class MTimeProtectedFileStorageTest

Tests the directory mtime based PHP loader implementation.

Hierarchy

Expanded class hierarchy of MTimeProtectedFileStorageTest

File

drupal/core/modules/system/lib/Drupal/system/Tests/PhpStorage/MTimeProtectedFileStorageTest.php, line 15
Definition of Drupal\system\Tests\PhpStorage\MTimeProtectedFileStorageTest.

Namespace

Drupal\system\Tests\PhpStorage
View source
class MTimeProtectedFileStorageTest extends PhpStorageTestBase {

  /**
   * The expected test results for the security test.
   *
   * The default implementation protects against even the filemtime change so
   * both iterations will return FALSE.
   */
  protected $expected = array(
    FALSE,
    FALSE,
  );
  protected $storageClass = 'Drupal\\Component\\PhpStorage\\MTimeProtectedFileStorage';
  public static function getInfo() {
    return array(
      'name' => 'MTime protected file storage',
      'description' => 'Tests the MTimeProtectedFileStorage implementation.',
      'group' => 'PHP Storage',
    );
  }
  function setUp() {
    global $conf;
    parent::setUp();
    $this->secret = $this
      ->randomName();
    $conf['php_storage']['simpletest'] = array(
      'class' => $this->storageClass,
      'directory' => DRUPAL_ROOT . '/' . variable_get('file_public_path', conf_path() . '/files') . '/php',
      'secret' => $this->secret,
    );
  }

  /**
   * Tests basic load/save/delete operations.
   */
  function testCRUD() {
    $php = $this->storageFactory
      ->get('simpletest');
    $this
      ->assertIdentical(get_class($php), $this->storageClass);
    $this
      ->assertCRUD($php);
  }

  /**
   * Tests the security of the MTimeProtectedFileStorage implementation.
   *
   * We test two attacks: first changes the file mtime, then the directory
   * mtime too.
   */
  function testSecurity() {
    $php = $this->storageFactory
      ->get('simpletest');
    $name = 'simpletest.php';
    $php
      ->save($name, '<?php');
    $expected_root_directory = DRUPAL_ROOT . '/' . variable_get('file_public_path', conf_path() . '/files') . '/php/simpletest';
    $expected_directory = $expected_root_directory . '/' . $name;
    $directory_mtime = filemtime($expected_directory);
    $expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';

    // Ensure the file exists and that it and the containing directory have
    // minimal permissions. fileperms() can return high bits unrelated to
    // permissions, so mask with 0777.
    $this
      ->assertTrue(file_exists($expected_filename));
    $this
      ->assertIdentical(fileperms($expected_filename) & 0777, 0400);
    $this
      ->assertIdentical(fileperms($expected_directory) & 0777, 0100);

    // Ensure the root directory for the bin has a .htaccess file denying web
    // access.
    $this
      ->assertIdentical(file_get_contents($expected_root_directory . '/.htaccess'), "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nDeny from all\nOptions None\nOptions +FollowSymLinks");

    // Ensure that if the file is replaced with an untrusted one (due to another
    // script's file upload vulnerability), it does not get loaded. Since mtime
    // granularity is 1 second, we cannot prevent an attack that happens within
    // a second of the initial save().
    sleep(1);
    for ($i = 0; $i < 2; $i++) {
      $storageFactory = new PhpStorageFactory();
      $php = $this->storageFactory
        ->get('simpletest');
      $GLOBALS['hacked'] = FALSE;
      $untrusted_code = "<?php\n" . '$GLOBALS["hacked"] = TRUE;';
      chmod($expected_directory, 0700);
      chmod($expected_filename, 0700);
      if ($i) {

        // Now try to write the file in such a way that the directory mtime
        // changes and invalidates the hash.
        file_put_contents($expected_filename . '.tmp', $untrusted_code);
        rename($expected_filename . '.tmp', $expected_filename);
      }
      else {

        // On the first try do not change the directory mtime but the filemtime
        // is now larger than the directory mtime.
        file_put_contents($expected_filename, $untrusted_code);
      }
      chmod($expected_filename, 0400);
      chmod($expected_directory, 0100);
      $this
        ->assertIdentical(file_get_contents($expected_filename), $untrusted_code);
      $this
        ->assertIdentical($php
        ->exists($name), $this->expected[$i]);
      $this
        ->assertIdentical($php
        ->load($name), $this->expected[$i]);
      $this
        ->assertIdentical($GLOBALS['hacked'], $this->expected[$i]);
    }
  }

