X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/823268e5c78be454f0da5013c1bfa7e5d936902d..b63f1260eef70cf7eb1703ebae1244db7cef0583:/t/relativity.t?ds=sidebyside diff --git a/t/relativity.t b/t/relativity.t index ca1664f3c..c67c8ba17 100755 --- a/t/relativity.t +++ b/t/relativity.t @@ -2,30 +2,36 @@ use warnings; use strict; -use Cwd qw(getcwd); -use Errno qw(ENOENT); - -BEGIN { - if (!eval q{ +use Test::More; +plan(skip_all => "IPC::Run not available") + unless eval q{ use IPC::Run qw(run); 1; - }) { - eval q{use Test::More skip_all => "IPC::Run not available"}; - } - else { - eval q{use Test::More}; - } - use_ok("IkiWiki"); -} + }; -my $pwd = getcwd(); +use IkiWiki; + +use Cwd qw(getcwd); +use Errno qw(ENOENT); # Black-box (ish) test for relative linking between CGI and static content -my $blob; -my ($content, $in, %bits); +my $installed = $ENV{INSTALLED_TESTS}; + +my @command; +if ($installed) { + @command = qw(ikiwiki); +} +else { + ok(! system("make -s ikiwiki.out")); + @command = qw(perl -I. ./ikiwiki.out + --underlaydir=underlays/basewiki + --set underlaydirbase=underlays + --templatedir=templates); +} sub parse_cgi_content { + my $content = shift; my %bits; if ($content =~ qr{}) { $bits{basehref} = $1; @@ -42,10 +48,6 @@ sub parse_cgi_content { return %bits; } -ok(! system("make -s ikiwiki.out")); -ok(! system("rm -rf t/tmp")); -ok(! system("mkdir t/tmp")); - sub write_old_file { my $name = shift; my $content = shift; @@ -54,548 +56,325 @@ sub write_old_file { ok(utime(333333333, 333333333, "t/tmp/in/$name")); } -write_old_file("a.mdwn", "A"); -write_old_file("a/b.mdwn", "B"); -write_old_file("a/b/c.mdwn", -"* A: [[a]]\n". -"* B: [[b]]\n". -"* E: [[a/d/e]]\n"); -write_old_file("a/d.mdwn", "D"); -write_old_file("a/d/e.mdwn", "E"); +sub write_setup_file { + my (%args) = @_; + my $urlline = defined $args{url} ? "url: $args{url}" : ""; + my $w3mmodeline = defined $args{w3mmode} ? "w3mmode: $args{w3mmode}" : ""; + my $reverseproxyline = defined $args{reverse_proxy} ? "reverse_proxy: $args{reverse_proxy}" : ""; -####################################################################### -# site 1: a perfectly ordinary ikiwiki - -writefile("test.setup", "t/tmp", < on static HTML -unlike($content, qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"}); -# cross-links between static pages are relative -like($content, qr{
  • A: a
  • }); -like($content, qr{
  • B: b
  • }); -like($content, qr{
  • E: e
  • }); - -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '80'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'example.com'; -}); -%bits = parse_cgi_content($content); -is($bits{basehref}, "http://example.com/wiki/"); -like($bits{stylehref}, qr{^(?:(?:http:)?//example.com)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:/wiki|\.)/$}); -like($bits{cgihref}, qr{^(?:(?:http:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); - -# when accessed via HTTPS, links are secure -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '443'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'example.com'; - $ENV{HTTPS} = 'on'; -}); -%bits = parse_cgi_content($content); -is($bits{basehref}, "https://example.com/wiki/"); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:/wiki|\.)/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); - -# when accessed via a different hostname, links stay on that host -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '80'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'staging.example.net'; -}); -%bits = parse_cgi_content($content); -is($bits{basehref}, "http://staging.example.net/wiki/"); -like($bits{stylehref}, qr{^(?:(?:http:)?//staging.example.net)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:/wiki|\.)/$}); -like($bits{cgihref}, qr{^(?:(?:http:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); - -# previewing a page -$in = 'do=edit&page=a/b/c&Preview'; -run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'POST'; - $ENV{SERVER_PORT} = '80'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{HTTP_HOST} = 'example.com'; - $ENV{CONTENT_LENGTH} = length $in; -}); -%bits = parse_cgi_content($content); -is($bits{basehref}, "http://example.com/wiki/a/b/c/"); -like($bits{stylehref}, qr{^(?:(?:http:)?//example.com)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); -like($bits{cgihref}, qr{^(?:(?:http:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); - -####################################################################### -# site 2: static content and CGI are on different servers - -writefile("test.setup", "t/tmp", < on static HTML -unlike($content, qr{]+href="(?:http:)?//cgi.example.com/ikiwiki.cgi\?do=prefs"}); -# cross-links between static pages are still relative -like($content, qr{
