diff options
author | Daniel Stenberg <daniel@haxx.se> | 2013-06-15 23:47:02 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2013-06-22 14:15:07 +0200 |
commit | 7877619f856a04af0519e92780b1d6674a8ff3f7 (patch) | |
tree | 6b1c1f0c5ef5761494be6d5d2851a6c196917898 /tests | |
parent | ec248b590df3ac2e6873ea9c7507eff8e5044825 (diff) |
dotdot: introducing dot file path cleanup
RFC3986 details how a path part passed in as part of a URI should be
"cleaned" from dot sequences before getting used. The described
algorithm is now implemented in lib/dotdot.c with the accompanied test
case in test 1395.
Bug: http://curl.haxx.se/bug/view.cgi?id=1200
Reported-by: Alex Vinnik
Diffstat (limited to 'tests')
-rw-r--r-- | tests/data/Makefile.am | 2 | ||||
-rw-r--r-- | tests/data/test1231 | 61 | ||||
-rw-r--r-- | tests/data/test1395 | 26 | ||||
-rw-r--r-- | tests/unit/Makefile.inc | 5 | ||||
-rw-r--r-- | tests/unit/unit1395.c | 87 |
5 files changed, 179 insertions, 2 deletions
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index e96bc9ba1..ecfee4850 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -93,7 +93,7 @@ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ test1216 test1217 test1218 test1219 \ test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \ -test1228 test1229 test1230 \ +test1228 test1229 test1230 test1231 \ \ test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \ test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \ diff --git a/tests/data/test1231 b/tests/data/test1231 new file mode 100644 index 000000000..16533a851 --- /dev/null +++ b/tests/data/test1231 @@ -0,0 +1,61 @@ +<testcase> +<info> +<keywords> +HTTP +HTTP GET +dotdot removal +</keywords> +</info> + +# +# Server-side +<reply name="1"> +<data> +HTTP/1.1 200 OK +Content-Length: 6 +Connection: close + +-foo- +</data> + +<data1> +HTTP/1.1 200 OK +Content-Length: 7 +Connection: close + +-cool- +</data1> +</reply> + +# +# Client-side +<client> +<server> +http +</server> + <name> +HTTP URL with dotdot removal from path + </name> + <command> +http://%HOSTIP:%HTTPPORT/../../hej/but/who/../1231?stupid=me/../1231#soo/../1231 http://%HOSTIP:%HTTPPORT/../../hej/but/who/../12310001#/../12310001 +</command> +</client> + +# +# Verify data after the test has been "shot" +<verify> +<strip> +^User-Agent:.* +</strip> +<protocol> +GET /hej/but/1231?stupid=me/../1231 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+GET /hej/but/12310001 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+</protocol> +</verify> +</testcase> diff --git a/tests/data/test1395 b/tests/data/test1395 new file mode 100644 index 000000000..967c8d492 --- /dev/null +++ b/tests/data/test1395 @@ -0,0 +1,26 @@ +<testcase> +<info> +<keywords> +unittest +</keywords> +</info> + +# +# Client-side +<client> +<server> +none +</server> +<features> +unittest +</features> + <name> +Curl_dedotdotify + </name> +<tool> +unit1395 +</tool> + +</client> + +</testcase> diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc index 4b3f903e3..4c06fcf86 100644 --- a/tests/unit/Makefile.inc +++ b/tests/unit/Makefile.inc @@ -6,7 +6,7 @@ UNITFILES = curlcheck.h \ # These are all unit test programs UNITPROGS = unit1300 unit1301 unit1302 unit1303 unit1304 unit1305 unit1307 \ - unit1308 unit1309 unit1330 unit1394 unit1396 + unit1308 unit1309 unit1330 unit1394 unit1395 unit1396 unit1300_SOURCES = unit1300.c $(UNITFILES) unit1300_CPPFLAGS = $(AM_CPPFLAGS) @@ -44,5 +44,8 @@ unit1394_LDADD = @LIBMETALINK_LIBS@ $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS unit1394_LDFLAGS = @LIBMETALINK_LDFLAGS@ $(top_builddir)/src/libcurltool.la unit1394_LIBS = +unit1395_SOURCES = unit1395.c $(UNITFILES) +unit1395_CPPFLAGS = $(AM_CPPFLAGS) + unit1396_SOURCES = unit1396.c $(UNITFILES) unit1396_CPPFLAGS = $(AM_CPPFLAGS) diff --git a/tests/unit/unit1395.c b/tests/unit/unit1395.c new file mode 100644 index 000000000..8b0b0a08a --- /dev/null +++ b/tests/unit/unit1395.c @@ -0,0 +1,87 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ +#include "curlcheck.h" + +#include "dotdot.h" + +#include "memdebug.h" + +static CURLcode unit_setup(void) +{ + return CURLE_OK; +} + +static void unit_stop(void) +{ + +} + +struct dotdot { + const char *input; + const char *output; +}; + +UNITTEST_START + + unsigned int i; + int fails=0; + struct dotdot pairs[] = { + { "/a/b/c/./../../g", "/a/g" }, + { "mid/content=5/../6", "mid/6" }, + { "/hello/../moo", "/moo" }, + { "/1/../1", "/1" }, + { "/1/./1", "/1/1" }, + { "/1/..", "/" }, + { "/1/.", "/1/" }, + { "/1/./..", "/" }, + { "/1/./../2", "/2" }, + { "/hello/1/./../2", "/hello/2" }, + { "test/this", "test/this" }, + { "test/this/../now", "test/now" }, + { "/1../moo../foo", "/1../moo../foo"}, + { "/../../moo", "/moo"}, + { "/../../moo?andnot/../yay", "/moo?andnot/../yay"}, + { "/123?foo=/./&bar=/../", "/123?foo=/./&bar=/../"}, + { "/../moo/..?what", "/?what" }, + }; + + for(i=0; i < sizeof(pairs)/sizeof(pairs[0]); i++) { + char *out = Curl_dedotdotify((char *)pairs[i].input); + + if(strcmp(out, pairs[i].output)) { + fprintf(stderr, "Test %d: '%s' gave '%s' instead of '%s'\n", + i, pairs[i].input, out, pairs[i].output); + fail("Test case output mismatched"); + fails++; + } + else + fprintf(stderr, "Test %d: OK\n", i); + free(out); + } + + return fails; + +UNITTEST_STOP + + + + |