From 823268e5c78be454f0da5013c1bfa7e5d936902d Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Sun, 5 Oct 2014 14:29:32 +0100 Subject: [PATCH] add the beginnings of a test for CGI/static URL interactions --- ...cross-linking_between_content_and_CGI.mdwn | 7 + t/relativity.t | 601 ++++++++++++++++++ 2 files changed, 608 insertions(+) create mode 100755 t/relativity.t diff --git a/doc/todo/design_for_cross-linking_between_content_and_CGI.mdwn b/doc/todo/design_for_cross-linking_between_content_and_CGI.mdwn index 64b3e848c..7c920f01f 100644 --- a/doc/todo/design_for_cross-linking_between_content_and_CGI.mdwn +++ b/doc/todo/design_for_cross-linking_between_content_and_CGI.mdwn @@ -109,3 +109,10 @@ in the setup file as http if you intend that they will most commonly be accessed via http (e.g. the "my cert is not CA-cartel approved" use-case), or as https if you intend to force accesses into being via https (the "my wiki is secret" use-case). + +# Regression test + +I've added a regression test in `t/relativity.t`. We might want to +consider dropping some of it or skipping it unless a special environment +variable is set once this is all working, since it's a bit slow. +--[[smcv]] diff --git a/t/relativity.t b/t/relativity.t new file mode 100755 index 000000000..ca1664f3c --- /dev/null +++ b/t/relativity.t @@ -0,0 +1,601 @@ +#!/usr/bin/perl +use warnings; +use strict; + +use Cwd qw(getcwd); +use Errno qw(ENOENT); + +BEGIN { + if (!eval q{ + use IPC::Run qw(run); + 1; + }) { + eval q{use Test::More skip_all => "IPC::Run not available"}; + } + else { + eval q{use Test::More}; + } + use_ok("IkiWiki"); +} + +my $pwd = getcwd(); + +# Black-box (ish) test for relative linking between CGI and static content + +my $blob; +my ($content, $in, %bits); + +sub parse_cgi_content { + my %bits; + if ($content =~ qr{}) { + $bits{basehref} = $1; + } + if ($content =~ qr{href="([^"]+/style.css)"}) { + $bits{stylehref} = $1; + } + if ($content =~ qr{class="parentlinks">\s+this is the name of my wiki/}s) { + $bits{tophref} = $1; + } + if ($content =~ qr{]+href="([^"]+)\?do=prefs"}) { + $bits{cgihref} = $1; + } + return %bits; +} + +ok(! system("make -s ikiwiki.out")); +ok(! system("rm -rf t/tmp")); +ok(! system("mkdir t/tmp")); + +sub write_old_file { + my $name = shift; + my $content = shift; + + writefile($name, "t/tmp/in", $content); + ok(utime(333333333, 333333333, "t/tmp/in/$name")); +} + +write_old_file("a.mdwn", "A"); +write_old_file("a/b.mdwn", "B"); +write_old_file("a/b/c.mdwn", +"* A: [[a]]\n". +"* B: [[b]]\n". +"* E: [[a/d/e]]\n"); +write_old_file("a/d.mdwn", "D"); +write_old_file("a/d/e.mdwn", "E"); + +####################################################################### +# site 1: a perfectly ordinary ikiwiki + +writefile("test.setup", "t/tmp", < on static HTML +unlike($content, qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"}); +# cross-links between static pages are relative +like($content, qr{
  • A: a
  • }); +like($content, qr{
  • B: b
  • }); +like($content, qr{
  • E: e
  • }); + +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '80'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'example.com'; +}); +%bits = parse_cgi_content($content); +is($bits{basehref}, "http://example.com/wiki/"); +like($bits{stylehref}, qr{^(?:(?:http:)?//example.com)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:/wiki|\.)/$}); +like($bits{cgihref}, qr{^(?:(?:http:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + +# when accessed via HTTPS, links are secure +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '443'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'example.com'; + $ENV{HTTPS} = 'on'; +}); +%bits = parse_cgi_content($content); +is($bits{basehref}, "https://example.com/wiki/"); +like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:/wiki|\.)/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + +# when accessed via a different hostname, links stay on that host +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '80'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'staging.example.net'; +}); +%bits = parse_cgi_content($content); +is($bits{basehref}, "http://staging.example.net/wiki/"); +like($bits{stylehref}, qr{^(?:(?:http:)?//staging.example.net)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:/wiki|\.)/$}); +like($bits{cgihref}, qr{^(?:(?:http:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); + +# previewing a page +$in = 'do=edit&page=a/b/c&Preview'; +run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'POST'; + $ENV{SERVER_PORT} = '80'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{HTTP_HOST} = 'example.com'; + $ENV{CONTENT_LENGTH} = length $in; +}); +%bits = parse_cgi_content($content); +is($bits{basehref}, "http://example.com/wiki/a/b/c/"); +like($bits{stylehref}, qr{^(?:(?:http:)?//example.com)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); +like($bits{cgihref}, qr{^(?:(?:http:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + +####################################################################### +# site 2: static content and CGI are on different servers + +writefile("test.setup", "t/tmp", < on static HTML +unlike($content, qr{]+href="(?:http:)?//cgi.example.com/ikiwiki.cgi\?do=prefs"}); +# cross-links between static pages are still relative +like($content, qr{
