Context Navigation

source: github/tests/mailfunc.php @ a2e8cb36

Visit:

HEADcourier-fixdev-browser-capabilitiespdorelease-0.6release-0.7release-0.8

Last change on this file since a2e8cb36 was 4859fed, checked in by thomascube <thomas@…>, 3 years ago
Fix unit tests + update version
Property mode set to `100644`
File size: 5.4 KB

Line
1	<?php
2
3	/**
4	* Test class to test steps/mail/func.inc functions
5	*
6	* @package Tests
7	*/
8	class rcube_test_mailfunc extends UnitTestCase
9	{
10
11	function __construct()
12	{
13	$this->UnitTestCase('Mail body rendering tests');
14
15	// simulate environment to successfully include func.inc
16	$GLOBALS['RCMAIL'] = $RCMAIL = rcmail::get_instance();
17	$GLOBALS['OUTPUT'] = $OUTPUT = $RCMAIL->load_gui();
18	$RCMAIL->action = 'autocomplete';
19	$RCMAIL->imap_init(false);
20	$IMAP = $RCMAIL->imap;
21
22	require_once 'steps/mail/func.inc';
23
24	$GLOBALS['EMAIL_ADDRESS_PATTERN'] = $EMAIL_ADDRESS_PATTERN;
25	}
26
27	/**
28	* Helper method to create a HTML message part object
29	*/
30	function get_html_part($body)
31	{
32	$part = new rcube_message_part;
33	$part->ctype_primary = 'text';
34	$part->ctype_secondary = 'html';
35	$part->body = file_get_contents(TESTS_DIR . $body);
36	$part->replaces = array();
37	return $part;
38	}
39
40	/**
41	* Test sanitization of a "normal" html message
42	*/
43	function test_html()
44	{
45	$part = $this->get_html_part('src/htmlbody.txt');
46	$part->replaces = array('ex1.jpg' => 'part_1.2.jpg', 'ex2.jpg' => 'part_1.2.jpg');
47
48	// render HTML in normal mode
49	$html = rcmail_html4inline(rcmail_print_body($part, array('safe' => false)), 'foo');
50
51	$this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image");
52	$this->assertPattern('#background="./program/blocked.gif"#', $html, "Replace external background image");
53	$this->assertNoPattern('/ex3.jpg/', $html, "No references to external images");
54	$this->assertNoPattern('/<meta [^>]+>/', $html, "No meta tags allowed");
55	//$this->assertNoPattern('/<style [^>]+>/', $html, "No style tags allowed");
56	$this->assertNoPattern('/<form [^>]+>/', $html, "No form tags allowed");
57	$this->assertPattern('/Subscription form/', $html, "Include <form> contents");
58	$this->assertPattern('/<!-- input ignored -->/', $html, "No input elements allowed");
59	$this->assertPattern('/<!-- link ignored -->/', $html, "No external links allowed");
60	$this->assertPattern('/<a[^>]+ target="_blank">/', $html, "Set target to _blank");
61	$this->assertTrue($GLOBALS['REMOTE_OBJECTS'], "Remote object detected");
62
63	// render HTML in safe mode
64	$html2 = rcmail_html4inline(rcmail_print_body($part, array('safe' => true)), 'foo');
65
66	$this->assertPattern('/<style [^>]+>/', $html2, "Allow styles in safe mode");
67	$this->assertPattern('#src="http://evilsite.net/mailings/ex3.jpg"#', $html2, "Allow external images in HTML (safe mode)");
68	$this->assertPattern("#url\('?http://evilsite.net/newsletter/image/bg/bg-64.jpg'?\)#", $html2, "Allow external images in CSS (safe mode)");
69
70	$css = '<link rel="stylesheet" type="text/css" href="?_task=utils&_action=modcss&u='.urlencode('http://anysite.net/styles/mail.css').'&c=foo"';
71	$this->assertPattern('#'.preg_quote($css).'#', $html2, "Filter external styleseehts with bin/modcss.php");
72	}
73
74	/**
75	* Test the elimination of some trivial XSS vulnerabilities
76	*/
77	function test_html_xss()
78	{
79	$part = $this->get_html_part('src/htmlxss.txt');
80	$washed = rcmail_print_body($part, array('safe' => true));
81
82	$this->assertNoPattern('/src="skins/', $washed, "Remove local references");
83	$this->assertNoPattern('/\son[a-z]+/', $washed, "Remove on* attributes");
84
85	$html = rcmail_html4inline($washed, 'foo');
86	$this->assertNoPattern('/onclick="return rcmail.command(\'compose\',\'xss@somehost.net\',this)"/', $html, "Clean mailto links");
87	$this->assertNoPattern('/alert/', $html, "Remove alerts");
88	}
89
90	/**
91	* Test HTML sanitization to fix the CSS Expression Input Validation Vulnerability
92	* reported at http://www.securityfocus.com/bid/26800/
93	*/
94	function test_html_xss2()
95	{
96	$part = $this->get_html_part('src/BID-26800.txt');
97	$washed = rcmail_print_body($part, array('safe' => true));
98
99	$this->assertNoPattern('/alert\|expression\|javascript\|xss/', $washed, "Remove evil style blocks");
100	$this->assertNoPattern('/font-style:italic/', $washed, "Allow valid styles");
101	}
102
103	/**
104	* Test links pattern replacements in plaintext messages
105	*/
106	function test_plaintext()
107	{
108	$part = new rcube_message_part;
109	$part->ctype_primary = 'text';
110	$part->ctype_secondary = 'plain';
111	$part->body = quoted_printable_decode(file_get_contents(TESTS_DIR . 'src/plainbody.txt'));
112	$html = rcmail_print_body($part, array('safe' => true));
113
114	$this->assertPattern('/<a href="mailto:nobody@roundcube.net" onclick="return rcmail.command\(\'compose\',\'nobody@roundcube.net\',this\)">nobody@roundcube.net<\/a>/', $html, "Mailto links with onclick");
115	$this->assertPattern('#<a href="http://www.apple.com/legal/privacy/" target="_blank">http://www.apple.com/legal/privacy/</a>#', $html, "Links with target=_blank");
116	}
117
118	/**
119	* Test mailto links in html messages
120	*/
121	function test_mailto()
122	{
123	$part = $this->get_html_part('src/mailto.txt');
124
125	// render HTML in normal mode
126	$html = rcmail_html4inline(rcmail_print_body($part, array('safe' => false)), 'foo');
127
128	$mailto = '<a href="mailto:me@me.com?subject=this is the subject&body=this is the body"'
129	.' onclick="return rcmail.command(\'compose\',\'me@me.com?subject=this is the subject&body=this is the body\',this)">e-mail</a>';
130
131	$this->assertPattern('\|'.preg_quote($mailto, '\|').'\|', $html, "Extended mailto links");
132	}
133
134	}
135
136	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: