diff --git a/core/modules/file/src/Tests/FileFieldWidgetTest.php b/core/modules/file/src/Tests/FileFieldWidgetTest.php index ad47d77841..e8b940f335 100644 --- a/core/modules/file/src/Tests/FileFieldWidgetTest.php +++ b/core/modules/file/src/Tests/FileFieldWidgetTest.php @@ -2,132 +2,17 @@ namespace Drupal\file\Tests; -use Drupal\comment\Entity\Comment; -use Drupal\comment\Tests\CommentTestTrait; -use Drupal\Component\Utility\Unicode; -use Drupal\Core\Url; -use Drupal\field\Entity\FieldConfig; -use Drupal\field\Entity\FieldStorageConfig; use Drupal\field_ui\Tests\FieldUiTestTrait; -use Drupal\user\RoleInterface; -use Drupal\file\Entity\File; -use Drupal\user\Entity\User; -use Drupal\user\UserInterface; /** - * Tests the file field widget, single and multi-valued, with and without AJAX, - * with public and private files. + * Tests the file field widget. * * @group file */ class FileFieldWidgetTest extends FileFieldTestBase { - use CommentTestTrait; use FieldUiTestTrait; - /** - * {@inheritdoc} - */ - protected function setUp() { - parent::setUp(); - $this->drupalPlaceBlock('system_breadcrumb_block'); - } - - /** - * Modules to enable. - * - * @var array - */ - public static $modules = ['comment', 'block']; - - /** - * Creates a temporary file, for a specific user. - * - * @param string $data - * A string containing the contents of the file. - * @param \Drupal\user\UserInterface $user - * The user of the file owner. - * - * @return \Drupal\file\FileInterface - * A file object, or FALSE on error. - */ - protected function createTemporaryFile($data, UserInterface $user = NULL) { - $file = file_save_data($data, NULL, NULL); - - if ($file) { - if ($user) { - $file->setOwner($user); - } - else { - $file->setOwner($this->adminUser); - } - // Change the file status to be temporary. - $file->setTemporary(); - // Save the changes. - $file->save(); - } - - return $file; - } - - /** - * Tests upload and remove buttons for a single-valued File field. - */ - public function testSingleValuedWidget() { - $node_storage = $this->container->get('entity.manager')->getStorage('node'); - $type_name = 'article'; - $field_name = strtolower($this->randomMachineName()); - $this->createFileField($field_name, 'node', $type_name); - - $test_file = $this->getTestFile('text'); - - foreach (['nojs', 'js'] as $type) { - // Create a new node with the uploaded file and ensure it got uploaded - // successfully. - // @todo This only tests a 'nojs' submission, because drupalPostAjaxForm() - // does not yet support file uploads. - $nid = $this->uploadNodeFile($test_file, $field_name, $type_name); - $node_storage->resetCache([$nid]); - $node = $node_storage->load($nid); - $node_file = File::load($node->{$field_name}->target_id); - $this->assertFileExists($node_file, 'New file saved to disk on node creation.'); - - // Ensure the file can be downloaded. - $this->drupalGet(file_create_url($node_file->getFileUri())); - $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.'); - - // Ensure the edit page has a remove button instead of an upload button. - $this->drupalGet("node/$nid/edit"); - $this->assertNoFieldByXPath('//input[@type="submit"]', t('Upload'), 'Node with file does not display the "Upload" button.'); - $this->assertFieldByXpath('//input[@type="submit"]', t('Remove'), 'Node with file displays the "Remove" button.'); - - // "Click" the remove button (emulating either a nojs or js submission). - switch ($type) { - case 'nojs': - $this->drupalPostForm(NULL, [], t('Remove')); - break; - case 'js': - $button = $this->xpath('//input[@type="submit" and @value="' . t('Remove') . '"]'); - $this->drupalPostAjaxForm(NULL, [], [(string) $button[0]['name'] => (string) $button[0]['value']]); - break; - } - - // Ensure the page now has an upload button instead of a remove button. - $this->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), 'After clicking the "Remove" button, it is no longer displayed.'); - $this->assertFieldByXpath('//input[@type="submit"]', t('Upload'), 'After clicking the "Remove" button, the "Upload" button is displayed.'); - // Test label has correct 'for' attribute. - $input = $this->xpath('//input[@name="files[' . $field_name . '_0]"]'); - $label = $this->xpath('//label[@for="' . (string) $input[0]['id'] . '"]'); - $this->assertTrue(isset($label[0]), 'Label for upload found.'); - - // Save the node and ensure it does not have the file. - $this->drupalPostForm(NULL, [], t('Save')); - $node_storage->resetCache([$nid]); - $node = $node_storage->load($nid); - $this->assertTrue(empty($node->{$field_name}->target_id), 'File was successfully removed from the node.'); - } - } - /** * Tests upload and remove buttons for multiple multi-valued File fields. */ @@ -141,111 +26,11 @@ public function testMultiValuedWidget() { // FileStorage::listAll(), comes down to the alphabetical order on field // names). $field_name = 'test_file_field_1'; - $field_name2 = 'test_file_field_2'; $cardinality = 3; $this->createFileField($field_name, 'node', $type_name, ['cardinality' => $cardinality]); - $this->createFileField($field_name2, 'node', $type_name, ['cardinality' => $cardinality]); $test_file = $this->getTestFile('text'); - foreach (['nojs', 'js'] as $type) { - // Visit the node creation form, and upload 3 files for each field. Since - // the field has cardinality of 3, ensure the "Upload" button is displayed - // until after the 3rd file, and after that, isn't displayed. Because - // SimpleTest triggers the last button with a given name, so upload to the - // second field first. - // @todo This is only testing a non-Ajax upload, because drupalPostAjaxForm() - // does not yet emulate jQuery's file upload. - // - $this->drupalGet("node/add/$type_name"); - foreach ([$field_name2, $field_name] as $each_field_name) { - for ($delta = 0; $delta < 3; $delta++) { - $edit = ['files[' . $each_field_name . '_' . $delta . '][]' => drupal_realpath($test_file->getFileUri())]; - // If the Upload button doesn't exist, drupalPostForm() will automatically - // fail with an assertion message. - $this->drupalPostForm(NULL, $edit, t('Upload')); - } - } - $this->assertNoFieldByXpath('//input[@type="submit"]', t('Upload'), 'After uploading 3 files for each field, the "Upload" button is no longer displayed.'); - - $num_expected_remove_buttons = 6; - - foreach ([$field_name, $field_name2] as $current_field_name) { - // How many uploaded files for the current field are remaining. - $remaining = 3; - // Test clicking each "Remove" button. For extra robustness, test them out - // of sequential order. They are 0-indexed, and get renumbered after each - // iteration, so array(1, 1, 0) means: - // - First remove the 2nd file. - // - Then remove what is then the 2nd file (was originally the 3rd file). - // - Then remove the first file. - foreach ([1, 1, 0] as $delta) { - // Ensure we have the expected number of Remove buttons, and that they - // are numbered sequentially. - $buttons = $this->xpath('//input[@type="submit" and @value="Remove"]'); - $this->assertTrue(is_array($buttons) && count($buttons) === $num_expected_remove_buttons, format_string('There are %n "Remove" buttons displayed (JSMode=%type).', ['%n' => $num_expected_remove_buttons, '%type' => $type])); - foreach ($buttons as $i => $button) { - $key = $i >= $remaining ? $i - $remaining : $i; - $check_field_name = $field_name2; - if ($current_field_name == $field_name && $i < $remaining) { - $check_field_name = $field_name; - } - - $this->assertIdentical((string) $button['name'], $check_field_name . '_' . $key . '_remove_button'); - } - - // "Click" the remove button (emulating either a nojs or js submission). - $button_name = $current_field_name . '_' . $delta . '_remove_button'; - switch ($type) { - case 'nojs': - // drupalPostForm() takes a $submit parameter that is the value of the - // button whose click we want to emulate. Since we have multiple - // buttons with the value "Remove", and want to control which one we - // use, we change the value of the other ones to something else. - // Since non-clicked buttons aren't included in the submitted POST - // data, and since drupalPostForm() will result in $this being updated - // with a newly rebuilt form, this doesn't cause problems. - foreach ($buttons as $button) { - if ($button['name'] != $button_name) { - $button['value'] = 'DUMMY'; - } - } - $this->drupalPostForm(NULL, [], t('Remove')); - break; - case 'js': - // drupalPostAjaxForm() lets us target the button precisely, so we don't - // require the workaround used above for nojs. - $this->drupalPostAjaxForm(NULL, [], [$button_name => t('Remove')]); - break; - } - $num_expected_remove_buttons--; - $remaining--; - - // Ensure an "Upload" button for the current field is displayed with the - // correct name. - $upload_button_name = $current_field_name . '_' . $remaining . '_upload_button'; - $buttons = $this->xpath('//input[@type="submit" and @value="Upload" and @name=:name]', [':name' => $upload_button_name]); - $this->assertTrue(is_array($buttons) && count($buttons) == 1, format_string('The upload button is displayed with the correct name (JSMode=%type).', ['%type' => $type])); - - // Ensure only at most one button per field is displayed. - $buttons = $this->xpath('//input[@type="submit" and @value="Upload"]'); - $expected = $current_field_name == $field_name ? 1 : 2; - $this->assertTrue(is_array($buttons) && count($buttons) == $expected, format_string('After removing a file, only one "Upload" button for each possible field is displayed (JSMode=%type).', ['%type' => $type])); - } - } - - // Ensure the page now has no Remove buttons. - $this->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), format_string('After removing all files, there is no "Remove" button displayed (JSMode=%type).', ['%type' => $type])); - - // Save the node and ensure it does not have any files. - $this->drupalPostForm(NULL, ['title[0][value]' => $this->randomMachineName()], t('Save')); - preg_match('/node\/([0-9]+)/', $this->getUrl(), $matches); - $nid = $matches[1]; - $node_storage->resetCache([$nid]); - $node = $node_storage->load($nid); - $this->assertTrue(empty($node->{$field_name}->target_id), 'Node was successfully saved without any files.'); - } - $upload_files_node_creation = [$test_file, $test_file]; // Try to upload multiple files, but fewer than the maximum. $nid = $this->uploadNodeFiles($upload_files_node_creation, $field_name, $type_name); @@ -297,306 +82,4 @@ public function testMultiValuedWidget() { $this->assertRaw(t('Field %field can only hold @max values but there were @count uploaded. The following files have been omitted as a result: %list.', $args)); } - /** - * Tests a file field with a "Private files" upload destination setting. - */ - public function testPrivateFileSetting() { - $node_storage = $this->container->get('entity.manager')->getStorage('node'); - // Grant the admin user required permissions. - user_role_grant_permissions($this->adminUser->roles[0]->target_id, ['administer node fields']); - - $type_name = 'article'; - $field_name = strtolower($this->randomMachineName()); - $this->createFileField($field_name, 'node', $type_name); - $field = FieldConfig::loadByName('node', $type_name, $field_name); - $field_id = $field->id(); - - $test_file = $this->getTestFile('text'); - - // Change the field setting to make its files private, and upload a file. - $edit = ['settings[uri_scheme]' => 'private']; - $this->drupalPostForm("admin/structure/types/manage/$type_name/fields/$field_id/storage", $edit, t('Save field settings')); - $nid = $this->uploadNodeFile($test_file, $field_name, $type_name); - $node_storage->resetCache([$nid]); - $node = $node_storage->load($nid); - $node_file = File::load($node->{$field_name}->target_id); - $this->assertFileExists($node_file, 'New file saved to disk on node creation.'); - - // Ensure the private file is available to the user who uploaded it. - $this->drupalGet(file_create_url($node_file->getFileUri())); - $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.'); - - // Ensure we can't change 'uri_scheme' field settings while there are some - // entities with uploaded files. - $this->drupalGet("admin/structure/types/manage/$type_name/fields/$field_id/storage"); - $this->assertFieldByXpath('//input[@id="edit-settings-uri-scheme-public" and @disabled="disabled"]', 'public', 'Upload destination setting disabled.'); - - // Delete node and confirm that setting could be changed. - $node->delete(); - $this->drupalGet("admin/structure/types/manage/$type_name/fields/$field_id/storage"); - $this->assertFieldByXpath('//input[@id="edit-settings-uri-scheme-public" and not(@disabled)]', 'public', 'Upload destination setting enabled.'); - } - - /** - * Tests that download restrictions on private files work on comments. - */ - public function testPrivateFileComment() { - $user = $this->drupalCreateUser(['access comments']); - - // Grant the admin user required comment permissions. - $roles = $this->adminUser->getRoles(); - user_role_grant_permissions($roles[1], ['administer comment fields', 'administer comments']); - - // Revoke access comments permission from anon user, grant post to - // authenticated. - user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, ['access comments']); - user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, ['post comments', 'skip comment approval']); - - // Create a new field. - $this->addDefaultCommentField('node', 'article'); - - $name = strtolower($this->randomMachineName()); - $label = $this->randomMachineName(); - $storage_edit = ['settings[uri_scheme]' => 'private']; - $this->fieldUIAddNewField('admin/structure/comment/manage/comment', $name, $label, 'file', $storage_edit); - - // Manually clear cache on the tester side. - \Drupal::entityManager()->clearCachedFieldDefinitions(); - - // Create node. - $edit = [ - 'title[0][value]' => $this->randomMachineName(), - ]; - $this->drupalPostForm('node/add/article', $edit, t('Save')); - $node = $this->drupalGetNodeByTitle($edit['title[0][value]']); - - // Add a comment with a file. - $text_file = $this->getTestFile('text'); - $edit = [ - 'files[field_' . $name . '_' . 0 . ']' => drupal_realpath($text_file->getFileUri()), - 'comment_body[0][value]' => $comment_body = $this->randomMachineName(), - ]; - $this->drupalPostForm('node/' . $node->id(), $edit, t('Save')); - - // Get the comment ID. - preg_match('/comment-([0-9]+)/', $this->getUrl(), $matches); - $cid = $matches[1]; - - // Log in as normal user. - $this->drupalLogin($user); - - $comment = Comment::load($cid); - $comment_file = $comment->{'field_' . $name}->entity; - $this->assertFileExists($comment_file, 'New file saved to disk on node creation.'); - // Test authenticated file download. - $url = file_create_url($comment_file->getFileUri()); - $this->assertNotEqual($url, NULL, 'Confirmed that the URL is valid'); - $this->drupalGet(file_create_url($comment_file->getFileUri())); - $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.'); - - // Test anonymous file download. - $this->drupalLogout(); - $this->drupalGet(file_create_url($comment_file->getFileUri())); - $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.'); - - // Unpublishes node. - $this->drupalLogin($this->adminUser); - $edit = ['status[value]' => FALSE]; - $this->drupalPostForm('node/' . $node->id() . '/edit', $edit, t('Save')); - - // Ensures normal user can no longer download the file. - $this->drupalLogin($user); - $this->drupalGet(file_create_url($comment_file->getFileUri())); - $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.'); - } - - /** - * Tests validation with the Upload button. - */ - public function testWidgetValidation() { - $type_name = 'article'; - $field_name = strtolower($this->randomMachineName()); - $this->createFileField($field_name, 