1 files changed, 59 insertions, 0 deletions

diff --git a/subsonic-main/src/test/java/net/sourceforge/subsonic/service/SecurityServiceTestCase.java b/subsonic-main/src/test/java/net/sourceforge/subsonic/service/SecurityServiceTestCase.java
new file mode 100644
index 00000000..001b124c
--- /dev/null
+++ b/subsonic-main/src/test/java/net/sourceforge/subsonic/service/SecurityServiceTestCase.java
@@ -0,0 +1,59 @@
+/*
+ This file is part of Subsonic.
+
+ Subsonic is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ Subsonic is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with Subsonic.  If not, see <http://www.gnu.org/licenses/>.
+
+ Copyright 2009 (C) Sindre Mehus
+ */
+package net.sourceforge.subsonic.service;
+
+import junit.framework.*;
+/**
+ * Unit test of {@link SecurityService}.
+ *
+ * @author Sindre Mehus
+ */
+public class SecurityServiceTestCase extends TestCase {
+
+    public void testIsFileInFolder() {
+        SecurityService service = new SecurityService();
+
+        assertTrue(service.isFileInFolder("/music/foo.mp3", "\\"));
+        assertTrue(service.isFileInFolder("/music/foo.mp3", "/"));
+
+        assertTrue(service.isFileInFolder("/music/foo.mp3", "/music"));
+        assertTrue(service.isFileInFolder("\\music\\foo.mp3", "/music"));
+        assertTrue(service.isFileInFolder("/music/foo.mp3", "\\music"));
+        assertTrue(service.isFileInFolder("/music/foo.mp3", "\\music\\"));
+
+        assertFalse(service.isFileInFolder("", "/tmp"));
+        assertFalse(service.isFileInFolder("foo.mp3", "/tmp"));
+        assertFalse(service.isFileInFolder("/music/foo.mp3", "/tmp"));
+        assertFalse(service.isFileInFolder("/music/foo.mp3", "/tmp/music"));
+
+        // Test that references to the parent directory (..) is not allowed.
+        assertTrue(service.isFileInFolder("/music/foo..mp3", "/music"));
+        assertTrue(service.isFileInFolder("/music/foo..", "/music"));
+        assertTrue(service.isFileInFolder("/music/foo.../", "/music"));
+        assertFalse(service.isFileInFolder("/music/foo/..", "/music"));
+        assertFalse(service.isFileInFolder("../music/foo", "/music"));
+        assertFalse(service.isFileInFolder("/music/../foo", "/music"));
+        assertFalse(service.isFileInFolder("/music/../bar/../foo", "/music"));
+        assertFalse(service.isFileInFolder("/music\\foo\\..", "/music"));
+        assertFalse(service.isFileInFolder("..\\music/foo", "/music"));
+        assertFalse(service.isFileInFolder("/music\\../foo", "/music"));
+        assertFalse(service.isFileInFolder("/music/..\\bar/../foo", "/music"));
+    }
+}
+