One more test.

author: Stefan Esser 2014-02-12 14:10:10 +0100
committer: Stefan Esser 2014-02-12 14:10:10 +0100
commit: cc08f586985df2530a6b5b08a70bb34e8036b481 (patch)
tree: 95eeadcd676b14bfbe1087102bdf276870359b94 /tests/filter
parent: ba107ed8edb37412c3652ca8b17be78294d28ce4 (diff)
1 files changed, 114 insertions, 0 deletions
diff --git a/tests/filter/post_fileupload_filter_1.phpt b/tests/filter/post_fileupload_filter_1.phpt
new file mode 100644
index 0000000..cdc882f
--- /dev/null
+++ b/tests/filter/post_fileupload_filter_1.phpt
@@ -0,0 +1,114 @@
+--TEST--
+suhosin rfc1867 file upload filter (disallowed variable names)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+upload_max_filesize=1024
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="HTTP_RAW_POST_DATA"
+HTTP_RAW_POST_DATA
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="HTTP_SESSION_VARS"
+HTTP_SESSION_VARS
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="HTTP_SERVER_VARS"
+HTTP_SERVER_VARS
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="HTTP_COOKIE_VARS"
+HTTP_COOKIE_VARS
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="HTTP_POST_FILES"
+HTTP_POST_FILES
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="HTTP_POST_VARS"
+HTTP_POST_VARS
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="HTTP_GET_VARS"
+HTTP_GET_VARS
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="HTTP_ENV_VARS"
+HTTP_ENV_VARS
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="_SESSION"
+_SESSION
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="_REQUEST"
+_REQUEST
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="GLOBALS"
+GLOBALS
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="_COOKIE"
+_COOKIE
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="_SERVER"
+_SERVER
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="_FILES"
+_FILES
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="_POST"
+_POST
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="_ENV"
+_ENV
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="_GET"
+_GET
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="harmless"
+harmless
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["harmless"]=>
+  string(8) "harmless"
+}
+ALERT - tried to register forbidden variable 'HTTP_RAW_POST_DATA' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_SESSION_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_SERVER_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_COOKIE_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_POST_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_POST_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_GET_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_ENV_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_SESSION' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_REQUEST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'GLOBALS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_COOKIE' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_SERVER' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_POST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_ENV' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_GET' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
author	Stefan Esser	2014-02-12 14:10:10 +0100
committer	Stefan Esser	2014-02-12 14:10:10 +0100
commit	cc08f586985df2530a6b5b08a70bb34e8036b481 (patch)
tree	95eeadcd676b14bfbe1087102bdf276870359b94 /tests/filter
parent	ba107ed8edb37412c3652ca8b17be78294d28ce4 (diff)

diff --git a/tests/filter/post_fileupload_filter_1.phpt b/tests/filter/post_fileupload_filter_1.phpt new file mode 100644 index 0000000..cdc882f --- /dev/null +++ b/tests/filter/post_fileupload_filter_1.phpt
@@ -0,0 +1,114 @@
	1	--TEST--
	2	suhosin rfc1867 file upload filter (disallowed variable names)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	file_uploads=1
	9	upload_max_filesize=1024
	10	--SKIPIF--
	11	<?php include('skipif.inc'); ?>
	12	--COOKIE--
	13	--GET--
	14	--POST_RAW--
	15	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
	16	-----------------------------20896060251896012921717172737
	17	Content-Disposition: form-data; name="HTTP_RAW_POST_DATA"
	18
	19	HTTP_RAW_POST_DATA
	20	-----------------------------20896060251896012921717172737
	21	Content-Disposition: form-data; name="HTTP_SESSION_VARS"
	22
	23	HTTP_SESSION_VARS
	24	-----------------------------20896060251896012921717172737
	25	Content-Disposition: form-data; name="HTTP_SERVER_VARS"
	26
	27	HTTP_SERVER_VARS
	28	-----------------------------20896060251896012921717172737
	29	Content-Disposition: form-data; name="HTTP_COOKIE_VARS"
	30
	31	HTTP_COOKIE_VARS
	32	-----------------------------20896060251896012921717172737
	33	Content-Disposition: form-data; name="HTTP_POST_FILES"
	34
	35	HTTP_POST_FILES
	36	-----------------------------20896060251896012921717172737
	37	Content-Disposition: form-data; name="HTTP_POST_VARS"
	38
	39	HTTP_POST_VARS
	40	-----------------------------20896060251896012921717172737
	41	Content-Disposition: form-data; name="HTTP_GET_VARS"
	42
	43	HTTP_GET_VARS
	44	-----------------------------20896060251896012921717172737
	45	Content-Disposition: form-data; name="HTTP_ENV_VARS"
	46
	47	HTTP_ENV_VARS
	48	-----------------------------20896060251896012921717172737
	49	Content-Disposition: form-data; name="_SESSION"
	50
	51	_SESSION
	52	-----------------------------20896060251896012921717172737
	53	Content-Disposition: form-data; name="_REQUEST"
	54
	55	_REQUEST
	56	-----------------------------20896060251896012921717172737
	57	Content-Disposition: form-data; name="GLOBALS"
	58
	59	GLOBALS
	60	-----------------------------20896060251896012921717172737
	61	Content-Disposition: form-data; name="_COOKIE"
	62
	63	_COOKIE
	64	-----------------------------20896060251896012921717172737
	65	Content-Disposition: form-data; name="_SERVER"
	66
	67	_SERVER
	68	-----------------------------20896060251896012921717172737
	69	Content-Disposition: form-data; name="_FILES"
	70
	71	_FILES
	72	-----------------------------20896060251896012921717172737
	73	Content-Disposition: form-data; name="_POST"
	74
	75	_POST
	76	-----------------------------20896060251896012921717172737
	77	Content-Disposition: form-data; name="_ENV"
	78
	79	_ENV
	80	-----------------------------20896060251896012921717172737
	81	Content-Disposition: form-data; name="_GET"
	82
	83	_GET
	84	-----------------------------20896060251896012921717172737
	85	Content-Disposition: form-data; name="harmless"
	86
	87	harmless
	88	-----------------------------20896060251896012921717172737--
	89	--FILE--
	90	<?php
	91	var_dump($_POST);
	92	?>
	93	--EXPECTF--
	94	array(1) {
	95	["harmless"]=>
	96	string(8) "harmless"
	97	}
	98	ALERT - tried to register forbidden variable 'HTTP_RAW_POST_DATA' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	99	ALERT - tried to register forbidden variable 'HTTP_SESSION_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	100	ALERT - tried to register forbidden variable 'HTTP_SERVER_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	101	ALERT - tried to register forbidden variable 'HTTP_COOKIE_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	102	ALERT - tried to register forbidden variable 'HTTP_POST_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	103	ALERT - tried to register forbidden variable 'HTTP_POST_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	104	ALERT - tried to register forbidden variable 'HTTP_GET_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	105	ALERT - tried to register forbidden variable 'HTTP_ENV_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	106	ALERT - tried to register forbidden variable '_SESSION' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	107	ALERT - tried to register forbidden variable '_REQUEST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	108	ALERT - tried to register forbidden variable 'GLOBALS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	109	ALERT - tried to register forbidden variable '_COOKIE' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	110	ALERT - tried to register forbidden variable '_SERVER' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	111	ALERT - tried to register forbidden variable '_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	112	ALERT - tried to register forbidden variable '_POST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	113	ALERT - tried to register forbidden variable '_ENV' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
	114	ALERT - tried to register forbidden variable '_GET' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')