? .DS_Store ? 106559-get-the-naming-right.patch ? 167112_theme_wildcard_update_tests_update2.patch ? 196862-remove-useless-count-queries-we-do-not-like-you-please-go-away_1.patch ? 220592-54.update_cache.d7.patch ? 229660-contact-theme-username-D7_0.patch ? 236657.patch ? 243253-12.update_bail_fetching.d7.patch ? 296693-menu-hide_0.patch ? 303965-ignore-empty-serial-on-insert.patch ? 309007-grants-alter_2.patch ? 315035-jquery-ui_2.patch ? 328155_13_dirindex.patch ? 361277_0_0.patch ? 362852-statistics-admin-form-cleanup-D7_1.patch ? 367214-syntax_fix.patch ? 368064-followup-1.patch ? 369409-9-eojthebrave-theme_block_to_block_module.patch ? 375578-8_cron_do_not_lower_exec_time.patch ? 390774a.diff ? 390774b_0.diff ? 391412-11.patch ? 398902_password_confirm_validate_2.patch ? 408876-2.patch ? 439148-5_0.patch ? 444402.patch ? 444920-book-breadcrumbs-need-love_1.patch ? 445214-I-will-try-to-fix-you-8.patch ? 445748-17.update-hook-projects-alter.d7.patch ? 445950-simpletest-cleanup_6.patch ? 446878-field.test.patch ? 447700-1.update_maintainers.patch ? 448268-2.update_clear_cache_themes.d7.patch ? 459786-count-query-all-fields_1.patch ? 462428-14.taxonomy_help_xss.d7_0.patch ? 467474-typecasting-gone-wrong.2.patch ? 475348-move-admin-development.patch ? 477944-follow-up-1.patch ? 480660-follow-up-1.patch ? 481508-3.patch ? 482920-11.patch ? 493296-fixes.patch ? DRUPAL-7-0-UNSTABLE-7.txt ? FALSE, ? REQUIREMENT_ERROR, ? actions-tests-D7_0.patch ? actions-tests2-D7.patch ? admin_16.patch ? admin_role_fix_3.patch ? aggregator-form-feed-cleanup-0.patch ? assert_link_followup.patch ? bah_1.patch ? blah.patch ? blah.txt ? blog_multiple_content_types_0.patch ? cache_42_0.patch ? cache_frh.patch ? cache_friendly_0.patch ? cache_friendly_1.patch ? cache_update-220592-44.patch ? case-sensitive-revert-1_0.patch ? comment_save_refactor_0_1.patch ? consistent_iso_inc_quoting-0-d7.patch ? contact-229660-10.patch ? cron-trigger3.patch ? cvs-release-notes.php ? d7-garland-comment-links_1.patch ? d7ux_header_jun14.patch ? default.patch ? die-phptemplate-prefix-die-422116-23.patch ? distinguish-updates-431148-23.patch ? drupal-363580.patch ? drupal-comments-HEAD.patch ? drupal-error_2.patch ? drupal-get-filename-341140-18-D7.patch ? drupal-install-enable-multiple-dbs.patch ? drupal-php-eval_3.patch ? drupal.aggregator_module_block_save.patch ? drupal.js-query-string.patch ? drupal7-sun.randomName.patch ? drupal_add_jscss_reset.patch ? drupal_menu_breadcrumbs.patch ? email_trim_0.patch ? enable_search.patch ? extend_1.patch ? field-attach-load-multiple-362024-47.patch ? field-test-db-assumptions-392706-21.patch ? field_doc_typo.patch ? field_no_revision_cache-456488-6.patch ? field_no_revision_cache-456488-8.patch ? field_no_revision_cache-456488-8_0.patch ? field_obj_by_ref-453726-4.patch ? field_query-392494-41.patch ? field_query-392494-51.patch ? field_query-followup-392494-56.patch ? field_query.patch ? field_storage_write.patch ? field_test_fix.patch ? field_test_save.patch ? fieldset, ? filter-cm.patch ? filter-tets-omg-awesome.patch ? filter_to_formats_0.patch ? fix483808andRemoveINs.patch ? fix_warning_update.patch ? followup-351487-30.patch ? font-w+ight: bold; ? formapi_1.patch ? forum_menu_1.patch ? forum_module_grammar.patch ? get_path_alias_12.patch ? granular-455844-99.patch ? granular_4.patch ? granular_templates-followup-455844-103.patch ? hide_operations.patch ? hook-classes-306358-128.patch ? hook_schema_remove_t_docs.patch ? image_docs.patch ? imagetoolkit_bug_fixes.patch ? include.module_0.patch ? indent-fu-345591-28.patch ? information_schema_comment_fix.patch ? inmagic_0.patch ? inmagic_1.patch ? innodb_ftw_1.patch ? innodb_ftw_3.patch ? internal_0.patch ? issue-276597-passed.patch ? issue-320011.patch ? issue_359391.patch ? issue_359391_v3.patch ? jamesan_266153-28.patch ? jamesan_270685-12.patch ? jamesan_270685.patch ? jamesan_480414-1.patch ? js-function.patch ? jsomers_336475_6.patch ? killswitch-1.patch ? log-errors-443154-2.patch ? mail_docs_455172_1.patch ? maint_files.patch ? maint_files_1.patch ? menu.description.cleanup_0_0.patch ? menu_empty_text1.patch ? more-kill-box-372471-25.patch ? ndm_1.patch ? node-title-attribute_1.patch ? node-tpl-php-new2.patch ? node_save_0_0.patch ? node_types_27.patch ? node_types_fix.patch ? number-prefix-356908-10.patch ? openid-help-2.patch ? panels_13.patch ? patch.patch ? path_default.patch ? php_node_0.patch ? poll-block_false.patch ? poll_default_translation_choices.patch ? poll_node_block_fixes_1.patch ? prefix_cache_filename_1.patch ? profile_get_fields_condition2.patch ? profile_render_array.patch ? randomstring_9.patch ? regression.patch ? remember_php_is_not_typed_2.patch ? removedrupalcreatefield-instances-368639-18.patch ? request_uri_slash_d6.patch ? search_index_content.patch ? setup_rebuild_node_types.patch ? simpletest_339210_0_0.patch ? simpletest_fix_pgsql3.patch ? simpletest_test_table, ? site.configuration.descriptions.cleanup_0_1.patch ? sites-all-override-480044-1.patch ? smook ? sortbytitle2.patch ? sortbytitle3.patch ? sqlite_placeholders_1.patch ? status.patch ? system-clean-url-redirect-496922-1.patch ? taxonomy_weight-394422_1.patch ? test-breakpoint-452416-10.patch ? test_strict_getInfo_followup.patch ? text_sanitiza_followup-369011-53.patch ? theme_11.patch ? top_region_468534_0.patch ? trigger-follow_0.patch ? tyop.patch ? unholiness.v4.patch ? unholiness.v5.patch ? unholiness.v8.patch ? user-ashdasd.patch ? user_settings_04.patch ? vertical-tabs-summaries-stark_03.patch ? vertical-tabs.css__0.patch ? vertical-tabs.css__1.patch ? whoops_0.patch ? includes/.DS_Store ? includes/.new.Aq1l4S ? misc/operations.js ? modules/admin ? modules/simpletest/.new.licpIX ? modules/system/.new.60w0ZI ? sites/defaultsettings.php ? sites/all/modules/not_modules ? sites/default/files ? sites/default/sasquatch ? sites/default/settings.php Index: modules/filter/filter.test =================================================================== RCS file: /cvs/drupal/drupal/modules/filter/filter.test,v retrieving revision 1.23 diff -u -p -r1.23 filter.test --- modules/filter/filter.test 12 Jun 2009 08:39:37 -0000 1.23 +++ modules/filter/filter.test 28 Jun 2009 11:34:12 -0000 @@ -197,9 +197,19 @@ class FilterTestCase extends DrupalWebTe } /** - * Test the line break filter + * Test the line break filter. */ function testLineBreakFilter() { + + // Single line breaks should be changed to
tags, while paragraphs + // separated with double line breaks should be enclosed with

