class FileIncludeGadgetChainTest
Same name and namespace in other branches
- 11.x core/tests/Drupal/KernelTests/Core/Extension/FileIncludeGadgetChainTest.php \Drupal\KernelTests\Core\Extension\FileIncludeGadgetChainTest
Tests protection against the Drupal/FI1 gadget chain (phpggc's file-include chain, which reaches an include through Drupal\Core\Extension\ProceduralCall).
Attributes
#[Group('File')]
#[RunTestsInSeparateProcesses]
Hierarchy
- class \Drupal\KernelTests\KernelTestBase implements \Drupal\Core\DependencyInjection\ServiceProviderInterface uses \Drupal\Tests\DrupalTestCaseTrait, \Drupal\KernelTests\AssertContentTrait, \Drupal\Tests\RandomGeneratorTrait, \Drupal\Tests\ConfigTestTrait, \Drupal\Tests\ExtensionListTestTrait, \Prophecy\PhpUnit\ProphecyTrait, \Drupal\Tests\BrowserHtmlDebugTrait, \Drupal\Tests\HttpKernelUiHelperTrait extends \PHPUnit\Framework\TestCase
- class \Drupal\KernelTests\Core\Extension\FileIncludeGadgetChainTest extends \Drupal\KernelTests\KernelTestBase
File
core/tests/Drupal/KernelTests/Core/Extension/FileIncludeGadgetChainTest.php, line 19
Namespace
Drupal\KernelTests\Core\Extension
namespace Drupal\KernelTests\Core\Extension;

use Drupal\Core\Site\Settings;
use Drupal\KernelTests\KernelTestBase;
use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\Attributes\Group;
use PHPUnit\Framework\Attributes\RunTestsInSeparateProcesses;

/**
 * Tests protection against the Drupal/FI1 gadget chain.
 */
#[Group('File')]
#[RunTestsInSeparateProcesses]
class FileIncludeGadgetChainTest extends KernelTestBase {

  /**
   * Provider for paths to include.
   *
   * @return array
   *   Paths for test files to try and include with the gadget chain.
   */
  public static function providerIncludePaths(): array {
    return [
      // A stream wrapper URI, resolved by the public:// wrapper at include time.
      ['public://cuckoo.txt'],
      // A plain filesystem path under the configured public files directory.
      ['PUBLIC_PLACEHOLDER/cuckoo.jpg'],
    ];
  }

  /**
   * Tests unserializing a Drupal/FI1 payload.
   */
  #[DataProvider('providerIncludePaths')]
  public function testFileDeleteGadgetChain(string $path): void {
    $path = str_replace('PUBLIC_PLACEHOLDER', Settings::get('file_public_path'), $path);
    // The canary: if this file is ever included it prints "this should not be".
    // cspell:disable-next-line
    file_put_contents($path, "<?php print base64_decode('dGhpcyBzaG91bGQgbm90IGJl');?>");
    $output = '';
    // Generated with: ./phpggc Drupal/FI1 public://canary.txt
    // The chain ends in ProceduralCall::__call('destroy'), which includes the
    // file stored under the 'destroy' key before calling the function.
    $payload = 'O:36:"Drupal\\views\\DisplayPluginCollection":1:{s:15:"pluginInstances";a:1:{i:0;O:36:"Drupal\\Core\\Extension\\ProceduralCall":1:{s:8:"includes";a:1:{s:7:"destroy";PATH_PLACEHOLDER;}}}}';
    // Serialized strings carry their byte length, e.g. s:19:"public://cuckoo.txt".
    $payload = str_replace('PATH_PLACEHOLDER', 's:' . strlen($path) . ':"' . $path . '"', $payload);
    ob_start();
    try {
      unserialize($payload);
    }
    catch (\Throwable) {
      // Error: Call to undefined function \destroy()
      // BadMethodCallException: Cannot unserialize Drupal\Core\Extension\ProceduralCall
    }
    $output = ob_get_clean();
    // Whatever was thrown, the canary must not have been included and run.
    $this->assertNotEquals('this should not be', $output);
  }

}
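As an added example (not part of this page and not Drupal core code), the following stand-alone PHP script models the object shape that the payload above spells out, using the hypothetical classes ProceduralCallModel and PluginCollectionModel in place of the real Drupal classes: a collection whose destructor calls destroy() on each item, and a proxy whose __call() includes a file named in untrusted data before calling the function. It rebuilds the chain with serialize() instead of a hand-written string, then runs it the same way the test does, once as-is and once with the allowed_classes option of unserialize() set to false. The canary file, the class names and the helpers buildPayload() and runPayload() are assumptions of this example.

```php
<?php
// Added example, not Drupal code. Hypothetical model of the Drupal/FI1 shape.
declare(strict_types=1);

// Hypothetical stand-in for the proxy class at the end of the chain.
class ProceduralCallModel {
  /** @var array<string, string> function name => file included before the call */
  public array $includes = [];

  public function __call(string $name, array $args): mixed {
    if (isset($this->includes[$name])) {
      // The sink: this path came straight out of the serialized payload.
      include_once $this->includes[$name];
    }
    // Fails with "Call to undefined function destroy()" when the included
    // file defines no such function, just like the comment in the test.
    return $name(...$args);
  }
}

// Hypothetical stand-in for the collection class at the start of the chain.
class PluginCollectionModel {
  /** @var list<object> */
  public array $pluginInstances = [];

  public function __destruct() {
    foreach ($this->pluginInstances as $instance) {
      // No destroy() method on the proxy, so this lands in __call('destroy').
      $instance->destroy();
    }
  }
}

// Builds the same chain the page's string literal writes by hand; serialize()
// does the s:N:"..." length bookkeeping itself.
function buildPayload(string $path): string {
  $proxy = new ProceduralCallModel();
  $proxy->includes = ['destroy' => $path];
  $collection = new PluginCollectionModel();
  $collection->pluginInstances = [$proxy];
  return serialize($collection);
}

// Mirrors the test method: capture everything printed while the payload is
// unserialized and its result is freed, swallowing whatever is thrown.
function runPayload(string $payload, bool $restrictClasses): string {
  ob_start();
  try {
    if ($restrictClasses) {
      // Hardened call: no class is instantiated, every O:... becomes
      // __PHP_Incomplete_Class, which has no __destruct or __call to abuse.
      unserialize($payload, ['allowed_classes' => FALSE]);
    }
    else {
      unserialize($payload);
    }
  }
  catch (\Throwable) {
    // Error from the undefined destroy(), or a guard exception.
  }
  return (string) ob_get_clean();
}

// Constructed canary file, same base64 trick as the test ("this should not be").
$canary = tempnam(sys_get_temp_dir(), 'cuckoo');
file_put_contents($canary, "<?php print base64_decode('dGhpcyBzaG91bGQgbm90IGJl');?>");
$payload = buildPayload($canary);

$unprotected = runPayload($payload, FALSE);
$restricted = runPayload($payload, TRUE);
unlink($canary);

printf("unprotected run printed the canary: %s\n", var_export($unprotected === 'this should not be', TRUE));
printf("allowed_classes=false run printed nothing: %s\n", var_export($restricted === '', TRUE));
```

Run it with the php CLI. In the unprotected run the collection returned by unserialize() is freed at once, its destructor reaches __call('destroy'), the canary is included and printed, and the Error from the missing destroy() is swallowed by the catch, which is why the page's test asserts on the captured output rather than on which exception arrived. Drupal's own fix is the guard the test's catch block mentions (BadMethodCallException: Cannot unserialize Drupal\Core\Extension\ProceduralCall); allowed_classes => false is the generic defence when your code owns the unserialize() call, since it disarms every gadget chain rather than one class.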