Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/tests/phpunit/includes/upload/UploadBaseTest.php

424 lines
19 KiB
PHP
Raw Normal View History

Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
<?php
Add @covers tags for more tests Change-Id: Iff3af78e9b41c445b7f066b6c0d0f4a87d2d6c4e
2013-10-21 08:46:11 +00:00
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
/**
* @group Upload
*/
Renaming files to follow name conventions And renamed the inner class name. Change-Id: I2ed94a61214439d5c70d04bd1dbddd68754b595e
2013-05-25 17:27:45 +00:00
class UploadBaseTest extends MediaWikiTestCase {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
Add @covers tags for more tests Change-Id: Iff3af78e9b41c445b7f066b6c0d0f4a87d2d6c4e
2013-10-21 08:46:11 +00:00
/** @var UploadTestHandler */
protected $upload;
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
protected function setUp() {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
parent::setUp();
Readd r90538, this time with the missing global $wgHooks;
2011-06-22 21:02:07 +00:00
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->upload = new UploadTestHandler;
Add some missing parent::tearDown() Change-Id: Ibcdf5d440043cef25b4aa9fb08b61ec4a2c558d1
2012-12-31 12:54:06 +00:00
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
$this->setMwGlobals( 'wgHooks', [
'InterwikiLoadPrefix' => [
UploadBaseTest: Use setMwGlobals() instead of juggling globals Abstracts the logic for restoration into the built-in teardown() handler. Also purify the test configuration by setting wgHooks and wgFileExtensions to otherwise empty arrays instead of extending existing ones. Change-Id: Ied65ee62f658dd650c603a54e72cd19965867a8f
2014-10-07 03:13:32 +00:00
function ( $prefix, &$data ) {
return false;
}
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
],
] );
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
}
/**
Use data providers
2011-09-29 19:08:08 +00:00
* First checks the return code
* of UploadBase::getTitle() and then the actual returned title
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
*
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
* @dataProvider provideTestTitleValidation
Add @covers tags for more tests Change-Id: Iff3af78e9b41c445b7f066b6c0d0f4a87d2d6c4e
2013-10-21 08:46:11 +00:00
* @covers UploadBase::getTitle
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
*/
Use data providers
2011-09-29 19:08:08 +00:00
public function testTitleValidation( $srcFilename, $dstFilename, $code, $msg ) {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
/* Check the result code */
$this->assertEquals( $code,
$this->upload->testTitleValidation( $srcFilename ),
"$msg code" );
/* If we expect a valid title, check the title itself. */
Properly qualify usage of class constants
2010-12-22 00:25:16 +00:00
if ( $code == UploadBase::OK ) {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->assertEquals( $dstFilename,
$this->upload->getTitle()->getText(),
"$msg text" );
}
}
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
Use data providers
2011-09-29 19:08:08 +00:00
/**
* Test various forms of valid and invalid titles that can be supplied.
