author | VirtualTam <virtualtam@flibidi.net> | 2015-09-03 23:12:58 +0200 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2015-09-06 16:14:24 +0200 |
commit | 68bc21353a6138a898724c8bb87684bb2b6b2c1c (patch) | |
tree | 8c100e6ca4cba5870640cf3e0ec688b1f0fa7474 /tests/UtilsTest.php | |
parent | a02257b8aed58ef2f8536c877ce2fb222f84ac40 (diff) | |
Session ID: extend the regex to match possible hash representations
Improves #306
Relates to #335 & #336
Duplicated by #339
Issues:
- PHP regenerates the session ID if it is not compliant
- the regex checking the session ID does not cover all cases
- different algorithms: md5, sha1, sha256, etc.
- bit representations: 4, 5, 6
Fix:
- `index.php`:
- remove `uniqid()` usage
- call `session_regenerate_id()` if an invalid cookie is detected
- regex: support all possible characters - '[a-zA-Z,-]{2,128}'
- tests: add coverage for all algorithms & bit representations
See:
- http://php.net/manual/en/session.configuration.php#ini.session.hash-function
- https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character
- http://php.net/manual/en/function.session-id.php
- http://php.net/manual/en/function.session-regenerate-id.php
- http://php.net/manual/en/function.hash-algos.php
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'tests/UtilsTest.php')
-rwxr-xr-x | tests/UtilsTest.php | 56 |
1 files changed, 52 insertions, 4 deletions
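--- a/tests/UtilsTest.php
+++ b/tests/UtilsTest.php
@@ -4,12 +4,28 @@
 */
 
 require_once 'application/Utils.php';
+require_once 'tests/utils/ReferenceSessionIdHashes.php';
+
+// Initialize reference data before PHPUnit starts a session
+ReferenceSessionIdHashes::genAllHashes();
+
 
 /**
 * Unitary tests for Shaarli utilities
 */
 class UtilsTest extends PHPUnit_Framework_TestCase
 {
+// Session ID hashes
+protected static $sidHashes = null;
+
+/**
+* Assign reference data
+*/
+public static function setUpBeforeClass()
+{
+self::$sidHashes = ReferenceSessionIdHashes::getHashes();
+}
+
 /**
 * Represent a link by its hash
 */
@@ -152,11 +168,41 @@ class UtilsTest extends PHPUnit_Framework_TestCase
 }
 
 /**
-* Test is_session_id_valid with a valid ID.
+* Test is_session_id_valid with a valid ID - TEST ALL THE HASHES!
+*
+* This tests extensively covers all hash algorithms / bit representations
+*/
+public function testIsAnyHashSessionIdValid()
+{
+foreach (self::$sidHashes as $algo => $bpcs) {
+foreach ($bpcs as $bpc => $hash) {
+$this->assertTrue(is_session_id_valid($hash));
+}
+}
+}
+
+/**
+* Test is_session_id_valid with a valid ID - SHA-1 hashes
+*/
+public function testIsSha1SessionIdValid()
+{
+$this->assertTrue(is_session_id_valid(sha1('shaarli')));
+}
+
+/**
+* Test is_session_id_valid with a valid ID - SHA-256 hashes
+*/
+public function testIsSha256SessionIdValid()
+{
+$this->assertTrue(is_session_id_valid(hash('sha256', 'shaarli')));
+}
+
+/**
+* Test is_session_id_valid with a valid ID - SHA-512 hashes
 */
-public function testIsSessionIdValid()
+public function testIsSha512SessionIdValid()
 {
-$this->assertTrue(is_session_id_valid('azertyuiop123456789AZERTYUIOP1aA'));
+$this->assertTrue(is_session_id_valid(hash('sha512', 'shaarli')));
 }
 
 /**
@@ -166,6 +212,8 @@ class UtilsTest extends PHPUnit_Framework_TestCase
 {
 $this->assertFalse(is_session_id_valid(''));
 $this->assertFalse(is_session_id_valid(array()));
-$this->assertFalse(is_session_id_valid('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI='));
+$this->assertFalse(
+is_session_id_valid('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=')
+);
 }
 }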
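Review bot: The nested `assertTrue` in testIsAnyHashSessionIdValid (new lines 177–181) carries no failure message, so when one generated reference ID is rejected the report will not say which hash algorithm or bits-per-character setting produced it, and the `$algo`/`$bpc` loop keys are otherwise unused; pass them as the message, `$this->assertTrue(is_session_id_valid($hash), "$algo, $bpc bits per character");`. The commit description quotes the new pattern as '[a-zA-Z,-]{2,128}', which has no digit class and would reject the hex digests these tests feed in (sha1, sha256 and sha512 output all contain digits); presumably the description dropped `0-9` and index.php carries it, but that file is not in this diff, so it is worth confirming before merge. The negative test in the last hunk still covers only an empty string, an array and a base64 value with a trailing `=`; since the accepted alphabet was widened, a 1-character ID, a 129-character ID and an otherwise-valid ID containing a character just outside the class (such as `.` or `/`) would pin the length bounds and the alphabet the validator is meant to enforce — the sha512 digest is exactly 128 characters, so it sits on the upper bound rather than past it.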