| author | Stefan Esser | 2014-02-13 11:27:18 +0100 |
|---|---|---|
| committer | Stefan Esser | 2014-02-13 11:27:18 +0100 |
| commit | 6909a29e3cb927b0600665e9291a60884da31f3a (patch) | |
| tree | c36644ec0780f17b3169f02d57a7e45afe0564d3 | |
| parent | 63519762d8131b9c6d3f15cca5b498c780523297 (diff) | |
Tests for suhosin.XXX.max_name_length and suhosin.request_max_varname_length
5 files changed, 275 insertions, 0 deletions
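--- /dev/null
+++ b/tests/filter/input_filter_cookie_max_name_length.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_name_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_varname_length=0
+suhosin.cookie.max_name_length=4
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
+--GET--
+--POST--
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(4) {
+["var"]=>
+string(1) "0"
+["var1"]=>
+string(1) "1"
+["var2"]=>
+array(1) {
+[0]=>
+string(1) "2"
+}
+["var3"]=>
+array(1) {
+["xxx"]=>
+string(1) "3"
+}
+}
+ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+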
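Review bot: The `--GET--` and `--POST--` sections are empty in this test, so nothing asserts that `suhosin.cookie.max_name_length=4` leaves the other sources alone; a filter that wrongly applied the cookie limit to every source would still pass. Adding a `--GET--` line such as `var04=4&var05[]=5` together with `var_dump($_GET);` and the matching expected output would pin that isolation. The same gap applies to input_filter_get_max_name_length.phpt, input_filter_post_max_name_length.phpt and the RFC1867 variant, each of which populates only the source under test. The expected output also appears to depend on the defaults of the total-name and array-index length limits (for example `suhosin.cookie.max_totalname_length`), which the `--INI--` block does not set; stating them explicitly would keep the test stable if those defaults change.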
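--- /dev/null
+++ b/tests/filter/input_filter_get_max_name_length.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin input filter (suhosin.get.max_name_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_varname_length=0
+suhosin.get.max_name_length=4
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
+--POST--
+--FILE--
+<?php
+var_dump($_GET);
+?>
+--EXPECTF--
+array(4) {
+["var"]=>
+string(1) "0"
+["var1"]=>
+string(1) "1"
+["var2"]=>
+array(1) {
+[0]=>
+string(1) "2"
+}
+["var3"]=>
+array(1) {
+["xxx"]=>
+string(1) "3"
+}
+}
+ALERT - configured GET variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+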
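--- /dev/null
+++ b/tests/filter/input_filter_post_max_name_length.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin input filter (suhosin.post.max_name_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_varname_length=0
+suhosin.post.max_name_length=4
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST--
+var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(4) {
+["var"]=>
+string(1) "0"
+["var1"]=>
+string(1) "1"
+["var2"]=>
+array(1) {
+[0]=>
+string(1) "2"
+}
+["var3"]=>
+array(1) {
+["xxx"]=>
+string(1) "3"
+}
+}
+ALERT - configured POST variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+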
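--- /dev/null
+++ b/tests/filter/input_filter_post_max_name_length_rfc1867.phpt
@@ -0,0 +1,70 @@
+--TEST--
+suhosin input filter (suhosin.post.max_name_length - RFC1867 version)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_varname_length=0
+suhosin.post.max_name_length=4
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var"
+
+0
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var1"
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var2[]"
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var3[xxx]"
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var04"
+
+4
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var05[]"
+
+5
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var06[xxx]"
+
+6
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(4) {
+["var"]=>
+string(1) "0"
+["var1"]=>
+string(1) "1"
+["var2"]=>
+array(1) {
+[0]=>
+string(1) "2"
+}
+["var3"]=>
+array(1) {
+["xxx"]=>
+string(1) "3"
+}
+}
+ALERT - configured POST variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+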
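Review bot: Every part in the `--POST_RAW--` body is a plain form field, so the multipart path is only checked for values that end up in `$_POST`; no part carries a `filename=` parameter. If `suhosin.post.max_name_length` is also meant to cover upload field names, a part such as `Content-Disposition: form-data; name="var04"; filename="a.txt"` plus `var_dump($_FILES);` would show whether an over-long name is dropped there too. Whether the upload path shares this check is not visible from the test, so this is a coverage question rather than a known gap.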
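--- /dev/null
+++ b/tests/filter/input_filter_request_max_name_length.phpt
@@ -0,0 +1,82 @@
+--TEST--
+suhosin input filter (suhosin.request.max_varname_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_varname_length=4
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
+--GET--
+var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
+--POST--
+var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
+--FILE--
+<?php
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(4) {
+["var"]=>
+string(1) "0"
+["var1"]=>
+string(1) "1"
+["var2"]=>
+array(1) {
+[0]=>
+string(1) "2"
+}
+["var3"]=>
+array(1) {
+["xxx"]=>
+string(1) "3"
+}
+}
+array(4) {
+["var"]=>
+string(1) "0"
+["var1"]=>
+string(1) "1"
+["var2"]=>
+array(1) {
+[0]=>
+string(1) "2"
+}
+["var3"]=>
+array(1) {
+["xxx"]=>
+string(1) "3"
+}
+}
+array(4) {
+["var"]=>
+string(1) "0"
+["var1"]=>
+string(1) "1"
+["var2"]=>
+array(1) {
+[0]=>
+string(1) "2"
+}
+["var3"]=>
+array(1) {
+["xxx"]=>
+string(1) "3"
+}
+}
+ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+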
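Review bot: No test in this commit sets `suhosin.request.max_varname_length` and a per-source `max_name_length` to different non-zero values, so the precedence between the two limits is left unspecified; this test leaves the per-source limits at their defaults and the other four set the request limit to 0. A companion case with, for example, `suhosin.request.max_varname_length=4` and `suhosin.get.max_name_length=3` would document which limit wins and which ALERT text is logged. The nine per-variable ALERT lines are textually identical across sources, so attribution to GET, POST and COOKIE rests only on the final summary line and the three dumps. The file name uses `max_name_length` while the directive under test is `max_varname_length`, which makes the test harder to find by grep.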
