Inital commit

author: Stefan Esser 2010-02-21 11:44:54 +0100
committer: Stefan Esser 2010-02-21 11:44:54 +0100
commit: 36dbfacbe64697d959f524e537b15b73c090d898 (patch)
tree: f1c7ce1409b0e7765fc72d550546967fcf0f9717 /tests/executor
10 files changed, 237 insertions, 0 deletions
diff --git a/tests/executor/disable_emod_off.phpt b/tests/executor/disable_emod_off.phpt
new file mode 100644
index 0000000..3c9cb01
--- /dev/null
+++ b/tests/executor/disable_emod_off.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.executor.disable_emodifier=0
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_emodifier=0
+--FILE--
+<?php
+    $text = "HALLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+    $text = "HalLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+?>
+--EXPECTF--
+string(5) "HALLO"
+string(5) "HALLO"
diff --git a/tests/executor/disable_emod_on.phpt b/tests/executor/disable_emod_on.phpt
new file mode 100644
index 0000000..6daf82f
--- /dev/null
+++ b/tests/executor/disable_emod_on.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Testing: suhosin.executor.disable_emodifier=1
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_emodifier=1
+--FILE--
+<?php
+    $text = "HALLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+    $text = "HalLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+?>
+--EXPECTF--
+string(5) "HALLO"
+ALERT - use of preg_replace() with /e modifier is forbidden by configuration (attacker 'REMOTE_ADDR not set', file '%s', line 5)
+Fatal error: SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration in %s(5) : regexp code on line 5
diff --git a/tests/executor/disable_eval_off.phpt b/tests/executor/disable_eval_off.phpt
new file mode 100644
index 0000000..1ee87f5
--- /dev/null
+++ b/tests/executor/disable_eval_off.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.disable_eval=0
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+--FILE--
+<?php
+    $x = 0;
+    eval('$x = 1;');
+    var_dump($x);
+?>
+--EXPECTF--
+int(1)
diff --git a/tests/executor/disable_eval_on.phpt b/tests/executor/disable_eval_on.phpt
new file mode 100644
index 0000000..49f4936
--- /dev/null
+++ b/tests/executor/disable_eval_on.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Testing: suhosin.executor.disable_eval=1
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=1
+--FILE--
+<?php
+    $x = 0;
+    eval('$x = 1;');
+    var_dump($x);
+?>
+--EXPECTF--
+ALERT - use of eval is forbidden by configuration (attacker 'REMOTE_ADDR not set', file '%s', line 3)
+Fatal error: SUHOSIN - Use of eval is forbidden by configuration in %s(3) : eval()'d code on line 3
diff --git a/tests/executor/memory_limit.phpt b/tests/executor/memory_limit.phpt
new file mode 100644
index 0000000..404ab19
--- /dev/null
+++ b/tests/executor/memory_limit.phpt
@@ -0,0 +1,29 @@
+--TEST--
+memory_limit test: set suhosin hard_limit to normal limit
+--SKIPIF--
+<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
+--INI--
+memory_limit=16M
+suhosin.memory_limit=0
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+<?php
+    ini_set("memory_limit", "13M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "14M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "15M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "16M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "17M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "18M"); echo ini_get("memory_limit"), "\n";
+?>
+--EXPECTF--
+13M
+14M
+15M
+16M
+ALERT - script tried to increase memory_limit to 17825792 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 6)
+16M
+ALERT - script tried to increase memory_limit to 18874368 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 7)
+16M
diff --git a/tests/executor/memory_limit_other_hardlimit.phpt b/tests/executor/memory_limit_other_hardlimit.phpt
new file mode 100644
index 0000000..cac11dc
--- /dev/null
+++ b/tests/executor/memory_limit_other_hardlimit.phpt
@@ -0,0 +1,28 @@
+--TEST--
+memory_limit test: set suhosin hard_limit to normal limit + 1M
+--SKIPIF--
+<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
+--INI--
+memory_limit=16M
+suhosin.memory_limit=17M
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+<?php
+    ini_set("memory_limit", "13M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "14M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "15M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "16M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "17M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "18M"); echo ini_get("memory_limit"), "\n";
