
Commit fd5b192

committed
MAGETWO-85143: Stored XSS - Downloadable products (Exfiltrating database, admin takeover)
1 parent 06fd94e commit fd5b192

1 file changed

+65
-0
lines changed

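--- a/app/code/Magento/Downloadable/Test/Unit/Controller/Download/LinkTest.php
+++ b/app/code/Magento/Downloadable/Test/Unit/Controller/Download/LinkTest.php
@@ -403,6 +403,71 @@ public function testLinkNotAvailable($messageType, $status, $notice)
 $this->assertEquals($this->response, $this->link->execute());
 }
 
+/**
+* @param string $mimeType
+* @param string $disposition
+* @dataProvider downloadTypesDataProvider
+* @return void
+*/
+public function testContentDisposition($mimeType, $disposition)
+{
+$this->objectManager->expects($this->at(0))
+->method('get')
+->with(\Magento\Customer\Model\Session::class)
+->willReturn($this->session);
+$this->request->expects($this->once())->method('getParam')->with('id', 0)->willReturn('some_id');
+$this->objectManager->expects($this->at(1))
+->method('create')
+->with(\Magento\Downloadable\Model\Link\Purchased\Item::class)
+->willReturn($this->linkPurchasedItem);
+$this->linkPurchasedItem->expects($this->once())
+->method('load')
+->with('some_id', 'link_hash')
+->willReturnSelf();
+$this->linkPurchasedItem->expects($this->once())->method('getId')->willReturn(5);
+$this->objectManager->expects($this->at(2))
+->method('get')
+->with(\Magento\Downloadable\Helper\Data::class)
+->willReturn($this->helperData);
+$this->helperData->expects($this->once())
+->method('getIsShareable')
+->with($this->linkPurchasedItem)
+->willReturn(true);
+$this->linkPurchasedItem->expects($this->any())->method('getNumberOfDownloadsBought')->willReturn(10);
+$this->linkPurchasedItem->expects($this->any())->method('getNumberOfDownloadsUsed')->willReturn(9);
+$this->linkPurchasedItem->expects($this->once())->method('getStatus')->willReturn('available');
+$this->linkPurchasedItem->expects($this->once())->method('getLinkType')->willReturn('url');
+$this->linkPurchasedItem->expects($this->once())->method('getLinkUrl')->willReturn('link_url');
+
+$fileSize = 58493;
+$fileName = 'link.jpg';
+
+$this->objectManager->expects($this->at(3))
+->method('get')
+->with(\Magento\Downloadable\Helper\Download::class)
+->willReturn($this->downloadHelper);
+$this->downloadHelper->expects($this->once())
+->method('setResource')
+->with('link_url', 'url')
+->willReturnSelf();
+$this->downloadHelper->expects($this->once())->method('getFilename')->willReturn($fileName);
+$this->downloadHelper->expects($this->once())->method('getContentType')->willReturn($mimeType);
+$this->response->expects($this->once())->method('setHttpResponseCode')->with(200)->willReturnSelf();
+$this->response
+->expects($this->any())
+->method('setHeader')
+->withConsecutive(
+['Pragma', 'public', true],
+['Cache-Control', 'must-revalidate, post-check=0, pre-check=0', true],
+['Content-type', $mimeType, true],
+['Content-Length', $fileSize],
+['Content-Disposition', $disposition . '; filename=' . $fileName]
+)
+->willReturnSelf();
+
+$this->assertEquals($this->response, $this->link->execute());
+}
+
 /**
 * @return array
 */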
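Review bot: `$fileSize = 58493` is asserted in the `Content-Length` expectation, but nothing in this hunk stubs the download helper call that supplies that value, so the assertion either depends on a stub already made in setUp or passes only because the `withConsecutive` chain hangs off an `any()` count; stubbing it explicitly next to `getFilename`, e.g. `$this->downloadHelper->expects($this->once())->method('getFileSize')->willReturn($fileSize);`, makes the header check meaningful. Since this commit's purpose is to force a safe disposition for content that browsers would otherwise render, the expected `Content-Disposition` value is built from the provider's `$disposition` only, and `downloadTypesDataProvider` lies outside the hunk — confirm it pairs at least one renderable MIME type with `attachment` and one ordinary type with its unchanged disposition, otherwise the regression this fix guards against is not actually exercised. The expected header is also built by raw concatenation of `$fileName`, so the test pins nothing about how the controller quotes or strips header-sensitive characters in the filename; a second fixture name would cover that. Finally, the `$this->at(0..3)` ordering ties the test to the exact sequence of object-manager calls and will break on any unrelated reordering in the controller; matching on the class argument alone (`->with(...)` with `any()`) is more robust.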
