| author | Ben Fuhrmannek | 2015-02-06 22:44:37 +0100 |
|---|---|---|
| committer | Ben Fuhrmannek | 2015-02-06 22:44:37 +0100 |
| commit | 8672d5ff3ece1b3232c8eee0a1dec6234c85028c (patch) | |
| tree | fd56cc15e29dcd1d730033564f67cd1bca4d0cf4 /tests | |
| parent | b8d1b6ccb5d67874d8637a273f73fd9ae1138f16 (diff) | |
tests for suhosin.mail.protect
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/misc/mailprotect_1_header_nl.phpt | 18 | ||||
| -rw-r--r-- | tests/misc/mailprotect_1_header_nlnl.phpt | 18 | ||||
| -rw-r--r-- | tests/misc/mailprotect_1_subject.phpt | 18 | ||||
| -rw-r--r-- | tests/misc/mailprotect_1_subject_long.phpt | 17 | ||||
| -rw-r--r-- | tests/misc/mailprotect_1_to.phpt | 18 | ||||
| -rw-r--r-- | tests/misc/mailprotect_1_to_long.phpt | 17 | ||||
| -rw-r--r-- | tests/misc/mailprotect_2_bcc.phpt | 18 | ||||
| -rw-r--r-- | tests/misc/mailprotect_2_cc.phpt | 18 | ||||
| -rw-r--r-- | tests/misc/mailprotect_2_to.phpt | 18 |
9 files changed, 160 insertions, 0 deletions
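diff --git a/tests/misc/mailprotect_1_header_nl.phpt b/tests/misc/mailprotect_1_header_nl.phpt
new file mode 100644
index 0000000..c8f1bc0
--- /dev/null
+++ b/tests/misc/mailprotect_1_header_nl.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=1 and extra headers start with newline
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+var_dump(mail("to", "subject", "msg", "\r\nFoo: bar"));
+?>
+--EXPECTF--
+ALERT - mail() - double newline in headers, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
\ No newline at end of file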
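Review bot: The newline cases pin only one line-ending form each: this file, mailprotect_1_header_nlnl.phpt and mailprotect_1_to.phpt use `\r\n`, while mailprotect_1_subject.phpt uses a bare `\n`. If the filter is meant to treat bare LF and CRLF alike, a regression in one form would go unnoticed; a sibling case such as `var_dump(mail("to", "subject", "msg", "Foo: bar\n\nfake-msg-start"));` with the outcome the implementation intends would close that gap. Whether a bare `\r` is also meant to be rejected cannot be told from these tests and deserves its own case or a line in the test description.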
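diff --git a/tests/misc/mailprotect_1_header_nlnl.phpt b/tests/misc/mailprotect_1_header_nlnl.phpt
new file mode 100644
index 0000000..cd0083f
--- /dev/null
+++ b/tests/misc/mailprotect_1_header_nlnl.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=1 and extra headers contain double newline
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+var_dump(mail("to", "subject", "msg", "Foo: bar\r\n\r\nfake-msg-start"));
+?>
+--EXPECTF--
+ALERT - mail() - double newline in headers, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
\ No newline at end of file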
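diff --git a/tests/misc/mailprotect_1_subject.phpt b/tests/misc/mailprotect_1_subject.phpt
new file mode 100644
index 0000000..e43791c
--- /dev/null
+++ b/tests/misc/mailprotect_1_subject.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=1 with NL in Subject
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+var_dump(mail("to", "sub\nject", "msg"));
+?>
+--EXPECTF--
+ALERT - mail() - newline in Subject header, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
\ No newline at end of file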
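diff --git a/tests/misc/mailprotect_1_subject_long.phpt b/tests/misc/mailprotect_1_subject_long.phpt
new file mode 100644
index 0000000..dc11783
--- /dev/null
+++ b/tests/misc/mailprotect_1_subject_long.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Testing: suhosin.mail.protect=1 with valid long Subject
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+var_dump(mail("to", "sub\n ject\r\n\tfoo", "msg"));
+?>
+--EXPECTF--
+bool(true)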
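Review bot: This positive case and mailprotect_1_to_long.phpt expect `bool(true)`, which depends on `sendmail_path=/usr/bin/true` resolving to an existing binary; on a system where `true` lives only in `/bin`, mail() would presumably return false and the test would fail for a reason unrelated to suhosin.mail.protect. The SKIPIF section only includes `skipifnotcli.inc`, so an extra guard such as `<?php if (!is_executable("/usr/bin/true")) die("skip /usr/bin/true not available"); ?>` would keep the result meaningful. The assertion also shows only that the folded header was not dropped, not that it reached the sendmail command unchanged.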
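diff --git a/tests/misc/mailprotect_1_to.phpt b/tests/misc/mailprotect_1_to.phpt
new file mode 100644
index 0000000..59b5202
--- /dev/null
+++ b/tests/misc/mailprotect_1_to.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=1 with NL in To
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+var_dump(mail("t\r\no", "subject", "msg"));
+?>
+--EXPECTF--
+ALERT - mail() - newline in To header, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
\ No newline at end of file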
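diff --git a/tests/misc/mailprotect_1_to_long.phpt b/tests/misc/mailprotect_1_to_long.phpt
new file mode 100644
index 0000000..9fb08a0
--- /dev/null
+++ b/tests/misc/mailprotect_1_to_long.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Testing: suhosin.mail.protect=1 with valid long To
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+var_dump(mail("to\n long\r\n\tfoo", "subject", "msg"));
+?>
+--EXPECTF--
+bool(true)
\ No newline at end of file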
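diff --git a/tests/misc/mailprotect_2_bcc.phpt b/tests/misc/mailprotect_2_bcc.phpt
new file mode 100644
index 0000000..f13bcbb
--- /dev/null
+++ b/tests/misc/mailprotect_2_bcc.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=2 and extra headers contain Bcc:
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=2
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+var_dump(mail("to", "subject", "msg", "Bcc: me"));
+?>
+--EXPECTF--
+ALERT - mail() - BCC: headers aren't allowed in the headers parameter. (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
\ No newline at end of file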
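Review bot: The level-2 cases (this file, mailprotect_2_cc.phpt and mailprotect_2_to.phpt) place the forbidden header as the first and only line of the headers argument, in its usual capitalisation. Callers normally pass other headers first, so the check should also be pinned for a recipient header on a later line and in a different case, for example `var_dump(mail("to", "subject", "msg", "From: a\r\nbcc: me"));` with the same expected ALERT. Without such a case, a filter that only compared the start of the string would still pass all three tests.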
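diff --git a/tests/misc/mailprotect_2_cc.phpt b/tests/misc/mailprotect_2_cc.phpt
new file mode 100644
index 0000000..960b271
--- /dev/null
+++ b/tests/misc/mailprotect_2_cc.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=2 and extra headers contain Cc:
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=2
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+var_dump(mail("to", "subject", "msg", "Cc: me"));
+?>
+--EXPECTF--
+ALERT - mail() - CC: headers aren't allowed in the headers parameter. (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
\ No newline at end of file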
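diff --git a/tests/misc/mailprotect_2_to.phpt b/tests/misc/mailprotect_2_to.phpt
new file mode 100644
index 0000000..8723b6f
--- /dev/null
+++ b/tests/misc/mailprotect_2_to.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=2 and extra headers contain To:
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=2
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+var_dump(mail("to", "subject", "msg", "To: me"));
+?>
+--EXPECTF--
+ALERT - mail() - To: headers aren't allowed in the headers parameter. (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
\ No newline at end of file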