+?>
+--EXPECTF--
+13M
+14M
+15M
+16M
+17M
+ALERT - script tried to increase memory_limit to %d bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 7)
+17M
diff --git a/tests/executor/negative_memory_limit.phpt b/tests/executor/negative_memory_limit.phpt
new file mode 100644
index 0000000..8582cc9
--- /dev/null
+++ b/tests/executor/negative_memory_limit.phpt
@@ -0,0 +1,18 @@
+--TEST--
+memory_limit test: trying to set memory_limit to a negative value
+--SKIPIF--
+<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
+--INI--
+memory_limit=16M
+suhosin.memory_limit=17M
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+<?php
+    ini_set("memory_limit", "-200000"); echo ini_get("memory_limit"), "\n";
+?>
+--EXPECTF--
+ALERT - script tried to increase memory_limit to %d bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+16M
diff --git a/tests/executor/preg_replace.phpt b/tests/executor/preg_replace.phpt
new file mode 100644
index 0000000..9060a29
--- /dev/null
+++ b/tests/executor/preg_replace.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Testing protection against "\0" in preg_replace() first parameter
+--SKIPIF--
+<?php include "../skipif.inc"; ?>
+--INI--
+suhosin.log.sapi=0
+--FILE--
+<?php
+    
+    $text1 = "One little boy with two dogs, three cats and four birds";
+    $text2 = "The three cats eat the four birds";
+    $regex_array = array("/one/", "/two/", "/three/");
+    $regex_array0 = array("/one/\0", "/two/", "/three/");
+    $replace_array = array("1", "2", "3");
+    $regex = "/eat/";
+    $regex0 = "/ea\0t/";
+    $replace = "play with";
+    
+    var_dump(preg_replace($regex_array, $replace_array, $text1));
+    var_dump(preg_replace($regex_array0, $replace_array, $text1));
+    var_dump(preg_replace($regex, $replace, $text2));
+    var_dump(preg_replace($regex0, $replace, $text2));
+    
+?>
+--EXPECT--
+string(49) "One little boy with 2 dogs, 3 cats and four birds"
+bool(false)
+string(39) "The three cats play with the four birds"
+bool(false)
diff --git a/tests/executor/preg_replace_error.phpt b/tests/executor/preg_replace_error.phpt
new file mode 100644
index 0000000..39e0aee
--- /dev/null
+++ b/tests/executor/preg_replace_error.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Testing protection against "\0" in preg_replace() first parameter (INCL. SUHOSIN ERROR MESSAGES)
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+--FILE--
+<?php
+    
+    $text1 = "One little boy with two dogs, three cats and four birds";
+    $text2 = "The three cats eat the four birds";
+    $regex_array = array("/one/", "/two/", "/three/");
+    $regex_array0 = array("/one/\0", "/two/", "/three/");
+    $replace_array = array("1", "2", "3");
+    $regex = "/eat/";
+    $regex0 = "/ea\0t/";
+    $replace = "play with";
+    
+    var_dump(preg_replace($regex_array, $replace_array, $text1));
+    var_dump(preg_replace($regex_array0, $replace_array, $text1));
+    var_dump(preg_replace($regex, $replace, $text2));
+    var_dump(preg_replace($regex0, $replace, $text2));
+    
+?>
+--EXPECTF--
+string(49) "One little boy with 2 dogs, 3 cats and four birds"
+ALERT - string termination attack on first preg_replace parameter detected (attacker 'REMOTE_ADDR not set', file '%s', line 14)
+bool(false)
+string(39) "The three cats play with the four birds"
+ALERT - string termination attack on first preg_replace parameter detected (attacker 'REMOTE_ADDR not set', file '%s', line 16)
+bool(false)
diff --git a/tests/executor/recursion_maxdepth.phpt b/tests/executor/recursion_maxdepth.phpt
new file mode 100644
index 0000000..31fe9c2
--- /dev/null
+++ b/tests/executor/recursion_maxdepth.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Testing: suhosin.executor.max_depth
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.max_depth=13
+--FILE--
+<?php
+    function rec($level)
+    {
+        echo $level,"\n";
+        rec(++$level);
+    }
+    
+    rec(2);
+?>
+--EXPECTF--
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+ALERT - maximum execution depth reached - script terminated (attacker 'REMOTE_ADDR not set', file '%s', line 5)
author	Stefan Esser	2010-02-21 11:44:54 +0100
committer	Stefan Esser	2010-02-21 11:44:54 +0100
commit	36dbfacbe64697d959f524e537b15b73c090d898 (patch)
tree	f1c7ce1409b0e7765fc72d550546967fcf0f9717 /tests/executor