'node', $type_name); - $this->updateFileField($field_name, $type_name, ['file_extensions' => 'txt']); - - foreach (['nojs', 'js'] as $type) { - // Create node and prepare files for upload. - $node = $this->drupalCreateNode(['type' => 'article']); - $nid = $node->id(); - $this->drupalGet("node/$nid/edit"); - $test_file_text = $this->getTestFile('text'); - $test_file_image = $this->getTestFile('image'); - $name = 'files[' . $field_name . '_0]'; - - // Upload file with incorrect extension, check for validation error. - $edit[$name] = drupal_realpath($test_file_image->getFileUri()); - switch ($type) { - case 'nojs': - $this->drupalPostForm(NULL, $edit, t('Upload')); - break; - case 'js': - $button = $this->xpath('//input[@type="submit" and @value="' . t('Upload') . '"]'); - $this->drupalPostAjaxForm(NULL, $edit, [(string) $button[0]['name'] => (string) $button[0]['value']]); - break; - } - $error_message = t('Only files with the following extensions are allowed: %files-allowed.', ['%files-allowed' => 'txt']); - $this->assertRaw($error_message, t('Validation error when file with wrong extension uploaded (JSMode=%type).', ['%type' => $type])); - - // Upload file with correct extension, check that error message is removed. - $edit[$name] = drupal_realpath($test_file_text->getFileUri()); - switch ($type) { - case 'nojs': - $this->drupalPostForm(NULL, $edit, t('Upload')); - break; - case 'js': - $button = $this->xpath('//input[@type="submit" and @value="' . t('Upload') . '"]'); - $this->drupalPostAjaxForm(NULL, $edit, [(string) $button[0]['name'] => (string) $button[0]['value']]); - break; - } - $this->assertNoRaw($error_message, t('Validation error removed when file with correct extension uploaded (JSMode=%type).', ['%type' => $type])); - } - } - - /** - * Tests file widget element. - */ - public function testWidgetElement() { - $field_name = Unicode::strtolower($this->randomMachineName()); - $html_name = str_replace('_', '-', $field_name); - $this->createFileField($field_name, 'node', 'article', ['cardinality' => FieldStorageConfig::CARDINALITY_UNLIMITED]); - $file = $this->getTestFile('text'); - $xpath = "//details[@data-drupal-selector='edit-$html_name']/div[@class='details-wrapper']/table"; - - $this->drupalGet('node/add/article'); - - $elements = $this->xpath($xpath); - - // If the field has no item, the table should not be visible. - $this->assertIdentical(count($elements), 0); - - // Upload a file. - $edit['files[' . $field_name . '_0][]'] = $this->container->get('file_system')->realpath($file->getFileUri()); - $this->drupalPostAjaxForm(NULL, $edit, "{$field_name}_0_upload_button"); - - $elements = $this->xpath($xpath); - - // If the field has at least a item, the table should be visible. - $this->assertIdentical(count($elements), 1); - - // Test for AJAX error when using progress bar on file field widget - $key = $this->randomMachineName(); - $this->drupalPost('file/progress/' . $key, 'application/json', []); - $this->assertNoResponse(500, t('No AJAX error when using progress bar on file field widget')); - $this->assertText('Starting upload...'); - } - - /** - * Tests exploiting the temporary file removal of another user using fid. - */ - public function testTemporaryFileRemovalExploit() { - // Create a victim user. - $victim_user = $this->drupalCreateUser(); - - // Create an attacker user. - $attacker_user = $this->drupalCreateUser([ - 'access content', - 'create article content', - 'edit any article content', - ]); - - // Log in as the attacker user. - $this->drupalLogin($attacker_user); - - // Perform tests using the newly created users. - $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user); - } - - /** - * Tests exploiting the temporary file removal for anonymous users using fid. - */ - public function testTemporaryFileRemovalExploitAnonymous() { - // Set up an anonymous victim user. - $victim_user = User::getAnonymousUser(); - - // Set up an anonymous attacker user. - $attacker_user = User::getAnonymousUser(); - - // Set up permissions for anonymous attacker user. - user_role_change_permissions(RoleInterface::ANONYMOUS_ID, [ - 'access content' => TRUE, - 'create article content' => TRUE, - 'edit any article content' => TRUE, - ]); - - // Log out so as to be the anonymous attacker user. - $this->drupalLogout(); - - // Perform tests using the newly set up anonymous users. - $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user); - } - - /** - * Helper for testing exploiting the temporary file removal using fid. - * - * @param \Drupal\user\UserInterface $victim_user - * The victim user. - * @param \Drupal\user\UserInterface $attacker_user - * The attacker user. - */ - protected function doTestTemporaryFileRemovalExploit(UserInterface $victim_user, UserInterface $attacker_user) { - $type_name = 'article'; - $field_name = 'test_file_field'; - $this->createFileField($field_name, 'node', $type_name); - - $test_file = $this->getTestFile('text'); - foreach (['nojs', 'js'] as $type) { - // Create a temporary file owned by the victim user. This will be as if - // they had uploaded the file, but not saved the node they were editing - // or creating. - $victim_tmp_file = $this->createTemporaryFile('some text', $victim_user); - $victim_tmp_file = File::load($victim_tmp_file->id()); - $this->assertTrue($victim_tmp_file->isTemporary(), 'New file saved to disk is temporary.'); - $this->assertFalse(empty($victim_tmp_file->id()), 'New file has an fid.'); - $this->assertEqual($victim_user->id(), $victim_tmp_file->getOwnerId(), 'New file belongs to the victim.'); - - // Have attacker create a new node with a different uploaded file and - // ensure it got uploaded successfully. - $edit = [ - 'title[0][value]' => $type . '-title' , - ]; - - // Attach a file to a node. - $edit['files[' . $field_name . '_0]'] = $this->container->get('file_system')->realpath($test_file->getFileUri()); - $this->drupalPostForm(Url::fromRoute('node.add', ['node_type' => $type_name]), $edit, t('Save')); - $node = $this->drupalGetNodeByTitle($edit['title[0][value]']); - - /** @var \Drupal\file\FileInterface $node_file */ - $node_file = File::load($node->{$field_name}->target_id); - $this->assertFileExists($node_file, 'A file was saved to disk on node creation'); - $this->assertEqual($attacker_user->id(), $node_file->getOwnerId(), 'New file belongs to the attacker.'); - - // Ensure the file can be downloaded. - $this->drupalGet(file_create_url($node_file->getFileUri())); - $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.'); - - // "Click" the remove button (emulating either a nojs or js submission). - // In this POST request, the attacker "guesses" the fid of the victim's - // temporary file and uses that to remove this file. - $this->drupalGet($node->toUrl('edit-form')); - switch ($type) { - case 'nojs': - $this->drupalPostForm(NULL, [$field_name . '[0][fids]' => (string) $victim_tmp_file->id()], 'Remove'); - break; - - case 'js': - $this->drupalPostAjaxForm(NULL, [$field_name . '[0][fids]' => (string) $victim_tmp_file->id()], ["{$field_name}_0_remove_button" => 'Remove']); - break; - } - - // The victim's temporary file should not be removed by the attacker's - // POST request. - $this->assertFileExists($victim_tmp_file); - } - } - } diff --git a/core/modules/file/tests/src/Functional/FileFieldTestBase.php b/core/modules/file/tests/src/Functional/FileFieldTestBase.php index d6096874d6..ff85790180 100644 --- a/core/modules/file/tests/src/Functional/FileFieldTestBase.php +++ b/core/modules/file/tests/src/Functional/FileFieldTestBase.php @@ -3,16 +3,23 @@ namespace Drupal\Tests\file\Functional; use Drupal\field\Entity\FieldStorageConfig; -use Drupal\field\Entity\FieldConfig; use Drupal\file\FileInterface; use Drupal\Tests\BrowserTestBase; use Drupal\file\Entity\File; +use Drupal\Tests\file\Traits\FileFieldTestTrait; +use Drupal\Tests\TestFileCreationTrait; /** * Provides methods specifically for testing File module's field handling. */ abstract class FileFieldTestBase extends BrowserTestBase { + use FileFieldTestTrait; + + use TestFileCreationTrait { + getTestFiles as drupalGetTestFiles; + } + /** * Modules to enable. * @@ -57,91 +64,6 @@ public function getLastFileId() { return (int) db_query('SELECT MAX(fid) FROM {file_managed}')->fetchField(); } - /** - * Creates a new file field. - * - * @param string $name - * The name of the new field (all lowercase), exclude the "field_" prefix. - * @param string $entity_type - * The entity type. - * @param string $bundle - * The bundle that this field will be added to. - * @param array $storage_settings - * A list of field storage settings that will be added to the defaults. - * @param array $field_settings - * A list of instance settings that will be added to the instance defaults. - * @param array $widget_settings - * A list of widget settings that will be added to the widget defaults. - */ - public function createFileField($name, $entity_type, $bundle, $storage_settings = [], $field_settings = [], $widget_settings = []) { - $field_storage = FieldStorageConfig::create([ - 'entity_type' => $entity_type, - 'field_name' => $name, - 'type' => 'file', - 'settings' => $storage_settings, - 'cardinality' => !empty($storage_settings['cardinality']) ? $storage_settings['cardinality'] : 1, - ]); - $field_storage->save(); - - $this->attachFileField($name, $entity_type, $bundle, $field_settings, $widget_settings); - return $field_storage; - } - - /** - * Attaches a file field to an entity. - * - * @param string $name - * The name of the new field (all lowercase), exclude the "field_" prefix. - * @param string $entity_type - * The entity type this field will be added to. - * @param string $bundle - * The bundle this field will be added to. - * @param array $field_settings - * A list of field settings that will be added to the defaults. - * @param array $widget_settings - * A list of widget settings that will be added to the widget defaults. - */ - public function attachFileField($name, $entity_type, $bundle, $field_settings = [], $widget_settings = []) { - $field = [ - 'field_name' => $name, - 'label' => $name, - 'entity_type' => $entity_type, - 'bundle' => $bundle, - 'required' => !empty($field_settings['required']), - 'settings' => $field_settings, - ]; - FieldConfig::create($field)->save(); - - entity_get_form_display($entity_type, $bundle, 'default') - ->setComponent($name, [ - 'type' => 'file_generic', - 'settings' => $widget_settings, - ]) - ->save(); - // Assign display settings. - entity_get_display($entity_type, $bundle, 'default') - ->setComponent($name, [ - 'label' => 'hidden', - 'type' => 'file_default', - ]) - ->save(); - } - - /** - * Updates an existing file field with new settings. - */ - public function updateFileField($name, $type_name, $field_settings = [], $widget_settings = []) { - $field = FieldConfig::loadByName('node', $type_name, $name); - $field->setSettings(array_merge($field->getSettings(), $field_settings)); - $field->save(); - - entity_get_form_display('node', $type_name, 'default') - ->setComponent($name, [ - 'settings' => $widget_settings, - ]) - ->save(); - } - /** * Uploads a file to a node. * @@ -224,7 +146,8 @@ public function uploadNodeFiles(array $files, $field_name, $nid_or_type, $new_re $edit[$name][] = $file_path; } } - $this->drupalPostForm("node/$nid/edit", $edit, t('Save and keep published')); + + $this->drupalPostForm("node/$nid/edit", $edit, t('Save')); return $nid; } diff --git a/core/modules/file/tests/src/Functional/FileFieldWidgetTest.php b/core/modules/file/tests/src/Functional/FileFieldWidgetTest.php new file mode 100644 index 0000000000..84e9695b55 --- /dev/null +++ b/core/modules/file/tests/src/Functional/FileFieldWidgetTest.php @@ -0,0 +1,452 @@ +drupalPlaceBlock('system_breadcrumb_block'); + } + + /** + * Modules to enable. + * + * @var array + */ + public static $modules = ['comment', 'block']; + + /** + * Tests upload and remove buttons for a single-valued File field. + */ + public function testSingleValuedWidget() { + $node_storage = $this->container->get('entity.manager')->getStorage('node'); + $type_name = 'article'; + $field_name = strtolower($this->randomMachineName()); + $this->createFileField($field_name, 'node', $type_name); + + $test_file = $this->getTestFile('text'); + + // Create a new node with the uploaded file and ensure it got uploaded + // successfully. + $nid = $this->uploadNodeFile($test_file, $field_name, $type_name); + $node_storage->resetCache([$nid]); + $node = $node_storage->load($nid); + $node_file = File::load($node->{$field_name}->target_id); + $this->assertFileExists($node_file, 'New file saved to disk on node creation.'); + + // Ensure the file can be downloaded. + $this->drupalGet(file_create_url($node_file->getFileUri())); + $this->assertResponse(200); // , 'Confirmed that the generated URL is correct by downloading the shipped file.' + + // Ensure the edit page has a remove button instead of an upload button. + $this->drupalGet("node/$nid/edit"); + $this->assertNoFieldByXPath('//input[@type="submit"]', t('Upload'), 'Node with file does not display the "Upload" button.'); + $this->assertFieldByXpath('//input[@type="submit"]', t('Remove'), 'Node with file displays the "Remove" button.'); + + // "Click" the remove button. + $this->drupalPostForm(NULL, [], t('Remove')); + + // Ensure the page now has an upload button instead of a remove button. + $this->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), 'After clicking the "Remove" button, it is no longer displayed.'); + $this->assertFieldByXpath('//input[@type="submit"]', t('Upload'), 'After clicking the "Remove" button, the "Upload" button is displayed.'); + // Test label has correct 'for' attribute. + $input = $this->xpath('//input[@name="files[' . $field_name . '_0]"]'); + $label = $this->xpath('//label[@for="' . $input[0]->getAttribute('id') . '"]'); + $this->assertTrue(isset($label[0]), 'Label for upload found.'); + + // Save the node and ensure it does not have the file. + $this->drupalPostForm(NULL, [], t('Save')); + $node_storage->resetCache([$nid]); + $node = $node_storage->load($nid); + $this->assertTrue(empty($node->{$field_name}->target_id), 'File was successfully removed from the node.'); + } + + /** + * Tests upload and remove buttons for multiple multi-valued File fields. + */ + public function testMultiValuedWidget() { + $node_storage = $this->container->get('entity.manager')->getStorage('node'); + $type_name = 'article'; + // Use explicit names instead of random names for those fields, because of a + // bug in drupalPostForm() with multiple file uploads in one form, where the + // order of uploads depends on the order in which the upload elements are + // added to the $form (which, in the current implementation of + // FileStorage::listAll(), comes down to the alphabetical order on field + // names). + $field_name = 'test_file_field_1'; + $field_name2 = 'test_file_field_2'; + $cardinality = 3; + $this->createFileField($field_name, 'node', $type_name, ['cardinality' => $cardinality]); + $this->createFileField($field_name2, 'node', $type_name, ['cardinality' => $cardinality]); + + $test_file = $this->getTestFile('text'); + + // Visit the node creation form, and upload 3 files for each field. Since + // the field has cardinality of 3, ensure the "Upload" button is displayed + // until after the 3rd file, and after that, isn't displayed. Because + // SimpleTest triggers the last button with a given name, so upload to the + // second field first. + $this->drupalGet("node/add/$type_name"); + foreach ([$field_name2, $field_name] as $each_field_name) { + for ($delta = 0; $delta < 3; $delta++) { + $edit = ['files[' . $each_field_name . '_' . $delta . '][]' => drupal_realpath($test_file->getFileUri())]; + // If the Upload button doesn't exist, drupalPostForm() will automatically + // fail with an assertion