Tests the directory-mtime-based PHP loader implementation.
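class MTimeProtectedFileStorageTest extends PhpStorageTestBase {

  /**
   * The expected test results for the security test.
   *
   * The default implementation protects against even the filemtime change so
   * both iterations will return FALSE.
   *
   * Index 0 is the in-place overwrite, index 1 the write-and-rename. The same
   * value is compared against exists(), load() and the $GLOBALS['hacked'] flag.
   */
  protected $expected = array(
    FALSE,
    FALSE,
  );

  /**
   * Fully qualified name of the storage class under test.
   */
  protected $storageClass = 'Drupal\\Component\\PhpStorage\\MTimeProtectedFileStorage';

  /**
   * Random secret generated in setUp() and passed to the storage bin.
   *
   * testSecurity() uses it as part of the HMAC key when it recomputes the
   * expected file name. Declared explicitly so that setUp() does not create it
   * as an undeclared (dynamic) property.
   */
  protected $secret;

  /**
   * Returns the name, description and group of this test case.
   */
  public static function getInfo() {
    return array(
      'name' => 'MTime protected file storage',
      'description' => 'Tests the MTimeProtectedFileStorage implementation.',
      'group' => 'PHP Storage',
    );
  }

  /**
   * Registers the 'simpletest' PHP storage bin used by the tests.
   *
   * The bin is configured in the global $conf array with the class under test,
   * a 'php' directory below the public files path and a fresh random secret.
   * Because the directory sits under the public files path, testSecurity()
   * also checks the .htaccess file and the permissions of what is written.
   */
  public function setUp() {
    global $conf;
    parent::setUp();
    $this->secret = $this->randomName();
    $conf['php_storage']['simpletest'] = array(
      'class' => $this->storageClass,
      'directory' => DRUPAL_ROOT . '/' . variable_get('file_public_path', conf_path() . '/files') . '/php',
      'secret' => $this->secret,
    );
  }

  /**
   * Tests basic load/save/delete operations.
   */
  public function testCRUD() {
    $php = $this->storageFactory->get('simpletest');
    // The factory must hand back exactly the configured class, otherwise the
    // CRUD checks below would exercise a different implementation.
    $this->assertIdentical(get_class($php), $this->storageClass);
    $this->assertCRUD($php);
  }

  /**
   * Tests the security of the MTimeProtectedFileStorage implementation.
   *
   * We test two attacks: first changes the file mtime, then the directory
   * mtime too.
   *
   * The test recomputes the on-disk file name as an HMAC-SHA256 of the logical
   * name, keyed with the secret concatenated with the mtime of the containing
   * directory, and then checks permissions, the .htaccess file and the
   * behaviour of exists()/load() after the file content has been replaced.
   */
  public function testSecurity() {
    $php = $this->storageFactory->get('simpletest');
    $name = 'simpletest.php';
    $php->save($name, '<?php');
    $expected_root_directory = DRUPAL_ROOT . '/' . variable_get('file_public_path', conf_path() . '/files') . '/php/simpletest';
    // Each logical name is stored as a directory holding one hashed file.
    $expected_directory = $expected_root_directory . '/' . $name;
    $directory_mtime = filemtime($expected_directory);
    $expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';

    // Ensure the file exists and that it and the containing directory have
    // minimal permissions. fileperms() can return high bits unrelated to
    // permissions, so mask with 0777.
    $this->assertTrue(file_exists($expected_filename));
    $this->assertIdentical(fileperms($expected_filename) & 0777, 0400);
    $this->assertIdentical(fileperms($expected_directory) & 0777, 0100);

    // Ensure the root directory for the bin has a .htaccess file denying web
    // access.
    $this->assertIdentical(file_get_contents($expected_root_directory . '/.htaccess'), "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nDeny from all\nOptions None\nOptions +FollowSymLinks");

    // Ensure that if the file is replaced with an untrusted one (due to another
    // script's file upload vulnerability), it does not get loaded. Since mtime
    // granularity is 1 second, we cannot prevent an attack that happens within
    // a second of the initial save().
    sleep(1);
    for ($i = 0; $i < 2; $i++) {
      // NOTE(review): this new factory is assigned to a local that is never
      // read; the storage object below still comes from $this->storageFactory.
      // If the intent was a fresh storage instance per iteration, confirm that
      // get() does not hand back a cached object.
      $storageFactory = new PhpStorageFactory();
      $php = $this->storageFactory->get('simpletest');
      // Marker that the replaced file would flip if it were ever executed.
      $GLOBALS['hacked'] = FALSE;
      $untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
      // Temporarily widen the permissions so the test itself can replace the
      // file; the minimal modes are restored below before the assertions.
      chmod($expected_directory, 0700);
      chmod($expected_filename, 0700);
      if ($i) {
        // Now try to write the file in such a way that the directory mtime
        // changes and invalidates the hash.
        file_put_contents($expected_filename . '.tmp', $untrusted_code);
        rename($expected_filename . '.tmp', $expected_filename);
      }
      else {
        // On the first try do not change the directory mtime but the filemtime
        // is now larger than the directory mtime.
        file_put_contents($expected_filename, $untrusted_code);
      }
      chmod($expected_filename, 0400);
      chmod($expected_directory, 0100);
      // Confirm the replacement really landed on disk, so that the checks
      // below fail for the right reason if the storage class accepts it.
      $this->assertIdentical(file_get_contents($expected_filename), $untrusted_code);
      // The storage must neither report the tampered file as present nor
      // include it, and the marker must therefore stay FALSE.
      $this->assertIdentical($php->exists($name), $this->expected[$i]);
      $this->assertIdentical($php->load($name), $this->expected[$i]);
      $this->assertIdentical($GLOBALS['hacked'], $this->expected[$i]);
    }
  }

}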
Name | Modifiers | Type | Description | Overrides |
---|---|---|---|---|
MTimeProtectedFileStorageTest:: |
protected | property | The expected test results for the security test. | 1 |
MTimeProtectedFileStorageTest:: |
protected | property | 1 | |
MTimeProtectedFileStorageTest:: |
public static | function | 1 | |
MTimeProtectedFileStorageTest:: |
function |
Overrides \Drupal\simpletest\UnitTestBase::setUp() Overrides PhpStorageTestBase:: |
||
MTimeProtectedFileStorageTest:: |
function | Tests basic load/save/delete operations. | ||
MTimeProtectedFileStorageTest:: |
function | Tests the security of the MTimeProtectedFileStorage implementation. | ||
PhpStorageTestBase:: |
protected | property | The storage factory object. | |
PhpStorageTestBase:: |
public | function | Assert that a PHP storage controller's load/save/delete operations work. | |
TestBase:: |
protected | property | Assertions thrown in that test case. | |
TestBase:: |
protected | property | The database prefix of this test run. | |
TestBase:: |
protected | property | The original file directory, before it was changed for testing purposes. | |
TestBase:: |
protected | property | The original database prefix when running inside Simpletest. | |
TestBase:: |
public | property | Current results of this test case. | |
TestBase:: |
protected | property | Flag to indicate whether the test has been set up. | |
TestBase:: |
protected | property | ||
TestBase:: |
protected | property | ||
TestBase:: |
protected | property | This class is skipped when looking for the source of an assertion. | |
TestBase:: |
protected | property | The test run ID. | |
TestBase:: |
protected | property | Time limit for the test. | |
TestBase:: |
protected | property | TRUE if verbose debugging is enabled. | |
TestBase:: |
protected | property | Safe class name for use in verbose output filenames. | |
TestBase:: |
protected | property | Directory where verbose output files are put. | |
TestBase:: |
protected | property | URL to the verbose output file directory. | |
TestBase:: |
protected | property | Incrementing identifier for verbose output filenames. | |
TestBase:: |
protected | function | Internal helper: stores the assert. | |
TestBase:: |
protected | function | Check to see if two values are equal. | |
TestBase:: |
protected | function | Check to see if a value is false (an empty string, 0, NULL, or FALSE). | |
TestBase:: |
protected | function | Check to see if two values are identical. | |
TestBase:: |
protected | function | Checks to see if two objects are identical. | |
TestBase:: |
protected | function | Check to see if two values are not equal. | |
TestBase:: |
protected | function | Check to see if two values are not identical. | |
TestBase:: |
protected | function | Check to see if a value is not NULL. | |
TestBase:: |
protected | function | Check to see if a value is NULL. | |
TestBase:: |
protected | function | Check to see if a value is not false (not an empty string, 0, NULL, or FALSE). | |
TestBase:: |
protected | function | Changes the database connection to the prefixed one. | |
TestBase:: |
protected | function | Checks the matching requirements for Test. | 3 |
TestBase:: |
public static | function | Delete an assertion record by message ID. | |
TestBase:: |
protected | function | Fire an error assertion. | 1 |
TestBase:: |
public | function | Handle errors during test runs. | |
TestBase:: |
protected | function | Handle exceptions. | |
TestBase:: |
protected | function | Fire an assertion that is always negative. | |
TestBase:: |
public static | function | Ensures test files are deletable within file_unmanaged_delete_recursive(). | |
TestBase:: |
public static | function | Converts a list of possible parameters into a stack of permutations. | |
TestBase:: |
protected | function | Cycles through backtrace until the first non-assertion method is found. | |
TestBase:: |
public static | function | Returns the database connection to the site running Simpletest. | |
TestBase:: |
public static | function | Store an assertion from outside the testing context. | |
TestBase:: |
protected | function | Fire an assertion that is always positive. | |
TestBase:: |
protected | function | Generates a database prefix for running tests. | |
TestBase:: |
protected | function | Prepares the current environment for running the test. | |
TestBase:: |
public static | function | Generates a random string containing letters and numbers. | |
TestBase:: |
public static | function | Generates a random PHP object. | |
TestBase:: |
public static | function | Generates a random string of ASCII characters of codes 32 to 126. | |
TestBase:: |
protected | function | Rebuild drupal_container(). | |
TestBase:: |
public | function | Run all tests in this class. | |
TestBase:: |
protected | function | Deletes created files, database tables, and reverts all environment changes. | 10 |
TestBase:: |
protected | function | Logs verbose message in a text file. | |
UnitTestBase:: |
protected | property | ||
UnitTestBase:: |
function |
Constructor for UnitTestBase. Overrides TestBase:: |
6 |