Add various tests for include filename checks

author: Stefan Esser 2014-02-16 10:45:17 +0100
committer: Stefan Esser 2014-02-16 10:45:17 +0100
commit: 04f02a230d40c2d86b9d477a7810de24b15a7590 (patch)
tree: 845b75d12015b95ad2a566bb9ef94e4e731543f1
parent: 2bf085a8d27a5b9a05a0164fcc0c1ea41e78c601 (diff)
5 files changed, 123 insertions, 0 deletions
diff --git a/tests/include/include_max_traversal.phpt b/tests/include/include_max_traversal.phpt
new file mode 100644
index 0000000..1ed083d
--- /dev/null
+++ b/tests/include/include_max_traversal.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Testing suhosin.executor.include.max_traversal=10
+--DESCRIPTION--
+Seems to work fine, maybe split up later into multiple test cases.
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+error_reporting=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+suhosin.executor.include.max_traversal=10
+--FILE--
+<?php
+if ($included === TRUE) { echo "$case INCLUDED!\n";return; }
+$included = TRUE;
+$case = "C1"; include("/../../../../../../../../../" . __FILE__);
+$case = "C2"; include("/.././.././.././.././.././.././.././.././../" . __FILE__);
+$case = "C3"; include("/.././.././.././.././.././.././.././.././.././../" . __FILE__);
+$case = "C4"; include("/../../../../../../../../../../" . __FILE__);
+$case = "C5"; include("/../../../../../../../../../../../" . __FILE__);
+$case = "C6"; include("/.././.././.././.././.././.././.././.././../" . __FILE__);
+?>
+--EXPECTF--
+C1 INCLUDED!
+C2 INCLUDED!
+ALERT - Include filename ('/.././.././.././.././.././.././.././.././.././../%s') contains too many '../' (attacker 'REMOTE_ADDR not set', file '%s', line 7)
diff --git a/tests/include/include_nul_in_filename.phpt b/tests/include/include_nul_in_filename.phpt
new file mode 100644
index 0000000..05c2823
--- /dev/null
+++ b/tests/include/include_nul_in_filename.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Testing include of filename including ASCIIZ character
+--DESCRIPTION--
+This test will only trigger the PHP internal protection.
+If this test case ever breaks then PHP has failed and hopefully Suhosin has kicked in.
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+$filename1 = "AAAA".chr(0)."AAAA";
+include $filename1;
+?>
+--EXPECTF--
+Warning: include(): Failed opening 'AAAA' for inclusion (include_path='%s') in %s on line 3
+\ No newline at end of file
diff --git a/tests/include/include_too_long.phpt b/tests/include/include_too_long.phpt
new file mode 100644
index 0000000..91c9958
--- /dev/null
+++ b/tests/include/include_too_long.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing include of too long filename
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+$filename1 = str_repeat("A", PHP_MAXPATHLEN+1);
+include $filename1;
+?>
+--EXPECTF--
+ALERT - Include filename ('AAAA%sAAAA') is too long (attacker 'REMOTE_ADDR not set', file '%s', line 3)
+\ No newline at end of file
diff --git a/tests/include/include_uploaded_file_diff_filename.phpt b/tests/include/include_uploaded_file_diff_filename.phpt
new file mode 100644
index 0000000..8d3bca5
--- /dev/null
+++ b/tests/include/include_uploaded_file_diff_filename.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Testing include file from $_FILES (but change name a bit)
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="f1"; filename="filename2"
+<?php echo "NO_GOOD/n";
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+include "/../../../" . $_FILES['f1']['tmp_name'];
+?>
+--EXPECTF--
+ALERT - Include filename is an uploaded file (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+\ No newline at end of file
diff --git a/tests/include/include_uploaded_file_from_FILES.phpt b/tests/include/include_uploaded_file_from_FILES.phpt
new file mode 100644
index 0000000..1ec20f3
--- /dev/null
+++ b/tests/include/include_uploaded_file_from_FILES.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Testing include file from $_FILES
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="f1"; filename="filename2"
+<?php echo "NO_GOOD/n";
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+include $_FILES['f1']['tmp_name'];
+?>
+--EXPECTF--
+ALERT - Include filename is an uploaded file (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+\ No newline at end of file
author	Stefan Esser	2014-02-16 10:45:17 +0100
committer	Stefan Esser	2014-02-16 10:45:17 +0100
commit	04f02a230d40c2d86b9d477a7810de24b15a7590 (patch)
tree	845b75d12015b95ad2a566bb9ef94e4e731543f1
parent	2bf085a8d27a5b9a05a0164fcc0c1ea41e78c601 (diff)

