174 lines
5.0 KiB
Perl
174 lines
5.0 KiB
Perl
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
#
|
|
# This Source Code Form is "Incompatible With Secondary Licenses", as
|
|
# defined by the Mozilla Public License, v. 2.0.
|
|
|
|
|
|
#################
|
|
#Bugzilla Test 2#
|
|
####GoodPerl#####
|
|
|
|
use 5.10.1;
|
|
use strict;
|
|
use warnings;
|
|
|
|
use lib 't';
|
|
|
|
use Support::Files;
|
|
|
|
use Test::More tests => (scalar(@Support::Files::testitems)
|
|
+ scalar(@Support::Files::test_files)) * 6;
|
|
|
|
my @testitems = (@Support::Files::test_files, @Support::Files::testitems);
|
|
my @require_taint = qw(email_in.pl importxml.pl mod_perl.pl whine.pl);
|
|
|
|
foreach my $file (@testitems) {
|
|
$file =~ s/\s.*$//; # nuke everything after the first space (#comment)
|
|
next if (!$file); # skip null entries
|
|
if (! open (FILE, $file)) {
|
|
ok(0,"could not open $file --WARNING");
|
|
}
|
|
my $file_line1 = <FILE>;
|
|
close (FILE);
|
|
|
|
$file =~ m/.*\.(.*)/;
|
|
my $ext = $1;
|
|
|
|
if ($file_line1 !~ m/^#\!/) {
|
|
ok(1,"$file does not have a shebang");
|
|
} else {
|
|
my $flags;
|
|
if (!defined $ext || $ext eq "pl") {
|
|
# standalone programs aren't taint checked yet
|
|
if (grep { $file eq $_ } @require_taint) {
|
|
$flags = 'T';
|
|
}
|
|
else {
|
|
$flags = '';
|
|
}
|
|
} elsif ($ext eq "pm") {
|
|
ok(0, "$file is a module, but has a shebang");
|
|
next;
|
|
} elsif ($ext eq "cgi") {
|
|
# cgi files must be taint checked
|
|
$flags = 'T';
|
|
} else {
|
|
ok(0, "$file has shebang but unknown extension");
|
|
next;
|
|
}
|
|
|
|
if ($file_line1 =~ m#^\#\!/usr/bin/perl(?:\s-(\w+))?$#) {
|
|
my $file_flags = $1 || '';
|
|
if ($flags eq $file_flags) {
|
|
ok(1, "$file uses standard perl location" . ($flags ? " and -$flags flag" : ""));
|
|
}
|
|
elsif ($flags) {
|
|
ok(0, "$file is MISSING -$flags flag --WARNING");
|
|
}
|
|
else {
|
|
ok(0, "$file has unexpected -$file_flags flag --WARNING");
|
|
}
|
|
} else {
|
|
ok(0,"$file uses non-standard perl location");
|
|
}
|
|
}
|
|
}
|
|
|
|
foreach my $file (@testitems) {
|
|
my $found_use_perl = 0;
|
|
my $found_use_strict = 0;
|
|
my $found_use_warnings = 0;
|
|
|
|
$file =~ s/\s.*$//; # nuke everything after the first space (#comment)
|
|
next if (!$file); # skip null entries
|
|
if (! open (FILE, $file)) {
|
|
ok(0,"could not open $file --WARNING");
|
|
next;
|
|
}
|
|
while (my $file_line = <FILE>) {
|
|
$found_use_perl = 1 if $file_line =~ m/^\s*use 5.10.1/;
|
|
$found_use_strict = 1 if $file_line =~ m/^\s*use strict/;
|
|
$found_use_warnings = 1 if $file_line =~ m/^\s*use warnings/;
|
|
last if ($found_use_perl && $found_use_strict && $found_use_warnings);
|
|
}
|
|
close (FILE);
|
|
if ($found_use_perl) {
|
|
ok(1,"$file requires Perl 5.10.1");
|
|
} else {
|
|
ok(0,"$file DOES NOT require Perl 5.10.1 --WARNING");
|
|
}
|
|
|
|
if ($found_use_strict) {
|
|
ok(1,"$file uses strict");
|
|
} else {
|
|
ok(0,"$file DOES NOT use strict --WARNING");
|
|
}
|
|
|
|
if ($found_use_warnings) {
|
|
ok(1,"$file uses warnings");
|
|
} else {
|
|
ok(0,"$file DOES NOT use warnings --WARNING");
|
|
}
|
|
}
|
|
|
|
# Check to see that all error messages use tags (for l10n reasons.)
|
|
foreach my $file (@testitems) {
|
|
$file =~ s/\s.*$//; # nuke everything after the first space (#comment)
|
|
next if (!$file); # skip null entries
|
|
if (! open (FILE, $file)) {
|
|
ok(0,"could not open $file --WARNING");
|
|
next;
|
|
}
|
|
my $lineno = 0;
|
|
my $error = 0;
|
|
|
|
while (!$error && (my $file_line = <FILE>)) {
|
|
$lineno++;
|
|
if ($file_line =~ /Throw.*Error\("(.*?)"/) {
|
|
if ($1 =~ /\s/) {
|
|
ok(0,"$file has a Throw*Error call on line $lineno
|
|
which doesn't use a tag --ERROR");
|
|
$error = 1;
|
|
}
|
|
}
|
|
}
|
|
|
|
ok(1,"$file uses Throw*Error calls correctly") if !$error;
|
|
|
|
close(FILE);
|
|
}
|
|
|
|
# Forbird the { foo => $cgi->param() } syntax, for security reasons.
|
|
foreach my $file (@testitems) {
|
|
$file =~ s/\s.*$//; # nuke everything after the first space (#comment)
|
|
next unless $file; # skip null entries
|
|
if (!open(FILE, $file)) {
|
|
ok(0, "could not open $file --WARNING");
|
|
next;
|
|
}
|
|
my $lineno = 0;
|
|
my @unsafe_args;
|
|
|
|
while (my $file_line = <FILE>) {
|
|
$lineno++;
|
|
$file_line =~ s/^\s*(.+)\s*$/$1/; # Remove leading and trailing whitespaces.
|
|
if ($file_line =~ /^[^#]+=> \$cgi\->param/) {
|
|
push(@unsafe_args, "$file_line on line $lineno");
|
|
}
|
|
}
|
|
|
|
if (@unsafe_args) {
|
|
ok(0, "$file incorrectly passes a CGI argument to a hash --ERROR\n" .
|
|
join("\n", @unsafe_args));
|
|
}
|
|
else {
|
|
ok(1, "$file has no vulnerable hash syntax");
|
|
}
|
|
|
|
close(FILE);
|
|
}
|
|
|
|
exit 0;
|