*/
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
public static function provideTestTitleValidation() {
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
return [
Use data providers
2011-09-29 19:08:08 +00:00
/* Test a valid title */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ 'ValidTitle.jpg', 'ValidTitle.jpg', UploadBase::OK,
'upload valid title' ],
Use data providers
2011-09-29 19:08:08 +00:00
/* A title with a slash */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ 'A/B.jpg', 'B.jpg', UploadBase::OK,
'upload title with slash' ],
Use data providers
2011-09-29 19:08:08 +00:00
/* A title with illegal char */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ 'A:B.jpg', 'A-B.jpg', UploadBase::OK,
'upload title with colon' ],
Use data providers
2011-09-29 19:08:08 +00:00
/* Stripping leading File: prefix */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ 'File:C.jpg', 'C.jpg', UploadBase::OK,
'upload title with File prefix' ],
Use data providers
2011-09-29 19:08:08 +00:00
/* Test illegal suggested title (r94601) */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ '%281%29.JPG', null, UploadBase::ILLEGAL_FILENAME,
'illegal title for upload' ],
Use data providers
2011-09-29 19:08:08 +00:00
/* A title without extension */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ 'A', null, UploadBase::FILETYPE_MISSING,
'upload title without extension' ],
Use data providers
2011-09-29 19:08:08 +00:00
/* A title with no basename */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ '.jpg', null, UploadBase::MIN_LENGTH_PARTNAME,
'upload title without basename' ],
Use data providers
2011-09-29 19:08:08 +00:00
/* A title that is longer than 255 bytes */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ str_repeat( 'a', 255 ) . '.jpg', null, UploadBase::FILENAME_TOO_LONG,
'upload title longer than 255 bytes' ],
Use data providers
2011-09-29 19:08:08 +00:00
/* A title that is longer than 240 bytes */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ str_repeat( 'a', 240 ) . '.jpg', null, UploadBase::FILENAME_TOO_LONG,
'upload title longer than 240 bytes' ],
];
Use data providers
2011-09-29 19:08:08 +00:00
}
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
/**
* Test the upload verification functions
Add @covers tags for more tests Change-Id: Iff3af78e9b41c445b7f066b6c0d0f4a87d2d6c4e
2013-10-21 08:46:11 +00:00
* @covers UploadBase::verifyUpload
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
*/
public function testVerifyUpload() {
/* Setup with zero file size */
$this->upload->initializePathInfo( '', '', 0 );
$result = $this->upload->verifyUpload();
Properly qualify usage of class constants
2010-12-22 00:25:16 +00:00
$this->assertEquals( UploadBase::EMPTY_FILE,
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$result['status'],
'upload empty file' );
}
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
// Helper used to create an empty file of size $size.
private function createFileOfSize( $size ) {
Use MediaWikiTestCase methods for tempdir in unit tests * Use MediaWikiTestCase::getNewTempFile and getNewTempDirectory instead of wfTempDir(). The upload api tests wrote a tempnam() file directly (where wfTempDir() is typically shared with other systems and concurrent runs). Use MediaWikiTestCase::getNewTempFile and getNewTempDirectory instead. This also ensures its removal by the teardown handler without needing manual unlink() calls. And it doesn't rely on the test passing. (Many unlink calls where at the bottom of tests, which wouldn't be reached in case of failure). * For the upload test, the presistent storing of 'Oberaargletscher_from_Oberaar.jpg' (downloaded from Commons) was removed. Note that this didn't work for Jenkins builds anyway as Jenkins builds set $wgTmpDirectory to a unique directory in tmpfs associated with an individual build. * For filebackend tests, moved directory creation from the dataProvider to the main test. Implemented addTmpFiles() to allow subclasses to register additional files (created by other means) to be cleaned up also. Removed unused $tmpName and $toPath parameters in data provider for FileBackendTest::testStore. And fixed weird double $op2 variable name to be called $op3. * Skipped parserTest.inc, MockFileBackend.php, and UploadFromUrlTestSuite.php as those don't use MediaWikiTestCase. Change-Id: Ic7feb06ef0c1006eb99485470a1a59419f972545
2015-02-11 01:42:33 +00:00
$filename = $this->getNewTempFile();
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
$fh = fopen( $filename, 'w' );
Fix for r80992. Remove posix extension requisite. Made to work in non-Unix systems. Replaced fseek+fwrite with ftruncate()
2011-02-10 10:48:02 +00:00
ftruncate( $fh, $size );
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
fclose( $fh );
return $filename;
}
/**
[Core JS] More fixing of global config variable usage * mw.config is the new way, and global config variable lookups are deprecated * Based on two phase3-wide quick searches: -- of " wg": http://toolserver.org/~krinkle/wikimedia-svn-search/view.php?id=321&hash=81700bf7486e4fee3b7bc1f83eb9eba6 -- of "!wg": http://toolserver.org/~krinkle/wikimedia-svn-search/view.php?id=327&hash=47c9d54a7a1d5d58a724dd834585f40d Related changes: * Changed some php comments mentioning "wg" variables to include the dollar sign, and a typo when the wf function prefix was meant. * Removed TODO comment in wikibits.js and made it use the JS equivalent of wfUrlencode, which we have now, mw.util.wikiUrlencode * SpecialUpload.php: use OutputPage::addJsConfigVars instead of creating a new script tag through OutputPage::addScript(Skin::makeVariablesScript(..)) * Renamed wgUploadSetup in upload.js and made it local. Not used anywhere in ./trunk/phase3 and ./trunk/extensions * Fix OutputPage::addJsConfigVars so that it can actually be called with an array instead of two arguments for key/value * Some minor whitespace/convention stuff around the same line
2011-12-31 21:25:00 +00:00
* test uploading a 100 bytes file with $wgMaxUploadSize = 100
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
*
* This method should be abstracted so we can test different settings.