diff --git a/tests/include/include_max_traversal.phpt b/tests/include/include_max_traversal.phpt new file mode 100644 index 0000000..1ed083d --- /dev/null +++ b/tests/include/include_max_traversal.phpt
@@ -0,0 +1,32 @@
	1	--TEST--
	2	Testing suhosin.executor.include.max_traversal=10
	3	--DESCRIPTION--
	4	Seems to work fine, maybe split up later into multiple test cases.
	5	--SKIPIF--
	6	<?php include "../skipifcli.inc"; ?>
	7	--INI--
	8	suhosin.log.syslog=0
	9	suhosin.log.sapi=255
	10	suhosin.log.script=0
	11	suhosin.log.phpscript=0
	12	error_reporting=0
	13	suhosin.executor.include.whitelist=
	14	suhosin.executor.include.blacklist=
	15	suhosin.executor.include.max_traversal=10
	16	--FILE--
	17	<?php
	18	if ($included === TRUE) { echo "$case INCLUDED!\n";return; }
	19	$included = TRUE;
	20
	21	$case = "C1"; include("/../../../../../../../../../" . __FILE__);
	22	$case = "C2"; include("/.././.././.././.././.././.././.././.././../" . __FILE__);
	23	$case = "C3"; include("/.././.././.././.././.././.././.././.././.././../" . __FILE__);
	24	$case = "C4"; include("/../../../../../../../../../../" . __FILE__);
	25	$case = "C5"; include("/../../../../../../../../../../../" . __FILE__);
	26	$case = "C6"; include("/.././.././.././.././.././.././.././.././../" . __FILE__);
	27
	28	?>
	29	--EXPECTF--
	30	C1 INCLUDED!
	31	C2 INCLUDED!
	32	ALERT - Include filename ('/.././.././.././.././.././.././.././.././.././../%s') contains too many '../' (attacker 'REMOTE_ADDR not set', file '%s', line 7)


diff --git a/tests/include/include_nul_in_filename.phpt b/tests/include/include_nul_in_filename.phpt new file mode 100644 index 0000000..05c2823 --- /dev/null +++ b/tests/include/include_nul_in_filename.phpt
@@ -0,0 +1,23 @@
	1	--TEST--
	2	Testing include of filename including ASCIIZ character
	3	--DESCRIPTION--
	4
	5	This test will only trigger the PHP internal protection.
	6	If this test case ever breaks then PHP has failed and hopefully Suhosin has kicked in.
	7
	8	--SKIPIF--
	9	<?php include "../skipifcli.inc"; ?>
	10	--INI--
	11	suhosin.log.syslog=0
	12	suhosin.log.sapi=255
	13	suhosin.log.script=0
	14	suhosin.log.phpscript=0
	15	suhosin.executor.include.whitelist=
	16	suhosin.executor.include.blacklist=
	17	--FILE--
	18	<?php
	19	$filename1 = "AAAA".chr(0)."AAAA";
	20	include $filename1;
	21	?>
	22	--EXPECTF--
	23	Warning: include(): Failed opening 'AAAA' for inclusion (include_path='%s') in %s on line 3 \ No newline at end of file


diff --git a/tests/include/include_too_long.phpt b/tests/include/include_too_long.phpt new file mode 100644 index 0000000..91c9958 --- /dev/null +++ b/tests/include/include_too_long.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing include of too long filename
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$filename1 = str_repeat("A", PHP_MAXPATHLEN+1);
	15	include $filename1;
	16	?>
	17	--EXPECTF--
	18	ALERT - Include filename ('AAAA%sAAAA') is too long (attacker 'REMOTE_ADDR not set', file '%s', line 3) \ No newline at end of file


diff --git a/tests/include/include_uploaded_file_diff_filename.phpt b/tests/include/include_uploaded_file_diff_filename.phpt new file mode 100644 index 0000000..8d3bca5 --- /dev/null +++ b/tests/include/include_uploaded_file_diff_filename.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Testing include file from $_FILES (but change name a bit)
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=0
	8	suhosin.log.stdout=255
	9	suhosin.log.script=0
	10	suhosin.log.phpscript=0
	11	suhosin.executor.include.whitelist=
	12	suhosin.executor.include.blacklist=
	13	--POST_RAW--
	14	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
	15	-----------------------------20896060251896012921717172737
	16	Content-Disposition: form-data; name="f1"; filename="filename2"
	17
	18	<?php echo "NO_GOOD/n";
	19	-----------------------------20896060251896012921717172737--
	20	--FILE--
	21	<?php
	22	include "/../../../" . $_FILES['f1']['tmp_name'];
	23	?>
	24	--EXPECTF--
	25	ALERT - Include filename is an uploaded file (attacker 'REMOTE_ADDR not set', file '%s', line 2) \ No newline at end of file


diff --git a/tests/include/include_uploaded_file_from_FILES.phpt b/tests/include/include_uploaded_file_from_FILES.phpt new file mode 100644 index 0000000..1ec20f3 --- /dev/null +++ b/tests/include/include_uploaded_file_from_FILES.phpt
@@ -0,0 +1,25 @@
	1	--TEST--
	2	Testing include file from $_FILES
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=0
	8	suhosin.log.stdout=255
	9	suhosin.log.script=0
	10	suhosin.log.phpscript=0
	11	suhosin.executor.include.whitelist=
	12	suhosin.executor.include.blacklist=
	13	--POST_RAW--
	14	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
	15	-----------------------------20896060251896012921717172737
	16	Content-Disposition: form-data; name="f1"; filename="filename2"
	17
	18	<?php echo "NO_GOOD/n";
	19	-----------------------------20896060251896012921717172737--
	20	--FILE--
	21	<?php
	22	include $_FILES['f1']['tmp_name'];
	23	?>
	24	--EXPECTF--
	25	ALERT - Include filename is an uploaded file (attacker 'REMOTE_ADDR not set', file '%s', line 2) \ No newline at end of file