From d2ea460f138fd1f9a527c9b0ece7cce369fd430b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 30 Oct 2015 11:47:35 +0200 Subject: Fix #3201 --- tests/codeigniter/core/Common_test.php | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'tests/codeigniter') diff --git a/tests/codeigniter/core/Common_test.php b/tests/codeigniter/core/Common_test.php index 999b49cb3..81a185eaf 100644 --- a/tests/codeigniter/core/Common_test.php +++ b/tests/codeigniter/core/Common_test.php @@ -47,6 +47,11 @@ class Common_test extends CI_TestCase { html_escape('Here is a string containing "quoted" text.'), 'Here is a string containing "quoted" text.' ); + + $this->assertEquals( + html_escape(array('associative' => 'and', array('multi' => 'dimentional'))), + array('associative' => 'and', array('multi' => 'dimentional')) + ); } } \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 71b1b3f5b2dcc0f4b652e9494e9853b82541ac8c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 27 Oct 2015 12:30:18 +0200 Subject: Harden xss_clean() --- tests/codeigniter/core/Security_test.php | 35 ++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 15 deletions(-) (limited to 'tests/codeigniter') diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index 52967dc2f..2ef822863 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -115,7 +115,7 @@ class Security_test extends CI_TestCase { public function test_xss_clean_entity_double_encoded() { $input = 'Clickhere'; - $this->assertEquals('Clickhere', $this->security->xss_clean($input)); + $this->assertEquals('Clickhere', $this->security->xss_clean($input)); } // -------------------------------------------------------------------- 
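Review bot: The new assertion passes the nested array through html_escape() and expects it back unchanged, but none of the values ('and', 'dimentional') contains a character an htmlspecialchars-based escaper would touch, so the test cannot distinguish recursive escaping from simply returning the input array and would still pass if nested arrays were left unescaped. Putting an escapable character into at least one nested value makes the regression test meaningful, e.g. `html_escape(array('associative' => 'and', array('multi' => '<dimensional>')))` with the expectation `array('associative' => 'and', array('multi' => '&lt;dimensional&gt;'))`. The same edit fixes the "dimentional" spelling, which is harmless in a test literal but distracting. The enclosing test method opens before this hunk.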
@@ -134,7 +134,7 @@ class Security_test extends CI_TestCase { public function test_xss_clean_js_img_removal() { $input = 'Clickhere'; - $this->assertEquals('', $this->security->xss_clean($input)); + $this->assertEquals('', $this->security->xss_clean($input)); } // -------------------------------------------------------------------- @@ -146,7 +146,7 @@ class Security_test extends CI_TestCase { $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals( - ' src="x">', + ' src="x">', $this->security->xss_clean(' src="x">') ); @@ -160,21 +160,21 @@ class Security_test extends CI_TestCase { public function test_xss_clean_sanitize_naughty_html_attributes() { - $this->assertEquals('', $this->security->xss_clean('')); - $this->assertEquals('', $this->security->xss_clean('')); - $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals('onOutsideOfTag=test', $this->security->xss_clean('onOutsideOfTag=test')); $this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true')); - $this->assertEquals('', $this->security->xss_clean('')); - $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals( - '\' [removed]>', + '\' xss=removed>', $this->security->xss_clean('\' onAfterGreaterThan="quotes">') ); $this->assertEquals( - '\' [removed]>', + '\' xss=removed>', $this->security->xss_clean('\' onAfterGreaterThan=noQuotes>') ); @@ -194,7 +194,7 @@ class Security_test extends CI_TestCase { ); $this->assertEquals( - '', + '', $this->security->xss_clean('') ); 
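Review bot: In test_xss_clean_sanitize_naughty_html_attributes the replacement marker is now spelled out as the literal `xss=removed` in every rewritten expectation, with no comment saying why the sanitizer output changed from `[removed]` to an attribute-shaped token that stays inside the surviving tag text (see `'\' xss=removed>'`). A one-line comment above the first assertion, such as `// xss_clean() now neutralises event handlers in place with an inert xss=removed attribute instead of the [removed] placeholder`, would record the intent for the next reader, and hoisting the marker into a class constant (`const XSS_MARKER = 'xss=removed';`) would make the next marker change a one-line edit instead of the dozen-line rewrite this commit needed. The HTML tags inside the string literals have been stripped by this page's rendering, so the payloads themselves could not be reviewed here. The test method's opening lines are outside the hunk.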
@@ -204,19 +204,24 @@ class Security_test extends CI_TestCase { ); $this->assertEquals( - '', + '', $this->security->xss_clean('') ); $this->assertEquals( - '', + '', $this->security->xss_clean('') ); $this->assertEquals( - '1">', + '1">', $this->security->xss_clean('') ); + + $this->assertEquals( + '', + $this->security->xss_clean('') + ); } // -------------------------------------------------------------------- @@ -228,7 +233,7 @@ class Security_test extends CI_TestCase { public function test_naughty_html_plus_evil_attributes() { $this->assertEquals( - '<svg', + '<svg', $this->security->xss_clean(' src="x" onerror="location=/javascript/.source+/:alert/.source+/(1)/.source">') ); } -- cgit v1.2.3-24-g4f1b From 0a6b0661305f20ac1fbd219d43f59193bea90d1d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 26 Oct 2015 15:31:38 +0200 Subject: Prevent Host header injections --- tests/codeigniter/core/Config_test.php | 47 ++++++++++++---------------------- 1 file changed, 17 insertions(+), 30 deletions(-) (limited to 'tests/codeigniter') diff --git a/tests/codeigniter/core/Config_test.php b/tests/codeigniter/core/Config_test.php index f125fc6e9..26a5f32f5 100644 --- a/tests/codeigniter/core/Config_test.php +++ b/tests/codeigniter/core/Config_test.php 
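Review bot: test_naughty_html_plus_evil_attributes pins the exact sanitized output for the `onerror="location=/javascript/.source+..."` payload, which is why every expectation in this file had to be rewritten when the marker changed; none of the assertions states the property that actually matters, that no event-handler attribute survives the call. Alongside the exact match, add an intent check that is stable across marker changes, e.g. `$this->assertNotRegExp('/\bon\w+\s*=/i', $this->security->xss_clean($input));` (or the equivalent for the PHPUnit version in use), so a future change that alters the marker but leaves `onerror=` intact still fails. The rendered page has stripped the HTML tags out of the string literals, so the `<svg<img ...>` payload and the new final assertion in the preceding hunk (both sides show as empty strings) could not be reviewed here.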
@@ -79,46 +79,33 @@ class Config_test extends CI_TestCase { $old_script_name = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : NULL; $old_script_filename = $_SERVER['SCRIPT_FILENAME']; $old_https = isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : NULL; + $old_server_addr = isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : NULL; - // Setup server vars for detection - $host = 'test.com'; - $path = '/'; - $script = 'base_test.php'; - $_SERVER['HTTP_HOST'] = $host; - $_SERVER['SCRIPT_NAME'] = $path.$script; - $_SERVER['SCRIPT_FILENAME'] = '/foo/bar/'.$script; - - // Rerun constructor + // The 'Host' header is user input and must not be trusted + $_SERVER['HTTP_HOST'] = 'test.com'; $this->config = new $cls; + $this->assertEquals('http://localhost/', $this->config->base_url()); - // Test plain detected (root) - $this->assertEquals('http://'.$host.$path, $this->config->base_url()); - - // Rerun constructor - $path = '/path/'; - $_SERVER['SCRIPT_NAME'] = $path.$script; - $_SERVER['SCRIPT_FILENAME'] = '/foo/bar/'.$path.$script; + // However, we may fallback to the server's IP address + $_SERVER['SERVER_ADDR'] = '127.0.0.1'; + $_SERVER['SCRIPT_NAME'] = '/base_test.php'; + $_SERVER['SCRIPT_FILENAME'] = '/foo/bar/base_test.php'; $this->config = new $cls; + $this->assertEquals('http://127.0.0.1/', $this->config->base_url()); - // Test plain detected (subfolder) - $this->assertEquals('http://'.$host.$path, $this->config->base_url()); - - // Rerun constructor + // Making sure that HTTPS and URI path are also detected $_SERVER['HTTPS'] = 'on'; + $_SERVER['SCRIPT_NAME'] = '/path/base_test.php'; + $_SERVER['SCRIPT_FILENAME'] = '/foo/bar/path/base_test.php'; $this->config = new $cls; - - // Test secure detected - $this->assertEquals('https://'.$host.$path, $this->config->base_url()); + $this->assertEquals('https://127.0.0.1/path/', $this->config->base_url()); // Restore server vars - if ($old_host === NULL) unset($_SERVER['HTTP_HOST']); - else $_SERVER['HTTP_HOST'] 
= $old_host; - if ($old_script_name === NULL) unset($_SERVER['SCRIPT_NAME']); - else $_SERVER['SCRIPT_NAME'] = $old_script_name; - if ($old_https === NULL) unset($_SERVER['HTTPS']); - else $_SERVER['HTTPS'] = $old_https; - + $_SERVER['HTTP_HOST'] = $old_host; + $_SERVER['SCRIPT_NAME'] = $old_script_name; $_SERVER['SCRIPT_FILENAME'] = $old_script_filename; + $_SERVER['HTTPS'] = $old_https; + $_SERVER['SERVER_ADDR'] = $old_server_addr; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b
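Review bot: The rewritten restore block at the end of the hunk assigns `$_SERVER['HTTP_HOST'] = $old_host;`, `$_SERVER['SCRIPT_NAME'] = $old_script_name;`, `$_SERVER['HTTPS'] = $old_https;` and `$_SERVER['SERVER_ADDR'] = $old_server_addr;` unconditionally, but those saved values are `NULL` whenever the key was absent, so a key that did not exist before the test now exists with a `NULL` value afterwards; the removed code preserved the absent state with `unset()`, and dropping that leaves `$_SERVER` in a different shape for any later test or detection code that checks `array_key_exists()` or reads the key directly. Restoring through a single loop that unsets `NULL` entries keeps the old behaviour and covers `SERVER_ADDR` too. Separately, the new fallback is only exercised with an IPv4 `SERVER_ADDR`; if the implementation is expected to bracket IPv6 literals, a case such as `$_SERVER['SERVER_ADDR'] = '::1';` expecting `'http://[::1]/'` would pin that, since an unbracketed address would produce an unparseable base URL. The test method begins before this hunk.
```php
// … unchanged: Host-header, SERVER_ADDR and HTTPS detection assertions …
// Restore server vars; keys that were absent before must be unset again, not left as NULL
$saved = array(
	'HTTP_HOST'       => $old_host,
	'SCRIPT_NAME'     => $old_script_name,
	'SCRIPT_FILENAME' => $old_script_filename,
	'HTTPS'           => $old_https,
	'SERVER_ADDR'     => $old_server_addr
);
foreach ($saved as $key => $value)
{
	if ($value === NULL) unset($_SERVER[$key]);
	else $_SERVER[$key] = $value;
}
```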