Merge branch 'anum-bug4788' into develop

* anum-bug4788: (Bug 4788) If we guessed the anum, then save it as "untrusted_anum" (Bug 4788) Add test for entry lookup.
dreamwidth · Jan 8, 2013 · 23d6b68 · 23d6b68
2 parents c4d798a + 56f020b
commit 23d6b68
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 2 deletions.
diff --git a/cgi-bin/LJ/Entry.pm b/cgi-bin/LJ/Entry.pm
@@ -115,7 +115,7 @@ sub new
         if %opts;
 
     if ($self->{ditemid}) {
-        $self->{anum}    = $self->{ditemid} & 255;
+        $self->{_untrusted_anum} = $self->{ditemid} & 255;
         $self->{jitemid} = $self->{ditemid} >> 8;
     }
 
@@ -283,9 +283,14 @@ sub anum {
 #   $entry->correct_anum
 #   $entry->correct_anum($given_anum)
 # if no given anum, gets it from the provided ditemid to constructor
+# Note: an anum parsed from the ditemid cannot be trusted which is what we're verifying here
 sub correct_anum {
     my ( $self, $given ) = @_;
-    $given = defined $given ? int( $given ) : $self->{anum};
+
+    $given = defined $given ? int( $given ) :
+           $self->{ditemid} ? $self->{_untrusted_anum} :
+                              $self->{anum};
+
     return 0 unless $self->valid;
     return 0 unless defined $self->{anum} && defined $given;
     return $self->{anum} == $given;

diff --git a/t/entry-lookup.t b/t/entry-lookup.t
@@ -0,0 +1,63 @@
+# -*-perl-*-
+
+use strict;
+use Test::More;
+use lib "$ENV{LJHOME}/cgi-bin";
+BEGIN { require 'ljlib.pl'; }
+
+
+use LJ::Test qw(temp_user);
+use LJ::Entry;
+
+plan tests => 10;
+
+my $u = temp_user();
+
+my $entry_real = $u->t_post_fake_entry;
+my $ditemid = $entry_real->{ditemid};
+my $jitemid = $entry_real->{jitemid};
+my $anum = $entry_real->{anum};
+
+note( "test entry from jitemid (valid jitemid)" );
+{
+    LJ::Entry->reset_singletons;
+    my $entry_from_jitemid = LJ::Entry->new( $u, jitemid => $jitemid );
+    ok( $entry_from_jitemid->valid, "valid entry" );
+    ok( $entry_from_jitemid->correct_anum, "correct anum" );
+}
+
+note( "test entry from jitemid (invalid jitemid" );
+{
+    LJ::Entry->reset_singletons;
+    my $entry_from_jitemid = LJ::Entry->new( $u, jitemid => $jitemid + 1 );
+    ok( ! $entry_from_jitemid->valid, "invalid entry" );
+    ok( ! $entry_from_jitemid->correct_anum, "incorrect anum" );
+}
+
+note( "test entry from ditemid (valid ditemid) ");
+{
+    LJ::Entry->reset_singletons;
+    my $entry_from_ditemid = LJ::Entry->new( $u, ditemid => $ditemid );
+    ok( $entry_from_ditemid->valid, "valid entry" );
+    ok( $entry_from_ditemid->correct_anum, "correct anum" );
+}
+
+note( "test entry from ditemid (valid jitemid, invalid anum)" );
+{
+    LJ::Entry->reset_singletons;
+    my $entry_from_ditemid = LJ::Entry->new( $u, ditemid => ( $jitemid << 8 ) + ( ( $anum + 1 ) % 256 ) );
+    warn "$entry_real->{ditemid}; $entry_real->{anum} ;; $entry_from_ditemid->{ditemid}; $entry_from_ditemid->{anum}";
+    ok(   $entry_from_ditemid->valid, "valid entry" );
+    ok( ! $entry_from_ditemid->correct_anum, "incorrect anum" );
+}
+
+note( "test entry from ditemid (invalid jitemid, invalid anum)" );
+{
+    LJ::Entry->reset_singletons;
+    my $entry_from_ditemid = LJ::Entry->new( $u, ditemid => ( $jitemid + 1 ) );
+    ok( ! $entry_from_ditemid->valid, "valid entry" );
+    ok( ! $entry_from_ditemid->correct_anum, "incorrect anum" );
+}
+
+1;
+