Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/tests/phpunit/includes/upload/UploadBaseTest.php

386 lines
16 KiB
PHP
Raw Normal View History

Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
<?php
Add @covers tags for more tests Change-Id: Iff3af78e9b41c445b7f066b6c0d0f4a87d2d6c4e
2013-10-21 08:46:11 +00:00
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
/**
* @group Upload
*/
Renaming files to follow name conventions And renamed the inner class name. Change-Id: I2ed94a61214439d5c70d04bd1dbddd68754b595e
2013-05-25 17:27:45 +00:00
class UploadBaseTest extends MediaWikiTestCase {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
Add @covers tags for more tests Change-Id: Iff3af78e9b41c445b7f066b6c0d0f4a87d2d6c4e
2013-10-21 08:46:11 +00:00
/** @var UploadTestHandler */
protected $upload;
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
protected function setUp() {
Readd r90538, this time with the missing global $wgHooks;
2011-06-22 21:02:07 +00:00
global $wgHooks;
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
parent::setUp();
Readd r90538, this time with the missing global $wgHooks;
2011-06-22 21:02:07 +00:00
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->upload = new UploadTestHandler;
Kill var_dump from r90603
2011-06-22 21:32:42 +00:00
$this->hooks = $wgHooks;
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
$wgHooks['InterwikiLoadPrefix'][] = function ( $prefix, &$data ) {
Move method to its using test class rather then having a public static thing in the base test class Change-Id: Id82225d0fb65dcd30b5724ee4f2d7838dfcb5ea6
2012-08-12 19:47:06 +00:00
return false;
};
Readd r90538, this time with the missing global $wgHooks;
2011-06-22 21:02:07 +00:00
}
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
protected function tearDown() {
Readd r90538, this time with the missing global $wgHooks;
2011-06-22 21:02:07 +00:00
global $wgHooks;
$wgHooks = $this->hooks;
Add some missing parent::tearDown() Change-Id: Ibcdf5d440043cef25b4aa9fb08b61ec4a2c558d1
2012-12-31 12:54:06 +00:00
parent::tearDown();
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
}
/**
Use data providers
2011-09-29 19:08:08 +00:00
* First checks the return code
* of UploadBase::getTitle() and then the actual returned title
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
*
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
* @dataProvider provideTestTitleValidation
Add @covers tags for more tests Change-Id: Iff3af78e9b41c445b7f066b6c0d0f4a87d2d6c4e
2013-10-21 08:46:11 +00:00
* @covers UploadBase::getTitle
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
*/
Use data providers
2011-09-29 19:08:08 +00:00
public function testTitleValidation( $srcFilename, $dstFilename, $code, $msg ) {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
/* Check the result code */
$this->assertEquals( $code,
$this->upload->testTitleValidation( $srcFilename ),
"$msg code" );
/* If we expect a valid title, check the title itself. */
Properly qualify usage of class constants
2010-12-22 00:25:16 +00:00
if ( $code == UploadBase::OK ) {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->assertEquals( $dstFilename,
$this->upload->getTitle()->getText(),
"$msg text" );
}
}
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
Use data providers
2011-09-29 19:08:08 +00:00
/**
* Test various forms of valid and invalid titles that can be supplied.
*/
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
public static function provideTestTitleValidation() {
Use data providers
2011-09-29 19:08:08 +00:00
return array(
/* Test a valid title */
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
array( 'ValidTitle.jpg', 'ValidTitle.jpg', UploadBase::OK,
Use data providers
2011-09-29 19:08:08 +00:00
'upload valid title' ),
/* A title with a slash */
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
array( 'A/B.jpg', 'B.jpg', UploadBase::OK,
Use data providers
2011-09-29 19:08:08 +00:00
'upload title with slash' ),
/* A title with illegal char */
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
array( 'A:B.jpg', 'A-B.jpg', UploadBase::OK,
Use data providers
2011-09-29 19:08:08 +00:00
'upload title with colon' ),
/* Stripping leading File: prefix */
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
array( 'File:C.jpg', 'C.jpg', UploadBase::OK,
Use data providers
2011-09-29 19:08:08 +00:00
'upload title with File prefix' ),
/* Test illegal suggested title (r94601) */
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
array( '%281%29.JPG', null, UploadBase::ILLEGAL_FILENAME,
Use data providers
2011-09-29 19:08:08 +00:00
'illegal title for upload' ),
/* A title without extension */
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
array( 'A', null, UploadBase::FILETYPE_MISSING,
Use data providers
2011-09-29 19:08:08 +00:00
'upload title without extension' ),
/* A title with no basename */
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
array( '.jpg', null, UploadBase::MIN_LENGTH_PARTNAME,
Use data providers
2011-09-29 19:08:08 +00:00
'upload title without basename' ),
/* A title that is longer than 255 bytes */
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
array( str_repeat( 'a', 255 ) . '.jpg', null, UploadBase::FILENAME_TOO_LONG,
Use data providers
2011-09-29 19:08:08 +00:00
'upload title longer than 255 bytes' ),
/* A title that is longer than 240 bytes */
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
array( str_repeat( 'a', 240 ) . '.jpg', null, UploadBase::FILENAME_TOO_LONG,
Use data providers
2011-09-29 19:08:08 +00:00
'upload title longer than 240 bytes' ),
);
}
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
/**
* Test the upload verification functions
Add @covers tags for more tests Change-Id: Iff3af78e9b41c445b7f066b6c0d0f4a87d2d6c4e
2013-10-21 08:46:11 +00:00
* @covers UploadBase::verifyUpload
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
*/
public function testVerifyUpload() {
/* Setup with zero file size */
$this->upload->initializePathInfo( '', '', 0 );
$result = $this->upload->verifyUpload();
Properly qualify usage of class constants
2010-12-22 00:25:16 +00:00
$this->assertEquals( UploadBase::EMPTY_FILE,
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$result['status'],
'upload empty file' );
}
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
// Helper used to create an empty file of size $size.
