array('<', '&lt;'),
+            array('>', '&gt;'),
+            array('&', '&amp;'),
+            array('&amp;', '&amp;amp;'),
+            array('&amp;', '&amp;', true),
+        );
+    }
+
+    /**
+     * Test for quote()
+     * @dataProvider data_quote
+     */
+    function test_quote($str, $result, $validate = false)
+    {
+        $this->assertEquals(html::quote($str, $validate), $result);
+    }
 }
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 503b69a4a..e58835956 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -129,6 +129,36 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
         $this->assertFalse(rcube_utils::check_ip($ip));
     }
 
+    /**
+     * Data for test_rep_specialchars_output()
+     */
+    function data_rep_specialchars_output()
+    {
+        return array(
+            array('', '', 'abc', 'abc'),
+            array('', '', '?', '?'),
+            array('', '', '"', '&quot;'),
+            array('', '', '<', '&lt;'),
+            array('', '', '>', '&gt;'),
+            array('', '', '&', '&amp;'),
+            array('', '', '&amp;', '&amp;amp;'),
+            array('', '', '<a>', '&lt;a&gt;'),
+            array('', 'remove', '<a>', ''),
+        );
+    }
+
+    /**
+     * Test for rep_specialchars_output
+     * @dataProvider data_rep_specialchars_output
+     */
+    function test_rep_specialchars_output($type, $mode, $str, $res)
+    {
+        $result = rcube_utils::rep_specialchars_output(
+            $str, $type ? $type : 'html', $mode ? $mode : 'strict');
+
+        $this->assertEquals($result, $res);
+    }
+
     /**
      * rcube_utils::mod_css_styles()
      */
-- 
cgit v1.2.3