Merge pull request #203 from splitbrain/fetchissues3

prevent third-party requests from using fetch
dokuwiki · Apr 7, 2013 · 892345c · 892345c
2 parents f20dba3 + 3e8bad3
commit 892345c
Show file tree

Hide file tree

Showing 9 changed files with 409 additions and 158 deletions.
diff --git a/_test/core/TestRequest.php b/_test/core/TestRequest.php
@@ -18,6 +18,9 @@ function ob_start_callback($buffer) {
  */
 class TestRequest {
 
+    private $valid_scripts = array('/doku.php', '/lib/exe/fetch.php', '/lib/exe/detail.php');
+    private $script;
+
     private $server = array();
     private $session = array();
     private $get = array();
@@ -27,6 +30,7 @@ public function getServer($key) { return $this->server[$key]; }
     public function getSession($key) { return $this->session[$key]; }
     public function getGet($key) { return $this->get[$key]; }
     public function getPost($key) { return $this->post[$key]; }
+    public function getScript() { return $this->script; }
 
     public function setServer($key, $value) { $this->server[$key] = $value; }
     public function setSession($key, $value) { $this->session[$key] = $value; }
@@ -70,13 +74,13 @@ public function execute($uri='/doku.php') {
         // now execute dokuwiki and grep the output
         header_remove();
         ob_start('ob_start_callback');
-        include(DOKU_INC.'doku.php');
+        include(DOKU_INC.$this->script);
         ob_end_flush();
 
         // create the response object
         $response = new TestResponse(
             $output_buffer,
-            headers_list()
+            (function_exists('xdebug_get_headers') ? xdebug_get_headers() : headers_list())   // cli sapi doesn't do headers, prefer xdebug_get_headers() which works under cli
         );
 
         // reset environment
@@ -102,14 +106,15 @@ public function execute($uri='/doku.php') {
      * @todo make this work with other end points
      */
     protected function setUri($uri){
-        if(substr($uri,0,9) != '/doku.php'){
-            throw new Exception("only '/doku.php' is supported currently");
+        if(!preg_match('#^('.join('|',$this->valid_scripts).')#',$uri)){
+            throw new Exception("$uri \n--- only ".join(', ',$this->valid_scripts)." are supported currently");
         }
 
         $params = array();
         list($uri, $query) = explode('?',$uri,2);
         if($query) parse_str($query, $params);
 
+        $this->script = substr($uri,1);
         $this->get  = array_merge($params, $this->get);
         if(count($this->get)){
             $query = '?'.http_build_query($this->get, '', '&');
@@ -129,7 +134,7 @@ protected function setUri($uri){
      * Simulate a POST request with the given variables
      *
      * @param array $post  all the POST parameters to use
-     * @param string $url  end URL to simulate, needs to start with /doku.php currently
+     * @param string $url  end URL to simulate, needs to start with /doku.php, /lib/exe/fetch.php or /lib/exe/detail.php currently
      * @param return TestResponse
      */
     public function post($post=array(), $uri='/doku.php') {
@@ -141,8 +146,8 @@ public function post($post=array(), $uri='/doku.php') {
     /**
      * Simulate a GET request with the given variables
      *
-     * @param array $GET  all the POST parameters to use
-     * @param string $url  end URL to simulate, needs to start with /doku.php currently
+     * @param array $GET   all the GET parameters to use
+     * @param string $url  end URL to simulate, needs to start with /doku.php, /lib/exe/fetch.php or /lib/exe/detail.php currently
      * @param return TestResponse
      */
     public function get($get=array(), $uri='/doku.php') {

diff --git a/_test/core/TestResponse.php b/_test/core/TestResponse.php
@@ -41,6 +41,44 @@ public function getHeaders() {
         return $this->headers;
     }
 
