1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
#!perl -T
#########################
use Test::More tests => 5;
BEGIN { use_ok('CGI::Application::Plugin::AutoRunmode::FileDelegate') };
#########################
# Test CGI::App class
{
package MyTestApp;
use base 'CGI::Application';
use CGI::Application::Plugin::AutoRunmode
qw [ cgiapp_prerun];
sub setup{
my $self = shift;
$self->param(
'::Plugin::AutoRunmode::delegate' =>
new CGI::Application::Plugin::AutoRunmode::FileDelegate('t/runmodes')
);
}
}
{
package MyTestAppWithTwoDirectories;
use base 'CGI::Application';
use CGI::Application::Plugin::AutoRunmode
qw [ cgiapp_prerun];
sub setup{
my $self = shift;
$self->param(
'::Plugin::AutoRunmode::delegate' =>
new CGI::Application::Plugin::AutoRunmode::FileDelegate('t/runmodes', 't/runmodes/sub')
);
}
}
$ENV{CGI_APP_RETURN_ONLY} = 1;
$ENV{REQUEST_METHOD} = 'GET';
$ENV{QUERY_STRING} = 'rm=mode1&tainted=' . $ENV{PATH};
use CGI;
my $q = new CGI;
{
my $testname = "call delegate runmode";
my $app = new MyTestApp(QUERY=>$q);
my $t = $app->run;
ok ($t =~ /called mode1/, $testname);
}
{
my $testname = "security check - try to escape";
$q->param(rm => '../runmodes/mode1');
my $app = new MyTestApp(QUERY=>$q);
eval{ my $t = $app->run; };
ok ($@ =~ /^No such/, $testname);
}
{
my $testname = "security check also disallows subdirectories";
$q->param(rm => 'sub/submode');
my $app = new MyTestApp(QUERY=>$q);
eval{ my $t = $app->run; };
ok ($@ =~ /^No such/, $testname);
}
{
my $testname = "multiple directories";
$q->param(rm => 'submode');
my $app = new MyTestAppWithTwoDirectories(QUERY=>$q);
my $t = $app->run;
ok ($t =~ /called submode/, $testname);
}
|
