if (php_sapi_name() === 'cli') { exit('ERROR: This script must be run from the browser.' . PHP_EOL); } $ESAPI = new ESAPI(__DIR__ . "/testresources/ESAPI.xml"); ob_start(); session_start(); $view = ''; $tests = null; if (isset($_SESSION) && isset($_SESSION['tests'])) { $tests =& $_SESSION['tests']; } else { $tests = array('csi' => 'changeSessionIdentifier', 'token' => 'verifyCSRFToken', 'cookie' => 'killAllCookies (incl. killCookie)', 'log' => 'logHTTPRequest', 'logo' => 'logHTTPRequestObfuscate'); $_SESSION['tests'] =& $tests; } $util = ESAPI::getHTTPUtilities(); $req = new SafeRequest(); $uri = ESAPI::getEncoder()->encodeForHTML($req->getRequestURI()); if ($req->getParameter('req') == 'test1') { try { $util->verifyCSRFToken($req); $view .= '<p>Your Request contained the CSRF token we have in your session. Good!</p>'; } catch (IntrusionException $e) { $view .= '<p>Your Request did NOT contain the CSRF token we have in your session. Did you tamper??</p>'; } $tests['token'] .= ' - DONE'; $oldSessID = session_id(); $sr = $util->changeSessionIdentifier(); if ($sr === true) { $view .= '<p>Your session was regenerated. ID went from: '; $view .= ESAPI::getEncoder()->encodeForHTML($oldSessID); $view .= ' to: ';
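/**
 * Format the Source IP address, URL, URL parameters, and all form parameters
 * into a string suitable for the log file. The list of parameters to obfuscate
 * should be specified in order to prevent sensitive information from being
 * logged. If a NULL or empty list of parameters is provided, then all
 * parameters will be logged in the clear. If HTTP request logging is done in a
 * central place $paramsToObfuscate could be made a configuration parameter. We
 * include it here in case different parts of the application need to obfuscate
 * different parameters.
 *
 * Cookies are appended after the parameters as "+name=value". The session
 * cookie is omitted entirely, and any cookie whose name appears in
 * $paramsToObfuscate has its value masked exactly like a request parameter,
 * so that an auth or remember-me cookie listed there never reaches the log.
 *
 * @param SafeRequest $request           Current Request object.
 * @param Auditor     $auditor           The auditor to write the request to.
 * @param array|NULL  $paramsToObfuscate Names of sensitive parameters/cookies.
 *
 * @return void
 *
 * @throws InvalidArgumentException if $request is not a SafeRequest, $auditor
 *                                  is not an Auditor, or $paramsToObfuscate is
 *                                  neither an array nor null.
 */
public function logHTTPRequestObfuscate($request, $auditor, $paramsToObfuscate)
{
    if (!($request instanceof SafeRequest)) {
        throw new InvalidArgumentException('logHTTPRequestObfuscate expects an instance of SafeRequest.');
    }
    if (!($auditor instanceof Auditor)) {
        throw new InvalidArgumentException('logHTTPRequestObfuscate expects an instance of Auditor.');
    }
    if ($paramsToObfuscate === null) {
        $paramsToObfuscate = array();
    } elseif (!is_array($paramsToObfuscate)) {
        throw new InvalidArgumentException('logHTTPRequestObfuscate expects an array $paramsToObfuscate or null.');
    }

    // "ADDR METHOD PATH" - each piece is only followed by a space when
    // something has already been written.
    $msg = '';
    $msg .= $request->getRemoteAddr();
    if ($msg !== '') {
        $msg .= ' ';
    }
    $msg .= $request->getMethod();
    if ($msg !== '') {
        $msg .= ' ';
    }

    $path = $request->getRequestURI() . $request->getPathInfo();
    $msg .= $path;

    $params = $request->getParameterMap();
    if ($path !== '' && count($params) > 0) {
        $msg .= '?';
    } elseif ($msg !== '') {
        $msg .= ' ';
    }

    $paramBuilder = array();
    foreach ($params as $pName => $pValues) {
        foreach ($pValues as $pval) {
            // An empty value is logged as the bare name; there is nothing to mask.
            // Cast first so that null and '' behave alike without a loose ==.
            if ((string) $pval === '') {
                $paramBuilder[] = "{$pName}";
                continue;
            }
            // Strict comparison: a numeric parameter name is an int key here.
            if (in_array($pName, $paramsToObfuscate, true)) {
                $paramBuilder[] = "{$pName}=********";
            } else {
                $paramBuilder[] = "{$pName}={$pval}";
            }
        }
    }
    $msg .= implode('&', $paramBuilder);

    // Cookies: skip the session cookie, mask any listed in $paramsToObfuscate.
    $cookies = $request->getCookies();
    $sessName = session_name();
    foreach ($cookies as $cName => $cValue) {
        if ($cName === $sessName) {
            continue;
        }
        if (in_array($cName, $paramsToObfuscate, true)) {
            $cValue = '********';
        }
        $msg .= "+{$cName}={$cValue}";
    }

    $auditor->info(Auditor::SECURITY, true, $msg);
}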
/**
 * Test of SafeRequest::getServerGlobal() with valid input.
 *
 * A percent-encoded PHP_SELF is injected through the 'env' array and the
 * accessor is expected to return it as a plain, decoded string.
 *
 * @return bool true True on Pass.
 */
function testGetServerGlobalInputValid()
{
    $serverVars = array('PHP_SELF' => '/foo%2fbar');
    $request = new SafeRequest(array('env' => $serverVars));

    $decoded = $request->getServerGlobal('PHP_SELF');

    $this->assertInternalType('string', $decoded);
    $this->assertEquals('/foo/bar', $decoded);
}