tags. + $f = _filter_autop("aaa\nbbb\n\nccc"); + $this->assertEqual(str_replace("\n", '', $f), "

aaa
bbb

ccc

", t('Line breaking basic case.')); + + // Text within some contexts should not be processed. + $f = _filter_autop(""); + $this->assertEqual($f, "", t('Line breaking -- do not break scripts.')); + $f = _filter_autop('

'); $this->assertEqual(substr_count($f, '

'), substr_count($f, '

'), t('Make sure line breaking produces matching paragraph tags.')); @@ -215,10 +225,381 @@ class FilterTestCase extends DrupalWebTe } /** - * Test the HTML filter + * Test limiting allowed tags, XSS prevention and adding 'nofollow' to links. + * XSS tests assume that script is dissallowed on default and src is allowed on default, but on* and style are dissallowed. + * + * Script injection vectors mostly adopted from http://ha.ckers.org/xss.html. + * + * Relevant CVEs: + * CVE-2002-1806, ~CVE-2005-0682, ~CVE-2005-2106, CVE-2005-3973, + * CVE-2006-1226 (= rev. 1.112?), CVE-2008-0273, CVE-2008-3740. + * */ function testHtmlFilter() { + // Tag stripping, different ways to work around removal of HTML tags. + $f = filter_xss(''); + $this->assertNoNormalized($f, 'script', t('HTML tag stripping -- simple script without special characters.')); + + $f = filter_xss(''); + $this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- non whitespace character after tag name.')); + + $f = filter_xss(''); + $this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- no space between tag and attribute.')); + + // Null between < and tag name works at least with IE6. + $f = filter_xss("<\0scr\0ipt>alert(0)"); + $this->assertNoNormalized($f, 'ipt', t('HTML tag stripping evasion -- breaking HTML with nulls.')); + + $f = filter_xss(""); + $this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- filter just removing "script".')); + + $f = filter_xss('<'); + $this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- double opening brackets.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- a malformed image tag.')); + + $f = filter_xss('
', array('blockquote')); + $this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- script in a blockqoute.')); + + $f = filter_xss(""); + $this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- script within a comment.')); + + // Dangerous attributes removal. + $f = filter_xss('

', array('p')); + $this->assertNoNormalized($f, 'onmouseover', t('HTML filter attributes removal -- events, no evasion.')); + + $f = filter_xss('

  • ', array('li')); + $this->assertNoNormalized($f, 'style', t('HTML filter attributes removal -- style, no evasion.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'onerror', t('HTML filter attributes removal evasion -- spaces before equals sign.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'onabort', t('HTML filter attributes removal evasion -- non alphanumeric characters before equals sign.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'onmediaerror', t('HTML filter attributes removal evasion -- varying case.')); + + // Works at least with IE6. + $f = filter_xss("", array('img')); + $this->assertNoNormalized($f, 'focus', t('HTML filter attributes removal evasion -- breaking with nulls.')); + + // Only whitelisted scheme names in allowed attributes. + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing -- no evasion.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing evasion -- no quotes.')); + + // A bit like CVE-2006-0070. + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing evasion -- no alert ;)')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing evasion -- grave accents.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing -- rare attribute.')); + + $f = filter_xss('', array('table')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing -- another tag.')); + + $f = filter_xss('', array('base')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing -- one more attribute and tag.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing evasion -- varying case.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing evasion -- UTF-8 decimal encoding.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing evasion -- long UTF-8 encoding.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing evasion -- UTF-8 hex encoding.')); + + $f = filter_xss("", array('img')); + $this->assertNoNormalized($f, 'script', t('HTML scheme clearing evasion -- an embedded tab.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'script', t('HTML scheme clearing evasion -- an encoded, embedded tab.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'script', t('HTML scheme clearing evasion -- an encoded, embedded newline.')); + + // With this test would fail, but the entity gets turned into + // &#xD;, so it's OK. + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'script', t('HTML scheme clearing evasion -- an encoded, embedded carriage return.')); + + $f = filter_xss("", array('img')); + $this->assertNoNormalized($f, 'cript', t('HTML scheme clearing evasion -- broken into many lines.')); + + $f = filter_xss("", array('img')); + $this->assertNoNormalized($f, 'cript', t('HTML scheme clearing evasion -- embedded nulls.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing evasion -- spaces and metacharacters before scheme.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'vbscript', t('HTML scheme clearing evasion -- another scheme.')); + + $f = filter_xss('', array('img')); + $this->assertNoNormalized($f, 'nosuchscheme', t('HTML scheme clearing evasion -- unknown scheme.')); + + // Netscape 4.x javascript entities. + $f = filter_xss('
    ', array('br')); + $this->assertNoNormalized($f, 'alert', t('Netscape 4.x javascript entities.')); + + // Invalid UTF-8, these only work as reflected XSS with Internet Explorer 6. + $f = filter_xss("

