Ejemplo n.º 1
0
defined('APPLICATION_ENV') || define('APPLICATION_ENV', getenv('APPLICATION_ENV') ? strtolower(getenv('APPLICATION_ENV')) : 'production');
defined('ENT_HTML5') || define('ENT_HTML5', 0);
// Set the include path, so BeeHub* classes are automatically loaded
set_include_path(realpath(dirname(dirname(__FILE__))) . PATH_SEPARATOR . dirname(__FILE__) . PATH_SEPARATOR . get_include_path());
require_once dirname(dirname(__FILE__)) . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
DAV::bootstrap();
set_exception_handler(array('BeeHub', 'exception_handler'));
// We need SimpleSamlPHP
require_once BeeHub::$CONFIG['environment']['simplesamlphp'] . 'lib' . DIRECTORY_SEPARATOR . '_autoload.php';
if (isset($_SERVER['HTTP_ORIGIN']) && !empty($_SERVER['HTTP_ORIGIN']) && parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST) != $_SERVER['SERVER_NAME']) {
    die('Cross Origin Resourc Sharing prohibited!');
}
DAV::$PROTECTED_PROPERTIES[DAV::PROP_GROUP_MEMBER_SET] = true;
DAV::$ACL_PROPERTIES[BeeHub::PROP_SPONSOR] = 'sponsor';
DAV::addSupported_Properties(BeeHub::PROP_SPONSOR, 'sponsor');
BeeHub::handle_method_spoofing();
DAV::$REGISTRY = BeeHub_Registry::inst();
DAV::$LOCKPROVIDER = BeeHub_Lock_Provider::inst();
DAV::$ACLPROVIDER = BeeHub_ACL_Provider::inst();
DAV::$UNAUTHORIZED = array(BeeHub::getAuth(), 'unauthorized');
// In case of POST requests, we can already check the POST authentication code
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!BeeHub::getAuth()->checkPostAuthCode()) {
        throw new DAV_Status(DAV::HTTP_FORBIDDEN, 'POST authentication code (POST_auth_code) was incorrect. The correct code can be obtained with a GET request to /system/?POST_auth_code');
    }
}
// Prepare test environments if needed
if (APPLICATION_ENV === BeeHub::ENVIRONMENT_TEST && isset($_GET['test'])) {
    if (substr($_SERVER['REQUEST_URI'], 0, 19) !== '/foo/client_tests/?') {
        header('Location: /foo/client_tests/?' . $_SERVER['QUERY_STRING']);
        die;
Ejemplo n.º 2
0
 public function testHandle_method_spoofing()
 {
     $_GET = array();
     $_GET['_method'] = 'PROPFIND';
     $_GET['other_variable'] = 'some value';
     $_SERVER['REQUEST_METHOD'] = 'GET';
     $_SERVER['QUERY_STRING'] = \http_build_query($_GET);
     $_SERVER['REQUEST_URI'] = '/some/path?' . $_SERVER['QUERY_STRING'];
     \BeeHub::handle_method_spoofing();
     $this->assertSame('GET', $_SERVER['REQUEST_METHOD'], 'Method spoofing should only be possible when the original method was POST');
     $this->assertSame('PROPFIND', $_GET['_method'], "No method spoofing? Then \$_GET['_method'] should stay as it was");
     $_SERVER['REQUEST_METHOD'] = 'POST';
     \BeeHub::handle_method_spoofing();
     $this->assertSame('POST', $_SERVER['ORIGINAL_REQUEST_METHOD'], "\$_SERVER['ORIGINAL_REQUEST_METHOD'] should be set when doing method spoofing");
     $this->assertSame('PROPFIND', $_SERVER['REQUEST_METHOD'], 'Method should be spoofed to PROPFIND');
     $this->assertSame('other_variable=some+value', $_SERVER['QUERY_STRING'], "\$_SERVER['QUERY_STRING'] should not contain the _method part anymore");
     $this->assertSame('/some/path?other_variable=some+value', $_SERVER['REQUEST_URI'], "\$_SERVER['REQUEST_URI'] should not contain the _method part anymore");
     $this->assertNull(@$_GET['_method'], "\$_GET['_method'] should be cleared when doing method spoofing");
     $this->assertSame('some value', $_GET['other_variable'], "Other \$_GET keys should remain when doing method spoofing");
     $_GET = array();
     $_GET['_method'] = 'GET';
     $_GET['other_variable'] = 'some value';
     $originalPost = array();
     $originalPost['post_variable'] = 'also has some value';
     $_POST = $originalPost;
     $_SERVER['REQUEST_METHOD'] = 'POST';
     $_SERVER['QUERY_STRING'] = \http_build_query($_GET);
     $_SERVER['REQUEST_URI'] = '/some/path?' . $_SERVER['QUERY_STRING'];
     \BeeHub::handle_method_spoofing();
     $this->assertSame('GET', $_SERVER['REQUEST_METHOD'], 'Method should be spoofed to GET');
     $this->assertSame(array(), $_POST, "\$_POST should be cleared when method is spoofed to GET");
     $this->assertSame($originalPost, $_GET, "\$_GET should contain all the variables originally POSTed");
     $this->assertSame('post_variable=also+has+some+value', $_SERVER['QUERY_STRING'], "\$_SERVER['QUERY_STRING'] should reflect the original \$_POST");
     $this->assertSame('/some/path?post_variable=also+has+some+value', $_SERVER['REQUEST_URI'], "\$_SERVER['REQUEST_URI'] should reflect the original \$_POST");
 }