# HG changeset patch
# User Sergey Kandaurov
# Date 1504016502 -10800
# Node ID 64f287c8cc62b8429d8e2e93f4151f61c36fefe6
# Parent 0469ef3fcd34b804327c82717a1b97c18d4ca500
Tests: more corner cases for secure_link module.
diff --git a/secure_link.t b/secure_link.t
--- a/secure_link.t
+++ b/secure_link.t
@@ -24,7 +24,7 @@ use Test::Nginx;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
-my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(10);
+my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(19);
 $t->write_file_expand('nginx.conf', <<'EOF');
@@ -111,6 +111,10 @@ http {
 return 403;
 }
 }
+
+ location /stub {
+ return 200 x$secure_link${secure_link_expires}x;
+ }
 }
 }
@@ -128,6 +132,22 @@ like(http_get('/test.html?hash=q-5vpkjBk
 qr/PASSED/, 'request md5');
 like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA'),
 qr/PASSED/, 'request md5 no padding');
+
+TODO: {
+todo_skip 'stack-buffer-overflow', 1 unless $ENV{TEST_NGINX_UNSAFE}
+ or $t->has_version('1.13.5');
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHAQQ'),
+ qr/^HTTP.*403/, 'request md5 too long');
+
+}
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA-TOOLONG'),
+ qr/^HTTP.*403/, 'request md5 too long encoding');
+like(http_get('/test.html?hash=BADHASHLENGTH'),
+ qr/^HTTP.*403/, 'request md5 decode error');
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHX=='),
+ qr/^HTTP.*403/, 'request md5 mismatch');
 like(http_get('/test.html'), qr/^HTTP.*403/, 'request no hash');
 # new style with expires
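Review bot: The new `location /stub` block has no comment saying what it is for, and its purpose only becomes clear from the 'secure_link not found' assertion much further down the file. The block sets no `secure_link` directive of its own, so the test appears to rely on both variables evaluating to empty; a one-line config comment above the location, such as `# no secure_link configured here: both variables are expected to be empty`, would record that. The enclosing `server` block starts outside the hunk, so whether a `secure_link` setting is inherited cannot be checked from here.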
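Review bot: The `TODO` block gates the over-long hash request behind `TEST_NGINX_UNSAFE` or version 1.13.5, but the only explanation is the terse skip reason `'stack-buffer-overflow'`. A short comment above `todo_skip` should say that the 24-character value decodes to more bytes than an MD5 digest and that, judging by the skip reason, servers before the fix overrun a stack buffer on it, e.g. `# decoded hash is longer than an MD5 digest; unsafe to send before 1.13.5`. Separately, 'request md5 mismatch' differs from the valid hash only in the final base64url character, of which only the top two bits contribute to the sixteenth byte; altering a character earlier in the string would make the mismatch independent of how the decoder treats trailing bits.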
@@ -146,15 +166,27 @@ like(http_get('/expires.html?hash=' . $h
 like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
 qr/^HTTP.*403/, 'request md5 expired');
+$expires = 0;
+$hash = encode_base64url(md5("secret/expires.html$expires"));
+like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
+ qr/^HTTP.*403/, 'request md5 invalid expiration');
+
 # old style
 like(http_get('/p/' . md5_hex('test.html' . 'secret') . '/test.html'),
 qr/PASSED/, 'request old style');
 like(http_get('/p/' . md5_hex('fake') . '/test.html'),
 qr/^HTTP.*403/, 'request old style fake hash');
+like(http_get('/p/' . 'foo' . '/test.html'), qr/^HTTP.*403/,
+ 'request old style short hash');
+like(http_get('/p/' . 'x' x 32 . '/test.html'), qr/^HTTP.*403/,
+ 'request old style corrupt hash');
+like(http_get('/p%2f'), qr/^HTTP.*403/, 'request old style bad uri');
 like(http_get('/p/test.html'), qr/^HTTP.*403/, 'request old style no hash');
 like(http_get('/inheritance/test'), qr/PASSED/, 'inheritance');
+like(http_get('/stub'), qr/xx/, 'secure_link not found');
+
 ###############################################################################
 sub encode_base64url {
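Review bot: 'request md5 invalid expiration' cannot tell an invalid expiry from an expired one, because `$expires = 0` is also a time in the past and the test asserts the same `403` as the 'request md5 expired' case just above it. The hash is computed over the same `$expires`, so it should match, and the status alone does not show which check rejected the request; the `/expires.html` location is outside the hunk, so how it maps `$secure_link` values to statuses is not visible here. If the intent is to cover the zero-expiry path, say so in a comment such as `# valid hash, expires=0: expected to be rejected as an invalid value rather than as expired`, or assert against a location that echoes `$secure_link` the way `/stub` does. In the same hunk, `'/p/' . 'x' x 32 . '/test.html'` relies on `x` binding tighter than `.`; writing `('x' x 32)` makes that explicit.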