File: CsrfTokenSetTest.php

<?php

namespace MediaWiki\Tests\Session;

use MediaWiki\Request\WebRequest;
use MediaWiki\Session\CsrfTokenSet;
use MediaWiki\Session\SessionManager;
use MediaWiki\User\User;
use MediaWikiIntegrationTestCase;

/**
 * Integration tests for issuing and matching CSRF tokens through CsrfTokenSet.
 *
 * The two cases pin different scoping behaviour: the anonymous case expects a
 * token to be accepted across separate empty sessions, while the registered
 * case expects a token to be rejected by a second session.
 *
 * @covers \MediaWiki\Session\CsrfTokenSet
 * @group Database
 */
class CsrfTokenSetTest extends MediaWikiIntegrationTestCase {

	/**
	 * Create a WebRequest and attach a user to a new empty session obtained for it.
	 *
	 * @param bool $userRegistered True to use the test user from getTestUser(),
	 *   false to use a freshly constructed User (the case the "anon" test relies on)
	 * @return WebRequest The request the empty session was obtained for
	 */
	private function makeRequest( bool $userRegistered ): WebRequest {
		$request = new WebRequest();
		$session = SessionManager::singleton()->getEmptySession( $request );
		if ( $userRegistered ) {
			$sessionUser = $this->getTestUser()->getUser();
		} else {
			$sessionUser = new User();
		}
		$session->setUser( $sessionUser );
		return $request;
	}

	/**
	 * A token issued for one anonymous request must match on a second anonymous
	 * request that has its own empty session, both when passed directly and when
	 * read from a request field.
	 *
	 * NOTE(review): only positive matches are asserted here; rejection of a
	 * non-matching value for anonymous sessions is not covered by this test.
	 */
	public function testCSRFTokens_anon() {
		$issuingRequest = $this->makeRequest( false );
		$issuingTokens = new CsrfTokenSet( $issuingRequest );
		$issuedToken = $issuingTokens->getToken()->toString();

		// Second request with a separate empty session: the token is still accepted.
		$otherRequest = $this->makeRequest( false );
		$otherTokens = new CsrfTokenSet( $otherRequest );
		$this->assertTrue( $otherTokens->matchToken( $issuedToken ) );

		// Same check with the token supplied as a request parameter.
		$otherRequest->setVal( 'wpBlabla', $issuedToken );
		$this->assertTrue( $otherTokens->matchTokenField( 'wpBlabla' ) );
	}

	/**
	 * For a registered user the token must match within the request it was issued
	 * for and must be rejected on a second request that has its own session.
	 */
	public function testCSRFTokens_registered() {
		$field = 'wpBlabla';

		$ownRequest = $this->makeRequest( true );
		$ownTokens = new CsrfTokenSet( $ownRequest );
		$issuedToken = $ownTokens->getToken()->toString();

		// Direct match succeeds; the field lookup fails until the field is set.
		$this->assertTrue( $ownTokens->matchToken( $issuedToken ) );
		$this->assertFalse( $ownTokens->matchTokenField( $field ) );
		$ownRequest->setVal( $field, $issuedToken );
		$this->assertTrue( $ownTokens->matchTokenField( $field ) );

		// A second request/session must not accept the first session's token,
		// via the field or directly. Presumably getTestUser() yields the same
		// user both times, which would make this a per-session check — confirm.
		$otherRequest = $this->makeRequest( true );
		$otherRequest->setVal( $field, $issuedToken );
		$otherTokens = new CsrfTokenSet( $otherRequest );
		$this->assertFalse( $otherTokens->matchTokenField( $field ) );
		$this->assertFalse( $otherTokens->matchToken( $issuedToken ) );
	}
}