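// Request bootstrap: defines environment constants, wires up autoloading and
// the DAV/BeeHub providers, and runs the early request checks (Origin host,
// POST authentication code) before any request handling shown here.

// APPLICATION_ENV comes from the process environment (lower-cased) and falls
// back to 'production' when the variable is unset or empty.
defined('APPLICATION_ENV') || define('APPLICATION_ENV', getenv('APPLICATION_ENV') ? strtolower(getenv('APPLICATION_ENV')) : 'production');
// Fallback definition for runtimes where ENT_HTML5 is not defined
// (presumably PHP versions that predate the constant).
defined('ENT_HTML5') || define('ENT_HTML5', 0);

// Set the include path, so BeeHub* classes are automatically loaded
set_include_path(realpath(dirname(dirname(__FILE__))) . PATH_SEPARATOR . dirname(__FILE__) . PATH_SEPARATOR . get_include_path());
require_once dirname(dirname(__FILE__)) . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';

DAV::bootstrap();
set_exception_handler(array('BeeHub', 'exception_handler'));

// We need SimpleSamlPHP
require_once BeeHub::$CONFIG['environment']['simplesamlphp'] . 'lib' . DIRECTORY_SEPARATOR . '_autoload.php';

// Reject requests whose Origin header names a different host than this server.
// The comparison is strict: parse_url() yields null/false for an Origin it
// cannot parse, and a loose != would treat that as equal to an empty
// SERVER_NAME (and would compare numeric-looking strings by value).
// Only the host component is compared; scheme and port are ignored, and a
// request without an Origin header is not rejected by this check.
// NOTE(review): depending on web-server configuration SERVER_NAME may be taken
// from the request's Host header - confirm it is pinned to the canonical name.
if (!empty($_SERVER['HTTP_ORIGIN']) && parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST) !== $_SERVER['SERVER_NAME']) {
    die('Cross Origin Resourc Sharing prohibited!');
}

DAV::$PROTECTED_PROPERTIES[DAV::PROP_GROUP_MEMBER_SET] = true;
DAV::$ACL_PROPERTIES[BeeHub::PROP_SPONSOR] = 'sponsor';
DAV::addSupported_Properties(BeeHub::PROP_SPONSOR, 'sponsor');
BeeHub::handle_method_spoofing();
DAV::$REGISTRY = BeeHub_Registry::inst();
DAV::$LOCKPROVIDER = BeeHub_Lock_Provider::inst();
DAV::$ACLPROVIDER = BeeHub_ACL_Provider::inst();
DAV::$UNAUTHORIZED = array(BeeHub::getAuth(), 'unauthorized');

// In case of POST requests, we can already check the POST authentication code
// NOTE(review): BeeHub::handle_method_spoofing() has already run at this point.
// Its unit test shows it replacing REQUEST_METHOD for a POST that carries
// _method and keeping the original in ORIGINAL_REQUEST_METHOD, so such a
// request does not enter this branch. Confirm that is intended, or that the
// methods reachable through _method are limited to ones that change no state.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!BeeHub::getAuth()->checkPostAuthCode()) {
        throw new DAV_Status(DAV::HTTP_FORBIDDEN, 'POST authentication code (POST_auth_code) was incorrect. The correct code can be obtained with a GET request to /system/?POST_auth_code');
    }
}

// Prepare test environments if needed
if (APPLICATION_ENV === BeeHub::ENVIRONMENT_TEST && isset($_GET['test'])) {
    // 19 is the length of the '/foo/client_tests/?' prefix being tested for.
    if (substr($_SERVER['REQUEST_URI'], 0, 19) !== '/foo/client_tests/?') {
        // The request's query string is appended unchanged; the path part of
        // the redirect target is fixed.
        header('Location: /foo/client_tests/?' . $_SERVER['QUERY_STRING']);
        die;
        // (the listing is cut off here; the rest of this block is not shown)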
/**
 * Exercises \BeeHub::handle_method_spoofing() against the request superglobals.
 *
 * Three scenarios run in sequence, each building on the global state left by
 * the previous one:
 *  1. a real GET carrying `_method` is left untouched;
 *  2. a real POST carrying `_method=PROPFIND` is rewritten to PROPFIND, the
 *     original method is recorded and `_method` is stripped from the query;
 *  3. a real POST carrying `_method=GET` becomes a GET whose query parameters
 *     are the originally POSTed fields, with $_POST emptied.
 *
 * NOTE(review): the cases here do not pin which target methods may be spoofed;
 * if handle_method_spoofing() restricts them, a rejecting case would document it.
 */
public function testHandle_method_spoofing() {
    // Scenario 1: _method on a genuine GET must be ignored.
    $_GET = array(
        '_method' => 'PROPFIND',
        'other_variable' => 'some value',
    );
    $_SERVER['REQUEST_METHOD'] = 'GET';
    $queryString = \http_build_query($_GET);
    $_SERVER['QUERY_STRING'] = $queryString;
    $_SERVER['REQUEST_URI'] = '/some/path?' . $queryString;

    \BeeHub::handle_method_spoofing();

    $this->assertSame('GET', $_SERVER['REQUEST_METHOD'], 'Method spoofing should only be possible when the original method was POST');
    $this->assertSame('PROPFIND', $_GET['_method'], "No method spoofing? Then \$_GET['_method'] should stay as it was");

    // Scenario 2: same query, but now the real method is POST.
    $_SERVER['REQUEST_METHOD'] = 'POST';

    \BeeHub::handle_method_spoofing();

    $this->assertSame('POST', $_SERVER['ORIGINAL_REQUEST_METHOD'], "\$_SERVER['ORIGINAL_REQUEST_METHOD'] should be set when doing method spoofing");
    $this->assertSame('PROPFIND', $_SERVER['REQUEST_METHOD'], 'Method should be spoofed to PROPFIND');
    $this->assertSame('other_variable=some+value', $_SERVER['QUERY_STRING'], "\$_SERVER['QUERY_STRING'] should not contain the _method part anymore");
    $this->assertSame('/some/path?other_variable=some+value', $_SERVER['REQUEST_URI'], "\$_SERVER['REQUEST_URI'] should not contain the _method part anymore");
    // Read the key without raising a notice when it has been removed.
    $remainingMethod = isset($_GET['_method']) ? $_GET['_method'] : null;
    $this->assertNull($remainingMethod, "\$_GET['_method'] should be cleared when doing method spoofing");
    $this->assertSame('some value', $_GET['other_variable'], "Other \$_GET keys should remain when doing method spoofing");

    // Scenario 3: POST spoofed to GET; the POSTed fields replace the query.
    $postedFields = array('post_variable' => 'also has some value');
    $_GET = array(
        '_method' => 'GET',
        'other_variable' => 'some value',
    );
    $_POST = $postedFields;
    $_SERVER['REQUEST_METHOD'] = 'POST';
    $queryString = \http_build_query($_GET);
    $_SERVER['QUERY_STRING'] = $queryString;
    $_SERVER['REQUEST_URI'] = '/some/path?' . $queryString;

    \BeeHub::handle_method_spoofing();

    $this->assertSame('GET', $_SERVER['REQUEST_METHOD'], 'Method should be spoofed to GET');
    $this->assertSame(array(), $_POST, "\$_POST should be cleared when method is spoofed to GET");
    $this->assertSame($postedFields, $_GET, "\$_GET should contain all the variables originally POSTed");
    $this->assertSame('post_variable=also+has+some+value', $_SERVER['QUERY_STRING'], "\$_SERVER['QUERY_STRING'] should reflect the original \$_POST");
    $this->assertSame('/some/path?post_variable=also+has+some+value', $_SERVER['REQUEST_URI'], "\$_SERVER['REQUEST_URI'] should reflect the original \$_POST");
}