Fix tests for PHP7.2 session_id problems.

session_id() can't be set after stdout has been written to. Fixate the session id to a non-empty value during bootstrap to make tests possible.
cakephp · Oct 7, 2017 · f541bdc · f541bdc
1 parent 45eeb56
commit f541bdc
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 23 deletions.
diff --git a/tests/TestCase/Controller/Component/SecurityComponentTest.php b/tests/TestCase/Controller/Component/SecurityComponentTest.php
@@ -156,7 +156,6 @@ class SecurityComponentTest extends TestCase
     public function setUp()
     {
         parent::setUp();
-        session_id('cli');
 
         $this->server = $_SERVER;
         $session = new Session();

diff --git a/tests/TestCase/View/Helper/FormHelperTest.php b/tests/TestCase/View/Helper/FormHelperTest.php
@@ -141,7 +141,6 @@ class FormHelperTest extends TestCase
     public function setUp()
     {
         parent::setUp();
-        session_id('');
 
         Configure::write('Config.language', 'eng');
         Configure::write('App.base', '');
@@ -1133,8 +1132,11 @@ public function testValidateHashNoModel()
     {
         $this->Form->request->params['_Token'] = 'foo';
 
-        $result = $this->Form->secure(['anything']);
-        $this->assertRegExp('/b9731869b9915e3dee6250db1a1fad464371fb94/', $result);
+        $fields = ['anything'];
+        $result = $this->Form->secure($fields);
+
+        $hash = hash_hmac('sha1', serialize($fields) . session_id(), Security::salt());
+        $this->assertContains($hash, $result);
     }
 
     /**
@@ -1165,7 +1167,7 @@ public function testFormSecurityFields()
         $this->Form->request->params['_Token'] = 'testKey';
         $result = $this->Form->secure($fields);
 
-        $hash = hash_hmac('sha1', serialize($fields), Security::salt());
+        $hash = hash_hmac('sha1', serialize($fields) . session_id(), Security::salt());
         $hash .= ':' . 'Model.valid';
         $hash = urlencode($hash);
         $tokenDebug = urlencode(json_encode([
@@ -1213,7 +1215,7 @@ public function testFormSecurityFieldsNoDebugMode()
         $this->Form->request->params['_Token'] = 'testKey';
         $result = $this->Form->secure($fields);
 
-        $hash = hash_hmac('sha1', serialize($fields), Security::salt());
+        $hash = hash_hmac('sha1', serialize($fields) . session_id(), Security::salt());
         $hash .= ':' . 'Model.valid';
         $hash = urlencode($hash);
         $expected = [
@@ -1406,9 +1408,8 @@ public function testFormSecurityMultipleFields()
         ];
         $result = $this->Form->secure($fields);
 
-        $hash = '51e3b55a6edd82020b3f29c9ae200e14bbeb7ee5%3AModel.0.hidden%7CModel.0.valid';
-        $hash = '16e544e04f6d3007231e3e23f8f73427a53272d4%3AModel.0.hidden%7CModel.0.valid';
-        $hash .= '%7CModel.1.hidden%7CModel.1.valid';
+        $hash = '8670192c3f040bf58680479060b4755b7a5c3596' .
+            '%3AModel.0.hidden%7CModel.0.valid%7CModel.1.hidden%7CModel.1.valid';
         $tokenDebug = urlencode(json_encode([
             '',
             $fields,
@@ -1608,7 +1609,7 @@ public function testFormSecurityMultipleControlFields()
         $this->Form->control('Addresses.1.primary', ['type' => 'checkbox']);
 
         $result = $this->Form->secure($this->Form->fields);
-        $hash = '587942c6810603a6d5a07a394316dda455580227%3AAddresses.0.id%7CAddresses.1.id';
+        $hash = 'a4fe49bde94894a01375e7aa2873ea8114a96471%3AAddresses.0.id%7CAddresses.1.id';
         $tokenDebug = urlencode(json_encode([
             '/articles/add',
             [
@@ -1705,7 +1706,7 @@ public function testFormSecurityMultipleControlDisabledFields()
         $this->Form->text('Addresses.1.phone');
 
         $result = $this->Form->secure($this->Form->fields);
-        $hash = '8db4b5f1a912dfafd9c264964df7aa598ea322c0%3AAddresses.0.id%7CAddresses.1.id';
+        $hash = '43c4db25e4162c5e4edd9dea51f5f9d9d92215ec%3AAddresses.0.id%7CAddresses.1.id';
         $tokenDebug = urlencode(json_encode([
                 '/articles/add',
                 [
@@ -1783,7 +1784,7 @@ public function testFormSecurityControlUnlockedFields()
 
         $result = $this->Form->secure($expected, ['data-foo' => 'bar']);
 
-        $hash = 'cdc8fa2dd2aa2804c12cd17279c39747f1c57354%3AAddresses.id';
+        $hash = 'f98315a7d5515e5ae32e35f7d680207c085fae69%3AAddresses.id';
         $tokenDebug = urlencode(json_encode([
                 '/articles/add',
                 [
@@ -1857,7 +1858,7 @@ public function testFormSecurityControlUnlockedFieldsDebugSecurityTrue()
         $this->assertEquals($expected, $result);
         $result = $this->Form->secure($expected, ['data-foo' => 'bar', 'debugSecurity' => true]);
 