  • A: a
  • }); +like($content, qr{
  • B: b
  • }); +like($content, qr{
  • E: e
  • }); + +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '80'; + $ENV{SCRIPT_NAME} = '/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'cgi.example.com'; +}); +%bits = parse_cgi_content($content); +like($bits{basehref}, qr{^http://static.example.com/$}); +like($bits{stylehref}, qr{^(?:(?:http:)?//static.example.com)?/style.css$}); +like($bits{tophref}, qr{^(?:http:)?//static.example.com/$}); +like($bits{cgihref}, qr{^(?:(?:http:)?//cgi.example.com)?/ikiwiki.cgi$}); + +# when accessed via HTTPS, links are secure +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '443'; + $ENV{SCRIPT_NAME} = '/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'cgi.example.com'; + $ENV{HTTPS} = 'on'; +}); +%bits = parse_cgi_content($content); +TODO: { +local $TODO = "avoid mixed content"; +like($bits{basehref}, qr{^https://static.example.com/$}); +like($bits{stylehref}, qr{^(?:(?:https:)?//static.example.com)?/style.css$}); +like($bits{tophref}, qr{^(?:https:)?//static.example.com/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//cgi.example.com)?/ikiwiki.cgi$}); +} + +# when accessed via a different hostname, links to the CGI (only) should +# stay on that host? +$in = 'do=edit&page=a/b/c&Preview'; +run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'POST'; + $ENV{SERVER_PORT} = '80'; + $ENV{SCRIPT_NAME} = '/ikiwiki.cgi'; + $ENV{HTTP_HOST} = 'staging.example.net'; + $ENV{HTTPS} = 'on'; + $ENV{CONTENT_LENGTH} = length $in; +}); +like($bits{basehref}, qr{^http://static.example.com/$}); +like($bits{stylehref}, qr{^(?:(?:http:)?//static.example.com)?/style.css$}); +like($bits{tophref}, qr{^(?:http:)?//static.example.com/$}); +TODO: { +local $TODO = "use self-referential CGI URL?"; +like($bits{cgihref}, qr{^(?:(?:http:)?//staging.example.net)?/ikiwiki.cgi$}); +} + +####################################################################### +# site 3: we specifically want everything to be secure + +writefile("test.setup", "t/tmp", < on static HTML +unlike($content, qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"}); +# cross-links between static pages are relative +like($content, qr{
  • A: a
  • }); +like($content, qr{
  • B: b
  • }); +like($content, qr{
  • E: e
  • }); + +# when accessed via HTTPS, links are secure +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '443'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'example.com'; + $ENV{HTTPS} = 'on'; +}); +%bits = parse_cgi_content($content); +is($bits{basehref}, "https://example.com/wiki/"); +like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:/wiki|\.)/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + +# when not accessed via HTTPS, links should still be secure +# (but if this happens, that's a sign of web server misconfiguration) +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '80'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'example.com'; +}); +%bits = parse_cgi_content($content); +like($bits{tophref}, qr{^(?:/wiki|\.)/$}); +TODO: { +local $TODO = "treat https in configured url, cgiurl as required?"; +is($bits{basehref}, "https://example.com/wiki/"); +like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +} +like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + +# when accessed via a different hostname, links stay on that host +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '443'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'staging.example.net'; + $ENV{HTTPS} = 'on'; +}); +%bits = parse_cgi_content($content); +is($bits{basehref}, "https://staging.example.net/wiki/"); +like($bits{stylehref}, qr{^(?:(?:https:)?//staging.example.net)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:/wiki|\.)/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); + +# previewing a page +$in = 'do=edit&page=a/b/c&Preview'; +run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'POST'; + $ENV{SERVER_PORT} = '443'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{HTTP_HOST} = 'example.com'; + $ENV{CONTENT_LENGTH} = length $in; + $ENV{HTTPS} = 'on'; +}); +%bits = parse_cgi_content($content); +is($bits{basehref}, "https://example.com/wiki/a/b/c/"); +like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + +####################################################################### +# site 4 (NetBSD wiki): CGI is secure, static content doesn't have to be + +writefile("test.setup", "t/tmp", < on static HTML +unlike($content, qr{]+href="https://example.com/cgi-bin/ikiwiki.cgi\?do=prefs"}); +# cross-links between static pages are relative +like($content, qr{
