authorJoas Schilling <coding@schilljs.com>2016-08-31 15:59:16 +0200
committerGitHub <noreply@github.com>2016-08-31 15:59:16 +0200
commitf9cea0b582005ed257695e15a444eb372fff95f9 (patch)
treef599646e2eeef9206aa12a6fe2819378f04c09df /tests
parenta0af513a4a4adc295f5673fd7d1d7fd25c6ac75a (diff)
parentb53ea18ea59c76368b28198968c59b783f17122f (diff)
Merge pull request #797 from nextcloud/only-match-for-auth-cookie
Match only for actual session cookie
Diffstat (limited to 'tests')
-rw-r--r--tests/lib/AppFramework/Http/RequestTest.php78
1 files changed, 77 insertions, 1 deletions
diff --git a/tests/lib/AppFramework/Http/RequestTest.php b/tests/lib/AppFramework/Http/RequestTest.php
index a3433e558d8..420b73a22d9 100644
--- a/tests/lib/AppFramework/Http/RequestTest.php
+++ b/tests/lib/AppFramework/Http/RequestTest.php
@@ -1469,6 +1469,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
+ session_name() => 'asdf',
'nc_sameSiteCookiestrict' => 'true',
],
],
@@ -1495,6 +1496,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
+ session_name() => 'asdf',
'nc_sameSiteCookiestrict' => 'true',
'nc_sameSiteCookielax' => 'true',
],
@@ -1509,7 +1511,76 @@ class RequestTest extends \Test\TestCase {
$this->assertTrue($request->passesStrictCookieCheck());
}
- public function testFailsSRFCheckWithPostAndWithCookies() {
+ public function testPassesStrictCookieCheckWithRandomCookies() {
+ /** @var Request $request */
+ $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
+ ->setMethods(['getScriptName'])
+ ->setConstructorArgs([
+ [
+ 'server' => [
+ 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
+ ],
+ 'cookies' => [
+ 'RandomCookie' => 'asdf',
+ ],
+ ],
+ $this->secureRandom,
+ $this->config,
+ $this->csrfTokenManager,
+ $this->stream
+ ])
+ ->getMock();
+
+ $this->assertTrue($request->passesStrictCookieCheck());
+ }
+
+ public function testFailsStrictCookieCheckWithSessionCookie() {
+ /** @var Request $request */
+ $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
+ ->setMethods(['getScriptName'])
+ ->setConstructorArgs([
+ [
+ 'server' => [
+ 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
+ ],
+ 'cookies' => [
+ session_name() => 'asdf',
+ ],
+ ],
+ $this->secureRandom,
+ $this->config,
+ $this->csrfTokenManager,
+ $this->stream
+ ])
+ ->getMock();
+
+ $this->assertFalse($request->passesStrictCookieCheck());
+ }
+
+ public function testFailsStrictCookieCheckWithRememberMeCookie() {
+ /** @var Request $request */
+ $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
+ ->setMethods(['getScriptName'])
+ ->setConstructorArgs([
+ [
+ 'server' => [
+ 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
+ ],
+ 'cookies' => [
+ 'oc_token' => 'asdf',
+ ],
+ ],
+ $this->secureRandom,
+ $this->config,
+ $this->csrfTokenManager,
+ $this->stream
+ ])
+ ->getMock();
+
+ $this->assertFalse($request->passesStrictCookieCheck());
+ }
+
+ public function testFailsCSRFCheckWithPostAndWithCookies() {
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
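Review bot: testPassesStrictCookieCheckWithRandomCookies pins that an unrelated cookie name leaves the strict check inactive, but no case covers a cookie whose name merely contains the session name, so an implementation matching on prefix or substring would still pass this suite; a sibling test with `session_name() . '_x' => 'asdf'` as the only cookie, asserting true, would pin the exact match that the PR title ("Match only for actual session cookie") describes. The three new test methods carry no docblock stating the intent; a one-line `/** Only the session cookie and the remember-me cookie activate the strict cookie check; other cookies are ignored. */` on each would make the negative cases self-explaining. The remember-me cookie name is hard-coded as the literal `'oc_token'` while the session cookie is obtained via `session_name()`; if the production code exposes that name as a constant, referencing it here would keep the test from drifting silently. testFailsCSRFCheckWithPostAndWithCookies continues past the end of the hunk.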
@@ -1519,6 +1590,7 @@ class RequestTest extends \Test\TestCase {
'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
+ session_name() => 'asdf',
'foo' => 'bar',
],
],
@@ -1545,6 +1617,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
+ session_name() => 'asdf',
'nc_sameSiteCookielax' => 'true',
],
],
@@ -1568,6 +1641,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
+ session_name() => 'asdf',
'nc_sameSiteCookiestrict' => 'true',
],
],
@@ -1591,6 +1665,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
+ session_name() => 'asdf',
'nc_sameSiteCookielax' => 'true',
],
],
@@ -1614,6 +1689,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
+ session_name() => 'asdf',
'nc_sameSiteCookiestrict' => 'true',
],
],