1.20.x common.test CommonURLUnitTestCase::testBackdropParseUrl()

Test backdrop_parse_url().

File

modules/simpletest/tests/common.test, line 338
Tests for common.inc functionality.

Class

CommonURLUnitTestCase
All URL testing that does not require a Backdrop bootstrap.

Code

function testBackdropParseUrl() {
  // Relative URL.
  $url = 'foo/bar?foo=bar&bar=baz&baz#foo';
  $result = array(
    'path' => 'foo/bar',
    'query' => array('foo' => 'bar', 'bar' => 'baz', 'baz' => ''),
    'fragment' => 'foo',
  );
  $this->assertEqual(backdrop_parse_url($url), $result, 'Relative URL parsed correctly.');

  // Relative URL that is known to confuse parse_url().
  $url = 'foo/bar:1';
  $result = array(
    'path' => 'foo/bar:1',
    'query' => array(),
    'fragment' => '',
  );
  $this->assertEqual(backdrop_parse_url($url), $result, 'Relative URL parsed correctly.');

  // Absolute URL.
  $url = '/foo/bar?foo=bar&bar=baz&baz#foo';
  $result = array(
    'path' => '/foo/bar',
    'query' => array('foo' => 'bar', 'bar' => 'baz', 'baz' => ''),
    'fragment' => 'foo',
  );
  $this->assertEqual(backdrop_parse_url($url), $result, 'Absolute URL parsed correctly.');

  // External URL testing.
  $url = 'https://backdropcms.org/foo/bar?foo=bar&bar=baz&baz#foo';

  // Test that Backdrop can recognize an absolute URL. Used to prevent attack
  // vectors.
  $this->assertTrue(url_is_external($url), 'Correctly identified an external URL.');

  // External URL without an explicit protocol.
  $url = '//backdropcms.org/foo/bar?foo=bar&bar=baz&baz#foo';
  $this->assertTrue(url_is_external($url), 'Correctly identified an external URL without a protocol part.');

  // Internal URL starting with a slash.
  $url = '/backdropcms.org';
  $this->assertFalse(url_is_external($url), 'Correctly identified an internal URL with a leading slash.');

  // Test the parsing of absolute URLs.
  $url = 'https://backdropcms.org/foo/bar?foo=bar&bar=baz&baz#foo';
  $result = array(
    'path' => 'https://backdropcms.org/foo/bar',
    'query' => array('foo' => 'bar', 'bar' => 'baz', 'baz' => ''),
    'fragment' => 'foo',
  );
  $this->assertEqual(backdrop_parse_url($url), $result, 'External URL parsed correctly.');

  // Verify proper parsing of URLs when clean URLs are disabled.
  $result = array(
    'path' => 'foo/bar',
    'query' => array('bar' => 'baz'),
    'fragment' => 'foo',
  );
  // Non-clean URLs #1: Absolute URL generated by url().
  $url = $GLOBALS['base_url'] . '/?q=foo/bar&bar=baz#foo';
  $this->assertEqual(backdrop_parse_url($url), $result, 'Absolute URL with clean URLs disabled parsed correctly.');

  // Non-clean URLs #2: Relative URL generated by url().
  $url = '?q=foo/bar&bar=baz#foo';
  $this->assertEqual(backdrop_parse_url($url), $result, 'Relative URL with clean URLs disabled parsed correctly.');

  // Non-clean URLs #3: URL generated by url() on non-Apache webserver.
  $url = 'index.php?q=foo/bar&bar=baz#foo';
  $this->assertEqual(backdrop_parse_url($url), $result, 'Relative URL on non-Apache webserver with clean URLs disabled parsed correctly.');

  // Test that backdrop_parse_url() does not allow spoofing a URL to force a malicious redirect.
  $parts = backdrop_parse_url('forged:http://cwe.mitre.org/data/definitions/601.html');
  $this->assertFalse(valid_url($parts['path'], TRUE), 'backdrop_parse_url() correctly parsed a forged URL.');
}