authorIvan Kohler <ivan@freeside.biz>2014-09-15 20:44:48 -0700
committerIvan Kohler <ivan@freeside.biz>2014-09-15 20:44:48 -0700
commited1f84b4e8f626245995ecda5afcf83092c153b2 (patch)
tree3f58bbef5fbf2502e65d29b37b5dbe537519e89d /rt/t/security/CVE-2011-5092-graph-links.t
parentfe9ea9183e8a16616d6d04a7b5c7498d28e78248 (diff)
RT 4.0.22
Diffstat (limited to 'rt/t/security/CVE-2011-5092-graph-links.t')
-rw-r--r--rt/t/security/CVE-2011-5092-graph-links.t27
1 files changed, 27 insertions, 0 deletions
diff --git a/rt/t/security/CVE-2011-5092-graph-links.t b/rt/t/security/CVE-2011-5092-graph-links.t
new file mode 100644
index 000000000..5e98dd3b5
--- /dev/null
+++ b/rt/t/security/CVE-2011-5092-graph-links.t
@@ -0,0 +1,27 @@
+use strict;
+use warnings;
+
+use RT::Test tests => undef;
+
+my ($base, $m) = RT::Test->started_ok;
+$m->login;
+
+for my $arg (qw(LeadingLink ShowLinks)) {
+ my $ticket = RT::Test->create_ticket(
+ Queue => 'General',
+ Subject => 'testing',
+ );
+ ok $ticket->id, 'created ticket';
+
+ ok !$ticket->ToldObj->Unix, 'no Told';
+ $m->get_ok("$base/Ticket/Graphs/index.html?$arg=SetTold;id=" . $ticket->id);
+
+ $ticket->Load($ticket->id); # cache busting
+
+ ok !$ticket->ToldObj->Unix, 'still no Told';
+ $m->content_lacks('GotoFirstItem', 'no GotoFirstItem error');
+ $m->content_like(qr|<img[^>]+?src=['"]/Ticket/Graphs/@{[$ticket->id]}|, 'found image element');
+}
+
+undef $m;
+done_testing;
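Review bot: Nothing in the file says why `SetTold` and `GotoFirstItem` are the values being probed, so the two negative assertions in the `for` loop read as arbitrary to anyone who does not already know the advisory. A comment above the loop would fix that, e.g. `# Naming a ticket method in LeadingLink/ShowLinks must not cause it to be called; SetTold is the probe because a call would change Told.` (this intent is inferred from the assertions, so confirm the wording against the advisory). The `'still no Told'` check is only meaningful if `$ticket->Load($ticket->id)` really re-reads the row instead of returning a cached record, which the hunk does not show; loading a fresh `RT::Ticket` object would remove that doubt. The return value of `$m->login` is also unchecked, and `ok $m->login, 'logged in';` would report a failed login directly rather than as a missing image element later.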