You are here

function drupal_valid_test_ua in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/includes/bootstrap.inc \drupal_valid_test_ua()

Returns the test prefix if this is an internal request from SimpleTest.

Parameters

string $new_prefix: Internal use only. A new prefix to be stored.

Return value

string|FALSE Either the simpletest prefix (the string "simpletest" followed by any number of digits) or FALSE if the user agent does not contain a valid HMAC and timestamp.

16 calls to drupal_valid_test_ua()
BrowserTestBase::prepareEnvironment in core/modules/simpletest/src/BrowserTestBase.php
Prepares the current environment for running the test.
CoreServiceProvider::registerTest in core/lib/Drupal/Core/CoreServiceProvider.php
Registers services and event subscribers for a site under test.
DrupalKernel::bootEnvironment in core/lib/Drupal/Core/DrupalKernel.php
Setup a consistent PHP environment.
DrupalKernel::findSitePath in core/lib/Drupal/Core/DrupalKernel.php
Returns the appropriate site directory for a request.
drupal_generate_test_ua in core/includes/bootstrap.inc
Generates a user agent string with a HMAC and timestamp for simpletest.

... See full list

1 string reference to 'drupal_valid_test_ua'
DrupalKernelTest.php in core/tests/Drupal/Tests/Core/DrupalKernel/DrupalKernelTest.php
Contains \Drupal\Tests\Core\DrupalKernel\DrupalKernelTest.

File

core/includes/bootstrap.inc, line 603
Functions that need to be loaded on every Drupal request.

Code

function drupal_valid_test_ua($new_prefix = NULL) {
  static $test_prefix;
  if (isset($new_prefix)) {
    $test_prefix = $new_prefix;
  }
  if (isset($test_prefix)) {
    return $test_prefix;
  }

  // Unless the below User-Agent and HMAC validation succeeds, we are not in
  // a test environment.
  $test_prefix = FALSE;

  // A valid Simpletest request will contain a hashed and salted authentication
  // code. Check if this code is present in a cookie or custom user agent
  // string.
  $http_user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : NULL;
  $user_agent = isset($_COOKIE['SIMPLETEST_USER_AGENT']) ? $_COOKIE['SIMPLETEST_USER_AGENT'] : $http_user_agent;
  if (isset($user_agent) && preg_match("/^(simpletest\\d+);(.+);(.+);(.+)\$/", $user_agent, $matches)) {
    list(, $prefix, $time, $salt, $hmac) = $matches;
    $check_string = $prefix . ';' . $time . ';' . $salt;

    // Read the hash salt prepared by drupal_generate_test_ua().
    // This function is called before settings.php is read and Drupal's error
    // handlers are set up. While Drupal's error handling may be properly
    // configured on production sites, the server's PHP error_reporting may not.
    // Ensure that no information leaks on production sites.
    $key_file = DRUPAL_ROOT . '/sites/simpletest/' . substr($prefix, 10) . '/.htkey';
    if (!is_readable($key_file)) {
      header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
      exit;
    }
    $private_key = file_get_contents($key_file);

    // The file properties add more entropy not easily accessible to others.
    $key = $private_key . filectime(__FILE__) . fileinode(__FILE__);
    $time_diff = REQUEST_TIME - $time;
    $test_hmac = Crypt::hmacBase64($check_string, $key);

    // Since we are making a local request a 5 second time window is allowed,
    // and the HMAC must match.
    if ($time_diff >= 0 && $time_diff <= 5 && $hmac === $test_hmac) {
      $test_prefix = $prefix;
    }
  }
  return $test_prefix;
}