diff --git a/tests/executor/disable_emod_off.phpt b/tests/executor/disable_emod_off.phpt new file mode 100644 index 0000000..3c9cb01 --- /dev/null +++ b/tests/executor/disable_emod_off.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing: suhosin.executor.disable_emodifier=0
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.disable_emodifier=0
	8	--FILE--
	9	<?php
	10	$text = "HALLO";
	11	var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
	12	$text = "HalLO";
	13	var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
	14	?>
	15	--EXPECTF--
	16	string(5) "HALLO"
	17	string(5) "HALLO"
	18


diff --git a/tests/executor/disable_emod_on.phpt b/tests/executor/disable_emod_on.phpt new file mode 100644 index 0000000..6daf82f --- /dev/null +++ b/tests/executor/disable_emod_on.phpt
@@ -0,0 +1,19 @@
	1	--TEST--
	2	Testing: suhosin.executor.disable_emodifier=1
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.disable_emodifier=1
	8	--FILE--
	9	<?php
	10	$text = "HALLO";
	11	var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
	12	$text = "HalLO";
	13	var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
	14	?>
	15	--EXPECTF--
	16	string(5) "HALLO"
	17	ALERT - use of preg_replace() with /e modifier is forbidden by configuration (attacker 'REMOTE_ADDR not set', file '%s', line 5)
	18
	19	Fatal error: SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration in %s(5) : regexp code on line 5


diff --git a/tests/executor/disable_eval_off.phpt b/tests/executor/disable_eval_off.phpt new file mode 100644 index 0000000..1ee87f5 --- /dev/null +++ b/tests/executor/disable_eval_off.phpt
@@ -0,0 +1,15 @@
	1	--TEST--
	2	Testing: suhosin.executor.disable_eval=0
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.disable_eval=0
	8	--FILE--
	9	<?php
	10	$x = 0;
	11	eval('$x = 1;');
	12	var_dump($x);
	13	?>
	14	--EXPECTF--
	15	int(1)


diff --git a/tests/executor/disable_eval_on.phpt b/tests/executor/disable_eval_on.phpt new file mode 100644 index 0000000..49f4936 --- /dev/null +++ b/tests/executor/disable_eval_on.phpt
@@ -0,0 +1,17 @@
	1	--TEST--
	2	Testing: suhosin.executor.disable_eval=1
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.disable_eval=1
	8	--FILE--
	9	<?php
	10	$x = 0;
	11	eval('$x = 1;');
	12	var_dump($x);
	13	?>
	14	--EXPECTF--
	15	ALERT - use of eval is forbidden by configuration (attacker 'REMOTE_ADDR not set', file '%s', line 3)
	16
	17	Fatal error: SUHOSIN - Use of eval is forbidden by configuration in %s(3) : eval()'d code on line 3