*/
public function testMaxUploadSize() {
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
$this->setMwGlobals( [
UploadBaseTest: Use setMwGlobals() instead of juggling globals Abstracts the logic for restoration into the built-in teardown() handler. Also purify the test configuration by setting wgHooks and wgFileExtensions to otherwise empty arrays instead of extending existing ones. Change-Id: Ied65ee62f658dd650c603a54e72cd19965867a8f
2014-10-07 03:13:32 +00:00
'wgMaxUploadSize' => 100,
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
'wgFileExtensions' => [
UploadBaseTest: Use setMwGlobals() instead of juggling globals Abstracts the logic for restoration into the built-in teardown() handler. Also purify the test configuration by setting wgHooks and wgFileExtensions to otherwise empty arrays instead of extending existing ones. Change-Id: Ied65ee62f658dd650c603a54e72cd19965867a8f
2014-10-07 03:13:32 +00:00
'txt',
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
],
] );
UploadBaseTest: Use setMwGlobals() instead of juggling globals Abstracts the logic for restoration into the built-in teardown() handler. Also purify the test configuration by setting wgHooks and wgFileExtensions to otherwise empty arrays instead of extending existing ones. Change-Id: Ied65ee62f658dd650c603a54e72cd19965867a8f
2014-10-07 03:13:32 +00:00
$filename = $this->createFileOfSize( 100 );
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
$this->upload->initializePathInfo( basename( $filename ) . '.txt', $filename, 100 );
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
$result = $this->upload->verifyUpload();
$this->assertEquals(
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ 'status' => UploadBase::OK ],
UploadBaseTest: Use setMwGlobals() instead of juggling globals Abstracts the logic for restoration into the built-in teardown() handler. Also purify the test configuration by setting wgHooks and wgFileExtensions to otherwise empty arrays instead of extending existing ones. Change-Id: Ied65ee62f658dd650c603a54e72cd19965867a8f
2014-10-07 03:13:32 +00:00
$result
);
Test uploading a file of size $wgMaxUploadSize TODO: method testMaxUploadSize() shoud be able to use differents settings. The assertion could then get moved elsewhere in a nice helper.
