tests for eval white/blacklist + include white/blacklist

author: Ben Fuhrmannek 2015-02-06 22:38:35 +0100
committer: Ben Fuhrmannek 2015-02-06 22:38:35 +0100
commit: 3741554097cc73f03a9a6a4fa4d65dc01c120bd8 (patch)
tree: 93938c3a27b8b9d40818f652c30fccfee3b3180e /tests/include
parent: 4085730874e1d88bb5b675633a171ae20989e45a (diff)
3 files changed, 72 insertions, 0 deletions
diff --git a/tests/include/include_blacklist.phpt b/tests/include/include_blacklist.phpt
new file mode 100644
index 0000000..f4c3df0
--- /dev/null
+++ b/tests/include/include_blacklist.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include blacklist
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=foo,boo
+--FILE--
+<?php
+        $var = "file://" . dirname(__FILE__) . "/../empty.inc";
+        include $var;
+        echo $value,"\n";
+    $var = "foo://test";
+    include $var;
+        $var = "boo://test"; // this point is never reached (famous last words)
+        include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is forbidden by the blacklist (attacker 'REMOTE_ADDR not set', file '%s', line 6)
+\ No newline at end of file
diff --git a/tests/include/include_blackwhitelist_empty.phpt b/tests/include/include_blackwhitelist_empty.phpt
new file mode 100644
index 0000000..33380fd
--- /dev/null
+++ b/tests/include/include_blackwhitelist_empty.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include URL with empty black-/whitelist
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+        $var = dirname(__FILE__) . "/../empty.inc";
+        include $var;
+        echo $value,"\n";
+    $var = "foo://test";
+    include $var;
+        $var = "boo://test"; // this point is never reached (famous last words)
+        include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6)
+\ No newline at end of file
diff --git a/tests/include/include_whitelist.phpt b/tests/include/include_whitelist.phpt
new file mode 100644
index 0000000..a0c771f
--- /dev/null
+++ b/tests/include/include_whitelist.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include whitelist
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=file
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+        $var = "file://" . dirname(__FILE__) . "/../empty.inc";
+        include $var;
+        echo $value,"\n";
+    $var = "foo://test";
+    include $var;
+        $var = "boo://test"; // this point is never reached (famous last words)
+        include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6)
+\ No newline at end of file
author	Ben Fuhrmannek	2015-02-06 22:38:35 +0100
committer	Ben Fuhrmannek	2015-02-06 22:38:35 +0100
commit	3741554097cc73f03a9a6a4fa4d65dc01c120bd8 (patch)
tree	93938c3a27b8b9d40818f652c30fccfee3b3180e /tests/include
parent	4085730874e1d88bb5b675633a171ae20989e45a (diff)

diff --git a/tests/include/include_blacklist.phpt b/tests/include/include_blacklist.phpt new file mode 100644 index 0000000..f4c3df0 --- /dev/null +++ b/tests/include/include_blacklist.phpt
@@ -0,0 +1,24 @@
	1	--TEST--
	2	Include blacklist
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=foo,boo
	12	--FILE--
	13	<?php
	14	$var = "file://" . dirname(__FILE__) . "/../empty.inc";
	15	include $var;
	16	echo $value,"\n";
	17	$var = "foo://test";
	18	include $var;
	19	$var = "boo://test"; // this point is never reached (famous last words)
	20	include $var;
	21	?>
	22	--EXPECTF--
	23	value-from-empty.inc
	24	ALERT - Include filename ('foo://test') is a URL that is forbidden by the blacklist (attacker 'REMOTE_ADDR not set', file '%s', line 6) \ No newline at end of file


diff --git a/tests/include/include_blackwhitelist_empty.phpt b/tests/include/include_blackwhitelist_empty.phpt new file mode 100644 index 0000000..33380fd --- /dev/null +++ b/tests/include/include_blackwhitelist_empty.phpt
@@ -0,0 +1,24 @@
	1	--TEST--
	2	Include URL with empty black-/whitelist
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = dirname(__FILE__) . "/../empty.inc";
	15	include $var;
	16	echo $value,"\n";
	17	$var = "foo://test";
	18	include $var;
	19	$var = "boo://test"; // this point is never reached (famous last words)
	20	include $var;
	21	?>
	22	--EXPECTF--
	23	value-from-empty.inc
	24	ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6) \ No newline at end of file


diff --git a/tests/include/include_whitelist.phpt b/tests/include/include_whitelist.phpt new file mode 100644 index 0000000..a0c771f --- /dev/null +++ b/tests/include/include_whitelist.phpt
@@ -0,0 +1,24 @@
	1	--TEST--
	2	Include whitelist
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=file
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "file://" . dirname(__FILE__) . "/../empty.inc";
	15	include $var;
	16	echo $value,"\n";
	17	$var = "foo://test";
	18	include $var;
	19	$var = "boo://test"; // this point is never reached (famous last words)
	20	include $var;
	21	?>
	22	--EXPECTF--
	23	value-from-empty.inc
	24	ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6) \ No newline at end of file