Tests: more corner cases for secure_link module.

Author: pluknet

secure_link.t

@@ -24,7 +24,7 @@ use Test::Nginx;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(10);
+my $t = Test::Nginx->new()->has(qw/http secure_link rewrite/)->plan(19);
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -111,6 +111,10 @@ http {
                 return 403;
             }
         }
+
+        location /stub {
+            return 200 x$secure_link${secure_link_expires}x;
+        }
     }
 }
 
@@ -128,6 +132,22 @@ like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA=='),
 	qr/PASSED/, 'request md5');
 like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA'),
 	qr/PASSED/, 'request md5 no padding');
+
+TODO: {
+todo_skip 'stack-buffer-overflow', 1 unless $ENV{TEST_NGINX_UNSAFE}
+	or $t->has_version('1.13.5');
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHAQQ'),
+	qr/^HTTP.*403/, 'request md5 too long');
+
+}
+
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHA-TOOLONG'),
+	qr/^HTTP.*403/, 'request md5 too long encoding');
+like(http_get('/test.html?hash=BADHASHLENGTH'),
+	qr/^HTTP.*403/, 'request md5 decode error');
+like(http_get('/test.html?hash=q-5vpkjBkRXXtkUMXiJVHX=='),
+	qr/^HTTP.*403/, 'request md5 mismatch');
 like(http_get('/test.html'), qr/^HTTP.*403/, 'request no hash');
 
 # new style with expires
@@ -146,15 +166,27 @@ $hash = encode_base64url(md5("secret/expires.html$expires"));
 like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
 	qr/^HTTP.*403/, 'request md5 expired');
 
+$expires = 0;
+$hash = encode_base64url(md5("secret/expires.html$expires"));
+like(http_get('/expires.html?hash=' . $hash . '&expires=' . $expires),
+	qr/^HTTP.*403/, 'request md5 invalid expiration');
+
 # old style
 
 like(http_get('/p/' . md5_hex('test.html' . 'secret') . '/test.html'),
 	qr/PASSED/, 'request old style');
 like(http_get('/p/' . md5_hex('fake') . '/test.html'), qr/^HTTP.*403/,
 	'request old style fake hash');
+like(http_get('/p/' . 'foo' . '/test.html'), qr/^HTTP.*403/,
+	'request old style short hash');
+like(http_get('/p/' . 'x' x 32 . '/test.html'), qr/^HTTP.*403/,
+	'request old style corrupt hash');
+like(http_get('/p%2f'), qr/^HTTP.*403/, 'request old style bad uri');
 like(http_get('/p/test.html'), qr/^HTTP.*403/, 'request old style no hash');
 like(http_get('/inheritance/test'), qr/PASSED/, 'inheritance');
 
+like(http_get('/stub'), qr/xx/, 'secure_link not found');
+
 ###############################################################################
 
 sub encode_base64url {