[SECURITY] Prevent information disclosure in tests bootstrap
Both the UnitTestsBootstrap and the FunctionalTestsBootstrap set
display_errors to 1, which shows errors and warnings by default. If
those scripts are called in a web context, the required files can't be
loaded and the error message discloses the website root path. The patch
adds proper checks before files are loaded and exits if an error occurs.

Resolves: #67900
Releases: 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-008
Change-Id: I1e294bcd2f6cd7c2a32f54a890ca2d4a869c9fda
Reviewed-on: http://review.typo3.org/43120
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
IchHabRecht authored and ohader committed Sep 8, 2015
1 parent 045b4ea commit ed1e46f
Showing 2 changed files with 16 additions and 1 deletion.
7 changes: 7 additions & 0 deletions typo3/sysext/core/Build/FunctionalTestsBootstrap.php
Expand Up @@ -51,6 +51,9 @@ protected function enableDisplayErrors() {
*/
protected function loadClassFiles() {
$testsDirectory = __DIR__ . '/../Tests/';
if (!class_exists('PHPUnit_Framework_TestCase')) {
die('PHPUnit wasn\'t found. Please check your settings and command.');
}
require_once($testsDirectory . 'BaseTestCase.php');
require_once($testsDirectory . 'FunctionalTestCase.php');
require_once($testsDirectory . 'FunctionalTestCaseBootstrapUtility.php');
Expand Down Expand Up @@ -122,6 +125,10 @@ protected function getWebRoot() {
}
}

if (PHP_SAPI !== 'cli') {
die('This script supports command line usage only. Please check your command.');
}

$bootstrap = new FunctionalTestsBootstrap();
$bootstrap->bootstrapSystem();
unset($bootstrap);
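Review bot: Both `die('...')` calls added in this file (the PHPUnit check in `loadClassFiles()` and the `PHP_SAPI` guard ahead of `new FunctionalTestsBootstrap()`) print to standard output and end the process with exit status 0, so a CI job or wrapper script cannot tell the abort from a successful run. For the command-line failure in `loadClassFiles()` I would use `fwrite(STDERR, "PHPUnit wasn't found. Please check your settings and command.\n"); exit(1);`, and for the web guard send `http_response_code(403);` before exiting. The same applies to the two `die()` calls added in UnitTestsBootstrap.php. Because the guard only runs once the request has already reached PHP, web access to the Build and Tests directories should also be denied at the server level as a second layer. `loadClassFiles()` continues outside the hunk.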
10 changes: 9 additions & 1 deletion typo3/sysext/core/Build/UnitTestsBootstrap.php
Expand Up @@ -171,7 +171,11 @@ protected function createDirectory($directory) {
* @return UnitTestsBootstrap fluent interface
*/
protected function includeAndStartCoreBootstrap() {
require_once PATH_site . '/typo3/sysext/core/Classes/Core/Bootstrap.php';
$bootstrapPath = PATH_site . '/typo3/sysext/core/Classes/Core/Bootstrap.php';
if (!file_exists($bootstrapPath)) {
die('Bootstrap can\'t be loaded. Please check your path or set an environment variable \'TYPO3_PATH_WEB\' to your root path.');
}
require_once $bootstrapPath;

Bootstrap::getInstance()
->baseSetup()
Expand Down Expand Up @@ -211,6 +215,10 @@ protected function finishCoreBootstrap() {
}
}

if (PHP_SAPI !== 'cli') {
die('This script supports command line usage only. Please check your command.');
}

$bootstrap = new UnitTestsBootstrap();
$bootstrap->bootstrapSystem();
unset($bootstrap);
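Review bot: `file_exists($bootstrapPath)` in `includeAndStartCoreBootstrap()` is also true for a directory and for a file that PHP cannot read, and in both cases `require_once` still fails with an error that prints the full path, since this bootstrap sets display_errors to 1 according to the commit message. `if (!is_file($bootstrapPath) || !is_readable($bootstrapPath)) {` would route both cases to the same generic message. The docblock above the method should also say that it ends the process when the file is missing, for example `Exits with an error message if the core Bootstrap.php cannot be loaded.` The method body continues outside the hunk.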