  • A: a
  • }); -like($content, qr{
  • B: b
  • }); -like($content, qr{
  • E: e
  • }); - -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '80'; - $ENV{SCRIPT_NAME} = '/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'cgi.example.com'; -}); -%bits = parse_cgi_content($content); -like($bits{basehref}, qr{^http://static.example.com/$}); -like($bits{stylehref}, qr{^(?:(?:http:)?//static.example.com)?/style.css$}); -like($bits{tophref}, qr{^(?:http:)?//static.example.com/$}); -like($bits{cgihref}, qr{^(?:(?:http:)?//cgi.example.com)?/ikiwiki.cgi$}); - -# when accessed via HTTPS, links are secure -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '443'; - $ENV{SCRIPT_NAME} = '/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'cgi.example.com'; - $ENV{HTTPS} = 'on'; -}); -%bits = parse_cgi_content($content); -TODO: { -local $TODO = "avoid mixed content"; -like($bits{basehref}, qr{^https://static.example.com/$}); -like($bits{stylehref}, qr{^(?:(?:https:)?//static.example.com)?/style.css$}); -like($bits{tophref}, qr{^(?:https:)?//static.example.com/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//cgi.example.com)?/ikiwiki.cgi$}); + ); } -# when accessed via a different hostname, links to the CGI (only) should -# stay on that host? -$in = 'do=edit&page=a/b/c&Preview'; -run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'POST'; - $ENV{SERVER_PORT} = '80'; - $ENV{SCRIPT_NAME} = '/ikiwiki.cgi'; - $ENV{HTTP_HOST} = 'staging.example.net'; - $ENV{HTTPS} = 'on'; - $ENV{CONTENT_LENGTH} = length $in; -}); -like($bits{basehref}, qr{^http://static.example.com/$}); -like($bits{stylehref}, qr{^(?:(?:http:)?//static.example.com)?/style.css$}); -like($bits{tophref}, qr{^(?:http:)?//static.example.com/$}); -TODO: { -local $TODO = "use self-referential CGI URL?"; -like($bits{cgihref}, qr{^(?:(?:http:)?//staging.example.net)?/ikiwiki.cgi$}); +sub thoroughly_rebuild { + ok(unlink("t/tmp/ikiwiki.cgi") || $!{ENOENT}); + ok(! system(@command, qw(--setup t/tmp/test.setup --rebuild --wrappers))); } -####################################################################### -# site 3: we specifically want everything to be secure - -writefile("test.setup", "t/tmp", < on static HTML -unlike($content, qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"}); -# cross-links between static pages are relative -like($content, qr{
  • A: a
  • }); -like($content, qr{
  • B: b
  • }); -like($content, qr{
  • E: e
  • }); - -# when accessed via HTTPS, links are secure -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '443'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'example.com'; - $ENV{HTTPS} = 'on'; -}); -%bits = parse_cgi_content($content); -is($bits{basehref}, "https://example.com/wiki/"); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:/wiki|\.)/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); - -# when not accessed via HTTPS, links should still be secure -# (but if this happens, that's a sign of web server misconfiguration) -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '80'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'example.com'; -}); -%bits = parse_cgi_content($content); -like($bits{tophref}, qr{^(?:/wiki|\.)/$}); -TODO: { -local $TODO = "treat https in configured url, cgiurl as required?"; -is($bits{basehref}, "https://example.com/wiki/"); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +sub check_cgi_mode_bits { + my (undef, undef, $mode, undef, undef, + undef, undef, undef, undef, undef, + undef, undef, undef) = stat("t/tmp/ikiwiki.cgi"); + is($mode & 07777, 0754); } -like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); - -# when accessed via a different hostname, links stay on that host -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '443'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'staging.example.net'; - $ENV{HTTPS} = 'on'; -}); -%bits = parse_cgi_content($content); -is($bits{basehref}, "https://staging.example.net/wiki/"); -like($bits{stylehref}, qr{^(?:(?:https:)?