message. + $this->drupalPostForm(NULL, $edit, t('Upload')); + } + } + $this->assertNoFieldByXpath('//input[@type="submit"]', t('Upload'), 'After uploading 3 files for each field, the "Upload" button is no longer displayed.'); + + $num_expected_remove_buttons = 6; + + foreach ([$field_name, $field_name2] as $current_field_name) { + // How many uploaded files for the current field are remaining. + $remaining = 3; + // Test clicking each "Remove" button. For extra robustness, test them out + // of sequential order. They are 0-indexed, and get renumbered after each + // iteration, so array(1, 1, 0) means: + // - First remove the 2nd file. + // - Then remove what is then the 2nd file (was originally the 3rd file). + // - Then remove the first file. + foreach ([1, 1, 0] as $delta) { + // Ensure we have the expected number of Remove buttons, and that they + // are numbered sequentially. + $buttons = $this->xpath('//input[@type="submit" and @value="Remove"]'); + $this->assertTrue(is_array($buttons) && count($buttons) === $num_expected_remove_buttons, format_string('There are %n "Remove" buttons displayed.', ['%n' => $num_expected_remove_buttons])); + foreach ($buttons as $i => $button) { + $key = $i >= $remaining ? $i - $remaining : $i; + $check_field_name = $field_name2; + if ($current_field_name == $field_name && $i < $remaining) { + $check_field_name = $field_name; + } + + $this->assertIdentical($button->getAttribute('name'), $check_field_name . '_' . $key . '_remove_button'); + } + + // "Click" the remove button (emulating either a nojs or js submission). + $button_name = $current_field_name . '_' . $delta . '_remove_button'; + $this->getSession()->getPage()->findButton($button_name)->press(); + $num_expected_remove_buttons--; + $remaining--; + + // Ensure an "Upload" button for the current field is displayed with the + // correct name. + $upload_button_name = $current_field_name . '_' . $remaining . '_upload_button'; + $buttons = $this->xpath('//input[@type="submit" and @value="Upload" and @name=:name]', [':name' => $upload_button_name]); + $this->assertTrue(is_array($buttons) && count($buttons) == 1, 'The upload button is displayed with the correct name.'); + + // Ensure only at most one button per field is displayed. + $buttons = $this->xpath('//input[@type="submit" and @value="Upload"]'); + $expected = $current_field_name == $field_name ? 1 : 2; + $this->assertTrue(is_array($buttons) && count($buttons) == $expected, 'After removing a file, only one "Upload" button for each possible field is displayed.'); + } + } + + // Ensure the page now has no Remove buttons. + $this->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), 'After removing all files, there is no "Remove" button displayed.'); + + // Save the node and ensure it does not have any files. + $this->drupalPostForm(NULL, ['title[0][value]' => $this->randomMachineName()], t('Save')); + preg_match('/node\/([0-9]+)/', $this->getUrl(), $matches); + $nid = $matches[1]; + $node_storage->resetCache([$nid]); + $node = $node_storage->load($nid); + $this->assertTrue(empty($node->{$field_name}->target_id), 'Node was successfully saved without any files.'); + } + + /** + * Tests a file field with a "Private files" upload destination setting. + */ + public function testPrivateFileSetting() { + $node_storage = $this->container->get('entity.manager')->getStorage('node'); + // Grant the admin user required permissions. + user_role_grant_permissions($this->adminUser->roles[0]->target_id, ['administer node fields']); + + $type_name = 'article'; + $field_name = strtolower($this->randomMachineName()); + $this->createFileField($field_name, 'node', $type_name); + $field = FieldConfig::loadByName('node', $type_name, $field_name); + $field_id = $field->id(); + + $test_file = $this->getTestFile('text'); + + // Change the field setting to make its files private, and upload a file. + $edit = ['settings[uri_scheme]' => 'private']; + $this->drupalPostForm("admin/structure/types/manage/$type_name/fields/$field_id/storage", $edit, t('Save field settings')); + $nid = $this->uploadNodeFile($test_file, $field_name, $type_name); + $node_storage->resetCache([$nid]); + $node = $node_storage->load($nid); + $node_file = File::load($node->{$field_name}->target_id); + $this->assertFileExists($node_file, 'New file saved to disk on node creation.'); + + // Ensure the private file is available to the user who uploaded it. + $this->drupalGet(file_create_url($node_file->getFileUri())); + // Confirmed that the generated URL is correct by downloading the shipped file. + $this->assertResponse(200); + + // Ensure we can't change 'uri_scheme' field settings while there are some + // entities with uploaded files. + $this->drupalGet("admin/structure/types/manage/$type_name/fields/$field_id/storage"); + $this->assertFieldByXpath('//input[@id="edit-settings-uri-scheme-public" and @disabled="disabled"]', 'public', 'Upload destination setting disabled.'); + + // Delete node and confirm that setting could be changed. + $node->delete(); + $this->drupalGet("admin/structure/types/manage/$type_name/fields/$field_id/storage"); + $this->assertFieldByXpath('//input[@id="edit-settings-uri-scheme-public" and not(@disabled)]', 'public', 'Upload destination setting enabled.'); + } + + /** + * Tests that download restrictions on private files work on comments. + */ + public function testPrivateFileComment() { + $user = $this->drupalCreateUser(['access comments']); + + // Grant the admin user required comment permissions. + $roles = $this->adminUser->getRoles(); + user_role_grant_permissions($roles[1], ['administer comment fields', 'administer comments']); + + // Revoke access comments permission from anon user, grant post to + // authenticated. + user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, ['access comments']); + user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, ['post comments', 'skip comment approval']); + + // Create a new field. + $this->addDefaultCommentField('node', 'article'); + + $name = strtolower($this->randomMachineName()); + $label = $this->randomMachineName(); + $storage_edit = ['settings[uri_scheme]' => 'private']; + $this->fieldUIAddNewField('admin/structure/comment/manage/comment', $name, $label, 'file', $storage_edit); + + // Manually clear cache on the tester side. + \Drupal::entityManager()->clearCachedFieldDefinitions(); + + // Create node. + $edit = [ + 'title[0][value]' => $this->randomMachineName(), + ]; + $this->drupalPostForm('node/add/article', $edit, t('Save')); + $node = $this->drupalGetNodeByTitle($edit['title[0][value]']); + + // Add a comment with a file. + $text_file = $this->getTestFile('text'); + $edit = [ + 'files[field_' . $name . '_' . 0 . ']' => drupal_realpath($text_file->getFileUri()), + 'comment_body[0][value]' => $comment_body = $this->randomMachineName(), + ]; + $this->drupalPostForm('node/' . $node->id(), $edit, t('Save')); + + // Get the comment ID. + preg_match('/comment-([0-9]+)/', $this->getUrl(), $matches); + $cid = $matches[1]; + + // Log in as normal user. + $this->drupalLogin($user); + + $comment = Comment::load($cid); + $comment_file = $comment->{'field_' . $name}->entity; + $this->assertFileExists($comment_file, 'New file saved to disk on node creation.'); + // Test authenticated file download. + $url = file_create_url($comment_file->getFileUri()); + $this->assertNotEqual($url, NULL, 'Confirmed that the URL is valid'); + $this->drupalGet(file_create_url($comment_file->getFileUri())); + $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.'); + + // Test anonymous file download. + $this->drupalLogout(); + $this->drupalGet(file_create_url($comment_file->getFileUri())); + $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.'); + + // Unpublishes node. + $this->drupalLogin($this->adminUser); + $edit = ['status[value]' => FALSE]; + $this->drupalPostForm('node/' . $node->id() . '/edit', $edit, t('Save')); + + // Ensures