+    /**
+     * @param  $name   string, the name of the header without the ':', e.g. 'Content-Type', 'Pragma'
+     * @return mixed   if exactly one header, the header (string); otherwise an array of headers, empty when no headers
+     */
+    public function getHeader($name) {
+        $result = array();
+        foreach ($this->headers as $header) {
+            if (substr($header,0,strlen($name)+1) == $name.':') {
+                $result[] = $header;
+            }
+        }
+
+        return count($result) == 1 ? $result[0] : $result;
+    }
+
+    /**
+     * @return  int  http status code
+     *
+     * in the test environment, only status codes explicitly set by dokuwiki are likely to be returned
+     * this means succcessful status codes (e.g. 200 OK) will not be present, but error codes will be
+     */
+    public function getStatusCode() {
+        $headers = $this->getHeader('Status');
+        $code = null;
+
+        if ($headers) {
+            // if there is more than one status header, use the last one
+            $status = is_array($headers) ? array_pop($headers) : $headers;
+            $matches = array();
+            preg_match('/^Status: ?(\d+)/',$status,$matches);
+            if ($matches){
+                $code = $matches[1];
+            }
+         }
+
+         return $code;
+    }
+
     /**
      * Query the response for a JQuery compatible CSS selector
      *

diff --git a/_test/tests/lib/exe/fetch_imagetoken.test.php b/_test/tests/lib/exe/fetch_imagetoken.test.php
@@ -0,0 +1,99 @@
+<?php
+
+class fetch_imagetoken_test extends DokuWikiTest {
+
+    private $media = 'wiki:dokuwiki-128.png';
+    private $width = 200;
+    private $height = 0;
+
+    function setUp() {
+        // check we can carry out these tests
+        if (!file_exists(mediaFN($this->media))) {
+            $this->markTestSkipped('Source image required for test');
+        }
+
+        header('X-Test: check headers working');
+        $header_check = function_exists('xdebug_get_headers') ? xdebug_get_headers() : headers_list();
+        if (empty($header_check)) {
+            $this->markTestSkipped('headers not returned, perhaps your sapi does not return headers, try xdebug');
+        } else {
+            header_remove('X-Test');
+        }
+
+        parent::setUp();
+
+        global $conf;
+        $conf['sendfile'] = 0;
+
+        global $MIME, $EXT, $CACHE, $INPUT;    // variables fetch creates in global scope -- should this be in fetch?
+    }
+
+    function getUri() {
+       $w = $this->width ? 'w='.$this->width.'&' : '';
+       $h = $this->height ? 'h='.$this->height.'&' : '';
+
+       return '/lib/exe/fetch.php?'.$w.$h.'{%token%}media='.$this->media;
+    }
+
+    function fetchResponse($token){
+        $request = new TestRequest();
+        return $request->get(array(),str_replace('{%token%}',$token,$this->getUri()));
+    }
+
+    /**
+     *  modified image request with valid token
+     *  expect: header with mime-type
+     *  expect: content
+     *  expect: no error response
+     */
+    function test_valid_token(){
+        $valid_token = 'tok='.media_get_token($this->media, $this->width, $this->height).'&';
+        $response = $this->fetchResponse($valid_token);
+        $this->assertTrue((bool)$response->getHeader('Content-Type'));
+        $this->assertTrue((bool)($response->getContent()));
+
+        $status_code = $response->getStatusCode();
+        $this->assertTrue(is_null($status_code) || (200 == $status_code));
+    }
+
+    /**
+     *  modified image request with invalid token
+     *  expect: 412 status code
+     */
+    function test_invalid_token(){
+        $invalid_token = 'tok='.media_get_token('junk',200,100).'&';
+        $this->assertEquals(412,$this->fetchResponse($invalid_token)->getStatusCode());
+    }
+
+    /**
+     *  modified image request with no token
+     *  expect: 412 status code
+     */
+    function test_missing_token(){
+        $no_token = '';
+        $this->assertEquals(412,$this->fetchResponse($notoken)->getStatusCode());
+    }
+
+    /**
+     *  native image request which doesn't require a token
+     *  try: with a token & without a token
+     *  expect: (for both) header with mime-type, content matching source image filesize & no error response
+     */
+    function test_no_token_required(){
+        $this->width = $this->height = 0;   // no width & height, means image request at native dimensions
+        $any_token = 'tok='.media_get_token('junk',200,100).'&';
+        $no_token = '';
+        $bytes = filesize(mediaFN($this->media));
+
+        foreach(array($any_token, $no_token) as $token) {
+            $response = $this->fetchResponse($token);
+            $this->assertTrue((bool)$response->getHeader('Content-Type'));
+            $this->assertEquals(strlen($response->getContent()), $bytes);
+
+            $status_code = $response->getStatusCode();
+            $this->assertTrue(is_null($status_code) || (200 == $status_code));
+        }
+    }
+
+}
+//Setup VIM: ex: et ts=4 :
diff --git a/_test/tests/test/basic.test.php b/_test/tests/test/basic.test.php
@@ -4,6 +4,24 @@
  * @group integration
  */
 class InttestsBasicTest extends DokuWikiTest {
+
+    private $some_headers =  array(
+          'Content-Type: image/png',
+          'Date: Fri, 22 Mar 2013 16:10:01 GMT',
+          'X-Powered-By: PHP/5.3.15',
+          'Expires: Sat, 23 Mar 2013 17:03:46 GMT',
+          'Cache-Control: public, proxy-revalidate, no-transform, max-age=86400',
+          'Pragma: public',
+          'Last-Modified: Fri, 22 Mar 2013 01:48:28 GMT',
+          'ETag: "63daab733b38c30c337229b2e587f8fb"',
+          'Content-Disposition: inline; filename="fe389b0db8c1088c336abb502d2f9ae7.media.200x200.png',
+          'Accept-Ranges: bytes',
+          'Content-Type: image/png',
+          'Content-Length: 62315',
+          'Status: 200 OK',
+          'Status: 404 Not Found',
+     );
+
     /**
      * Execute the simplest possible request and expect
      * a dokuwiki page which obviously has the word "DokuWiki"
@@ -101,5 +119,54 @@ function testGet() {
         $this->assertTrue(strpos($response->getContent(), 'Andreas Gohr') >= 0);
     }
 