//staging.example.net)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:/wiki|\.)/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); - -# previewing a page -$in = 'do=edit&page=a/b/c&Preview'; -run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'POST'; - $ENV{SERVER_PORT} = '443'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{HTTP_HOST} = 'example.com'; - $ENV{CONTENT_LENGTH} = length $in; - $ENV{HTTPS} = 'on'; -}); -%bits = parse_cgi_content($content); -is($bits{basehref}, "https://example.com/wiki/a/b/c/"); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); - -####################################################################### -# site 4 (NetBSD wiki): CGI is secure, static content doesn't have to be - -writefile("test.setup", "t/tmp", < on static HTML -unlike($content, qr{]+href="https://example.com/cgi-bin/ikiwiki.cgi\?do=prefs"}); -# cross-links between static pages are relative -like($content, qr{
  • A: a
  • }); -like($content, qr{
  • B: b
  • }); -like($content, qr{
  • E: e
  • }); - -# when accessed via HTTPS, links are secure (to avoid mixed-content) -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '443'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'example.com'; - $ENV{HTTPS} = 'on'; -}); -%bits = parse_cgi_content($content); -TODO: { -local $TODO = "avoid mixed content"; -is($bits{basehref}, "https://example.com/wiki/"); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:/wiki|\.)/$}); + +sub check_generated_content { + my $cgiurl_regex = shift; + ok(-e "t/tmp/out/a/b/c/index.html"); + my $content = readfile("t/tmp/out/a/b/c/index.html"); + # no on static HTML + unlike($content, qr{A: a}); + like($content, qr{
  • B: b
  • }); + like($content, qr{
  • E: e
  • }); } -like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); - -# when not accessed via HTTPS, ??? -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '80'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'example.com'; -}); -%bits = parse_cgi_content($content); -like($bits{basehref}, qr{^https?://example.com/wiki/$}); -like($bits{stylehref}, qr{^(?:(?:https?:)?//example.com)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:(?:https?://example.com)?/wiki|\.)/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); - -# when accessed via a different hostname, links stay on that host -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '443'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'staging.example.net'; - $ENV{HTTPS} = 'on'; -}); -%bits = parse_cgi_content($content); -TODO: { -local $TODO = "avoid mixed content"; -like($bits{basehref}, qr{^https://example.com/wiki/$}); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:(?:(?:https:)?//example.com)?/wiki|\.)/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); + +sub run_cgi { + my (%args) = @_; + my ($in, $out); + my $is_preview = delete $args{is_preview}; + my $is_https = delete $args{is_https}; + my %defaults = ( + SCRIPT_NAME => '/cgi-bin/ikiwiki.cgi', + HTTP_HOST => 'example.com', + ); + if (defined $is_preview) { + $defaults{REQUEST_METHOD} = 'POST'; + $in = 'do=edit&page=a/b/c&Preview'; + $defaults{CONTENT_LENGTH} = length $in; + } else { + $defaults{REQUEST_METHOD} = 'GET'; + $defaults{QUERY_STRING} = 'do=prefs'; + } + if (defined $is_https) { + $defaults{SERVER_PORT} = '443'; + $defaults{HTTPS} = 'on'; + } else { + $defaults{SERVER_PORT} = '80'; + } + my %envvars = ( + %defaults, + %args, + ); + run(["./t/tmp/ikiwiki.cgi"], \$in, \$out, init => sub { + map { + $ENV{$_} = $envvars{$_} + } keys(%envvars); + }); + + return $out; } -# previewing a page -$in = 'do=edit&page=a/b/c&Preview'; -run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'POST'; - $ENV{SERVER_PORT} = '443'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{HTTP_HOST} = 'example.com'; - $ENV{CONTENT_LENGTH} = length $in; - $ENV{HTTPS} = 'on'; -}); -%bits = parse_cgi_content($content); -TODO: { -local $TODO = "avoid mixed content"; -is($bits{basehref}, "https://example.com/wiki/a/b/c/"); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +sub test_startup { + ok(! system("rm -rf t/tmp")); + ok(! system("mkdir t/tmp")); + + write_old_file("a.mdwn", "A"); + write_old_file("a/b.mdwn", "B"); + write_old_file("a/b/c.mdwn", + "* A: [[a]]\n". + "* B: [[b]]\n". + "* E: [[a/d/e]]\n"); + write_old_file("a/d.mdwn", "D"); + write_old_file("a/d/e.mdwn", "E"); } -like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); -# Deliberately not testing https static content with http cgiurl, -# because that makes remarkably little sense. +sub test_site1_perfectly_ordinary_ikiwiki { + write_setup_file( + url => "http://example.com/wiki/", + cgiurl => "http://example.com/cgi-bin/ikiwiki.cgi", + ); + thoroughly_rebuild(); + check_cgi_mode_bits(); + # url and cgiurl are on the same host so the cgiurl is host-relative + check_generated_content(qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"}); + my %bits = parse_cgi_content(run_cgi()); + like($bits{basehref}, qr{^(?:(?:http:)?//example\.com)?/wiki/$}); + like($bits{stylehref}, qr{^(?:(?:http:)?//example.com)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:/wiki|\.)/$}); + like($bits{cgihref}, qr{^(?:(?:http:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + + # when accessed via HTTPS, links are secure + %bits = parse_cgi_content(run_cgi(is_https => 1)); + like($bits{basehref}, qr{^(?:(?:https:)?//example\.com)?/wiki/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:/wiki|\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + + # when accessed via a different hostname, links stay on that host + %bits = parse_cgi_content(run_cgi(HTTP_HOST => 'staging.example.net')); + like($bits{basehref}, qr{^(?:(?:http:)?//staging\.example\.net)?/wiki/$}); + like($bits{stylehref}, qr{^(?:(?:http:)?//staging.example.net)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:/wiki|\.)/$}); + like($bits{cgihref}, qr{^(?:(?:http:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); + + # previewing a page + %bits = parse_cgi_content(run_cgi(is_preview => 1)); + like($bits{basehref}, qr{^(?:(?:http:)?//example\.com)?/wiki/a/b/c/$}); + like($bits{stylehref}, qr{^(?:(?:http:)?//example.com)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); + like($bits{cgihref}, qr{^(?:(?:http:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); +} -####################################################################### -# site 5: w3mmode, as documented in [[w3mmode]] +sub test_site2_static_content_and_cgi_on_different_servers { + write_setup_file( + url => "http://static.example.com/", + cgiurl => "http://cgi.example.com/ikiwiki.cgi", + ); + thoroughly_rebuild(); + check_cgi_mode_bits(); + # url and cgiurl are not on the same host so the cgiurl has to be + # protocol-relative or absolute + check_generated_content(qr{]+href="(?:http:)?//cgi.example.com/ikiwiki.cgi\?do=prefs"}); + + my %bits = parse_cgi_content(run_cgi(SCRIPT_NAME => '/ikiwiki.cgi', HTTP_HOST => 'cgi.example.com')); + like($bits{basehref}, qr{^(?:(?:http:)?//static.example.com)?/$}); + like($bits{stylehref}, qr{^(?:(?:http:)?//static.example.com)?/style.css$}); + like($bits{tophref}, qr{^(?:http:)?//static.example.com/$}); + like($bits{cgihref}, qr{^(?:(?:http:)?//cgi.example.com)?/ikiwiki.cgi$}); + + # when accessed via HTTPS, links are secure + %bits = parse_cgi_content(run_cgi(is_https => 1, SCRIPT_NAME => '/ikiwiki.cgi', HTTP_HOST => 'cgi.example.com')); + like($bits{basehref}, qr{^(?:https:)?//static\.example\.com/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//static.example.com)?/style.css$}); + like($bits{tophref}, qr{^(?:https:)?//static.example.com/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//cgi.example.com)?/ikiwiki.cgi$}); + + # when accessed via a different hostname, links to the CGI (only) should + # stay on that host? + %bits = parse_cgi_content(run_cgi(is_preview => 1, SCRIPT_NAME => '/ikiwiki.cgi', HTTP_HOST => 'staging.example.net')); + like($bits{basehref}, qr{^(?:http:)?//static\.example\.com/a/b/c/$}); + like($bits{stylehref}, qr{^(?:(?:http:)?//static.example.com|\.\./\.\./\.\.)/style.css$}); + like($bits{tophref}, qr{^(?:(?:http:)?//static.example.com|\.\./\.\./\.\.)/$}); + like($bits{cgihref}, qr{^(?:(?:http:)?//(?:staging\.example\.net|cgi\.example\.com))?/ikiwiki.cgi$}); + TODO: { + local $TODO = "use self-referential CGI URL?"; + like($bits{cgihref}, qr{^(?:(?:http:)?//staging.example.net)?/ikiwiki.cgi$}); + } +} -writefile("test.setup", "t/tmp", < on static HTML -unlike($content, qr{]+href="(?:file://)?/\$LIB/ikiwiki-w3m.cgi/ikiwiki.cgi\?do=prefs"}); -# cross-links between static pages are still relative -like($content, qr{
