Koha/t/db_dependent/www/regressions.t
Jonathan Druart f1f9c6dc74 Bug 26384: Fix executable flags
.pm must not have -x
.t must have -x
.pl must have -x

Test plan:
Apply only the first patch, run the tests and confirm that the failures
make sense
Apply this patch and confirm that the test now returns green

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-11 09:56:56 +02:00

146 lines
5.7 KiB
Perl
Executable file

#!/usr/bin/env perl
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use Test::More tests => 1;
use Test::Mojo;
use t::lib::TestBuilder;
use t::lib::Mocks;
use C4::Context;
use C4::Biblio;
use Koha::Database;
use Koha::Caches;
use MARC::Field;
my $intranet =
$ENV{KOHA_INTRANET_URL} || C4::Context->preference("staffClientBaseURL");
my $opac = $ENV{KOHA_OPAC_URL} || C4::Context->preference("OPACBaseURL");
my $context = C4::Context->new();
my $db_name = $context->config("database");
my $db_host = $context->config("hostname");
my $db_port = $context->config("port") || '';
my $db_user = $context->config("user");
my $db_passwd = $context->config("pass");
`mysqldump --add-drop-table -u $db_user --password="$db_passwd" -h $db_host -P $db_port $db_name > dumpfile.sql`;
my $t = Test::Mojo->new();
my $schema = Koha::Database->new->schema;
my $builder = t::lib::TestBuilder->new;
subtest 'open redirection vulnerabilities in tracklinks' => sub {
plan tests => 36;
# No URI's
my $biblio = $builder->build_sample_biblio();
my $biblionumber1 = $biblio->biblionumber;
# Incorrect URI at Biblio level
$biblio = $builder->build_sample_biblio();
my $biblionumber2 = $biblio->biblionumber;
my $record = $biblio->metadata->record;
my $new856 = MARC::Field->new( '856', '', '', u => "www.bing.com" );
$record->insert_fields_ordered($new856);
C4::Biblio::ModBiblio( $record, $biblionumber2 );
# URI at Biblio level
$biblio = $builder->build_sample_biblio();
my $biblionumber3 = $biblio->biblionumber;
$record = $biblio->metadata->record;
$new856 = MARC::Field->new( '856', '', '', u => "http://www.google.com" );
$record->insert_fields_ordered($new856);
C4::Biblio::ModBiblio( $record, $biblionumber3 );
# URI at Item level
my $item = $builder->build_sample_item( { uri => 'http://www.google.com' } );
my $itemnumber1 = $item->itemnumber;
# Incorrect URI at Item level
$item = $builder->build_sample_item( { uri => 'www.bing.com ' } );
my $itemnumber2 = $item->itemnumber;
my $no_biblionumber =
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com';
my $bad_biblionumber1 =
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
. $biblionumber1;
my $bad_biblionumber2 =
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
. $biblionumber2;
my $good_biblionumber =
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
. $biblionumber3;
my $bad_itemnumber =
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&itemnumber='
. $itemnumber2;
my $good_itemnumber =
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&itemnumber='
. $itemnumber1;
Koha::Caches->flush_L1_caches;
# Don't Track
C4::Context->set_preference( 'TrackClicks', '' );
$t->get_ok( $opac . $no_biblionumber )
->status_is( 404, "404 for no biblionumber" );
$t->get_ok( $opac . $bad_biblionumber1 )
->status_is( 404, "404 for biblionumber containing no URI - pref off" );
$t->get_ok( $opac . $bad_biblionumber2 )
->status_is( 404, "404 for biblionumber containing different URI - pref off" );
$t->get_ok( $opac . $good_biblionumber )
->status_is( 404, "404 for biblionumber with matching URI - pref off" );
$t->get_ok( $opac . $bad_itemnumber )
->status_is( 404, "404 for itemnumber containing different URI- pref off" );
$t->get_ok( $opac . $good_itemnumber )
->status_is( 404, "404 for itemnumber with matching URI - pref off" );
# Track
C4::Context->set_preference( 'TrackClicks', 'track' );
$t->get_ok( $opac . $no_biblionumber )
->status_is( 404, "404 for no biblionumber" );
$t->get_ok( $opac . $bad_biblionumber1 )
->status_is( 404, "404 for biblionumber containing no URI" );
$t->get_ok( $opac . $bad_biblionumber2 )
->status_is( 404, "404 for biblionumber containing different URI" );
$t->get_ok( $opac . $good_biblionumber )
->status_is( 302, "302 for biblionumber with matching URI" );
$t->get_ok( $opac . $bad_itemnumber )
->status_is( 404, "404 for itemnumber containing different URI" );
$t->get_ok( $opac . $good_itemnumber )
->status_is( 302, "302 for itemnumber with matching URI" );
# Track Anonymous
C4::Context->set_preference( 'TrackClicks', 'anonymous' );
$t->get_ok( $opac . $no_biblionumber )
->status_is( 404, "404 for no biblionumber" );
$t->get_ok( $opac . $bad_biblionumber1 )
->status_is( 404, "404 for biblionumber containing no URI" );
$t->get_ok( $opac . $bad_biblionumber2 )
->status_is( 404, "404 for biblionumber containing different URI" );
$t->get_ok( $opac . $good_biblionumber )
->status_is( 302, "302 for biblionumber with matching URI" );
$t->get_ok( $opac . $bad_itemnumber )
->status_is( 404, "404 for itemnumber containing different URI" );
$t->get_ok( $opac . $good_itemnumber )
->status_is( 302, "302 for itemnumber with matching URI" );
};
`mysql -u $db_user --password="$db_passwd" -h $db_host -P $db_port --database="$db_name" < dumpfile.sql`;
`rm dumpfile.sql`;