  • A: a
  • }); +like($content, qr{
  • B: b
  • }); +like($content, qr{
  • E: e
  • }); + +# when accessed via HTTPS, links are secure (to avoid mixed-content) +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '443'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'example.com'; + $ENV{HTTPS} = 'on'; +}); +%bits = parse_cgi_content($content); +TODO: { +local $TODO = "avoid mixed content"; +is($bits{basehref}, "https://example.com/wiki/"); +like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:/wiki|\.)/$}); +} +like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + +# when not accessed via HTTPS, ??? +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '80'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'example.com'; +}); +%bits = parse_cgi_content($content); +like($bits{basehref}, qr{^https?://example.com/wiki/$}); +like($bits{stylehref}, qr{^(?:(?:https?:)?//example.com)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:(?:https?://example.com)?/wiki|\.)/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + +# when accessed via a different hostname, links stay on that host +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '443'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'staging.example.net'; + $ENV{HTTPS} = 'on'; +}); +%bits = parse_cgi_content($content); +TODO: { +local $TODO = "avoid mixed content"; +like($bits{basehref}, qr{^https://example.com/wiki/$}); +like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:(?:(?:https:)?//example.com)?/wiki|\.)/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); +} + +# previewing a page +$in = 'do=edit&page=a/b/c&Preview'; +run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'POST'; + $ENV{SERVER_PORT} = '443'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{HTTP_HOST} = 'example.com'; + $ENV{CONTENT_LENGTH} = length $in; + $ENV{HTTPS} = 'on'; +}); +%bits = parse_cgi_content($content); +TODO: { +local $TODO = "avoid mixed content"; +is($bits{basehref}, "https://example.com/wiki/a/b/c/"); +like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +} +like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); + +# Deliberately not testing https static content with http cgiurl, +# because that makes remarkably little sense. + +####################################################################### +# site 5: w3mmode, as documented in [[w3mmode]] + +writefile("test.setup", "t/tmp", < on static HTML +unlike($content, qr{]+href="(?:file://)?/\$LIB/ikiwiki-w3m.cgi/ikiwiki.cgi\?do=prefs"}); +# cross-links between static pages are still relative +like($content, qr{
  • A: a
  • }); +like($content, qr{
  • B: b
  • }); +like($content, qr{
  • E: e
  • }); + +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{PATH_INFO} = '/ikiwiki.cgi'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki-w3m.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; +}); +%bits = parse_cgi_content($content); +like($bits{tophref}, qr{^(?:\Q$pwd\E/t/tmp/out|\.)/$}); +like($bits{cgihref}, qr{^(?:file://)?/\$LIB/ikiwiki-w3m.cgi/ikiwiki.cgi$}); +TODO: { +local $TODO = "should be file:///"; +like($bits{basehref}, qr{^(?:(?:file:)?//)?\Q$pwd\E/t/tmp/out/$}); +like($bits{stylehref}, qr{^(?:(?:(?:file:)?//)?\Q$pwd\E/t/tmp/out|\.)/style.css$}); +} + +####################################################################### +# site 6: we're behind a reverse-proxy + +writefile("test.setup", "t/tmp", < on static HTML +unlike($content, qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"}); +# cross-links between static pages are relative +like($content, qr{
  • A: a
  • }); +like($content, qr{
  • B: b
  • }); +like($content, qr{
  • E: e
  • }); + +# because we are behind a reverse-proxy we must assume that +# we're being accessed by the configured cgiurl +run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'GET'; + $ENV{SERVER_PORT} = '80'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{QUERY_STRING} = 'do=prefs'; + $ENV{HTTP_HOST} = 'localhost'; +}); +%bits = parse_cgi_content($content); +like($bits{tophref}, qr{^(?:/wiki|\.)/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); +TODO: { +local $TODO = "reverse-proxy support needed"; +is($bits{basehref}, "https://example.com/wiki/"); +like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +} + +# previewing a page +$in = 'do=edit&page=a/b/c&Preview'; +run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { + $ENV{REQUEST_METHOD} = 'POST'; + $ENV{SERVER_PORT} = '80'; + $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi'; + $ENV{HTTP_HOST} = 'localhost'; + $ENV{CONTENT_LENGTH} = length $in; +}); +%bits = parse_cgi_content($content); +like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); +like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); +TODO: { +local $TODO = "reverse-proxy support needed"; +is($bits{basehref}, "https://example.com/wiki/a/b/c/"); +like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); +} + +done_testing; -- 2.39.5