Jonathan Druart
f1f9c6dc74
.pm must not have -x .t must have -x .pl must have -x Test plan: Apply only the first patch, run the tests and confirm that the failures make sense Apply this patch and confirm that the test now returns green Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
146 lines
5.7 KiB
Perl
Executable file
146 lines
5.7 KiB
Perl
Executable file
#!/usr/bin/env perl
|
|
|
|
# This file is part of Koha.
|
|
#
|
|
# Koha is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Koha is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Koha; if not, see <http://www.gnu.org/licenses>.
|
|
|
|
use Modern::Perl;
|
|
|
|
use Test::More tests => 1;
|
|
use Test::Mojo;
|
|
use t::lib::TestBuilder;
|
|
use t::lib::Mocks;
|
|
|
|
use C4::Context;
|
|
use C4::Biblio;
|
|
|
|
use Koha::Database;
|
|
use Koha::Caches;
|
|
|
|
use MARC::Field;
|
|
|
|
my $intranet =
|
|
$ENV{KOHA_INTRANET_URL} || C4::Context->preference("staffClientBaseURL");
|
|
my $opac = $ENV{KOHA_OPAC_URL} || C4::Context->preference("OPACBaseURL");
|
|
|
|
my $context = C4::Context->new();
|
|
my $db_name = $context->config("database");
|
|
my $db_host = $context->config("hostname");
|
|
my $db_port = $context->config("port") || '';
|
|
my $db_user = $context->config("user");
|
|
my $db_passwd = $context->config("pass");
|
|
`mysqldump --add-drop-table -u $db_user --password="$db_passwd" -h $db_host -P $db_port $db_name > dumpfile.sql`;
|
|
|
|
my $t = Test::Mojo->new();
|
|
my $schema = Koha::Database->new->schema;
|
|
my $builder = t::lib::TestBuilder->new;
|
|
|
|
subtest 'open redirection vulnerabilities in tracklinks' => sub {
|
|
plan tests => 36;
|
|
|
|
# No URI's
|
|
my $biblio = $builder->build_sample_biblio();
|
|
my $biblionumber1 = $biblio->biblionumber;
|
|
|
|
# Incorrect URI at Biblio level
|
|
$biblio = $builder->build_sample_biblio();
|
|
my $biblionumber2 = $biblio->biblionumber;
|
|
my $record = $biblio->metadata->record;
|
|
my $new856 = MARC::Field->new( '856', '', '', u => "www.bing.com" );
|
|
$record->insert_fields_ordered($new856);
|
|
C4::Biblio::ModBiblio( $record, $biblionumber2 );
|
|
|
|
# URI at Biblio level
|
|
$biblio = $builder->build_sample_biblio();
|
|
my $biblionumber3 = $biblio->biblionumber;
|
|
$record = $biblio->metadata->record;
|
|
$new856 = MARC::Field->new( '856', '', '', u => "http://www.google.com" );
|
|
$record->insert_fields_ordered($new856);
|
|
C4::Biblio::ModBiblio( $record, $biblionumber3 );
|
|
|
|
# URI at Item level
|
|
my $item = $builder->build_sample_item( { uri => 'http://www.google.com' } );
|
|
my $itemnumber1 = $item->itemnumber;
|
|
|
|
# Incorrect URI at Item level
|
|
$item = $builder->build_sample_item( { uri => 'www.bing.com ' } );
|
|
my $itemnumber2 = $item->itemnumber;
|
|
|
|
my $no_biblionumber =
|
|
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com';
|
|
my $bad_biblionumber1 =
|
|
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
|
|
. $biblionumber1;
|
|
my $bad_biblionumber2 =
|
|
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
|
|
. $biblionumber2;
|
|
my $good_biblionumber =
|
|
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
|
|
. $biblionumber3;
|
|
my $bad_itemnumber =
|
|
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&itemnumber='
|
|
. $itemnumber2;
|
|
my $good_itemnumber =
|
|
'/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&itemnumber='
|
|
. $itemnumber1;
|
|
|
|
Koha::Caches->flush_L1_caches;
|
|
# Don't Track
|
|
C4::Context->set_preference( 'TrackClicks', '' );
|
|
$t->get_ok( $opac . $no_biblionumber )
|
|
->status_is( 404, "404 for no biblionumber" );
|
|
$t->get_ok( $opac . $bad_biblionumber1 )
|
|
->status_is( 404, "404 for biblionumber containing no URI - pref off" );
|
|
$t->get_ok( $opac . $bad_biblionumber2 )
|
|
->status_is( 404, "404 for biblionumber containing different URI - pref off" );
|
|
$t->get_ok( $opac . $good_biblionumber )
|
|
->status_is( 404, "404 for biblionumber with matching URI - pref off" );
|
|
$t->get_ok( $opac . $bad_itemnumber )
|
|
->status_is( 404, "404 for itemnumber containing different URI- pref off" );
|
|
$t->get_ok( $opac . $good_itemnumber )
|
|
->status_is( 404, "404 for itemnumber with matching URI - pref off" );
|
|
|
|
# Track
|
|
C4::Context->set_preference( 'TrackClicks', 'track' );
|
|
$t->get_ok( $opac . $no_biblionumber )
|
|
->status_is( 404, "404 for no biblionumber" );
|
|
$t->get_ok( $opac . $bad_biblionumber1 )
|
|
->status_is( 404, "404 for biblionumber containing no URI" );
|
|
$t->get_ok( $opac . $bad_biblionumber2 )
|
|
->status_is( 404, "404 for biblionumber containing different URI" );
|
|
$t->get_ok( $opac . $good_biblionumber )
|
|
->status_is( 302, "302 for biblionumber with matching URI" );
|
|
$t->get_ok( $opac . $bad_itemnumber )
|
|
->status_is( 404, "404 for itemnumber containing different URI" );
|
|
$t->get_ok( $opac . $good_itemnumber )
|
|
->status_is( 302, "302 for itemnumber with matching URI" );
|
|
|
|
# Track Anonymous
|
|
C4::Context->set_preference( 'TrackClicks', 'anonymous' );
|
|
$t->get_ok( $opac . $no_biblionumber )
|
|
->status_is( 404, "404 for no biblionumber" );
|
|
$t->get_ok( $opac . $bad_biblionumber1 )
|
|
->status_is( 404, "404 for biblionumber containing no URI" );
|
|
$t->get_ok( $opac . $bad_biblionumber2 )
|
|
->status_is( 404, "404 for biblionumber containing different URI" );
|
|
$t->get_ok( $opac . $good_biblionumber )
|
|
->status_is( 302, "302 for biblionumber with matching URI" );
|
|
$t->get_ok( $opac . $bad_itemnumber )
|
|
->status_is( 404, "404 for itemnumber containing different URI" );
|
|
$t->get_ok( $opac . $good_itemnumber )
|
|
->status_is( 302, "302 for itemnumber with matching URI" );
|
|
};
|
|
|
|
`mysql -u $db_user --password="$db_passwd" -h $db_host -P $db_port --database="$db_name" < dumpfile.sql`;
|
|
`rm dumpfile.sql`;
|