Issue #2399657 by klausi: Add session hijacking test cases for SA-CORE-2014-006

David Rothstein 2015-05-04 22:18:24 -04:00
parent b85b146a17
commit 27a72017bd
1 changed files with 50 additions and 0 deletions


@ -477,6 +477,56 @@ class SessionHttpsTestCase extends DrupalWebTestCase {
$this->assertResponse(200);
}
/**
* Tests that empty session IDs do not cause unrelated sessions to load.
*/
public function testEmptySessionId() {
global $is_https;
if ($is_https) {
$secure_session_name = session_name();
}
else {
$secure_session_name = 'S' . session_name();
}
// Enable mixed mode for HTTP and HTTPS.
variable_set('https', TRUE);
$admin_user = $this->drupalCreateUser(array('access administration pages'));
$standard_user = $this->drupalCreateUser(array('access content'));
// First log in as the admin user on HTTP.
// We cannot use $this->drupalLogin() here because we need to use the
// special http.php URLs.
$edit = array(
'name' => $admin_user->name,
'pass' => $admin_user->pass_raw
);
$this->drupalGet('user');
$form = $this->xpath('//form[@id="user-login"]');
$form[0]['action'] = $this->httpUrl('user');
$this->drupalPost(NULL, $edit, t('Log in'));
$this->curlClose();
// Now start a session for the standard user on HTTPS.
$edit = array(
'name' => $standard_user->name,
'pass' => $standard_user->pass_raw
);
$this->drupalGet('user');
$form = $this->xpath('//form[@id="user-login"]');
$form[0]['action'] = $this->httpsUrl('user');
$this->drupalPost(NULL, $edit, t('Log in'));
// Make the secure session cookie blank.
curl_setopt($this->curlHandle, CURLOPT_COOKIE, "$secure_session_name=");
$this->drupalGet($this->httpsUrl('user'));
$this->assertNoText($admin_user->name, 'User is not logged in as admin');
$this->assertNoText($standard_user->name, "The user's own name is not displayed because the invalid session cookie has logged them out.");
}
/**
* Test that there exists a session with two specific session IDs.
*