  • A: a
  • }); -like($content, qr{
  • B: b
  • }); -like($content, qr{
  • E: e
  • }); - -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{PATH_INFO} = '/ikiwiki.cgi'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki-w3m.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; -}); -%bits = parse_cgi_content($content); -like($bits{tophref}, qr{^(?:\Q$pwd\E/t/tmp/out|\.)/$}); -like($bits{cgihref}, qr{^(?:file://)?/\$LIB/ikiwiki-w3m.cgi/ikiwiki.cgi$}); -TODO: { -local $TODO = "should be file:///"; -like($bits{basehref}, qr{^(?:(?:file:)?//)?\Q$pwd\E/t/tmp/out/$}); -like($bits{stylehref}, qr{^(?:(?:(?:file:)?//)?\Q$pwd\E/t/tmp/out|\.)/style.css$}); +sub test_site3_we_specifically_want_everything_to_be_secure { + write_setup_file( + url => "https://example.com/wiki/", + cgiurl => "https://example.com/cgi-bin/ikiwiki.cgi", + ); + thoroughly_rebuild(); + check_cgi_mode_bits(); + # url and cgiurl are on the same host so the cgiurl is host-relative + check_generated_content(qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"}); + + # when accessed via HTTPS, links are secure + my %bits = parse_cgi_content(run_cgi(is_https => 1)); + like($bits{basehref}, qr{^(?:(?:https:)?//example\.com)?/wiki/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:/wiki|\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + + # when not accessed via HTTPS, links should still be secure + # (but if this happens, that's a sign of web server misconfiguration) + %bits = parse_cgi_content(run_cgi()); + like($bits{tophref}, qr{^(?:/wiki|\.)/$}); + TODO: { + local $TODO = "treat https in configured url, cgiurl as required?"; + is($bits{basehref}, "https://example.com/wiki/"); + like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); + } + like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + + # when accessed via a different hostname, links stay on that host + %bits = parse_cgi_content(run_cgi(is_https => 1, HTTP_HOST => 'staging.example.net')); + like($bits{basehref}, qr{^(?:(?:https:)?//staging\.example\.net)?/wiki/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//staging.example.net)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:/wiki|\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); + + # previewing a page + %bits = parse_cgi_content(run_cgi(is_preview => 1, is_https => 1)); + like($bits{basehref}, qr{^(?:(?:https:)?//example\.com)?/wiki/a/b/c/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); } -####################################################################### -# site 6: we're behind a reverse-proxy +sub test_site4_cgi_is_secure_static_content_doesnt_have_to_be { + # (NetBSD wiki) + write_setup_file( + url => "http://example.com/wiki/", + cgiurl => "https://example.com/cgi-bin/ikiwiki.cgi", + ); + thoroughly_rebuild(); + check_cgi_mode_bits(); + # url and cgiurl are on the same host but different schemes + check_generated_content(qr{]+href="https://example.com/cgi-bin/ikiwiki.cgi\?do=prefs"}); + + # when accessed via HTTPS, links are secure (to avoid mixed-content) + my %bits = parse_cgi_content(run_cgi(is_https => 1)); + like($bits{basehref}, qr{^(?:(?:https:)?//example\.com)?/wiki/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:/wiki|\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + + # FIXME: when not accessed via HTTPS, should the static content be + # forced to https anyway? For now we accept either + %bits = parse_cgi_content(run_cgi()); + like($bits{basehref}, qr{^(?:(?:https?)?://example\.com)?/wiki/$}); + like($bits{stylehref}, qr{^(?:(?:https?:)?//example.com)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:(?:https?://example.com)?/wiki|\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + + # when accessed via a different hostname, links stay on that host + %bits = parse_cgi_content(run_cgi(is_https => 1, HTTP_HOST => 'staging.example.net')); + # because the static and dynamic stuff is on the same server, we assume that + # both are also on the staging server + like($bits{basehref}, qr{^(?:(?:https:)?//staging\.example\.net)?/wiki/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//staging.example.net)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:(?:(?:https:)?//staging.example.net)?/wiki|\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//(?:staging\.example\.net|example\.com))?/cgi-bin/ikiwiki.cgi$}); + TODO: { + local $TODO = "this should really point back to itself but currently points to example.com"; + like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); + } -writefile("test.setup", "t/tmp", < on static HTML -unlike($content, qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"}); -# cross-links between static pages are relative -like($content, qr{