2011-01-25 21:26:28 +00:00
}
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
/**
* @dataProvider provideCheckSvgScriptCallback
*/
public function testCheckSvgScriptCallback( $svg, $wellFormed, $filterMatch, $message ) {
list( $formed, $match ) = $this->upload->checkSvgString( $svg );
$this->assertSame( $wellFormed, $formed, $message );
$this->assertSame( $filterMatch, $match, $message );
}
public static function provideCheckSvgScriptCallback() {
Fix Generic.Files.LineLength phpcs check in files under phpunit/includes Bug: T102614 Change-Id: Iee3df5f064f595ecebe8210cc936bc3d20a122c9
2015-10-03 13:04:51 +00:00
// @codingStandardsIgnoreStart Generic.Files.LineLength
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
return [
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
// html5sec SVG vectors
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
true,
true,
'Script tag in svg (http://html5sec.org/#47)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>',
true,
true,
'SVG with onload property (http://html5sec.org/#11)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>',
true,
true,
'SVG with onload property (http://html5sec.org/#65)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" fill="white"/></a> </svg>',
true,
true,
'SVG with javascript xlink (http://html5sec.org/#87)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Don't allow embedded application/xml in SVG's Fix for iSEC-WMF1214-11 and issue reported by Cure 53, which got around our blacklist on embedded href targets. Use a whitelist instead. Bug: T85850 Change-Id: I17b7ed65935b818695a83fd901fcaf90fffecf28
2015-01-13 01:00:45 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTmFtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29raWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/> </svg>',
true,
true,
'SVG with Opera image xlink (http://html5sec.org/#88 - c)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <animation xlink:href="javascript:alert(1)"/> </svg>',
true,
true,
'SVG with Opera animation xlink (http://html5sec.org/#88 - a)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <animation xlink:href="data:text/xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\' onload=\'alert(1)\'%3E%3C/svg%3E"/> </svg>',
true,
true,
'SVG with Opera animation xlink (http://html5sec.org/#88 - b)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <image xlink:href="data:image/svg+xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\' onload=\'alert(1)\'%3E%3C/svg%3E"/> </svg>',
true,
true,
'SVG with Opera image xlink (http://html5sec.org/#88 - c)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <foreignObject xlink:href="javascript:alert(1)"/> </svg>',
true,
true,
'SVG with Opera foreignObject xlink (http://html5sec.org/#88 - d)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <foreignObject xlink:href="data:text/xml,%3Cscript xmlns=\'http://www.w3.org/1999/xhtml\'%3Ealert(1)%3C/script%3E"/> </svg>',
true,
true,
'SVG with Opera foreignObject xlink (http://html5sec.org/#88 - e)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <set attributeName="onmouseover" to="alert(1)"/> </svg>',
true,
true,
'SVG with event handler set (http://html5sec.org/#89 - a)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <animate attributeName="onunload" to="alert(1)"/> </svg>',
true,
true,
'SVG with event handler animate (http://html5sec.org/#89 - a)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg>',
true,
true,
'SVG with element handler (http://html5sec.org/#94)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage> </svg>',
true,
true,
'SVG with href to data: url (http://html5sec.org/#95)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>',
true,
true,
'SVG with Tiny handler (http://html5sec.org/#104)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <a id="x"><rect fill="white" width="1000" height="1000"/></a> <rect fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/> </svg>',
true,
true,
'SVG with new CSS styles properties (http://html5sec.org/#109)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <a id="x"><rect fill="white" width="1000" height="1000"/></a> <rect clip-path="url(test3.svg#a)" /> </svg>',
true,
true,
'SVG with new CSS styles properties as attributes'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <a id="x"> <rect fill="white" width="1000" height="1000"/> </a> <rect fill="url(http://html5sec.org/test3.svg#a)" /> </svg>',
