Пример #1
// Bootstrap, part 1: environment constants, include path, autoloaders and the
// global exception handler. The statements are order-dependent; presumably the
// autoloaders have to be in place before DAV and BeeHub are first referenced.
//
// APPLICATION_ENV is taken from the process environment (lower-cased) and falls
// back to 'production' whenever getenv() returns a falsy value, so a missing
// variable never selects a non-production environment by accident.
defined('APPLICATION_ENV') || define('APPLICATION_ENV', getenv('APPLICATION_ENV') ? strtolower(getenv('APPLICATION_ENV')) : 'production');
// Define ENT_HTML5 as 0 only when the runtime does not already provide it.
defined('ENT_HTML5') || define('ENT_HTML5', 0);
// Set the include path, so BeeHub* classes are automatically loaded
// (parent directory first, then this file's directory, then the existing path).
set_include_path(realpath(dirname(dirname(__FILE__))) . PATH_SEPARATOR . dirname(__FILE__) . PATH_SEPARATOR . get_include_path());
// Load the autoloader found under vendor/ in the parent directory.
require_once dirname(dirname(__FILE__)) . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
DAV::bootstrap();
// From here on, uncaught exceptions are handed to BeeHub::exception_handler.
set_exception_handler(array('BeeHub', 'exception_handler'));
// We need SimpleSamlPHP
// NOTE(review): the configured path is concatenated with 'lib' without a
// separator, so it presumably ends in a directory separator; confirm. The value
// decides which file gets executed, so it must come from trusted configuration only.
require_once BeeHub::$CONFIG['environment']['simplesamlphp'] . 'lib' . DIRECTORY_SEPARATOR . '_autoload.php';
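// Same-origin guard: reject any request whose Origin header names a host other
// than this server. An Origin that parse_url() cannot parse yields null/false,
// which never equals SERVER_NAME, so malformed values are rejected as well.
//
// The comparison is strict (!==) so that two numeric-looking strings are never
// treated as equal through PHP's loose-comparison rules.
//
// Limits of this check, to be covered by other controls:
//  - only the host is compared; scheme and port of the Origin are ignored;
//  - requests that carry no Origin header at all pass through unchecked;
//  - NOTE(review): depending on web server configuration, SERVER_NAME may be
//    derived from the client-supplied Host header; confirm it is pinned to
//    the canonical server name in deployment.
if (!empty($_SERVER['HTTP_ORIGIN']) && parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST) !== $_SERVER['SERVER_NAME']) {
    // Send an explicit 403 so that clients, proxies and access logs do not
    // record the rejected request as a successful (200) response.
    header('HTTP/1.1 403 Forbidden');
    die('Cross Origin Resourc Sharing prohibited!');
}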
// Bootstrap, part 2: register BeeHub-specific properties with the DAV layer,
// apply method spoofing, wire the providers and run the early POST check.
// The statements are order-dependent; keep them in this sequence.

// Flag the group-member-set property in DAV's protected-properties table.
DAV::$PROTECTED_PROPERTIES[DAV::PROP_GROUP_MEMBER_SET] = true;
// Register BeeHub's sponsor property both as an ACL property and as a supported property.
DAV::$ACL_PROPERTIES[BeeHub::PROP_SPONSOR] = 'sponsor';
DAV::addSupported_Properties(BeeHub::PROP_SPONSOR, 'sponsor');
// May rewrite $_SERVER['REQUEST_METHOD'] (and related request data) before
// anything below inspects the method.
BeeHub::handle_method_spoofing();
// Hand the BeeHub singletons to the DAV layer.
DAV::$REGISTRY = BeeHub_Registry::inst();
DAV::$LOCKPROVIDER = BeeHub_Lock_Provider::inst();
DAV::$ACLPROVIDER = BeeHub_ACL_Provider::inst();
// Callback the DAV layer uses for unauthorized requests: the auth object's unauthorized() method.
DAV::$UNAUTHORIZED = array(BeeHub::getAuth(), 'unauthorized');
// In case of POST requests, we can already check the POST authentication code
// NOTE(review): this test runs after handle_method_spoofing(). If that call
// replaced REQUEST_METHOD for a POST request carrying _method, the request no
// longer matches 'POST' here and skips this check; confirm that spoofed
// methods are protected against cross-site requests by another control.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!BeeHub::getAuth()->checkPostAuthCode()) {
        // Surfaces as an HTTP 403; the message tells the client where a valid code can be fetched.
        throw new DAV_Status(DAV::HTTP_FORBIDDEN, 'POST authentication code (POST_auth_code) was incorrect. The correct code can be obtained with a GET request to /system/?POST_auth_code');
    }
}
// Prepare test environments if needed
if (APPLICATION_ENV === BeeHub::ENVIRONMENT_TEST && isset($_GET['test'])) {
    if (substr($_SERVER['REQUEST_URI'], 0, 19) !== '/foo/client_tests/?') {
        header('Location: /foo/client_tests/?' . $_SERVER['QUERY_STRING']);
        die;
Пример #2
 /**
  * Checks BeeHub::handle_method_spoofing() against three request shapes.
  *
  * 1. GET with ?_method=PROPFIND: nothing may change. The override is only
  *    honoured when the real method is POST, so a plain link or navigation
  *    cannot be promoted to another HTTP method.
  * 2. POST with ?_method=PROPFIND: the method is replaced, the original one
  *    is kept in $_SERVER['ORIGINAL_REQUEST_METHOD'], and _method is removed
  *    from $_GET, QUERY_STRING and REQUEST_URI.
  * 3. POST with ?_method=GET: the POSTed fields become the query parameters
  *    and $_POST is emptied.
  *
  * The test writes to $_GET, $_POST and $_SERVER directly and does not
  * restore them afterwards.
  */
 public function testHandle_method_spoofing()
 {
     // Case 1: real method is GET, so the _method parameter must be ignored.
     $_GET = array(
         '_method' => 'PROPFIND',
         'other_variable' => 'some value',
     );
     $queryString = \http_build_query($_GET);
     $_SERVER['REQUEST_METHOD'] = 'GET';
     $_SERVER['QUERY_STRING'] = $queryString;
     $_SERVER['REQUEST_URI'] = '/some/path?' . $queryString;

     \BeeHub::handle_method_spoofing();

     $this->assertSame('GET', $_SERVER['REQUEST_METHOD'], 'Method spoofing should only be possible when the original method was POST');
     $this->assertSame('PROPFIND', $_GET['_method'], "No method spoofing? Then \$_GET['_method'] should stay as it was");

     // Case 2: same request data, but now sent as POST, so the override applies.
     $_SERVER['REQUEST_METHOD'] = 'POST';

     \BeeHub::handle_method_spoofing();

     $this->assertSame('POST', $_SERVER['ORIGINAL_REQUEST_METHOD'], "\$_SERVER['ORIGINAL_REQUEST_METHOD'] should be set when doing method spoofing");
     $this->assertSame('PROPFIND', $_SERVER['REQUEST_METHOD'], 'Method should be spoofed to PROPFIND');
     $this->assertSame('other_variable=some+value', $_SERVER['QUERY_STRING'], "\$_SERVER['QUERY_STRING'] should not contain the _method part anymore");
     $this->assertSame('/some/path?other_variable=some+value', $_SERVER['REQUEST_URI'], "\$_SERVER['REQUEST_URI'] should not contain the _method part anymore");
     // A missing key and a null value both count as "cleared".
     $remainingMethod = isset($_GET['_method']) ? $_GET['_method'] : null;
     $this->assertNull($remainingMethod, "\$_GET['_method'] should be cleared when doing method spoofing");
     $this->assertSame('some value', $_GET['other_variable'], "Other \$_GET keys should remain when doing method spoofing");

     // Case 3: POST spoofed to GET, so the POST body has to take the place of the query.
     $originalPost = array('post_variable' => 'also has some value');
     $_GET = array(
         '_method' => 'GET',
         'other_variable' => 'some value',
     );
     $_POST = $originalPost;
     $queryString = \http_build_query($_GET);
     $_SERVER['REQUEST_METHOD'] = 'POST';
     $_SERVER['QUERY_STRING'] = $queryString;
     $_SERVER['REQUEST_URI'] = '/some/path?' . $queryString;

     \BeeHub::handle_method_spoofing();

     $this->assertSame('GET', $_SERVER['REQUEST_METHOD'], 'Method should be spoofed to GET');
     $this->assertSame(array(), $_POST, "\$_POST should be cleared when method is spoofed to GET");
     $this->assertSame($originalPost, $_GET, "\$_GET should contain all the variables originally POSTed");
     $this->assertSame('post_variable=also+has+some+value', $_SERVER['QUERY_STRING'], "\$_SERVER['QUERY_STRING'] should reflect the original \$_POST");
     $this->assertSame('/some/path?post_variable=also+has+some+value', $_SERVER['REQUEST_URI'], "\$_SERVER['REQUEST_URI'] should reflect the original \$_POST");
 }