    \" style=\"background-image: url(javascript:alert(0));\"\xe0

    ", array('p')); // DRUPAL-SA-2008-006 + $this->assertNoNormalized($f, 'style', t('HTML filter -- invalid UTF-8.')); + + $f = filter_xss("\xc0aaa"); + $this->assertEqual($f, '', t('HTML filter -- overlong UTF-8 sequences.')); + } + + /** + * Test filter settings, defaults, access restrictions and similar. + * + * TODO: This is for functions like filter_filter and check_markup, whose + * functionality is not completely focused on filtering. Some ideas: + * restricting formats according to user permissions, proper cache + * handling, defaults -- allowed tags/attributes/protocols. + * + * TODO: It is possible to add script, iframe etc. to allowed tags, but + * this makes HTML filter completely ineffective. + * + * TODO: Class, id, name and xmlns should be added to disallowed attributes, + * or better a whitelist approach should be used for that too. + */ + function testFilter() { + // Check that access restriction really works. + + // HTML filter is not able to secure some tags, these should never be + // allowed. + $f = filter_filter('process', 0, 'no_such_format', '', 'f'); + $this->assertEqual($f, '', t('Converting URLs -- do not process scripts.')); + + // Addresses in attributes should not be converted. + $f = _filter_url('

    ', 'f'); + $this->assertEqual($f, '

    ', t('Converting URLs -- do not convert addresses in attributes.')); + + $f = _filter_url('text', 'f'); + $this->assertEqual($f, 'text', t('Converting URLs -- do not break existing links with custom title attribute.')); + + // Even though a dot at the end of a URL can indicate a fully qualified + // domain name, such usage is rare compared to using a link at the end + // of a sentence, so remove the dot from the link. + // name. It can also be used at the end of a filename or a query string + $f = _filter_url('www.example.com.', 'f'); + $this->assertEqual($f, 'www.example.com.', t('Converting URLs -- do not recognize a dot at the end of a domain name (FQDNs).')); + + $f = _filter_url('http://www.example.com.', 'f'); + $this->assertEqual($f, 'http://www.example.com.', t('Converting URLs -- do not recognize a dot at the end of an URL (FQDNs).')); + + $f = _filter_url('www.example.com/index.php?a=.', 'f'); + $this->assertEqual($f, 'www.example.com/index.php?a=.', t('Converting URLs -- do forget about a dot at the end of a query string.')); + } + + /** + * Test the HTML corrector. + * + * TODO: This test could really use some validity checking function. + */ + function testHtmlCorrector() { + // Tag closing. + $f = _filter_htmlcorrector('

    text'); + $this->assertEqual($f, '

    text

    ', t('HTML corrector -- tag closing at the end of input.')); + + $f = _filter_htmlcorrector('

    text

    text'); + $this->assertEqual($f, '

    text

    text

    ', t('HTML corrector -- tag closing.')); + + $f = _filter_htmlcorrector("