diff --git a/tests/executor/memory_limit.phpt b/tests/executor/memory_limit.phpt new file mode 100644 index 0000000..404ab19 --- /dev/null +++ b/tests/executor/memory_limit.phpt
@@ -0,0 +1,29 @@
	1	--TEST--
	2	memory_limit test: set suhosin hard_limit to normal limit
	3	--SKIPIF--
	4	<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
	5	--INI--
	6	memory_limit=16M
	7	suhosin.memory_limit=0
	8	suhosin.log.syslog=0
	9	suhosin.log.script=0
	10	suhosin.log.sapi=2
	11	--FILE--
	12	<?php
	13	ini_set("memory_limit", "13M"); echo ini_get("memory_limit"), "\n";
	14	ini_set("memory_limit", "14M"); echo ini_get("memory_limit"), "\n";
	15	ini_set("memory_limit", "15M"); echo ini_get("memory_limit"), "\n";
	16	ini_set("memory_limit", "16M"); echo ini_get("memory_limit"), "\n";
	17	ini_set("memory_limit", "17M"); echo ini_get("memory_limit"), "\n";
	18	ini_set("memory_limit", "18M"); echo ini_get("memory_limit"), "\n";
	19	?>
	20	--EXPECTF--
	21	13M
	22	14M
	23	15M
	24	16M
	25	ALERT - script tried to increase memory_limit to 17825792 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 6)
	26	16M
	27	ALERT - script tried to increase memory_limit to 18874368 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 7)
	28	16M
	29


diff --git a/tests/executor/memory_limit_other_hardlimit.phpt b/tests/executor/memory_limit_other_hardlimit.phpt new file mode 100644 index 0000000..cac11dc --- /dev/null +++ b/tests/executor/memory_limit_other_hardlimit.phpt
@@ -0,0 +1,28 @@
	1	--TEST--
	2	memory_limit test: set suhosin hard_limit to normal limit + 1M
	3	--SKIPIF--
	4	<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
	5	--INI--
	6	memory_limit=16M
	7	suhosin.memory_limit=17M
	8	suhosin.log.syslog=0
	9	suhosin.log.script=0
	10	suhosin.log.sapi=2
	11	--FILE--
	12	<?php
	13	ini_set("memory_limit", "13M"); echo ini_get("memory_limit"), "\n";
	14	ini_set("memory_limit", "14M"); echo ini_get("memory_limit"), "\n";
	15	ini_set("memory_limit", "15M"); echo ini_get("memory_limit"), "\n";
	16	ini_set("memory_limit", "16M"); echo ini_get("memory_limit"), "\n";
	17	ini_set("memory_limit", "17M"); echo ini_get("memory_limit"), "\n";
	18	ini_set("memory_limit", "18M"); echo ini_get("memory_limit"), "\n";
	19	?>
	20	--EXPECTF--
	21	13M
	22	14M
	23	15M
	24	16M
	25	17M
	26	ALERT - script tried to increase memory_limit to %d bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 7)
	27	17M
	28


diff --git a/tests/executor/negative_memory_limit.phpt b/tests/executor/negative_memory_limit.phpt new file mode 100644 index 0000000..8582cc9 --- /dev/null +++ b/tests/executor/negative_memory_limit.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	memory_limit test: trying to set memory_limit to a negative value
	3	--SKIPIF--
	4	<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
	5	--INI--
	6	memory_limit=16M
	7	suhosin.memory_limit=17M
	8	suhosin.log.syslog=0
	9	suhosin.log.script=0
	10	suhosin.log.sapi=2
	11	--FILE--
	12	<?php
	13	ini_set("memory_limit", "-200000"); echo ini_get("memory_limit"), "\n";
	14	?>
	15	--EXPECTF--
	16	ALERT - script tried to increase memory_limit to %d bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 2)
	17	16M
	18


