Add tests for suhosin.get/post/cookie/request.max_value_length

author: Stefan Esser 2014-02-16 12:21:44 +0100
committer: Stefan Esser 2014-02-16 12:21:44 +0100
commit: f7ef68966204b2ac1e45f1c7e8c72aae2becc382 (patch)
tree: 1af06a6ddead211948760d2d73b01f1da6cc76c6
parent: 4e6c1b038dab5287d0ae7d91c422dd7f225baca8 (diff)
5 files changed, 157 insertions, 0 deletions
diff --git a/tests/filter/input_filter_cookie_max_value_length.phpt b/tests/filter/input_filter_cookie_max_value_length.phpt
new file mode 100644
index 0000000..fb8b3d8
--- /dev/null
+++ b/tests/filter/input_filter_cookie_max_value_length.phpt
@@ -0,0 +1,33 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_value_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_value_length=0
+suhosin.cookie.max_value_length=3
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
+--GET--
+--POST--
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(3) {
+  ["var1"]=>
+  string(1) "1"
+  ["var2"]=>
+  string(2) "22"
+  ["var3"]=>
+  string(3) "333"
+}
+ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_get_max_value_length.phpt b/tests/filter/input_filter_get_max_value_length.phpt
new file mode 100644
index 0000000..a5eaf5b
--- /dev/null
+++ b/tests/filter/input_filter_get_max_value_length.phpt
@@ -0,0 +1,33 @@
+--TEST--
+suhosin input filter (suhosin.get.max_value_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_value_length=0
+suhosin.get.max_value_length=3
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
+--POST--
+--FILE--
+<?php
+var_dump($_GET);
+?>
+--EXPECTF--
+array(3) {
+  ["var1"]=>
+  string(1) "1"
+  ["var2"]=>
+  string(2) "22"
+  ["var3"]=>
+  string(3) "333"
+}
+ALERT - configured GET variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_post_max_value_length.phpt b/tests/filter/input_filter_post_max_value_length.phpt
new file mode 100644
index 0000000..b560bde
--- /dev/null
+++ b/tests/filter/input_filter_post_max_value_length.phpt
@@ -0,0 +1,33 @@
+--TEST--
+suhosin input filter (suhosin.post.max_value_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_value_length=0
+suhosin.post.max_value_length=3
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST--
+var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(3) {
+  ["var1"]=>
+  string(1) "1"
+  ["var2"]=>
+  string(2) "22"
+  ["var3"]=>
+  string(3) "333"
+}
+ALERT - configured POST variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_post_max_value_length_rfc1867.phpt b/tests/filter/input_filter_post_max_value_length_rfc1867.phpt
new file mode 100644
index 0000000..7552255
--- /dev/null
+++ b/tests/filter/input_filter_post_max_value_length_rfc1867.phpt
Binary files differ
diff --git a/tests/filter/input_filter_request_max_value_length.phpt b/tests/filter/input_filter_request_max_value_length.phpt
new file mode 100644
index 0000000..6906fb0
--- /dev/null
+++ b/tests/filter/input_filter_request_max_value_length.phpt
@@ -0,0 +1,58 @@
+--TEST--
+suhosin input filter (suhosin.request.max_value_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_value_length=3
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
+--GET--
+var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
+--POST--
+var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
+--FILE--
+<?php
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(3) {
+  ["var1"]=>
+  string(1) "1"
+  ["var2"]=>
+  string(2) "22"
+  ["var3"]=>
+  string(3) "333"
+}
+array(3) {
+  ["var1"]=>
+  string(1) "1"
+  ["var2"]=>
+  string(2) "22"
+  ["var3"]=>
+  string(3) "333"
+}
+array(3) {
+  ["var1"]=>
+  string(1) "1"
+  ["var2"]=>
+  string(2) "22"
+  ["var3"]=>
+  string(3) "333"
+}
+ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
author	Stefan Esser	2014-02-16 12:21:44 +0100
committer	Stefan Esser	2014-02-16 12:21:44 +0100
commit	f7ef68966204b2ac1e45f1c7e8c72aae2becc382 (patch)
tree	1af06a6ddead211948760d2d73b01f1da6cc76c6
parent	4e6c1b038dab5287d0ae7d91c422dd7f225baca8 (diff)