}

Members

Namesort descending Modifiers Type Description Overrides
MTimeProtectedFileStorageTest::$expected protected property The expected test results for the security test. 1
MTimeProtectedFileStorageTest::$storageClass protected property 1
MTimeProtectedFileStorageTest::getInfo public static function 1
MTimeProtectedFileStorageTest::setUp function Overrides \Drupal\simpletest\UnitTestBase::setUp() Overrides PhpStorageTestBase::setUp
MTimeProtectedFileStorageTest::testCRUD function Tests basic load/save/delete operations.
MTimeProtectedFileStorageTest::testSecurity function Tests the security of the MTimeProtectedFileStorage implementation.
PhpStorageTestBase::$storageFactory protected property The storage factory object.
PhpStorageTestBase::assertCRUD public function Assert that a PHP storage controller's load/save/delete operations work.
TestBase::$assertions protected property Assertions thrown in that test case.
TestBase::$databasePrefix protected property The database prefix of this test run.
TestBase::$originalFileDirectory protected property The original file directory, before it was changed for testing purposes.
TestBase::$originalPrefix protected property The original database prefix when running inside Simpletest.
TestBase::$results public property Current results of this test case.
TestBase::$setup protected property Flag to indicate whether the test has been set up.
TestBase::$setupDatabasePrefix protected property
TestBase::$setupEnvironment protected property
TestBase::$skipClasses protected property This class is skipped when looking for the source of an assertion.
TestBase::$testId protected property The test run ID.
TestBase::$timeLimit protected property Time limit for the test.
TestBase::$verbose protected property TRUE if verbose debugging is enabled.
TestBase::$verboseClassName protected property Safe class name for use in verbose output filenames.
TestBase::$verboseDirectory protected property Directory where verbose output files are put.
TestBase::$verboseDirectoryUrl protected property URL to the verbose output file directory.
TestBase::$verboseId protected property Incrementing identifier for verbose output filenames.
TestBase::assert protected function Internal helper: stores the assert.
TestBase::assertEqual protected function Check to see if two values are equal.
TestBase::assertFalse protected function Check to see if a value is false (an empty string, 0, NULL, or FALSE).
TestBase::assertIdentical protected function Check to see if two values are identical.
TestBase::assertIdenticalObject protected function Checks to see if two objects are identical.
TestBase::assertNotEqual protected function Check to see if two values are not equal.
TestBase::assertNotIdentical protected function Check to see if two values are not identical.
TestBase::assertNotNull protected function Check to see if a value is not NULL.
TestBase::assertNull protected function Check to see if a value is NULL.
TestBase::assertTrue protected function Check to see if a value is not false (not an empty string, 0, NULL, or FALSE).
TestBase::changeDatabasePrefix protected function Changes the database connection to the prefixed one.
TestBase::checkRequirements protected function Checks the matching requirements for Test. 3
TestBase::deleteAssert public static function Delete an assertion record by message ID.
TestBase::error protected function Fire an error assertion. 1
TestBase::errorHandler public function Handle errors during test runs.
TestBase::exceptionHandler protected function Handle exceptions.
TestBase::fail protected function Fire an assertion that is always negative.
TestBase::filePreDeleteCallback public static function Ensures test files are deletable within file_unmanaged_delete_recursive().
TestBase::generatePermutations public static function Converts a list of possible parameters into a stack of permutations.
TestBase::getAssertionCall protected function Cycles through backtrace until the first non-assertion method is found.
TestBase::getDatabaseConnection public static function Returns the database connection to the site running Simpletest.
TestBase::insertAssert public static function Store an assertion from outside the testing context.
TestBase::pass protected function Fire an assertion that is always positive.
TestBase::prepareDatabasePrefix protected function Generates a database prefix for running tests.
TestBase::prepareEnvironment protected function Prepares the current environment for running the test.
TestBase::randomName public static function Generates a random string containing letters and numbers.
TestBase::randomObject public static function Generates a random PHP object.
TestBase::randomString public static function Generates a random string of ASCII characters of codes 32 to 126.
TestBase::rebuildContainer protected function Rebuild drupal_container().
TestBase::run public function Run all tests in this class.
TestBase::tearDown protected function Deletes created files, database tables, and reverts all environment changes. 10
TestBase::verbose protected function Logs verbose message in a text file.
UnitTestBase::$configDirectories protected property
UnitTestBase::__construct function Constructor for UnitTestBase. Overrides TestBase::__construct 6