diff options
author | Steve Clay <steve@mrclay.org> | 2013-07-31 13:34:55 -0400 |
---|---|---|
committer | Paweł Sroka <srokap@gmail.com> | 2013-11-04 03:34:21 +0100 |
commit | 7cacdc8bc26c98a58dc8986acfd911d6542608af (patch) | |
tree | 81aded80c087b3ffb937d62d005b3d8a39b6910c /engine/tests/regression | |
parent | 6eec301f33ff3e618d591d429de7edf30277e972 (diff) | |
download | elgg-7cacdc8bc26c98a58dc8986acfd911d6542608af.tar.gz elgg-7cacdc8bc26c98a58dc8986acfd911d6542608af.tar.bz2 |
Emit notice if XXE can't be tested and skip test
Diffstat (limited to 'engine/tests/regression')
-rw-r--r-- | engine/tests/regression/trac_bugs.php | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php index ea39253df..689275661 100644 --- a/engine/tests/regression/trac_bugs.php +++ b/engine/tests/regression/trac_bugs.php @@ -377,6 +377,7 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { public function test_ElggXMLElement_does_not_load_external_entities() { $elLast = libxml_disable_entity_loader(false); + // build payload that should trigger loading of external entity $payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml'); $path = realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt'); $path = str_replace('\\', '/', $path); @@ -384,16 +385,20 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest { $path = '/' . $path; } $path = 'file://' . $path; - $payload = sprintf($payload, $path);
+ $payload = sprintf($payload, $path); - $el = new ElggXMLElement($payload); - $chidren = $el->getChildren(); - $content = $chidren[0]->getContent(); - $this->assertNoPattern('/secret/', $content); - - //make sure the test is valid + // make sure we can actually this in this environment $element = new SimpleXMLElement($payload); - $this->assertPattern('/secret/', (string)$element->methodName); + $can_load_entity = preg_match('/secret/', (string)$element->methodName); + + $this->skipUnless($can_load_entity, "XXE vulnerability cannot be tested on this system"); + + if ($can_load_entity) { + $el = new ElggXMLElement($payload); + $chidren = $el->getChildren(); + $content = $chidren[0]->getContent(); + $this->assertNoPattern('/secret/', $content); + } libxml_disable_entity_loader($elLast); } |