private function createFileOfSize( $size ) {
Do r82017 the right way. Fix pointed by Bryan.
2011-02-12 15:18:59 +00:00
$filename = tempnam( wfTempDir(), "mwuploadtest" );
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
$fh = fopen( $filename, 'w' );
Fix for r80992. Remove posix extension requisite. Made to work in non-Unix systems. Replaced fseek+fwrite with ftruncate()
2011-02-10 10:48:02 +00:00
ftruncate( $fh, $size );
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
fclose( $fh );
return $filename;
}
/**
[Core JS] More fixing of global config variable usage * mw.config is the new way, and global config variable lookups are deprecated * Based on two phase3-wide quick searches: -- of " wg": http://toolserver.org/~krinkle/wikimedia-svn-search/view.php?id=321&hash=81700bf7486e4fee3b7bc1f83eb9eba6 -- of "!wg": http://toolserver.org/~krinkle/wikimedia-svn-search/view.php?id=327&hash=47c9d54a7a1d5d58a724dd834585f40d Related changes: * Changed some php comments mentioning "wg" variables to include the dollar sign, and a typo when the wf function prefix was meant. * Removed TODO comment in wikibits.js and made it use the JS equivalent of wfUrlencode, which we have now, mw.util.wikiUrlencode * SpecialUpload.php: use OutputPage::addJsConfigVars instead of creating a new script tag through OutputPage::addScript(Skin::makeVariablesScript(..)) * Renamed wgUploadSetup in upload.js and made it local. Not used anywhere in ./trunk/phase3 and ./trunk/extensions * Fix OutputPage::addJsConfigVars so that it can actually be called with an array instead of two arguments for key/value * Some minor whitespace/convention stuff around the same line
2011-12-31 21:25:00 +00:00
* test uploading a 100 bytes file with $wgMaxUploadSize = 100
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
*
* This method should be abstracted so we can test different settings.
*/
public function testMaxUploadSize() {
global $wgMaxUploadSize;
$savedGlobal = $wgMaxUploadSize; // save global
global $wgFileExtensions;
$wgFileExtensions[] = 'txt';
$wgMaxUploadSize = 100;
$filename = $this->createFileOfSize( $wgMaxUploadSize );
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
$this->upload->initializePathInfo( basename( $filename ) . '.txt', $filename, 100 );
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
$result = $this->upload->verifyUpload();
unlink( $filename );
$this->assertEquals(
Tweak documentation Fix constant use in UploadTest
2011-02-27 21:11:45 +00:00
array( 'status' => UploadBase::OK ), $result );
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
$wgMaxUploadSize = $savedGlobal; // restore global
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
}
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
/**
* @dataProvider provideCheckSvgScriptCallback
*/
public function testCheckSvgScriptCallback( $svg, $wellFormed, $filterMatch, $message ) {
list( $formed, $match ) = $this->upload->checkSvgString( $svg );
$this->assertSame( $wellFormed, $formed, $message );
$this->assertSame( $filterMatch, $match, $message );
}
public static function provideCheckSvgScriptCallback() {
return array(
// html5sec SVG vectors
array(
'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
true,
true,
'Script tag in svg (http://html5sec.org/#47)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>',
true,
true,
'SVG with onload property (http://html5sec.org/#11)'
),
array(
'<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>',
true,
true,
'SVG with onload property (http://html5sec.org/#65)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" fill="white"/></a> </svg>',
true,
true,
'SVG with javascript xlink (http://html5sec.org/#87)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <animation xlink:href="javascript:alert(1)"/> </svg>',
true,
true,
'SVG with Opera animation xlink (http://html5sec.org/#88 - a)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <animation xlink:href="data:text/xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\' onload=\'alert(1)\'%3E%3C/svg%3E"/> </svg>',
true,
true,
'SVG with Opera animation xlink (http://html5sec.org/#88 - b)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <image xlink:href="data:image/svg+xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\' onload=\'alert(1)\'%3E%3C/svg%3E"/> </svg>',
true,
true,
'SVG with Opera image xlink (http://html5sec.org/#88 - c)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <foreignObject xlink:href="javascript:alert(1)"/> </svg>',
