Update to Drupal 8.0.4. For more information, see https://www.drupal.org/drupal-8.0.4
This commit is contained in:
parent
9db4fae9a7
commit
315484f62f
7 changed files with 205 additions and 10 deletions
core/modules/file/src/Tests
|
@ -10,11 +10,14 @@ namespace Drupal\file\Tests;
|
|||
use Drupal\comment\Entity\Comment;
|
||||
use Drupal\comment\Tests\CommentTestTrait;
|
||||
use Drupal\Component\Utility\Unicode;
|
||||
use Drupal\Core\Url;
|
||||
use Drupal\field\Entity\FieldConfig;
|
||||
use Drupal\field\Entity\FieldStorageConfig;
|
||||
use Drupal\field_ui\Tests\FieldUiTestTrait;
|
||||
use Drupal\user\RoleInterface;
|
||||
use Drupal\file\Entity\File;
|
||||
use Drupal\user\Entity\User;
|
||||
use Drupal\user\UserInterface;
|
||||
|
||||
/**
|
||||
* Tests the file field widget, single and multi-valued, with and without AJAX,
|
||||
|
@ -42,6 +45,36 @@ class FileFieldWidgetTest extends FileFieldTestBase {
|
|||
*/
|
||||
public static $modules = array('comment', 'block');
|
||||
|
||||
/**
|
||||
* Creates a temporary file, for a specific user.
|
||||
*
|
||||
* @param string $data
|
||||
* A string containing the contents of the file.
|
||||
* @param \Drupal\user\UserInterface $user
|
||||
* The user of the file owner.
|
||||
*
|
||||
* @return \Drupal\file\FileInterface
|
||||
* A file object, or FALSE on error.
|
||||
*/
|
||||
protected function createTemporaryFile($data, UserInterface $user = NULL) {
|
||||
$file = file_save_data($data, NULL, NULL);
|
||||
|
||||
if ($file) {
|
||||
if ($user) {
|
||||
$file->setOwner($user);
|
||||
}
|
||||
else {
|
||||
$file->setOwner($this->adminUser);
|
||||
}
|
||||
// Change the file status to be temporary.
|
||||
$file->setTemporary();
|
||||
// Save the changes.
|
||||
$file->save();
|
||||
}
|
||||
|
||||
return $file;
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests upload and remove buttons for a single-valued File field.
|
||||
*/
|
||||
|
@ -449,4 +482,113 @@ class FileFieldWidgetTest extends FileFieldTestBase {
|
|||
$this->assertIdentical(count($elements), 1);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests exploiting the temporary file removal of another user using fid.
|
||||
*/
|
||||
public function testTemporaryFileRemovalExploit() {
|
||||
// Create a victim user.
|
||||
$victim_user = $this->drupalCreateUser();
|
||||
|
||||
// Create an attacker user.
|
||||
$attacker_user = $this->drupalCreateUser(array(
|
||||
'access content',
|
||||
'create article content',
|
||||
'edit any article content',
|
||||
));
|
||||
|
||||
// Log in as the attacker user.
|
||||
$this->drupalLogin($attacker_user);
|
||||
|
||||
// Perform tests using the newly created users.
|
||||
$this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests exploiting the temporary file removal for anonymous users using fid.
|
||||
*/
|
||||
public function testTemporaryFileRemovalExploitAnonymous() {
|
||||
// Set up an anonymous victim user.
|
||||
$victim_user = User::getAnonymousUser();
|
||||
|
||||
// Set up an anonymous attacker user.
|
||||
$attacker_user = User::getAnonymousUser();
|
||||
|
||||
// Set up permissions for anonymous attacker user.
|
||||
user_role_change_permissions(RoleInterface::ANONYMOUS_ID, array(
|
||||
'access content' => TRUE,
|
||||
'create article content' => TRUE,
|
||||
'edit any article content' => TRUE,
|
||||
));
|
||||
|
||||
// Log out so as to be the anonymous attacker user.
|
||||
$this->drupalLogout();
|
||||
|
||||
// Perform tests using the newly set up anonymous users.
|
||||
$this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper for testing exploiting the temporary file removal using fid.
|
||||
*
|
||||
* @param \Drupal\user\UserInterface $victim_user
|
||||
* The victim user.
|
||||
* @param \Drupal\user\UserInterface $attacker_user
|
||||
* The attacker user.
|
||||
*/
|
||||
protected function doTestTemporaryFileRemovalExploit(UserInterface $victim_user, UserInterface $attacker_user) {
|
||||
$type_name = 'article';
|
||||
$field_name = 'test_file_field';
|
||||
$this->createFileField($field_name, 'node', $type_name);
|
||||
|
||||
$test_file = $this->getTestFile('text');
|
||||
foreach (array('nojs', 'js') as $type) {
|
||||
// Create a temporary file owned by the victim user. This will be as if
|
||||
// they had uploaded the file, but not saved the node they were editing
|
||||
// or creating.
|
||||
$victim_tmp_file = $this->createTemporaryFile('some text', $victim_user);
|
||||
$victim_tmp_file = File::load($victim_tmp_file->id());
|
||||
$this->assertTrue($victim_tmp_file->isTemporary(), 'New file saved to disk is temporary.');
|
||||
$this->assertFalse(empty($victim_tmp_file->id()), 'New file has an fid.');
|
||||
$this->assertEqual($victim_user->id(), $victim_tmp_file->getOwnerId(), 'New file belongs to the victim.');
|
||||
|
||||
// Have attacker create a new node with a different uploaded file and
|
||||
// ensure it got uploaded successfully.
|
||||
$edit = [
|
||||
'title[0][value]' => $type . '-title' ,
|
||||
];
|
||||
|
||||
// Attach a file to a node.
|
||||
$edit['files[' . $field_name . '_0]'] = $this->container->get('file_system')->realpath($test_file->getFileUri());
|
||||
$this->drupalPostForm(Url::fromRoute('node.add', array('node_type' => $type_name)), $edit, t('Save'));
|
||||
$node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
|
||||
|
||||
/** @var \Drupal\file\FileInterface $node_file */
|
||||
$node_file = File::load($node->{$field_name}->target_id);
|
||||
$this->assertFileExists($node_file, 'A file was saved to disk on node creation');
|
||||
$this->assertEqual($attacker_user->id(), $node_file->getOwnerId(), 'New file belongs to the attacker.');
|
||||
|
||||
// Ensure the file can be downloaded.
|
||||
$this->drupalGet(file_create_url($node_file->getFileUri()));
|
||||
$this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
|
||||
|
||||
// "Click" the remove button (emulating either a nojs or js submission).
|
||||
// In this POST request, the attacker "guesses" the fid of the victim's
|
||||
// temporary file and uses that to remove this file.
|
||||
$this->drupalGet($node->toUrl('edit-form'));
|
||||
switch ($type) {
|
||||
case 'nojs':
|
||||
$this->drupalPostForm(NULL, [$field_name . '[0][fids]' => (string) $victim_tmp_file->id()], 'Remove');
|
||||
break;
|
||||
|
||||
case 'js':
|
||||
$this->drupalPostAjaxForm(NULL, [$field_name . '[0][fids]' => (string) $victim_tmp_file->id()], ["{$field_name}_0_remove_button" => 'Remove']);
|
||||
break;
|
||||
}
|
||||
|
||||
// The victim's temporary file should not be removed by the attacker's
|
||||
// POST request.
|
||||
$this->assertFileExists($victim_tmp_file);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Reference in a new issue