diff --git a/tests/filter/input_filter_cookie_max_value_length.phpt b/tests/filter/input_filter_cookie_max_value_length.phpt new file mode 100644 index 0000000..fb8b3d8 --- /dev/null +++ b/tests/filter/input_filter_cookie_max_value_length.phpt
@@ -0,0 +1,33 @@
	1	--TEST--
	2	suhosin input filter (suhosin.cookie.max_value_length)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	suhosin.request.max_value_length=0
	9	suhosin.cookie.max_value_length=3
	10	--SKIPIF--
	11	<?php include('skipif.inc'); ?>
	12	--COOKIE--
	13	var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
	14	--GET--
	15	--POST--
	16	--FILE--
	17	<?php
	18	var_dump($_COOKIE);
	19	?>
	20	--EXPECTF--
	21	array(3) {
	22	["var1"]=>
	23	string(1) "1"
	24	["var2"]=>
	25	string(2) "22"
	26	["var3"]=>
	27	string(3) "333"
	28	}
	29	ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
	30	ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
	31	ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
	32	ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
	33


diff --git a/tests/filter/input_filter_get_max_value_length.phpt b/tests/filter/input_filter_get_max_value_length.phpt new file mode 100644 index 0000000..a5eaf5b --- /dev/null +++ b/tests/filter/input_filter_get_max_value_length.phpt
@@ -0,0 +1,33 @@
	1	--TEST--
	2	suhosin input filter (suhosin.get.max_value_length)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	suhosin.request.max_value_length=0
	9	suhosin.get.max_value_length=3
	10	--SKIPIF--
	11	<?php include('skipif.inc'); ?>
	12	--COOKIE--
	13	--GET--
	14	var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
	15	--POST--
	16	--FILE--
	17	<?php
	18	var_dump($_GET);
	19	?>
	20	--EXPECTF--
	21	array(3) {
	22	["var1"]=>
	23	string(1) "1"
	24	["var2"]=>
	25	string(2) "22"
	26	["var3"]=>
	27	string(3) "333"
	28	}
	29	ALERT - configured GET variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
	30	ALERT - configured GET variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
	31	ALERT - configured GET variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
	32	ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
	33


diff --git a/tests/filter/input_filter_post_max_value_length.phpt b/tests/filter/input_filter_post_max_value_length.phpt new file mode 100644 index 0000000..b560bde --- /dev/null +++ b/tests/filter/input_filter_post_max_value_length.phpt
@@ -0,0 +1,33 @@
	1	--TEST--
	2	suhosin input filter (suhosin.post.max_value_length)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	suhosin.request.max_value_length=0
	9	suhosin.post.max_value_length=3
	10	--SKIPIF--
	11	<?php include('skipif.inc'); ?>
	12	--COOKIE--
	13	--GET--
	14	--POST--
	15	var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
	16	--FILE--
	17	<?php
	18	var_dump($_POST);
	19	?>
	20	--EXPECTF--
	21	array(3) {
	22	["var1"]=>
	23	string(1) "1"
	24	["var2"]=>
	25	string(2) "22"
	26	["var3"]=>
	27	string(3) "333"
	28	}
	29	ALERT - configured POST variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
	30	ALERT - configured POST variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
	31	ALERT - configured POST variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
	32	ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
	33


diff --git a/tests/filter/input_filter_post_max_value_length_rfc1867.phpt b/tests/filter/input_filter_post_max_value_length_rfc1867.phpt new file mode 100644 index 0000000..7552255 --- /dev/null +++ b/tests/filter/input_filter_post_max_value_length_rfc1867.phpt
Binary files differ


diff --git a/tests/filter/input_filter_request_max_value_length.phpt b/tests/filter/input_filter_request_max_value_length.phpt new file mode 100644 index 0000000..6906fb0 --- /dev/null +++ b/tests/filter/input_filter_request_max_value_length.phpt
@@ -0,0 +1,58 @@
	1	--TEST--
	2	suhosin input filter (suhosin.request.max_value_length)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	suhosin.request.max_value_length=3
	9	--SKIPIF--
	10	<?php include('skipif.inc'); ?>
	11	--COOKIE--
	12	var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
	13	--GET--
	14	var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
	15	--POST--
	16	var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
	17	--FILE--
	18	<?php
	19	var_dump($_GET);
	20	var_dump($_POST);
	21	var_dump($_COOKIE);
	22	?>
	23	--EXPECTF--
	24	array(3) {
	25	["var1"]=>
	26	string(1) "1"
	27	["var2"]=>
	28	string(2) "22"
	29	["var3"]=>
	30	string(3) "333"
	31	}
	32	array(3) {
	33	["var1"]=>
	34	string(1) "1"
	35	["var2"]=>
	36	string(2) "22"
	37	["var3"]=>
	38	string(3) "333"
	39	}
	40	array(3) {
	41	["var1"]=>
	42	string(1) "1"
	43	["var2"]=>
	44	string(2) "22"
	45	["var3"]=>
	46	string(3) "333"
	47	}
	48	ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
	49	ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
	50	ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
	51	ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
	52	ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
	53	ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
	54	ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
	55	ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
	56	ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
	57	ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
	58