+    function testScripts() {
+        $request = new TestRequest();
+
+        // doku
+        $response = $request->get();
+        $this->assertEquals('doku.php',$request->getScript());
+
+        $response = $request->get(array(),'/doku.php?id=wiki:dokuwiki&test=foo');
+        $this->assertEquals('doku.php',$request->getScript());
+
+        // fetch
+        $response = $request->get(array(),'/lib/exe/fetch.php?media=wiki:dokuwiki-128.png');
+        $this->assertEquals('lib/exe/fetch.php',$request->getScript());
+
+        // detail
+        $response = $request->get(array(),'/lib/exe/detail.php?id=start&media=wiki:dokuwiki-128.png');
+        $this->assertEquals('lib/exe/detail.php',$request->getScript());
+    }
+
+    function testHeaders(){
+        header('X-Test: check headers working');
+        $header_check = function_exists('xdebug_get_headers') ? xdebug_get_headers() : headers_list();
+        if (empty($header_check)) {
+            $this->markTestSkipped('headers not returned, perhaps your sapi does not return headers, try xdebug');
+        } else {
+            header_remove('X-Test');
+        }
+
+        $request = new TestRequest();
+        $response = $request->get(array(),'/lib/exe/fetch.php?media=wiki:dokuwiki-128.png');
+        $headers = $response->getHeaders();
+        $this->assertTrue(!empty($headers));
+    }
+
+    function testGetHeader(){
+        $response = new TestResponse('',$this->some_headers);
+
+        $this->assertEquals('Pragma: public', $response->getHeader('Pragma'));
+        $this->assertEmpty($response->getHeader('Junk'));
+        $this->assertEquals(array('Content-Type: image/png','Content-Type: image/png'), $response->getHeader('Content-Type'));
+    }
+
+    function testGetStatus(){
+       $response = new TestResponse('',$this->some_headers);
+       $this->assertEquals(404, $response->getStatusCode());
+
+       $response = new TestResponse('',array_slice($this->some_headers,0,-2));  // slice off the last two headers to leave no status header
+       $this->assertNull($response->getStatusCode());
+    }
 
 }
diff --git a/inc/common.php b/inc/common.php
@@ -436,6 +436,10 @@ function exportlink($id = '', $format = 'raw', $more = '', $abs = false, $sep =
 function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false) {
     global $conf;
     if(is_array($more)) {
+        // add token for resized images
+        if($more['w'] || $more['h']){
+            $more['tok'] = media_get_token($id,$more['w'],$more['h']);
+        }
         // strip defaults for shorter URLs
         if(isset($more['cache']) && $more['cache'] == 'cache') unset($more['cache']);
         if(!$more['w']) unset($more['w']);