changeset 1213:64f287c8cc62

Tests: more corner cases for secure_link module.
author Sergey Kandaurov <pluknet@nginx.com>
date Tue, 29 Aug 2017 17:21:42 +0300
parents 0469ef3fcd34
children a05ba24a462b
files secure_link.t
diffstat 1 files changed, 33 insertions(+), 1 deletions(-) [+]
--- a/secure_link.t
+++ b/secure_link.t
@@ -24,7 +24,7 @@ use Test::Nginx;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(10);
+my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(19);
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -111,6 +111,10 @@ http {
                 return 403;
             }
         }
+
+        location /stub {
+            return 200 x$secure_link${secure_link_expires}x;
+        }
     }
 }
 
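Review bot: The new `/stub` location only works as a "not found" probe if no `secure_link` directive is in effect there, and nothing in the hunk states that. The enclosing `server` block starts outside the hunk, so inheritance from that level cannot be ruled out from here. A config comment inside the location would keep a later server-level directive from silently changing what the test measures: `# no secure_link in scope: $secure_link and $secure_link_expires must both be empty`.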
@@ -128,6 +132,22 @@ like(http_get('/test.html?hash=q-5vpkjBk
 	qr/PASSED/, 'request md5');
 like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA'),
 	qr/PASSED/, 'request md5 no padding');
+
+TODO: {
+todo_skip 'stack-buffer-overflow', 1 unless $ENV{TEST_NGINX_UNSAFE}
+	or $t->has_version('1.13.5');
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHAQQ'),
+	qr/^HTTP.*403/, 'request md5 too long');
+
+}
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA-TOOLONG'),
+	qr/^HTTP.*403/, 'request md5 too long encoding');
+like(http_get('/test.html?hash=BADHASHLENGTH'),
+	qr/^HTTP.*403/, 'request md5 decode error');
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHX=='),
+	qr/^HTTP.*403/, 'request md5 mismatch');
 like(http_get('/test.html'), qr/^HTTP.*403/, 'request no hash');
 
 # new style with expires
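Review bot: The `TODO:` block around 'request md5 too long' has no comment saying what the gate protects, and the assertion checks only for a 403 status line. Judging by the skip reason, binaries older than 1.13.5 overrun a stack buffer on this request; a non-instrumented build may still answer 403, so a run with `TEST_NGINX_UNSAFE` set is only conclusive against a sanitizer build. I would add above the `todo_skip` line: `# hash decodes to more than the 16 bytes of an MD5 digest; before 1.13.5 this overflows a stack buffer, so unsafe runs need ASan`. The neighbouring 'too long encoding' and 'decode error' cases are not gated, which suggests they are rejected before the decode, but that is not visible in this hunk.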
@@ -146,15 +166,27 @@ like(http_get('/expires.html?hash=' . $h
 like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
 	qr/^HTTP.*403/, 'request md5 expired');
 
+$expires = 0;
+$hash = encode_base64url(md5("secret/expires.html$expires"));
+like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
+	qr/^HTTP.*403/, 'request md5 invalid expiration');
+
 # old style
 
 like(http_get('/p/' . md5_hex('test.html' . 'secret') . '/test.html'),
 	qr/PASSED/, 'request old style');
 like(http_get('/p/' . md5_hex('fake') . '/test.html'), qr/^HTTP.*403/,
 	'request old style fake hash');
+like(http_get('/p/' . 'foo' . '/test.html'), qr/^HTTP.*403/,
+	'request old style short hash');
+like(http_get('/p/' . 'x' x 32 . '/test.html'), qr/^HTTP.*403/,
+	'request old style corrupt hash');
+like(http_get('/p%2f'), qr/^HTTP.*403/, 'request old style bad uri');
 like(http_get('/p/test.html'), qr/^HTTP.*403/, 'request old style no hash');
 like(http_get('/inheritance/test'), qr/PASSED/, 'inheritance');
 
+like(http_get('/stub'), qr/xx/, 'secure_link not found');
+
 ###############################################################################
 
 sub encode_base64url {
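Review bot: The 'secure_link not found' check uses the unanchored `qr/xx/`, which matches those two characters anywhere in the response, headers included, so it does not pin the body to exactly the two delimiters. `like(http_get('/stub'), qr/^xx$/m, 'secure_link not found');` would fail as soon as either variable expanded to anything. Separately, 'request md5 invalid expiration' covers only `expires=0`; negative and non-numeric values look like natural sibling cases, though how the module treats them is not visible here. The body of `encode_base64url` on the hunk's last line continues outside the hunk.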