diff --git a/tests/executor/preg_replace.phpt b/tests/executor/preg_replace.phpt new file mode 100644 index 0000000..9060a29 --- /dev/null +++ b/tests/executor/preg_replace.phpt
@@ -0,0 +1,30 @@
	1	--TEST--
	2	Testing protection against "\0" in preg_replace() first parameter
	3	--SKIPIF--
	4	<?php include "../skipif.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=0
	7	--FILE--
	8	<?php
	9
	10	$text1 = "One little boy with two dogs, three cats and four birds";
	11	$text2 = "The three cats eat the four birds";
	12
	13	$regex_array = array("/one/", "/two/", "/three/");
	14	$regex_array0 = array("/one/\0", "/two/", "/three/");
	15	$replace_array = array("1", "2", "3");
	16	$regex = "/eat/";
	17	$regex0 = "/ea\0t/";
	18	$replace = "play with";
	19
	20	var_dump(preg_replace($regex_array, $replace_array, $text1));
	21	var_dump(preg_replace($regex_array0, $replace_array, $text1));
	22	var_dump(preg_replace($regex, $replace, $text2));
	23	var_dump(preg_replace($regex0, $replace, $text2));
	24
	25	?>
	26	--EXPECT--
	27	string(49) "One little boy with 2 dogs, 3 cats and four birds"
	28	bool(false)
	29	string(39) "The three cats play with the four birds"
	30	bool(false)


diff --git a/tests/executor/preg_replace_error.phpt b/tests/executor/preg_replace_error.phpt new file mode 100644 index 0000000..39e0aee --- /dev/null +++ b/tests/executor/preg_replace_error.phpt
@@ -0,0 +1,32 @@
	1	--TEST--
	2	Testing protection against "\0" in preg_replace() first parameter (INCL. SUHOSIN ERROR MESSAGES)
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	--FILE--
	8	<?php
	9
	10	$text1 = "One little boy with two dogs, three cats and four birds";
	11	$text2 = "The three cats eat the four birds";
	12
	13	$regex_array = array("/one/", "/two/", "/three/");
	14	$regex_array0 = array("/one/\0", "/two/", "/three/");
	15	$replace_array = array("1", "2", "3");
	16	$regex = "/eat/";
	17	$regex0 = "/ea\0t/";
	18	$replace = "play with";
	19
	20	var_dump(preg_replace($regex_array, $replace_array, $text1));
	21	var_dump(preg_replace($regex_array0, $replace_array, $text1));
	22	var_dump(preg_replace($regex, $replace, $text2));
	23	var_dump(preg_replace($regex0, $replace, $text2));
	24
	25	?>
	26	--EXPECTF--
	27	string(49) "One little boy with 2 dogs, 3 cats and four birds"
	28	ALERT - string termination attack on first preg_replace parameter detected (attacker 'REMOTE_ADDR not set', file '%s', line 14)
	29	bool(false)
	30	string(39) "The three cats play with the four birds"
	31	ALERT - string termination attack on first preg_replace parameter detected (attacker 'REMOTE_ADDR not set', file '%s', line 16)
	32	bool(false)


diff --git a/tests/executor/recursion_maxdepth.phpt b/tests/executor/recursion_maxdepth.phpt new file mode 100644 index 0000000..31fe9c2 --- /dev/null +++ b/tests/executor/recursion_maxdepth.phpt
@@ -0,0 +1,31 @@
	1	--TEST--
	2	Testing: suhosin.executor.max_depth
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.max_depth=13
	8	--FILE--
	9	<?php
	10	function rec($level)
	11	{
	12	echo $level,"\n";
	13	rec(++$level);
	14	}
	15
	16	rec(2);
	17	?>
	18	--EXPECTF--
	19	2
	20	3
	21	4
	22	5
	23	6
	24	7
	25	8
	26	9
	27	10
	28	11
	29	12
	30	13
	31	ALERT - maximum execution depth reached - script terminated (attacker 'REMOTE_ADDR not set', file '%s', line 5)