use Test::More 'no_plan';
use strict;
$ENV{CGI_APP_RETURN_ONLY} = 1;
use URI;
use URI::QueryParam;
my $Created_Link;
my $Checksum_Callback_Called = 0;
{
    # Minimal CGI::Application subclass used as the application under test.
    package WebApp;
    use CGI;
    use CGI::Application;
    use vars qw(@ISA);
    use URI;
    use URI::Escape;
    @ISA = ('CGI::Application');
    use Test::More;
    use CGI::Application::Plugin::LinkIntegrity;

    sub setup {
        my $self = shift;
        $self->header_type('none');
        $self->run_modes([qw(
            link_okay
            create_link
            bad_user_no_biscuit
        )]);

        # Secret used to key the link checksum (test value only).
        my %li_config = (
            secret => 'extree seekrit',
        );

        # Optional: send tampered links to a custom run mode.
        if ($self->param('custom_rm')) {
            $li_config{'link_tampered_run_mode'} = 'bad_user_no_biscuit';
        }

        # Optional: use a custom name for the checksum query parameter.
        if ($self->param('check')) {
            $li_config{'checksum_param'} = $self->param('check');
        }

        if ($self->param('create_link')) {
            # The request that builds the link carries no checksum itself,
            # so verification is disabled for it.
            $self->start_mode('create_link');
            $li_config{'disable'} = 1;
        }
        else {
            $self->start_mode('link_okay');
        }

        $self->link_integrity_config(
            %li_config,
        );
    }

    sub link_okay {
        my $self = shift;
        return 'rm=link_okay';
    }

    # Returns the given URL with the checksum parameter appended.
    sub create_link {
        my $self = shift;
        return $self->link($self->param('create_link'));
    }

    sub bad_user_no_biscuit {
        my $self = shift;
        return 'rm=bad_user_no_biscuit';
    }

    # Defined but never registered as a hook in this test.
    sub checksum_callback {
        $Checksum_Callback_Called = 1;
    }
}
###########################################################################

# Give CGI an empty STDIN so the simulated POST requests have no body.
local *STDIN;
open(STDIN, '<', '/dev/null');

# Build the link
$ENV{'REQUEST_METHOD'} = 'POST';
$ENV{'SERVER_PORT'}    = '80';
$ENV{'SCRIPT_NAME'}    = '/cgi-bin/app.cgi';
$ENV{'SERVER_NAME'}    = 'www.example.com';
$ENV{'PATH_INFO'}      = '/my/happy/pathy/info';
$ENV{'QUERY_STRING'}   = 'zap=zoom&zap=zub&guff=gubbins&zap=zuzzu';

my $link = URI->new(WebApp->new(PARAMS => {
    create_link => 'http://www.example.com/script.cgi/path/info?p1=v1&p2=v2&p2=v3',
})->run);

# Validate it: replay the generated link as the incoming request
$ENV{'REQUEST_METHOD'} = 'POST';
$ENV{'SERVER_PORT'}    = $link->port;
$ENV{'SCRIPT_NAME'}    = $link->path;
$ENV{'SERVER_NAME'}    = $link->authority;
$ENV{'PATH_INFO'}      = '';
$ENV{'QUERY_STRING'}   = $link->query;

is(WebApp->new->run, 'rm=link_okay', 'link_okay');

# remove the _checksum from the query - this should invalidate it
my $checksum = $link->query_param_delete('_checksum');
$ENV{'QUERY_STRING'} = $link->query;

ok(!$Checksum_Callback_Called, 'checksum hook not yet called');

# With no link_tampered_run_mode configured, the default response is returned.
is(WebApp->new->run, '<h1>Access Denied</h1>', 'link_tampered (checksum removed)');

# checksum_callback is never registered above, so the flag must remain unset.
ok(!$Checksum_Callback_Called, 'checksum hook still not called');