true,
true,
'SVG with new CSS styles properties as attributes (2)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <path d="M0,0" style="marker-start:url(test4.svg#a)"/> </svg>',
true,
true,
'SVG with path marker-start (http://html5sec.org/#110)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED>]> <svg xmlns="http://www.w3.org/2000/svg"> <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"></iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg>',
true,
true,
'SVG with embedded stylesheet (http://html5sec.org/#125)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(1)</handler> </svg>',
true,
true,
'SVG with handler attribute (http://html5sec.org/#127)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
// Haven't found a browser that accepts this particular example, but we
// don't want to allow embeded svgs, ever
'<svg> <image style=\'filter:url("data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ/YWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg==")\' /> </svg>',
true,
true,
'SVG with image filter via style (http://html5sec.org/#129)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
// This doesn't seem possible without embedding the svg, but just in case
'<svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="" /> </a></svg>',
true,
true,
'SVG with animate from (http://html5sec.org/#137)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Fix animate blacklist The blacklist should prevent animating any element's xlink:href to a javascript url. Bug: T86711 Change-Id: Ia9e9192165fdfe1701f22605eee0b0e5c9137d5a
2015-01-14 00:48:01 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <a><text y="1em">Click me</text> <animate attributeName="xlink:href" values="javascript:alert(\'Bang!\')" begin="0s" dur="0.1s" fill="freeze" /> </a></svg>',
true,
true,
'SVG with animate xlink:href (http://html5sec.org/#137)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Fix animate blacklist The blacklist should prevent animating any element's xlink:href to a javascript url. Bug: T86711 Change-Id: Ia9e9192165fdfe1701f22605eee0b0e5c9137d5a
2015-01-14 00:48:01 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:y="http://www.w3.org/1999/xlink"> <a y:href="#"> <text y="1em">Click me</text> <animate attributeName="y:href" values="javascript:alert(\'Bang!\')" begin="0s" dur="0.1s" fill="freeze" /> </a> </svg>',
true,
true,
'SVG with animate y:href (http://html5sec.org/#137)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
// Other hostile SVG's
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<?xml version="1.0" encoding="UTF-8" standalone="no"?> <svg xmlns:xlink="http://www.w3.org/1999/xlink"> <image xlink:href="https://upload.wikimedia.org/wikipedia/commons/3/34/Bahnstrecke_Zeitz-Camburg_1930.png" /> </svg>',
true,
true,
'SVG with non-local image href (bug 65839)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<?xml version="1.0" ?> <?xml-stylesheet type="text/xsl" href="/w/index.php?title=User:Jeeves/test.xsl&amp;action=raw&amp;format=xml" ?> <svg> <height>50</height> <width>100</width> </svg>',
true,
true,
'SVG with remote stylesheet (bug 57550)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" viewbox="-1 -1 15 15"> <rect y="0" height="13" width="12" stroke="#179" rx="1" fill="#2ac"/> <text x="1.5" y="11" font-family="courier" stroke="white" font-size="16"><![CDATA[B]]></text> <iframe xmlns="http://www.w3.org/1999/xhtml" srcdoc="&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x45;&#x44;&#x20;&#x3D;&#x3E;&#x20;&#x44;&#x6F;&#x6D;&#x61;&#x69;&#x6E;&#x28;&#x27;&#x2B;&#x74;&#x6F;&#x70;&#x2E;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x64;&#x6F;&#x6D;&#x61;&#x69;&#x6E;&#x2B;&#x27;&#x29;&#x27;&#x29;&#x3B;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;"></iframe> </svg>',
true,
true,
'SVG with rembeded iframe (bug 60771)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" viewBox="6 3 177 153" xmlns:xlink="http://www.w3.org/1999/xlink"> <style>@import url("https://fonts.googleapis.com/css?family=Bitter:700&amp;text=WebPlatform.org");</style> <g transform="translate(-.5,-.5)"> <text fill="#474747" x="95" y="150" text-anchor="middle" font-family="Bitter" font-size="20" font-weight="bold">WebPlatform.org</text> </g> </svg>',
true,
true,
