Tests: more corner cases for secure_link module.
diff --git a/secure_link.t b/secure_link.t
index 83409b8..0b2b811 100644
--- a/secure_link.t
+++ b/secure_link.t
@@ -24,7 +24,7 @@
select STDERR; $| = 1;
select STDOUT; $| = 1;
-my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(10);
+my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(19);
$t->write_file_expand('nginx.conf', <<'EOF');
@@ -111,6 +111,10 @@
return 403;
}
}
+
+ location /stub {
+ return 200 x$secure_link${secure_link_expires}x;
+ }
}
}
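Review bot: The new `/stub` location in the embedded nginx.conf has no comment saying what it is for, and the `x…x` sentinels around the two variables are easy to misread as part of the value. A config comment such as `# no secure_link here: $secure_link and $secure_link_expires should both expand to nothing, yielding "xx"` would make the intent clear. The enclosing `server` block starts outside this hunk, so confirm that no `secure_link` directive is inherited from that level before wording the comment this way.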
@@ -128,6 +132,22 @@
qr/PASSED/, 'request md5');
like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA'),
qr/PASSED/, 'request md5 no padding');
+
+TODO: {
+todo_skip 'stack-buffer-overflow', 1 unless $ENV{TEST_NGINX_UNSAFE}
+ or $t->has_version('1.13.5');
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHAQQ'),
+ qr/^HTTP.*403/, 'request md5 too long');
+
+}
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA-TOOLONG'),
+ qr/^HTTP.*403/, 'request md5 too long encoding');
+like(http_get('/test.html?hash=BADHASHLENGTH'),
+ qr/^HTTP.*403/, 'request md5 decode error');
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHX=='),
+ qr/^HTTP.*403/, 'request md5 mismatch');
like(http_get('/test.html'), qr/^HTTP.*403/, 'request no hash');
# new style with expires
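Review bot: The `TODO` block around 'request md5 too long' does not explain why this one input is gated, so the `TEST_NGINX_UNSAFE` / `has_version('1.13.5')` condition reads as arbitrary. The hash is 24 base64url characters, which decode to 18 bytes, two more than a 16-byte MD5 digest. The skip reason says builds before 1.13.5 hit a stack-buffer-overflow on it. I would add a comment above `todo_skip`, for example `# 24 base64url chars decode to 18 bytes (MD5 is 16); older builds overflow a stack buffer here, so run only when TEST_NGINX_UNSAFE is set`. The three unguarded cases that follow are presumably rejected before decoding on older builds too; if that is not certain, they need the same gate.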
@@ -146,15 +166,27 @@
like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
qr/^HTTP.*403/, 'request md5 expired');
+$expires = 0;
+$hash = encode_base64url(md5("secret/expires.html$expires"));
+like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
+ qr/^HTTP.*403/, 'request md5 invalid expiration');
+
# old style
like(http_get('/p/' . md5_hex('test.html' . 'secret') . '/test.html'),
qr/PASSED/, 'request old style');
like(http_get('/p/' . md5_hex('fake') . '/test.html'), qr/^HTTP.*403/,
'request old style fake hash');
+like(http_get('/p/' . 'foo' . '/test.html'), qr/^HTTP.*403/,
+ 'request old style short hash');
+like(http_get('/p/' . 'x' x 32 . '/test.html'), qr/^HTTP.*403/,
+ 'request old style corrupt hash');
+like(http_get('/p%2f'), qr/^HTTP.*403/, 'request old style bad uri');
like(http_get('/p/test.html'), qr/^HTTP.*403/, 'request old style no hash');
like(http_get('/inheritance/test'), qr/PASSED/, 'inheritance');
+like(http_get('/stub'), qr/xx/, 'secure_link not found');
+
###############################################################################
sub encode_base64url {
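Review bot: The `/stub` assertion uses an unanchored `qr/xx/`, which is satisfied by "xx" anywhere in the response, headers included, and also by a non-empty variable value that happens to contain an "x" next to a sentinel. Anchoring it to the body is tighter: `like(http_get('/stub'), qr/^xx$/m, 'secure_link not found');` (this assumes the body arrives unchunked). Separately, the `$expires = 0` case asserts the same 403 as the 'request md5 expired' case just above it. Judging by status alone, the test cannot tell whether the module rejected the value as invalid or merely treated it as a timestamp in the past; a comment saying which path is intended would help. The `encode_base64url` sub that opens on the hunk's last line continues outside the hunk.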