normal user can no longer download the file. + $this->drupalLogin($user); + $this->drupalGet(file_create_url($comment_file->getFileUri())); + $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.'); + } + + /** + * Tests validation with the Upload button. + */ + public function testWidgetValidation() { + $type_name = 'article'; + $field_name = strtolower($this->randomMachineName()); + $this->createFileField($field_name, 'node', $type_name); + $this->updateFileField($field_name, $type_name, ['file_extensions' => 'txt']); + + // Create node and prepare files for upload. + $node = $this->drupalCreateNode(['type' => 'article']); + $nid = $node->id(); + $this->drupalGet("node/$nid/edit"); + $test_file_text = $this->getTestFile('text'); + $test_file_image = $this->getTestFile('image'); + $name = 'files[' . $field_name . '_0]'; + + // Upload file with incorrect extension, check for validation error. + $edit[$name] = drupal_realpath($test_file_image->getFileUri()); + $this->drupalPostForm(NULL, $edit, t('Upload')); + $error_message = t('Only files with the following extensions are allowed: %files-allowed.', ['%files-allowed' => 'txt']); + $this->assertRaw($error_message, 'Validation error when file with wrong extension uploaded.'); + + // Upload file with correct extension, check that error message is removed. + $edit[$name] = drupal_realpath($test_file_text->getFileUri()); + $this->drupalPostForm(NULL, $edit, t('Upload')); + $this->assertNoRaw($error_message, 'Validation error removed when file with correct extension uploaded.'); + } + + /** + * Tests file widget element. + */ + public function testWidgetElement() { + $field_name = Unicode::strtolower($this->randomMachineName()); + $html_name = str_replace('_', '-', $field_name); + $this->createFileField($field_name, 'node', 'article', ['cardinality' => FieldStorageConfig::CARDINALITY_UNLIMITED]); + $file = $this->getTestFile('text'); + $xpath = "//details[@data-drupal-selector='edit-$html_name']/div[@class='details-wrapper']/table"; + + $this->drupalGet('node/add/article'); + + $elements = $this->xpath($xpath); + + // If the field has no item, the table should not be visible. + $this->assertIdentical(count($elements), 0); + + // Upload a file. + $edit['files[' . $field_name . '_0][]'] = $this->container->get('file_system')->realpath($file->getFileUri()); + $this->drupalPostForm(NULL, $edit, t('Upload')); + $elements = $this->xpath($xpath); + + // If the field has at least a item, the table should be visible. + $this->assertIdentical(count($elements), 1); + } + + /** + * Tests exploiting the temporary file removal of another user using fid. + */ + public function testTemporaryFileRemovalExploit() { + // Create a victim user. + $victim_user = $this->drupalCreateUser(); + + // Create an attacker user. + $attacker_user = $this->drupalCreateUser([ + 'access content', + 'create article content', + 'edit any article content', + ]); + + // Log in as the attacker user. + $this->drupalLogin($attacker_user); + + // Perform tests using the newly created users. + $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user); + } + + /** + * Tests exploiting the temporary file removal for anonymous users using fid. + */ + public function testTemporaryFileRemovalExploitAnonymous() { + // Set up an anonymous victim user. + $victim_user = User::getAnonymousUser(); + + // Set up an anonymous attacker user. + $attacker_user = User::getAnonymousUser(); + + // Set up permissions for anonymous attacker user. + user_role_change_permissions(RoleInterface::ANONYMOUS_ID, [ + 'access content' => TRUE, + 'create article content' => TRUE, + 'edit any article content' => TRUE, + ]); + + // Log out so as to be the anonymous attacker user. + $this->drupalLogout(); + + // Perform tests using the newly set up anonymous users. + $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user); + } + + /** + * Helper for testing exploiting the temporary file removal using fid. + * + * @param \Drupal\user\UserInterface $victim_user + * The victim user. + * @param \Drupal\user\UserInterface $attacker_user + * The attacker user. + */ + protected function doTestTemporaryFileRemovalExploit(UserInterface $victim_user, UserInterface $attacker_user) { + $type_name = 'article'; + $field_name = 'test_file_field'; + $this->createFileField($field_name, 'node', $type_name); + + $test_file = $this->getTestFile('text'); + + // Create a temporary file owned by the victim user. This will be as if + // they had uploaded the file, but not saved the node they were editing + // or creating. + $victim_tmp_file = $this->createTemporaryFile('some text', $victim_user); + $victim_tmp_file = File::load($victim_tmp_file->id()); + $this->assertTrue($victim_tmp_file->isTemporary(), 'New file saved to disk is temporary.'); + $this->assertFalse(empty($victim_tmp_file->id()), 'New file has an fid.'); + $this->assertEqual($victim_user->id(), $victim_tmp_file->getOwnerId(), 'New file belongs to the victim.'); + + // Have attacker create a new node with a different uploaded file and + // ensure it got uploaded successfully. + $edit = [ + 'title[0][value]' => 'test-title' , + ]; + + // Attach a file to a node. + $edit['files[' . $field_name . '_0]'] = $this->container->get('file_system')->realpath($test_file->getFileUri()); + $this->drupalPostForm(Url::fromRoute('node.add', ['node_type' => $type_name]), $edit, t('Save')); + $node = $this->drupalGetNodeByTitle($edit['title[0][value]']); + + /** @var \Drupal\file\FileInterface $node_file */ + $node_file = File::load($node->{$field_name}->target_id); + $this->assertFileExists($node_file, 'A file was saved to disk on node creation'); + $this->assertEqual($attacker_user->id(), $node_file->getOwnerId(), 'New file belongs to the attacker.'); + + // Ensure the file can be downloaded. + $this->drupalGet(file_create_url($node_file->getFileUri())); + // Confirmed that the generated URL is correct by downloading the shipped file. + $this->assertResponse(200); + + // "Click" the remove button (emulating either a nojs or js submission). + // In this POST request, the attacker "guesses" the fid of the victim's + // temporary file and uses that to remove this file. + $this->drupalGet($node->toUrl('edit-form')); + $this->drupalPostForm(NULL, [$field_name . '[0][fids]' => (string) $victim_tmp_file->id()], 'Remove'); + + // The victim's temporary file should not be removed by the attacker's + // POST request. + $this->assertFileExists($victim_tmp_file); + } + +} diff --git a/core/modules/file/tests/src/FunctionalJavascript/FileFieldWidgetTest.php b/core/modules/file/tests/src/FunctionalJavascript/FileFieldWidgetTest.php new file mode 100644 index 0000000000..d2ad68e36d --- /dev/null +++ b/core/modules/file/tests/src/FunctionalJavascript/FileFieldWidgetTest.php @@ -0,0 +1,362 @@ +drupalCreateUser([ + 'access content', + 'access administration pages', + 'administer site configuration', + 'administer users', + 'administer permissions', + 'administer content types', + 'administer node fields', + 'administer node display', + 'administer nodes', + 'bypass node access', + ]); + $this->drupalLogin($admin); + + $this->drupalCreateContentType(['type' => 'article']); + } + + /** + * Tests upload and remove buttons for a single-valued File field. + */ + public function testSingleValuedWidget() { + // Create node type with single file field. + $this->createFileField('field_single_file', 'node', 'article'); + + $page = $this->getSession()->getPage(); + $assert_session = $this->assertSession(); + + $this->drupalGet('node/add/article'); + + // Create test file for upload. + $file = current($this->getTestFiles('text')); + $file_path = \Drupal::service('file_system')->realpath($file->uri); + + // Upload file. + $page->attachFileToField('files[field_single_file_0]', $file_path); + $remove_button = $assert_session->waitForButton('field_single_file_0_remove_button'); + $this->assertNotNull($assert_session->waitForElementVisible('css', '[name="field_single_file_0_remove_button"]')); + // Ensure the page now has an remove button instead of a upload button. + $this->assertNotNull($remove_button); + $this->assertNull($assert_session->waitForButton('field_single_file_0_upload_button')); + + // Assert the new file is uploaded. + $field = $this->xpath('//input[@name="field_single_file[0][fids]"]')[0]; + $fid = $field->getValue(); + \Drupal::entityTypeManager()->getStorage('file')->resetCache(); + $file = File::load($fid); + $this->assertNotNull($file); + + // Remove file. + $remove_button->click(); + // Ensure the page now has an upload button instead of a remove button. + $this->assertNotNull($assert_session->waitForButton('field_single_file_0_upload_button')); + $this->assertNull($assert_session->waitForButton('field_single_file_0_remove_button')); + + // Save the node and ensure it does not have the file. + $page->pressButton('Save'); + \Drupal::entityTypeManager()->getStorage('file')->resetCache(); + $file = File::load($fid); + $this->assertNull($file); + } + + /** + * Tests upload and remove buttons for multiple multi-valued File fields. + */ + public function testMultiValuedWidget() { + $type_name = 'article'; + $field_name = 'test_file_field_1'; + $field_name2 = 'test_file_field_2'; + $cardinality = 3; + $this->createFileField($field_name, 'node', $type_name, ['cardinality' => $cardinality]); + $this->createFileField($field_name2, 'node', $type_name, ['cardinality' => $cardinality]); + + $page = $this->getSession()->getPage(); + $assert_session = $this->assertSession(); + + $test_file = current($this->getTestFiles('text')); + $test_file_path = \Drupal::service('file_system')->realpath($test_file->uri); + + $this->drupalGet("node/add/$type_name"); + foreach ([$field_name2, $field_name] as $each_field_name) { + for ($delta = 0; $delta < 3; $delta++) { + $page->attachFileToField('files[' . $each_field_name . '_' . $delta . '][]', $test_file_path); + $this->assertNotNull($assert_session->waitForElementVisible('css', '[name="' . $each_field_name . '_' . $delta . '_remove_button"]')); + $this->assertNull($assert_session->waitForButton($each_field_name . '_' . $delta . '_upload_button')); + } + } + + $num_expected_remove_buttons = 6; + + foreach ([$field_name, $field_name2] as $current_field_name) { + // How many uploaded files for the current field are remaining. + $remaining = 3; + // Test clicking each "Remove" button. For extra robustness, test them out + // of sequential order. They are 0-indexed, and get renumbered after each + // iteration, so array(1, 1, 0) means: + // - First remove the 2nd file. + // - Then remove what is then the 2nd file (was originally the 3rd file). + // - Then remove the first file. + foreach ([1, 1, 0] as $delta) { + // Ensure we have the expected number of Remove buttons, and that they + // are numbered sequentially. + $buttons = $this->xpath('//input[@type="submit" and @value="Remove"]'); + $this->assertTrue(is_array($buttons) && count($buttons) === $num_expected_remove_buttons, format_string('There are %n "Remove" buttons displayed.', ['%n' => $num_expected_remove_buttons])); + foreach ($buttons as $i => $button) { + $key = $i >= $remaining ? $i - $remaining : $i; + $check_field_name = $field_name2; + if ($current_field_name == $field_name && $i < $remaining) { + $check_field_name = $field_name; + } + + $this->assertIdentical($button->getAttribute('name'), $check_field_name . '_' . $key . '_remove_button'); + } + + $button_name = $current_field_name . '_' . $delta . '_remove_button'; + $remove_button = $assert_session->waitForButton($button_name); + $remove_button->click(); + + $num_expected_remove_buttons--; + $remaining--; + + // Ensure an "Upload" button for the current field is displayed with the + // correct name. + $upload_button_name = $current_field_name . '_' . $remaining . '_upload_button'; + $this->assertNotNull($assert_session->waitForButton($upload_button_name)); + $buttons = $this->xpath('//input[@type="submit" and @value="Upload" and @name=:name]', [':name' => $upload_button_name]); + $this->assertTrue(is_array($buttons) && count($buttons) == 1, 'The upload button is displayed with the correct name.'); + + // Ensure only at most one button per field is displayed. + $buttons = $this->xpath('//input[@type="submit" and @value="Upload"]'); + $expected = $current_field_name == $field_name ? 1 : 2; + $this->assertTrue(is_array($buttons) && count($buttons) == $expected, 'After removing a file, only one "Upload" button for each possible field is displayed.'); + } + } + } + + /** + * Tests validation with the Upload button. + */ + public function testWidgetValidation() { + $type_name = 'article'; + $field_name = strtolower($this->randomMachineName()); + $this->createFileField($field_name, 'node', $type_name); + $this->updateFileField($field_name, $type_name, ['file_extensions' => 'txt']); + + $page = $this->getSession()->getPage(); + $assert_session = $this->assertSession(); + + // Create node and prepare files for upload. + $node = $this->drupalCreateNode(['type' => 'article']); + $nid = $node->id(); + $this->drupalGet("node/$nid/edit"); + $test_file_text = current($this->getTestFiles('text')); + $test_file_text_path = \Drupal::service('file_system')->realpath($test_file_text->uri); + $test_file_image = current($this->getTestFiles('image')); + $test_file_image_path = \Drupal::service('file_system')->realpath($test_file_image->uri); + $name = 'files[' . $field_name . '_0]'; + + // Upload file with incorrect extension, check for validation error. + $page->attachFileToField($name, $test_file_image_path); + $this->assertNotNull($assert_session->waitForElementVisible('css', '.messages--error')); + + $error_message = t('Only files with the following extensions are allowed: %files-allowed.', ['%files-allowed' => 'txt']); + $this->assertRaw($error_message, 'Validation error when file with wrong extension uploaded.'); + + $page->attachFileToField($name, $test_file_text_path); + $this->assertNotNull($assert_session->waitForElementVisible('css', '[name="' . $field_name . '_0_remove_button"]')); + $this->assertNull($assert_session->waitForElementVisible('css', '.messages--error')); + + $this->assertNoRaw($error_message, 'Validation error removed when file with correct extension uploaded.'); + } + + /** + * Tests file widget element. + */ + public function testWidgetElement() { + $field_name = 'field_test_file'; + $this->createFileField($field_name, 'node', 'article', ['cardinality' => FieldStorageConfig::CARDINALITY_UNLIMITED]); + $file = current($this->getTestFiles('text')); + $file_path = \Drupal::service('file_system')->realpath($file->uri); + + $page = $this->getSession()->getPage(); + $assert_session = $this->assertSession(); + + $this->drupalGet('node/add/article'); + + // Upload a file. + $page->attachFileToField('files[' . $field_name . '_0][]', $file_path); + + // Test for AJAX error when using progress bar on file field widget + $key = $this->randomMachineName(); + + $script = <<' + data.message + '').appendTo('body'); + }, + statusCode: { + 500: function () { + jQuery('