'SVG with @import in style element (bug 69008)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" viewBox="6 3 177 153" xmlns:xlink="http://www.w3.org/1999/xlink"> <style>@import url("https://fonts.googleapis.com/css?family=Bitter:700&amp;text=WebPlatform.org");<foo/></style> <g transform="translate(-.5,-.5)"> <text fill="#474747" x="95" y="150" text-anchor="middle" font-family="Bitter" font-size="20" font-weight="bold">WebPlatform.org</text> </g> </svg>',
true,
true,
'SVG with @import in style element and child element (bug 69008#c11)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Make SVG @import checking case insensitive @import in embedded CSS is case-insensitive, meaning an attacker can put "@iMpOrT" and it should still work. This uses stripos instead of strpos to make the check case insensitive. Bug: T85349 Change-Id: I31db9d81f46460af2d8d3f161ba46c2ab7a170d1
2014-12-30 20:24:04 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" viewBox="6 3 177 153" xmlns:xlink="http://www.w3.org/1999/xlink"> <style>@imporT "https://fonts.googleapis.com/css?family=Bitter:700&amp;text=WebPlatform.org";</style> <g transform="translate(-.5,-.5)"> <text fill="#474747" x="95" y="150" text-anchor="middle" font-family="Bitter" font-size="20" font-weight="bold">WebPlatform.org</text> </g> </svg>',
true,
true,
'SVG with case-insensitive @import in style element (bug T85349)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <rect width="100" height="100" style="background-image:url(https://www.google.com/images/srpr/logo11w.png)"/> </svg>',
true,
true,
'SVG with remote background image (bug 69008)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <rect width="100" height="100" style="background-image:\55rl(https://www.google.com/images/srpr/logo11w.png)"/> </svg>',
true,
true,
'SVG with remote background image, encoded (bug 69008)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg"> <style> #a { background-image:\55rl(\'https://www.google.com/images/srpr/logo11w.png\'); } </style> <rect width="100" height="100" id="a"/> </svg>',
true,
true,
'SVG with remote background image, in style element (bug 69008)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
// This currently doesn't seem to work in any browsers, but in case
// http://www.w3.org/TR/css3-images/ is implemented for SVG files
'<svg xmlns="http://www.w3.org/2000/svg"> <rect width="100" height="100" style="background-image:image(\'sprites.svg#xywh=40,0,20,20\')"/> </svg>',
true,
true,
'SVG with remote background image using image() (bug 69008)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Don't allow embedded application/xml in SVG's Fix for iSEC-WMF1214-11 and issue reported by Cure 53, which got around our blacklist on embedded href targets. Use a whitelist instead. Bug: T85850 Change-Id: I17b7ed65935b818695a83fd901fcaf90fffecf28
2015-01-13 01:00:45 +00:00
// As reported by Cure53
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <a xlink:href="data:text/html;charset=utf-8;base64, PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ%2BDQo%3D"> <circle r="400" fill="red"></circle> </a> </svg>',
true,
true,
'SVG with data:text/html link target (firefox only)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Always expand xml entities when checking SVG's XmlTypeCheck's use of xml_parse for filtering SVG's sometimes left xml entities unexpanded, which can lead to false-negatives when the callback was used for filtering. Update XmlTypeCheck to use XMLReader instead, tell the library to fully expand entities, and rely on the library to error out if it encounters XML that is likely to cause a DoS if parsed. Bug: T88310 Change-Id: I77c77a2d6d22f549e7ef969811f7edd77a45dbba
2015-02-04 01:45:05 +00:00
'<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [ <!ENTITY lol "lol"> <!ENTITY lol2 "&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x45;&#x44;&#x20;&#x3D;&#x3E;&#x20;&#x27;&#x2B;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x64;&#x6F;&#x6D;&#x61;&#x69;&#x6E;&#x29;&#x3B;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;"> ]> <svg xmlns="http://www.w3.org/2000/svg" width="68" height="68" viewBox="-34 -34 68 68" version="1.1"> <circle cx="0" cy="0" r="24" fill="#c8c8c8"/> <text x="0" y="0" fill="black">&lol2;</text> </svg>',
true,
true,