-        $hash = 'cdc8fa2dd2aa2804c12cd17279c39747f1c57354%3AAddresses.id';
+        $hash = 'f98315a7d5515e5ae32e35f7d680207c085fae69%3AAddresses.id';
         $tokenDebug = urlencode(json_encode([
             '/articles/add',
             [
@@ -1932,7 +1933,7 @@ public function testFormSecurityControlUnlockedFieldsDebugSecurityDebugFalse()
         Configure::write('debug', false);
         $result = $this->Form->secure($expected, ['data-foo' => 'bar', 'debugSecurity' => true]);
 
-        $hash = 'cdc8fa2dd2aa2804c12cd17279c39747f1c57354%3AAddresses.id';
+        $hash = 'f98315a7d5515e5ae32e35f7d680207c085fae69%3AAddresses.id';
         $expected = [
             'div' => ['style' => 'display:none;'],
             ['input' => [
@@ -1985,8 +1986,7 @@ public function testFormSecurityControlUnlockedFieldsDebugSecurityFalse()
         $this->assertEquals($expected, $result);
 
         $result = $this->Form->secure($expected, ['data-foo' => 'bar', 'debugSecurity' => false]);
-
-        $hash = 'cdc8fa2dd2aa2804c12cd17279c39747f1c57354%3AAddresses.id';
+        $hash = 'f98315a7d5515e5ae32e35f7d680207c085fae69%3AAddresses.id';
 
         $expected = [
             'div' => ['style' => 'display:none;'],
@@ -2480,7 +2480,7 @@ public function testSecuredFormUrlIgnoresHost()
     {
         $this->Form->request->params['_Token'] = ['key' => 'testKey'];
 
-        $expected = '8312b8faa7e74c6f36e05c8d188eda58b39fab20%3A';
+        $expected = '2548654895b160d724042ed269a2a863fd9d66ee%3A';
         $this->Form->create($this->article, [
             'url' => ['controller' => 'articles', 'action' => 'view', 1, '?' => ['page' => 1]]
         ]);
@@ -2511,7 +2511,7 @@ public function testSecuredFormUrlHasHtmlAndIdentifier()
     {
         $this->Form->request->params['_Token'] = ['key' => 'testKey'];
 
-        $expected = '93acdc2336947d62cf057a17275264c1fecc2443%3A';
+        $expected = '0a913f45b887b4d9cc2650ef1edc50183896959c%3A';
         $this->Form->create($this->article, [
             'url' => [
                 'controller' => 'articles',
@@ -5578,8 +5578,8 @@ public function testSelectMultipleCheckboxSecurity()
         $this->assertEquals(['Model.multi_field'], $this->Form->fields);
 
         $result = $this->Form->secure($this->Form->fields);
-        $key = '3cecbba5b65c8792d963b0498c67741466e61d47%3A';
-        $this->assertRegExp('/"' . $key . '"/', $result);
+        $key = '8af36fb34e6f2ef8ba0eb473bb4365ec232f3fe5%3A';
+        $this->assertContains('"' . $key . '"', $result);
     }
 
     /**
@@ -7613,7 +7613,7 @@ public function testPostLinkWithData()
      */
     public function testPostLinkSecurityHash()
     {
-        $hash = hash_hmac('sha1', '/posts/delete/1' . serialize(['id' => '1']), Security::getSalt());
+        $hash = hash_hmac('sha1', '/posts/delete/1' . serialize(['id' => '1']) . session_id(), Security::getSalt());
         $hash .= '%3Aid';
         $this->Form->request->params['_Token']['key'] = 'test';
 
@@ -7666,7 +7666,7 @@ public function testPostLinkSecurityHash()
      */
     public function testPostLinkSecurityHashBlockMode()
     {
-        $hash = hash_hmac('sha1', '/posts/delete/1' . serialize([]), Security::getSalt());
+        $hash = hash_hmac('sha1', '/posts/delete/1' . serialize([]) . session_id(), Security::getSalt());
         $hash .= '%3A';
         $this->Form->request->params['_Token']['key'] = 'test';
 
@@ -7690,7 +7690,7 @@ public function testPostLinkSecurityHashBlockMode()
     public function testPostLinkSecurityHashNoDebugMode()
     {
         Configure::write('debug', false);
-        $hash = hash_hmac('sha1', '/posts/delete/1' . serialize(['id' => '1']), Security::getSalt());
+        $hash = hash_hmac('sha1', '/posts/delete/1' . serialize(['id' => '1']) . session_id(), Security::getSalt());
         $hash .= '%3Aid';
         $this->Form->request->params['_Token']['key'] = 'test';
 

diff --git a/tests/bootstrap.php b/tests/bootstrap.php
@@ -139,3 +139,8 @@ class_alias('PHPUnit_Framework_Error', 'PHPUnit\Framework\Error\Error');
     class_alias('PHPUnit_Framework_Error_Warning', 'PHPUnit\Framework\Error\Warning');
     class_alias('PHPUnit_Framework_ExpectationFailedException', 'PHPUnit\Framework\ExpectationFailedException');
 }
+
+// Fixate sessionid early on, as php7.2+
+// does not allow the sessionid to be set after stdout
+// has been written to.
+session_id('cli');