  • A: a
  • }); -like($content, qr{
  • B: b
  • }); -like($content, qr{
  • E: e
  • }); - -# because we are behind a reverse-proxy we must assume that -# we're being accessed by the configured cgiurl -run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'GET'; - $ENV{SERVER_PORT} = '80'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{QUERY_STRING} = 'do=prefs'; - $ENV{HTTP_HOST} = 'localhost'; -}); -%bits = parse_cgi_content($content); -like($bits{tophref}, qr{^(?:/wiki|\.)/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); -TODO: { -local $TODO = "reverse-proxy support needed"; -is($bits{basehref}, "https://example.com/wiki/"); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); + # previewing a page + %bits = parse_cgi_content(run_cgi(is_preview => 1, is_https => 1)); + like($bits{basehref}, qr{^(?:(?:https:)?//example\.com)?/wiki/a/b/c/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); + like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); +} + +sub test_site5_w3mmode { + # as documented in [[w3mmode]] + write_setup_file( + url => undef, + cgiurl => "ikiwiki.cgi", + w3mmode => 1, + ); + thoroughly_rebuild(); + check_cgi_mode_bits(); + # FIXME: does /$LIB/ikiwiki-w3m.cgi work under w3m? + check_generated_content(qr{]+href="(?:file://)?/\$LIB/ikiwiki-w3m.cgi/ikiwiki.cgi\?do=prefs"}); + + my %bits = parse_cgi_content(run_cgi(PATH_INFO => '/ikiwiki.cgi', SCRIPT_NAME => '/cgi-bin/ikiwiki-w3m.cgi')); + my $pwd = getcwd(); + like($bits{tophref}, qr{^(?:\Q$pwd\E/t/tmp/out|\.)/$}); + like($bits{cgihref}, qr{^(?:file://)?/\$LIB/ikiwiki-w3m.cgi/ikiwiki.cgi$}); + like($bits{basehref}, qr{^(?:(?:file:)?//)?\Q$pwd\E/t/tmp/out/$}); + like($bits{stylehref}, qr{^(?:(?:(?:file:)?//)?\Q$pwd\E/t/tmp/out|\.)/style.css$}); } -# previewing a page -$in = 'do=edit&page=a/b/c&Preview'; -run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { - $ENV{REQUEST_METHOD} = 'POST'; - $ENV{SERVER_PORT} = '80'; - $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; - $ENV{HTTP_HOST} = 'localhost'; - $ENV{CONTENT_LENGTH} = length $in; -}); -%bits = parse_cgi_content($content); -like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); -like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); -TODO: { -local $TODO = "reverse-proxy support needed"; -is($bits{basehref}, "https://example.com/wiki/a/b/c/"); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +sub test_site6_behind_reverse_proxy { + write_setup_file( + url => "https://example.com/wiki/", + cgiurl => "https://example.com/cgi-bin/ikiwiki.cgi", + reverse_proxy => 1, + ); + thoroughly_rebuild(); + check_cgi_mode_bits(); + # url and cgiurl are on the same host so the cgiurl is host-relative + check_generated_content(qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"}); + + # because we are behind a reverse-proxy we must assume that + # we're being accessed by the configured cgiurl + my %bits = parse_cgi_content(run_cgi(HTTP_HOST => 'localhost')); + like($bits{tophref}, qr{^(?:/wiki|\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + like($bits{basehref}, qr{^(?:(?:https:)?//example\.com)?/wiki/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); + + # previewing a page + %bits = parse_cgi_content(run_cgi(is_preview => 1, HTTP_HOST => 'localhost')); + like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); + like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + like($bits{basehref}, qr{^(?:(?:https)?://example\.com)?/wiki/a/b/c/$}); + like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); } -done_testing; +test_startup(); + +test_site1_perfectly_ordinary_ikiwiki(); +test_site2_static_content_and_cgi_on_different_servers(); +test_site3_we_specifically_want_everything_to_be_secure(); +test_site4_cgi_is_secure_static_content_doesnt_have_to_be(); +test_site5_w3mmode(); +test_site6_behind_reverse_proxy(); + +done_testing();