1
# -*- Mode: perl; indent-tabs-mode: nil -*-
3
# The contents of this file are subject to the Mozilla Public
4
# License Version 1.1 (the "License"); you may not use this file
5
# except in compliance with the License. You may obtain a copy of
6
# the License at http://www.mozilla.org/MPL/
8
# Software distributed under the License is distributed on an "AS
9
# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
10
# implied. See the License for the specific language governing
11
# rights and limitations under the License.
13
# The Original Code are the Bugzilla tests.
15
# The Initial Developer of the Original Code is Jacob Steenhagen.
16
# Portions created by Jacob Steenhagen are
17
# Copyright (C) 2001 Jacob Steenhagen. All
20
# Contributor(s): Gervase Markham <gerv@gerv.net>
26
# This test scans all our templates for every directive. Having eliminated
27
# those which cannot possibly cause XSS problems, it then checks the rest
28
# against the safe list stored in the filterexceptions.pl file.
30
# Sample exploit code: '>"><script>alert('Oh dear...')</script>
37
use Support::Templates;
39
use Test::More tests => $Support::Templates::num_actual_files;
42
# Undefine the record separator so we can read in whole files at once
47
foreach my $path (@Support::Templates::include_paths) {
48
$path =~ s|\\|/|g if $^O eq 'MSWin32'; # convert \ to / in path if on windows
49
$path =~ m|template/([^/]+)/([^/]+)|;
53
chdir $topdir; # absolute path
54
my @testitems = Support::Templates::find_actual_files($path);
55
chdir $topdir; # absolute path
57
next unless @testitems;
59
# Some people require this, others don't. No-one knows why.
60
chdir $path; # relative path
62
# We load a %safe list of acceptable exceptions.
63
if (!-r "filterexceptions.pl") {
64
ok(0, "$path has templates but no filterexceptions.pl file. --ERROR");
68
do "filterexceptions.pl";
69
if ($^O eq 'MSWin32') {
70
# filterexceptions.pl uses / separated paths, while
71
# find_actual_files returns \ separated ones on Windows.
72
# Here, we convert the filter exception hash to use \.
73
foreach my $file (keys %safe) {
74
my $orig_file = $file;
76
if ($file ne $orig_file) {
77
$safe{$file} = $safe{$orig_file};
78
delete $safe{$orig_file};
84
# We preprocess the %safe hash of lists into a hash of hashes. This allows
85
# us to flag which members were not found, and report that as a warning,
86
# thereby keeping the lists clean.
87
foreach my $file (keys %safe) {
88
my $list = $safe{$file};
90
foreach my $directive (@$list) {
91
$safe{$file}{$directive} = 0;
95
foreach my $file (@testitems) {
96
# There are some files we don't check, because there is no need to
97
# filter their contents due to their content-type.
98
if ($file =~ /\.(txt|png)\.tmpl$/) {
99
ok(1, "($lang/$flavor) $file is filter-safe");
103
# Read the entire file into a string
104
open (FILE, "<$file") || die "Can't open $file: $!\n";
110
# /g means we execute this loop for every match
111
# /s means we ignore linefeeds in the regexp matches
112
while ($slurp =~ /\[%(.*?)%\]/gs) {
115
my @lineno = ($` =~ m/\n/gs);
116
my $lineno = scalar(@lineno) + 1;
118
if (!directive_ok($file, $directive)) {
120
# This intentionally makes no effort to eliminate duplicates; to do
121
# so would merely make it more likely that the user would not
122
# escape all instances when attempting to correct an error.
123
push(@unfiltered, "$lineno:$directive");
127
my $fullpath = File::Spec->catfile($path, $file);
130
my $uflist = join("\n ", @unfiltered);
131
ok(0, "($lang/$flavor) $fullpath has unfiltered directives:\n $uflist\n--ERROR");
134
# Find any members of the exclusion list which were not found
136
foreach my $directive (keys %{$safe{$file}}) {
137
push(@notfound, $directive) if ($safe{$file}{$directive} == 0);
141
my $nflist = join("\n ", @notfound);
142
ok(0, "($lang/$flavor) $fullpath - filterexceptions.pl has extra members:\n $nflist\n" .
146
# Don't use the full path here - it's too long and unwieldy.
147
ok(1, "($lang/$flavor) $file is filter-safe");
154
my ($file, $directive) = @_;
157
return 1 if $directive =~ /^[+-]?#/;
159
# Remove any leading/trailing + or - and whitespace.
160
$directive =~ s/^[+-]?\s*//;
161
$directive =~ s/\s*[+-]?$//;
163
# Empty directives are ok; they are usually line break helpers
164
return 1 if $directive eq '';
166
# Make sure we're not looking for ./ in the $safe hash
169
# Exclude those on the nofilter list
170
if (defined($safe{$file}{$directive})) {
171
$safe{$file}{$directive}++;
176
return 1 if $directive =~ /^(IF|END|UNLESS|FOREACH|PROCESS|INCLUDE|
177
BLOCK|USE|ELSE|NEXT|LAST|DEFAULT|FLUSH|
178
ELSIF|SET|SWITCH|CASE|WHILE|RETURN|STOP|
179
TRY|CATCH|FINAL|THROW|CLEAR|MACRO)/x;
182
if ($directive =~ /.+\?(.+):(.+)/) {
183
return 1 if directive_ok($file, $1) && directive_ok($file, $2);
187
return 1 if $directive =~ /[+\-*\/]/;
190
return 1 if $directive =~ /^[0-9]+$/;
193
return 1 if $directive =~ /^[\w\.\$]+\s+=\s+/;
195
# Conditional literals with either sort of quotes
196
# There must be no $ in the string for it to be a literal
197
return 1 if $directive =~ /^(["'])[^\$]*[^\\]\1/;
198
return 1 if $directive =~ /^(["'])\1/;
200
# Special values always used for numbers
201
return 1 if $directive =~ /^[ijkn]$/;
202
return 1 if $directive =~ /^count$/;
205
return 1 if $directive =~ /^Param\(/;
208
return 1 if $directive =~ /^Hook.process\(/;
210
# Other functions guaranteed to return OK output
211
return 1 if $directive =~ /^(time2str|url)\(/;
213
# Safe Template Toolkit virtual methods
214
return 1 if $directive =~ /\.(length$|size$|push\()/;
216
# Special Template Toolkit loop variable
217
return 1 if $directive =~ /^loop\.(index|count)$/;
220
return 1 if $directive =~ /^terms\./;
222
# Things which are already filtered
223
# Note: If a single directive prints two things, and only one is
224
# filtered, we may not catch that case.
225
return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
226
ics|quoteUrls|time|uri|xml|lower|html_light|
227
obsolete|inactive|closed|unitconvert|