true,
true,
'SVG with Opera foreignObject xlink (http://html5sec.org/#88 - d)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <foreignObject xlink:href="data:text/xml,%3Cscript xmlns=\'http://www.w3.org/1999/xhtml\'%3Ealert(1)%3C/script%3E"/> </svg>',
true,
true,
'SVG with Opera foreignObject xlink (http://html5sec.org/#88 - e)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <set attributeName="onmouseover" to="alert(1)"/> </svg>',
true,
true,
'SVG with event handler set (http://html5sec.org/#89 - a)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <animate attributeName="onunload" to="alert(1)"/> </svg>',
true,
true,
'SVG with event handler animate (http://html5sec.org/#89 - a)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg>',
true,
true,
'SVG with element handler (http://html5sec.org/#94)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage> </svg>',
true,
true,
'SVG with href to data: url (http://html5sec.org/#95)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>',
true,
true,
'SVG with Tiny handler (http://html5sec.org/#104)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <a id="x"><rect fill="white" width="1000" height="1000"/></a> <rect fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/> </svg>',
true,
true,
'SVG with new CSS styles properties (http://html5sec.org/#109)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <a id="x"><rect fill="white" width="1000" height="1000"/></a> <rect clip-path="url(test3.svg#a)" /> </svg>',
true,
true,
'SVG with new CSS styles properties as attributes'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <a id="x"> <rect fill="white" width="1000" height="1000"/> </a> <rect fill="url(http://html5sec.org/test3.svg#a)" /> </svg>',
true,
true,
'SVG with new CSS styles properties as attributes (2)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <path d="M0,0" style="marker-start:url(test4.svg#a)"/> </svg>',
true,
true,
'SVG with path marker-start (http://html5sec.org/#110)'
),
array(
'<?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED>]> <svg xmlns="http://www.w3.org/2000/svg"> <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"></iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg>',
true,
true,
'SVG with embedded stylesheet (http://html5sec.org/#125)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(1)</handler> </svg>',
true,
true,
'SVG with handler attribute (http://html5sec.org/#127)'
),
array(
// Haven't found a browser that accepts this particular example, but we
// don't want to allow embeded svgs, ever
'<svg> <image style=\'filter:url("data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ/YWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg==")\' /> </svg>',
true,
true,
'SVG with image filter via style (http://html5sec.org/#129)'
),
array(
// This doesn't seem possible without embedding the svg, but just in case
'<svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="" /> </a></svg>',
true,
true,
'SVG with animate from (http://html5sec.org/#137)'
),
// Other hostile SVG's
array(
'<?xml version="1.0" encoding="UTF-8" standalone="no"?> <svg xmlns:xlink="http://www.w3.org/1999/xlink"> <image xlink:href="https://upload.wikimedia.org/wikipedia/commons/3/34/Bahnstrecke_Zeitz-Camburg_1930.png" /> </svg>',
true,
true,
'SVG with non-local image href (bug 65839)'
),
array(
'<?xml version="1.0" ?> <?xml-stylesheet type="text/xsl" href="/w/index.php?title=User:Jeeves/test.xsl&amp;action=raw&amp;format=xml" ?> <svg> <height>50</height> <width>100</width> </svg>',
true,
true,
'SVG with remote stylesheet (bug 57550)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" viewbox="-1 -1 15 15"> <rect y="0" height="13" width="12" stroke="#179" rx="1" fill="#2ac"/> <text x="1.5" y="11" font-family="courier" stroke="white" font-size="16"><![CDATA[B]]></text> <iframe xmlns="http://www.w3.org/1999/xhtml" srcdoc="&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x45;&#x44;&#x20;&#x3D;&#x3E;&#x20;&#x44;&#x6F;&#x6D;&#x61;&#x69;&#x6E;&#x28;&#x27;&#x2B;&#x74;&#x6F;&#x70;&#x2E;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x64;&#x6F;&#x6D;&#x61;&#x69;&#x6E;&#x2B;&#x27;&#x29;&#x27;&#x29;&#x3B;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;"></iframe> </svg>',
true,
true,
'SVG with rembeded iframe (bug 60771)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" viewBox="6 3 177 153" xmlns:xlink="http://www.w3.org/1999/xlink"> <style>@import url("https://fonts.googleapis.com/css?family=Bitter:700&amp;text=WebPlatform.org");</style> <g transform="translate(-.5,-.5)"> <text fill="#474747" x="95" y="150" text-anchor="middle" font-family="Bitter" font-size="20" font-weight="bold">WebPlatform.org</text> </g> </svg>',
