nginx-tests: secure_link.t comparison

comparison secure_link.t @ 1213:64f287c8cc62

Tests: more corner cases for secure_link module.

author	Sergey Kandaurov <pluknet@nginx.com>
date	Tue, 29 Aug 2017 17:21:42 +0300
parents	882267679006
children	97c8280de681

comparison

equal deleted inserted replaced

-:0469ef3fcd34
+:64f287c8cc62
 ###############################################################################
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
-my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(10);
+my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(19);
 $t->write_file_expand('nginx.conf', <<'EOF');
 %%TEST_GLOBALS%%
 }
 return 403;
 }
 }
+location /stub {
+return 200 x$secure_link${secure_link_expires}x;
+}
 }
 }
 EOF
 like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA=='),
 	qr/PASSED/, 'request md5');
 like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA'),
 	qr/PASSED/, 'request md5 no padding');
+TODO: {
+todo_skip 'stack-buffer-overflow', 1 unless $ENV{TEST_NGINX_UNSAFE}
+	or $t->has_version('1.13.5');
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHAQQ'),
+	qr/^HTTP.*403/, 'request md5 too long');
+}
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA-TOOLONG'),
+	qr/^HTTP.*403/, 'request md5 too long encoding');
+like(http_get('/test.html?hash=BADHASHLENGTH'),
+	qr/^HTTP.*403/, 'request md5 decode error');
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHX=='),
+	qr/^HTTP.*403/, 'request md5 mismatch');
 like(http_get('/test.html'), qr/^HTTP.*403/, 'request no hash');
 # new style with expires
 my ($expires, $hash);
 $expires = time() - 86400;
 $hash = encode_base64url(md5("secret/expires.html$expires"));
 like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
 	qr/^HTTP.*403/, 'request md5 expired');
+$expires = 0;
+$hash = encode_base64url(md5("secret/expires.html$expires"));
+like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
+	qr/^HTTP.*403/, 'request md5 invalid expiration');
 # old style
 like(http_get('/p/' . md5_hex('test.html' . 'secret') . '/test.html'),
 	qr/PASSED/, 'request old style');
 like(http_get('/p/' . md5_hex('fake') . '/test.html'), qr/^HTTP.*403/,
 	'request old style fake hash');
+like(http_get('/p/' . 'foo' . '/test.html'), qr/^HTTP.*403/,
+	'request old style short hash');
+like(http_get('/p/' . 'x' x 32 . '/test.html'), qr/^HTTP.*403/,
+	'request old style corrupt hash');
+like(http_get('/p%2f'), qr/^HTTP.*403/, 'request old style bad uri');
 like(http_get('/p/test.html'), qr/^HTTP.*403/, 'request old style no hash');
 like(http_get('/inheritance/test'), qr/PASSED/, 'inheritance');
+like(http_get('/stub'), qr/xx/, 'secure_link not found');
 ###############################################################################
 sub encode_base64url {
 	my $e = encode_base64(shift, "");

Mercurial > hg > nginx-tests

comparison secure_link.t @ 1213:64f287c8cc62