'SVG with encoded script tag in internal entity (reported by Beyond Security)'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Always expand xml entities when checking SVG's XmlTypeCheck's use of xml_parse for filtering SVG's sometimes left xml entities unexpanded, which can lead to false-negatives when the callback was used for filtering. Update XmlTypeCheck to use XMLReader instead, tell the library to fully expand entities, and rely on the library to error out if it encounters XML that is likely to cause a DoS if parsed. Bug: T88310 Change-Id: I77c77a2d6d22f549e7ef969811f7edd77a45dbba
2015-02-04 01:45:05 +00:00
'<?xml version="1.0"?> <!DOCTYPE svg [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <desc>&foo;</desc> <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:1;stroke:rgb(0,0,2)" /> </svg>',
false,
false,
'SVG with external entity'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
// Test good, but strange files that we want to allow
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <g> <a xlink:href="http://en.wikipedia.org/wiki/Main_Page"> <path transform="translate(0,496)" id="path6706" d="m 112.09375,107.6875 -5.0625,3.625 -4.3125,5.03125 -0.46875,0.5 -4.09375,3.34375 -9.125,5.28125 -8.625,-3.375 z" style="fill:#cccccc;fill-opacity:1;stroke:#6e6e6e;stroke-width:0.69999999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;display:inline" /> </a> </g> </svg>',
true,
false,
'SVG with <a> link to a remote site'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
[
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
'<svg> <defs> <filter id="filter6226" x="-0.93243687" width="2.8648737" y="-0.24250539" height="1.4850108"> <feGaussianBlur stdDeviation="3.2344681" id="feGaussianBlur6228" /> </filter> <clipPath id="clipPath2436"> <path d="M 0,0 L 0,0 L 0,0 L 0,0 z" id="path2438" /> </clipPath> </defs> <g clip-path="url(#clipPath2436)" id="g2460"> <text id="text2466"> <tspan>12345</tspan> </text> </g> <path style="fill:#346733;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:round;stroke-linejoin:bevel;stroke-opacity:1;stroke-miterlimit:4;stroke-dasharray:1, 1;stroke-dashoffset:0;filter:url(\'#filter6226\');fill-opacity:1;opacity:0.79807692" d="M 236.82371,332.63732 C 236.92217,332.63732 z" id="path5618" /> </svg>',
true,
false,
'SVG with local urls, including filter: in style'
Swap the rest of array() -> [] Change-Id: I76a7259ed952a0673a1941f08b39b545211fba07
2016-03-19 01:05:19 +00:00
],
];
Fix Generic.Files.LineLength phpcs check in files under phpunit/includes Bug: T102614 Change-Id: Iee3df5f064f595ecebe8210cc936bc3d20a122c9
2015-10-03 13:04:51 +00:00
// @codingStandardsIgnoreEnd
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
}
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
}
class UploadTestHandler extends UploadBase {
Update code formatting Change-Id: I16a9b42651f1cfb1a70dffbb67b7b83dfeb90d03
2013-04-26 12:00:22 +00:00
public function initializeFromRequest( &$request ) {
}
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
public function testTitleValidation( $name ) {
$this->mTitle = false;
$this->mDesiredDestName = $name;
$this->mTitleError = UploadBase::OK;
$this->getTitle();
Update code formatting Change-Id: I16a9b42651f1cfb1a70dffbb67b7b83dfeb90d03
2013-04-26 12:00:22 +00:00
Update formatting 11 of n. Change-Id: Ifdaf198b16bf72e1e0a3d3802c041d239096ae28
2013-02-15 11:38:53 +00:00
return $this->mTitleError;
}
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
/**
* Almost the same as UploadBase::detectScriptInSvg, except it's
* public, works on an xml string instead of filename, and returns
* the result instead of interpreting them.
*/
public function checkSvgString( $svg ) {
$check = new XmlTypeCheck(
$svg,
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ $this, 'checkSvgScriptCallback' ],
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
false,
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[ 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' ]
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
);
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
return [ $check->wellFormed, $check->filterMatch ];
SECURITY: Enhance CSS filtering in SVG files * Filter <style> elements * Normalize style elements and attributes before filtering * Add checks for attributes that contain css * Add unit tests for html5sec and reported bugs Bug:69008 Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-04 23:05:47 +00:00
}
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
}
Reference in a new issue Copy permalink