comparison secure_link.t @ 1213:64f287c8cc62
Tests: more corner cases for secure_link module.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 29 Aug 2017 17:21:42 +0300 |
parents | 882267679006 |
children | 97c8280de681 |
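--- a/secure_link.t
+++ b/secure_link.t
@@ -22,11 +22,11 @@
 ###############################################################################
 
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(10);
+my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(19);
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
 
@@ -109,10 +109,14 @@
 }
 
 return 403;
 }
 }
+
+location /stub {
+return 200 x$secure_link${secure_link_expires}x;
+}
 }
 }
 
 EOF
 
@@ -126,10 +130,26 @@
 
 like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA=='),
 qr/PASSED/, 'request md5');
 like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA'),
 qr/PASSED/, 'request md5 no padding');
+
+TODO: {
+todo_skip 'stack-buffer-overflow', 1 unless $ENV{TEST_NGINX_UNSAFE}
+or $t->has_version('1.13.5');
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHAQQ'),
+qr/^HTTP.*403/, 'request md5 too long');
+
+}
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA-TOOLONG'),
+qr/^HTTP.*403/, 'request md5 too long encoding');
+like(http_get('/test.html?hash=BADHASHLENGTH'),
+qr/^HTTP.*403/, 'request md5 decode error');
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHX=='),
+qr/^HTTP.*403/, 'request md5 mismatch');
 like(http_get('/test.html'), qr/^HTTP.*403/, 'request no hash');
 
 # new style with expires
 
 my ($expires, $hash);
@@ -144,18 +164,30 @@
 $expires = time() - 86400;
 $hash = encode_base64url(md5("secret/expires.html$expires"));
 like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
 qr/^HTTP.*403/, 'request md5 expired');
 
+$expires = 0;
+$hash = encode_base64url(md5("secret/expires.html$expires"));
+like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
+qr/^HTTP.*403/, 'request md5 invalid expiration');
+
 # old style
 
 like(http_get('/p/' . md5_hex('test.html' . 'secret') . '/test.html'),
 qr/PASSED/, 'request old style');
 like(http_get('/p/' . md5_hex('fake') . '/test.html'), qr/^HTTP.*403/,
 'request old style fake hash');
+like(http_get('/p/' . 'foo' . '/test.html'), qr/^HTTP.*403/,
+'request old style short hash');
+like(http_get('/p/' . 'x' x 32 . '/test.html'), qr/^HTTP.*403/,
+'request old style corrupt hash');
+like(http_get('/p%2f'), qr/^HTTP.*403/, 'request old style bad uri');
 like(http_get('/p/test.html'), qr/^HTTP.*403/, 'request old style no hash');
 like(http_get('/inheritance/test'), qr/PASSED/, 'inheritance');
+
+like(http_get('/stub'), qr/xx/, 'secure_link not found');
 
 ###############################################################################
 
 sub encode_base64url {
 my $e = encode_base64(shift, "");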
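Review bot: The `TODO:` block around 'request md5 too long' has no comment saying why this one request is guarded, and the test name does not explain it. The hash `q-5vpkjBkRXXtkUMXiJVHAQQ` is 24 base64url characters, which decode to 18 bytes, two more than an MD5 digest, so it is presumably the input that triggers the overflow named in the skip message on servers older than 1.13.5. I would add a comment above `todo_skip`, for example `# 24 base64url chars decode to 18 bytes, past the 16-byte digest; only sent to pre-1.13.5 servers when TEST_NGINX_UNSAFE is set`. The neighbouring cases ('too long encoding', 'decode error', 'mismatch', 'invalid expiration') assert only the 403 status, so they cannot show which rejection path fired. A one-line comment per case naming the intended path would keep that intent visible to whoever next edits the module.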