--- /dev/null
+2005-02-23 Sebastien Pouliot <sebastien@ximian.com>
+
+ * HttpRequestTest.cs: New. Test that ValidateInput throw exceptions
+ when expected.
+ * HttpServerUtilityTest.cs: New. Test for possible XSS when using
+ HtmlEncode.
+ * HttpUtilityTest.cs: New. Test for possible XSS when using
+ HtmlEncode.
--- /dev/null
+//
+// System.Web.HttpRequestTest.cs - Unit tests for System.Web.HttpRequest
+//
+// Author:
+// Sebastien Pouliot <sebastien@ximian.com>
+//
+// Copyright (C) 2005 Novell, Inc (http://www.novell.com)
+//
+// Permission is hereby granted, free of charge, to any person obtaining
+// a copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so, subject to
+// the following conditions:
+//
+// The above copyright notice and this permission notice shall be
+// included in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+using System.Text;
+using System.Web;
+
+using NUnit.Framework;
+
+namespace MonoTests.System.Web {
+
+ [TestFixture]
+ public class HttpRequestTest {
+
+#if NET_1_1
+ [Test]
+ [ExpectedException (typeof (HttpRequestValidationException))]
+ public void ValidateInput_XSS ()
+ {
+ string problem = "http://server.com/attack2.aspx?test=<script>alert('vulnerability')</script>";
+ string decoded = HttpUtility.UrlDecode (problem);
+ int n = decoded.IndexOf ('?');
+ HttpRequest request = new HttpRequest (null, decoded.Substring (0,n), decoded.Substring (n+1));
+ request.ValidateInput ();
+ // the next statement throws
+ Assert.AreEqual ("<script>alert('vulnerability')</script>", request.QueryString ["test"], "QueryString");
+ }
+
+ // Notes:
+ // * this is to avoid a regression that would cause Mono to
+ // fail again on item #2 of the XSS vulnerabilities listed at:
+ // http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml
+ // * The author notes that Microsoft has decided not to fix
+ // this issue (hence the NotDotNet category).
+
+ [Test]
+ [Category ("NotDotNet")]
+ [ExpectedException (typeof (HttpRequestValidationException))]
+ public void ValidateInput_XSS_Unicode ()
+ {
+ string problem = "http://server.com/attack2.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e";
+ string decoded = HttpUtility.UrlDecode (problem);
+ int n = decoded.IndexOf ('?');
+ HttpRequest request = new HttpRequest (null, decoded.Substring (0,n), decoded.Substring (n+1));
+ request.ValidateInput ();
+ // the next statement throws
+ Assert.AreEqual ("\xff1cscript\xff1ealert('vulnerability')\xff1c/script\xff1e", request.QueryString ["test"], "QueryString-after");
+ }
+#endif
+ }
+}
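Review bot: `[ExpectedException]` on ValidateInput_XSS and ValidateInput_XSS_Unicode is satisfied by a throw from any statement in the method, while the comment `// the next statement throws` at L59 and L80 says the exception is expected from the `request.QueryString ["test"]` access rather than from `request.ValidateInput ()` itself; if validation were ever made eager the comment would be wrong and the test would still pass, so spell the contract out, e.g. `// ValidateInput only arms validation; the HttpRequestValidationException is raised on the first QueryString access below`. The two assertion messages (`"QueryString"` at L60, `"QueryString-after"` at L81) differ for otherwise parallel tests; pick one form. `using System.Text;` at L39 is unused in this file, since nothing from that namespace is referenced between L49 and L83.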
--- /dev/null
+//
+// System.Web.HttpServerUtilityTest.cs
+// - Unit tests for System.Web.HttpServerUtility
+//
+// Author:
+// Sebastien Pouliot <sebastien@ximian.com>
+//
+// Copyright (C) 2005 Novell, Inc (http://www.novell.com)
+//
+// Permission is hereby granted, free of charge, to any person obtaining
+// a copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so, subject to
+// the following conditions:
+//
+// The above copyright notice and this permission notice shall be
+// included in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+using System.Text;
+using System.Web;
+
+using NUnit.Framework;
+
+namespace MonoTests.System.Web {
+
+ [TestFixture]
+ public class HttpServerUtilityTest {
+
+ private HttpApplication _app;
+
+ [TestFixtureSetUp]
+ public void FixtureSetUp ()
+ {
+ _app = new HttpApplication ();
+ }
+
+ public HttpServerUtility Server {
+ get { return _app.Server; }
+ }
+
+ [Test]
+ public void HtmlEncode_LtGt ()
+ {
+ Assert.AreEqual ("<script>", Server.HtmlEncode ("<script>"));
+ }
+
+ // Notes:
+ // * this is to avoid a regression that would cause Mono to
+ // fail item #3 of the XSS vulnerabilities listed at:
+ // http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml
+ // we didn't fall the first time so let's ensure we never will
+ // * The author notes that Microsoft has decided not to fix
+ // this issue (hence the NotDotNet category).
+
+ [Test]
+ [Category ("NotDotNet")]
+ public void HtmlEncode_XSS ()
+ {
+ string problem = "\xff1cscript\xff1e"; // unicode looks alike <script>
+ byte[] utf8data = Encoding.UTF8.GetBytes (problem);
+ Encoding win1251 = Encoding.GetEncoding ("windows-1251");
+ byte[] windata = Encoding.Convert (Encoding.UTF8, win1251, utf8data);
+ // now it's a real problem
+ Assert.AreEqual ("<script>", Encoding.ASCII.GetString (windata), "<script>");
+
+ string encoded = Server.HtmlEncode (problem);
+ Assert.AreEqual ("<script>", encoded, "<script>");
+
+ utf8data = Encoding.UTF8.GetBytes (encoded);
+ windata = Encoding.Convert (Encoding.UTF8, win1251, utf8data);
+ Assert.AreEqual ("<script>", Encoding.ASCII.GetString (windata), "ok");
+ }
+ }
+}
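Review bot: As rendered here the expected values at L141, L164 and L168 are the literal `<script>`, which is the unencoded input itself, so an HtmlEncode that returned its argument unchanged would pass HtmlEncode_LtGt and the HtmlEncode_XSS regression test would never detect the fullwidth-bracket bypass it is written for; this looks like the `&lt;`/`&gt;` entities being lost in page rendering, but verify the committed source reads `Assert.AreEqual ("&lt;script&gt;", Server.HtmlEncode ("<script>"));` and likewise at L164/L168 (the same applies to L214, L237 and L241 in HttpUtilityTest.cs in this commit). Separately, `_app` created in FixtureSetUp at L131 is an HttpApplication, which is IDisposable, and nothing disposes it; add a matching fixture teardown as below. The assertion messages at L161 and L164 are both `"<script>"`, so a failure report does not say which step failed; name the step instead (`"win1251 roundtrip"`, `"encoded"`).
```csharp
// … unchanged: FixtureSetUp, Server property, tests …
[TestFixtureTearDown]
public void FixtureTearDown ()
{
    _app.Dispose ();
}
```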
--- /dev/null
+//
+// System.Web.HttpUtilityTest.cs - Unit tests for System.Web.HttpUtility
+//
+// Author:
+// Sebastien Pouliot <sebastien@ximian.com>
+//
+// Copyright (C) 2005 Novell, Inc (http://www.novell.com)
+//
+// Permission is hereby granted, free of charge, to any person obtaining
+// a copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so, subject to
+// the following conditions:
+//
+// The above copyright notice and this permission notice shall be
+// included in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+using System.Text;
+using System.Web;
+
+using NUnit.Framework;
+
+namespace MonoTests.System.Web {
+
+ [TestFixture]
+ public class HttpUtilityTest {
+
+ [Test]
+ public void HtmlEncode_LtGt ()
+ {
+ Assert.AreEqual ("<script>", HttpUtility.HtmlEncode ("<script>"));
+ }
+
+ // Notes:
+ // * this is to avoid a regression that would cause Mono to
+ // fail item #3 of the XSS vulnerabilities listed at:
+ // http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml
+ // we didn't fall the first time so let's ensure we never will
+ // * The author notes that Microsoft has decided not to fix
+ // this issue (hence the NotDotNet category).
+
+ [Test]
+ [Category ("NotDotNet")]
+ public void HtmlEncode_XSS ()
+ {
+ string problem = "\xff1cscript\xff1e"; // unicode looks alike <script>
+ byte[] utf8data = Encoding.UTF8.GetBytes (problem);
+ Encoding win1251 = Encoding.GetEncoding ("windows-1251");
+ byte[] windata = Encoding.Convert (Encoding.UTF8, win1251, utf8data);
+ // now it's a real problem
+ Assert.AreEqual ("<script>", Encoding.ASCII.GetString (windata), "<script>");
+
+ string encoded = HttpUtility.HtmlEncode (problem);
+ Assert.AreEqual ("<script>", encoded, "<script>");
+
+ utf8data = Encoding.UTF8.GetBytes (encoded);
+ windata = Encoding.Convert (Encoding.UTF8, win1251, utf8data);
+ Assert.AreEqual ("<script>", Encoding.ASCII.GetString (windata), "ok");
+ }
+ }
+}
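Review bot: HtmlEncode_LtGt and HtmlEncode_XSS at L212-L242 are line-for-line copies of the same two tests in HttpServerUtilityTest.cs from this commit, differing only in the encoder called at L214 and L236; the windows-1251 round trip that establishes the precondition (L230-L234) and checks the result (L239-L241) is the part most likely to need adjusting later and would be better kept in one place so both fixtures stay in step. A small shared helper taking the already-encoded string, e.g. `static void AssertNoAngleBracketsAfterWin1251 (string encoded)`, would leave each fixture with a two-line test that only names its own encoder. The assertion messages at L234 and L237 are both `"<script>"`, so a failure does not indicate which step broke; describe the step instead.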