[SECURITY] Prevent information disclosure in tests bootstrap

IchHabRecht · ohader · commit ed1e46f89c8e · 2015-09-08T10:56:29.000+02:00
Both, the UnitTestsBootstrap and FunctionalTestsBootstrap set display_errors to 1 which shows errors and warnings by default. If you call those scripts within web context the files can't be loaded and the error message shows the website root path. The patch adds proper checks before files are loaded and exits if an error occurs. Resolves: #67900 Releases: 6.2 Security-Bulletin: TYPO3-CORE-SA-2015-008 Change-Id: I1e294bcd2f6cd7c2a32f54a890ca2d4a869c9fda Reviewed-on: http://review.typo3.org/43120 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/core/Build/FunctionalTestsBootstrap.php b/typo3/sysext/core/Build/FunctionalTestsBootstrap.php
@@ -51,6 +51,9 @@ protected function enableDisplayErrors() {
 	 */
 	protected function loadClassFiles() {
 		$testsDirectory = __DIR__ . '/../Tests/';
+		if (!class_exists('PHPUnit_Framework_TestCase')) {
+			die('PHPUnit wasn\'t found. Please check your settings and command.');
+		}
 		require_once($testsDirectory . 'BaseTestCase.php');
 		require_once($testsDirectory . 'FunctionalTestCase.php');
 		require_once($testsDirectory . 'FunctionalTestCaseBootstrapUtility.php');
@@ -122,6 +125,10 @@ protected function getWebRoot() {
 	}
 }
 
+if (PHP_SAPI !== 'cli') {
+	die('This script supports command line usage only. Please check your command.');
+}
+
 $bootstrap = new FunctionalTestsBootstrap();
 $bootstrap->bootstrapSystem();
 unset($bootstrap);
diff --git a/typo3/sysext/core/Build/UnitTestsBootstrap.php b/typo3/sysext/core/Build/UnitTestsBootstrap.php
@@ -171,7 +171,11 @@ protected function createDirectory($directory) {
 	 * @return UnitTestsBootstrap fluent interface
 	 */
 	protected function includeAndStartCoreBootstrap() {
-		require_once PATH_site . '/typo3/sysext/core/Classes/Core/Bootstrap.php';
+		$bootstrapPath = PATH_site . '/typo3/sysext/core/Classes/Core/Bootstrap.php';
+		if (!file_exists($bootstrapPath)) {
+			die('Bootstrap can\'t be loaded. Please check your path or set an environment variable \'TYPO3_PATH_WEB\' to your root path.');
+		}
+		require_once $bootstrapPath;
 
 		Bootstrap::getInstance()
 			->baseSetup()
@@ -211,6 +215,10 @@ protected function finishCoreBootstrap() {
 	}
 }
 
+if (PHP_SAPI !== 'cli') {
+	die('This script supports command line usage only. Please check your command.');
+}
+
 $bootstrap = new UnitTestsBootstrap();
 $bootstrap->bootstrapSystem();
 unset($bootstrap);