true,
true,
'SVG with @import in style element (bug 69008)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg" viewBox="6 3 177 153" xmlns:xlink="http://www.w3.org/1999/xlink"> <style>@import url("https://fonts.googleapis.com/css?family=Bitter:700&amp;text=WebPlatform.org");<foo/></style> <g transform="translate(-.5,-.5)"> <text fill="#474747" x="95" y="150" text-anchor="middle" font-family="Bitter" font-size="20" font-weight="bold">WebPlatform.org</text> </g> </svg>',
true,
true,
'SVG with @import in style element and child element (bug 69008#c11)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <rect width="100" height="100" style="background-image:url(https://www.google.com/images/srpr/logo11w.png)"/> </svg>',
true,
true,
'SVG with remote background image (bug 69008)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <rect width="100" height="100" style="background-image:\55rl(https://www.google.com/images/srpr/logo11w.png)"/> </svg>',
true,
true,
'SVG with remote background image, encoded (bug 69008)'
),
array(
'<svg xmlns="http://www.w3.org/2000/svg"> <style> #a { background-image:\55rl(\'https://www.google.com/images/srpr/logo11w.png\'); } </style> <rect width="100" height="100" id="a"/> </svg>',
true,
true,
'SVG with remote background image, in style element (bug 69008)'
),
array(
// This currently doesn't seem to work in any browsers, but in case
// http://www.w3.org/TR/css3-images/ is implemented for SVG files
'<svg xmlns="http://www.w3.org/2000/svg"> <rect width="100" height="100" style="background-image:image(\'sprites.svg#xywh=40,0,20,20\')"/> </svg>',
true,
true,
'SVG with remote background image using image() (bug 69008)'
),
// Test good, but strange files that we want to allow
array(
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <g> <a xlink:href="http://en.wikipedia.org/wiki/Main_Page"> <path transform="translate(0,496)" id="path6706" d="m 112.09375,107.6875 -5.0625,3.625 -4.3125,5.03125 -0.46875,0.5 -4.09375,3.34375 -9.125,5.28125 -8.625,-3.375 z" style="fill:#cccccc;fill-opacity:1;stroke:#6e6e6e;stroke-width:0.69999999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;display:inline" /> </a> </g> </svg>',
true,
false,
'SVG with <a> link to a remote site'
),
array(
'<svg> <defs> <filter id="filter6226" x="-0.93243687" width="2.8648737" y="-0.24250539" height="1.4850108"> <feGaussianBlur stdDeviation="3.2344681" id="feGaussianBlur6228" /> </filter> <clipPath id="clipPath2436"> <path d="M 0,0 L 0,0 L 0,0 L 0,0 z" id="path2438" /> </clipPath> </defs> <g clip-path="url(#clipPath2436)" id="g2460"> <text id="text2466"> <tspan>12345</tspan> </text> </g> <path style="fill:#346733;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:round;stroke-linejoin:bevel;stroke-opacity:1;stroke-miterlimit:4;stroke-dasharray:1, 1;stroke-dashoffset:0;filter:url(\'#filter6226\');fill-opacity:1;opacity:0.79807692" d="M 236.82371,332.63732 C 236.92217,332.63732 z" id="path5618" /> </svg>',
true,
false,
'SVG with local urls, including filter: in style'
),
);
}
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
}
class UploadTestHandler extends UploadBase {
Update code formatting Change-Id: I16a9b42651f1cfb1a70dffbb67b7b83dfeb90d03
2013-04-26 12:00:22 +00:00
public function initializeFromRequest( &$request ) {
}
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
public function testTitleValidation( $name ) {
$this->mTitle = false;
$this->mDesiredDestName = $name;
$this->mTitleError = UploadBase::OK;
$this->getTitle();
Update code formatting Change-Id: I16a9b42651f1cfb1a70dffbb67b7b83dfeb90d03
2013-04-26 12:00:22 +00:00
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
return $this->mTitleError;
}
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
/**
* Almost the same as UploadBase::detectScriptInSvg, except it's
* public, works on an xml string instead of filename, and returns
* the result instead of interpreting them.
*/
public function checkSvgString( $svg ) {
$check = new XmlTypeCheck(
$svg,
array( $this, 'checkSvgScriptCallback' ),
false,
array( 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' )
);
return array( $check->wellFormed, $check->filterMatch );
}
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
}
Reference in a new issue Copy permalink