Item14033: Refactor attachment path parsing
into Foswiki::Request::Attachment - initial checkin.

All unit tests pass except for the UIFnCompile tests, which need to
pick up the attachment request object for the viewfile script.

This all still needs careful testing and inspection to ensure that
everything is correctly validated and untainted.
gac410 committed Apr 5, 2016
1 parent e89ed78 commit 1456e90
Showing 10 changed files with 580 additions and 100 deletions.
@@ -14,6 +14,7 @@ lib/Unit/Eavesdrop.pm 0644
lib/Unit/ExternalEngine.pm 0644
lib/Unit/HTMLDiffer.pm 0644
lib/Unit/Request.pm 0644
lib/Unit/Request/Attachment.pm 0644
lib/Unit/Response.pm 0644
lib/Unit/TestCase.pm 0644
lib/Unit/TestRunner.pm 0644
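--- a/UnitTestContrib/lib/Unit/Request/Attachment.pm
+++ b/UnitTestContrib/lib/Unit/Request/Attachment.pm
@@ -0,0 +1,107 @@
+# See bottom of file for license and copyright
+package Unit::Request::Attachment;
+
+=begin TML
+---+ package Unit::Request::Attachment
+=cut
+
+use Assert;
+
+# SMELL: this package should not be in Unit; it is a Foswiki class and
+# should be in test/unit
+
+use Foswiki::Request;
+use Foswiki::Request::Attachment;
+our @ISA = qw( Foswiki::Request::Attachment );
+
+sub new {
+my $class = shift;
+my $this = $class->SUPER::new(@_);
+
+# Taint everything
+foreach my $k ( @{ $this->{param_list} } ) {
+foreach my $k ( @{ $this->{param_list} } ) {
+foreach ( @{ $this->{param}{$k} } ) {
+$_ = TAINT($_) if defined $_;
+}
+}
+}
+return $this;
+}
+
+sub finish {
+my ($this) = @_;
+
+if ( $this->SUPER::can('finish') ) {
+$this->SUPER::finish();
+}
+
+return;
+}
+
+sub setUrl {
+my ( $this, $queryString ) = @_;
+
+#print STDERR "---- setUrl($queryString)\n";
+
+my $path = $queryString;
+my $urlParams = '';
+if ( $queryString =~ /(.*)\?(.*)/ ) {
+$path = $1;
+$urlParams = $2;
+}
+
+if ( $path =~ /(https?):\/\/(.*?)\// ) {
+my $protocol = $1;
+my $host = $2;
+if ( $protocol =~ /https/i ) {
+$this->secure(1);
+}
+else {
+$this->secure(0);
+}
+
+#print STDERR "setting Host to $host\n";
+$this->header( -name => 'Host', -value => $host );
+}
+
+my @pairs = split /[&;]/, $urlParams;
+my ( $param, $value, %params, @plist );
+foreach (@pairs) {
+( $param, $value ) =
+map { tr/+/ /; s/%([0-9a-fA-F]{2})/chr(hex($1))/oge; $_ }
+split '=', $_, 2;
+push @{ $params{$param} }, $value;
+push @plist, $param;
+}
+foreach my $param (@plist) {
+$this->queryParam( $param, $params{$param} );
+
+#print STDERR "\t setting $param, ".join(',', @{$params{$param}})."\n";
+}
+$this->path_info( Foswiki::Sandbox::untaintUnchecked($path) );
+
+#print STDERR "pathinfo = $path\n";
+}
+
+1;
+
+__DATA__
+Author: Gilmar Santos Jr
+Copyright (C) 2008-2010 Foswiki Contributors
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version. For
+more details read LICENSE in the root of this distribution.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+As per the GPL, removal of this notice is prohibited.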
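Review bot: `setUrl` finishes with `$this->path_info( Foswiki::Sandbox::untaintUnchecked($path) );`, so the path reaches the attachment request untainted even though `new` deliberately taints every query parameter. The path is what the new attachment parsing has to validate, so tests that go through `setUrl` cannot show whether that parsing untaints it properly, which is the open item the commit message names. If the engine hands over a tainted path in production, `$this->path_info( TAINT($path) );` would mirror it; otherwise add a comment saying why the unchecked untaint is acceptable here. Two smaller points in the same file: `new` nests two identical `foreach my $k ( @{ $this->{param_list} } )` loops, so one can go, and `$this->SUPER::can('finish')` looks always true because this package defines `finish` itself, so it does not guard the `SUPER::finish()` call.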
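--- a/UnitTestContrib/test/unit/FoswikiTestCase.pm
+++ b/UnitTestContrib/test/unit/FoswikiTestCase.pm
@@ -929,8 +929,13 @@ sub captureWithKey {
 }
 my ( $k, $v ) = ( $1, $2 );
 my $request = $fatwilly->{request};
-$this->assert( $request->isa('Unit::Request'),
-"Could not find the Unit::Request object" );
+$this->assert(
+(
+$request->isa('Unit::Request')
+|| $request->isa('Unit::Request::Attachment')
+),
+"Could not find the Unit::Request object"
+);
 
 # As we won't be clicking using javascript, we have to fake that part too
 if ($strikeone) {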
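Review bot: The assertion in `captureWithKey` now accepts two classes but still reports `"Could not find the Unit::Request object"`, which will mislead whoever hits the failure while an attachment request is in play. Suggest `"Could not find a Unit::Request or Unit::Request::Attachment object"`. Because `Unit::Request::Attachment` inherits from `Foswiki::Request::Attachment` rather than from `Unit::Request`, every check like this has to list both classes; a small shared helper would keep later call sites from missing one. `captureWithKey` starts and ends outside the hunk.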
11 changes: 10 additions & 1 deletion UnitTestContrib/test/unit/HTMLValidationTests.pm
@@ -8,6 +8,9 @@ use warnings;
use FoswikiFnTestCase();
our @ISA = qw( FoswikiFnTestCase );

use Unit::Request;
use Unit::Request::Attachment;

use Foswiki();
use Foswiki::Func();
use Foswiki::UI::View();
@@ -174,7 +177,13 @@ sub call_UI_FN {
if ($params) {
%constructor = ( %constructor, %{$params} );
}
my $query = Unit::Request->new( \%constructor );
my $query;
if ( $SCRIPT_NAME =~ m/^viewfile/ ) {
$query = Unit::Request::Attachment->new( \%constructor );
}
else {
$query = Unit::Request->new( \%constructor );
}
$query->path_info("/$web/$topic");
$query->method('GET');

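Review bot: In `call_UI_FN` the new branch builds a `Unit::Request::Attachment` for viewfile, but the following `$query->path_info("/$web/$topic");` still runs for both branches, so as far as the hunk shows the attachment request is never given a path with an attachment component. The attachment path parsing this commit introduces is then not exercised by this test for viewfile. Also, `m/^viewfile/` is a prefix match; if that is meant to cover other viewfile-prefixed scripts, say so in a comment such as `# prefix match on purpose: any viewfile* script`, otherwise anchor the end of the pattern. `call_UI_FN` starts and ends outside the hunk.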
3 changes: 2 additions & 1 deletion UnitTestContrib/test/unit/ViewFileScriptTests.pm
@@ -10,6 +10,7 @@ use Foswiki();
use Foswiki::UI();
use Foswiki::UI::Viewfile();
use Unit::Request();
use Unit::Request::Attachment();
use Error qw( :try );
use File::Path qw(mkpath);

@@ -149,7 +150,7 @@ sub sneakAttachmentsToTopic {

sub viewfile {
my ( $this, $url, $wantHdrs ) = @_;
my $query = Unit::Request->new( {} );
my $query = Unit::Request::Attachment->new( {} );
$query->setUrl($url);
$query->method('GET');
$this->createNewFoswikiSession( $this->{test_user_login}, $query );
4 changes: 2 additions & 2 deletions core/lib/Foswiki.pm
@@ -2014,8 +2014,6 @@ sub new {
$this->{scriptUrlPath} = $1;
}

# See Foswiki::Request for parsing of the path

# Set the default for web
# Development.AddWebParamToAllCgiScripts: enables
# bin/script?topic=WebPreferences;defaultweb=Sandbox
@@ -2024,6 +2022,8 @@ sub new {
|| $Foswiki::cfg{UsersWebName},
\&Foswiki::Sandbox::validateWebName );

# See Foswiki::Request for parsing of the path

$this->{topicName} = $query->topic()
|| $Foswiki::cfg{HomeTopicName};
$this->{webName} = $query->web() || $defaultweb;
1 change: 1 addition & 0 deletions core/lib/Foswiki/Contrib/core/MANIFEST
@@ -652,6 +652,7 @@ lib/Foswiki/Render/Parent.pm 0444
lib/Foswiki/Render/ToolTip.pm 0444
lib/Foswiki/Render/Zones.pm 0444
lib/Foswiki/Request.pm 0444
lib/Foswiki/Request/Attachment.pm 0444
lib/Foswiki/Request/Cache.pm 0444
lib/Foswiki/Request/Upload.pm 0444
lib/Foswiki/Response.pm 0444