').appendTo('body'); + }, + }, +}) +JS; + + $this->getSession()->executeScript($script); + $message = $assert_session->waitForElementVisible('css', '#ajax-response-message'); + $this->assertNotNull($message); + $this->assertSame('Starting upload...', $message->getText()); + $this->assertNull($assert_session->waitForElement('css', '#status-500'), 'No AJAX error when using progress bar on file field widget'); + $this->assertNotNull($assert_session->waitForElementVisible('css', '[name="' . $field_name . '_0_remove_button"]')); + } + + /** + * Tests exploiting the temporary file removal of another user using fid. + */ + public function testTemporaryFileRemovalExploit() { + // Create a victim user. + $victim_user = $this->drupalCreateUser(); + + // Create an attacker user. + $attacker_user = $this->drupalCreateUser([ + 'access content', + 'create article content', + 'edit any article content', + ]); + + // Log in as the attacker user. + $this->drupalLogin($attacker_user); + + // Perform tests using the newly created users. + $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user); + } + + /** + * Tests exploiting the temporary file removal for anonymous users using fid. + */ + public function testTemporaryFileRemovalExploitAnonymous() { + // Set up an anonymous victim user. + $victim_user = User::getAnonymousUser(); + + // Set up an anonymous attacker user. + $attacker_user = User::getAnonymousUser(); + + // Set up permissions for anonymous attacker user. + user_role_change_permissions(RoleInterface::ANONYMOUS_ID, [ + 'access content' => TRUE, + 'create article content' => TRUE, + 'edit any article content' => TRUE, + ]); + + // Log out so as to be the anonymous attacker user. + $this->drupalLogout(); + + // Perform tests using the newly set up anonymous users. + $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user); + } + + /** + * Helper for testing exploiting the temporary file removal using fid. + * + * @param \Drupal\user\UserInterface $victim_user + * The victim user. + * @param \Drupal\user\UserInterface $attacker_user + * The attacker user. + */ + protected function doTestTemporaryFileRemovalExploit(UserInterface $victim_user, UserInterface $attacker_user) { + $type_name = 'article'; + $field_name = 'test_file_field'; + $this->createFileField($field_name, 'node', $type_name); + + $test_file = current($this->getTestFiles('text')); + $test_file_path = \Drupal::service('file_system')->realpath($test_file->uri); + + $page = $this->getSession()->getPage(); + $assert_session = $this->assertSession(); + + // Create a temporary file owned by the victim user. This will be as if + // they had uploaded the file, but not saved the node they were editing + // or creating. + $victim_tmp_file = $this->createTemporaryFile('some text', $victim_user); + $victim_tmp_file = File::load($victim_tmp_file->id()); + $this->assertTrue($victim_tmp_file->isTemporary(), 'New file saved to disk is temporary.'); + $this->assertFalse(empty($victim_tmp_file->id()), 'New file has an fid.'); + $this->assertEqual($victim_user->id(), $victim_tmp_file->getOwnerId(), 'New file belongs to the victim.'); + + // Have attacker create a new node with a different uploaded file and + // ensure it got uploaded successfully. + $this->drupalGet('node/add/article'); + $title = $page->findField('title[0][value]'); + $title->setValue('test-title'); + + // Attach a file to a node. + $page->attachFileToField('files[' . $field_name . '_0]', $test_file_path); + $this->assertNotNull($assert_session->waitForElementVisible('css', '[name="' . $field_name . '_0_remove_button"]')); + + $page->findButton('Save')->press(); + + $node = $this->drupalGetNodeByTitle('test-title'); + + /** @var \Drupal\file\FileInterface $node_file */ + $node_file = File::load($node->{$field_name}->target_id); + $this->assertFileExists($node_file->getFileUri(), 'A file was saved to disk on node creation'); + $this->assertEqual($attacker_user->id(), $node_file->getOwnerId(), 'New file belongs to the attacker.'); + + // Ensure the file can be downloaded. + $this->drupalGet('node/' . $node->id()); + $assert_session->linkByHrefExists(file_create_url($node_file->getFileUri())); + + // "Click" the remove button (emulating either a nojs or js submission). + // In this POST request, the attacker "guesses" the fid of the victim's + // temporary file and uses that to remove this file. + $this->drupalGet($node->toUrl('edit-form')); + $remove_button = $assert_session->waitForButton("{$field_name}_0_remove_button"); + $remove_button->press(); + + // The victim's temporary file should not be removed by the attacker's + // POST request. + $this->assertFileExists($victim_tmp_file->getFileUri()); + } + +} diff --git a/core/modules/file/tests/src/Traits/FileFieldTestTrait.php b/core/modules/file/tests/src/Traits/FileFieldTestTrait.php new file mode 100644 index 0000000000..75ad596508 --- /dev/null +++ b/core/modules/file/tests/src/Traits/FileFieldTestTrait.php @@ -0,0 +1,126 @@ + $entity_type, + 'field_name' => $name, + 'type' => 'file', + 'settings' => $storage_settings, + 'cardinality' => !empty($storage_settings['cardinality']) ? $storage_settings['cardinality'] : 1, + ]); + $field_storage->save(); + + $this->attachFileField($name, $entity_type, $bundle, $field_settings, $widget_settings); + return $field_storage; + } + + /** + * Attaches a file field to an entity. + * + * @param string $name + * The name of the new field (all lowercase), exclude the "field_" prefix. + * @param string $entity_type + * The entity type this field will be added to. + * @param string $bundle + * The bundle this field will be added to. + * @param array $field_settings + * A list of field settings that will be added to the defaults. + * @param array $widget_settings + * A list of widget settings that will be added to the widget defaults. + */ + public function attachFileField($name, $entity_type, $bundle, $field_settings = [], $widget_settings = []) { + $field = [ + 'field_name' => $name, + 'label' => $name, + 'entity_type' => $entity_type, + 'bundle' => $bundle, + 'required' => !empty($field_settings['required']), + 'settings' => $field_settings, + ]; + FieldConfig::create($field)->save(); + + entity_get_form_display($entity_type, $bundle, 'default') + ->setComponent($name, [ + 'type' => 'file_generic', + 'settings' => $widget_settings, + ]) + ->save(); + // Assign display settings. + entity_get_display($entity_type, $bundle, 'default') + ->setComponent($name, [ + 'label' => 'hidden', + 'type' => 'file_default', + ]) + ->save(); + } + + /** + * Creates a temporary file, for a specific user. + * + * @param string $data + * A string containing the contents of the file. + * @param \Drupal\user\UserInterface $user + * The user of the file owner. + * + * @return \Drupal\file\FileInterface + * A file object, or FALSE on error. + */ + protected function createTemporaryFile($data, UserInterface $user = NULL) { + $file = file_save_data($data, NULL, NULL); + + if ($file) { + if ($user) { + $file->setOwner($user); + } + else { + $file->setOwner($this->adminUser); + } + // Change the file status to be temporary. + $file->setTemporary(); + // Save the changes. + $file->save(); + } + + return $file; + } + + /** + * Updates an existing file field with new settings. + */ + public function updateFileField($name, $type_name, $field_settings = [], $widget_settings = []) { + $field = FieldConfig::loadByName('node', $type_name, $name); + $field->setSettings(array_merge($field->getSettings(), $field_settings)); + $field->save(); + + entity_get_form_display('node', $type_name, 'default') + ->setComponent($name, [ + 'settings' => $widget_settings, + ]) + ->save(); + } + +} diff --git a/core/tests/Drupal/Tests/BrowserTestBase.php b/core/tests/Drupal/Tests/BrowserTestBase.php index e7c79f380a..b966c8c08d 100644 --- a/core/tests/Drupal/Tests/BrowserTestBase.php +++ b/core/tests/Drupal/Tests/BrowserTestBase.php @@ -4,6 +4,7 @@ use Behat\Mink\Driver\GoutteDriver; use Behat\Mink\Element\Element; +use Behat\Mink\Exception\ElementNotFoundException; use Behat\Mink\Mink; use Behat\Mink\Selector\SelectorsHandler; use Behat\Mink\Session; @@ -806,7 +807,14 @@ protected function submitForm(array $edit, $submit, $form_html_id = NULL) { // Edit the form values. foreach ($edit as $name => $value) { - $field = $assert_session->fieldExists($name, $form); + try { + $field = $assert_session->fieldExists($name, $form); + } + catch (ElementNotFoundException $e) { + // @todo: DON'T COMMIT WHILE WE HAVE IT! + $field = $assert_session->hiddenFieldExists($name, $form); + } + // Provide support for the values '1' and '0' for checkboxes instead of // TRUE and FALSE.