tests for suhosin.mail.protect

author: Ben Fuhrmannek 2015-02-06 22:44:37 +0100
committer: Ben Fuhrmannek 2015-02-06 22:44:37 +0100
commit: 8672d5ff3ece1b3232c8eee0a1dec6234c85028c (patch)
tree: fd56cc15e29dcd1d730033564f67cd1bca4d0cf4 /tests
parent: b8d1b6ccb5d67874d8637a273f73fd9ae1138f16 (diff)
9 files changed, 160 insertions, 0 deletions
diff --git a/tests/misc/mailprotect_1_header_nl.phpt b/tests/misc/mailprotect_1_header_nl.phpt
new file mode 100644
index 0000000..c8f1bc0
--- /dev/null
+++ b/tests/misc/mailprotect_1_header_nl.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=1 and extra headers start with newline
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+        var_dump(mail("to", "subject", "msg", "\r\nFoo: bar"));
+?>
+--EXPECTF--
+ALERT - mail() - double newline in headers, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
+\ No newline at end of file
diff --git a/tests/misc/mailprotect_1_header_nlnl.phpt b/tests/misc/mailprotect_1_header_nlnl.phpt
new file mode 100644
index 0000000..cd0083f
--- /dev/null
+++ b/tests/misc/mailprotect_1_header_nlnl.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=1 and extra headers contain double newline
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+        var_dump(mail("to", "subject", "msg", "Foo: bar\r\n\r\nfake-msg-start"));
+?>
+--EXPECTF--
+ALERT - mail() - double newline in headers, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
+\ No newline at end of file
diff --git a/tests/misc/mailprotect_1_subject.phpt b/tests/misc/mailprotect_1_subject.phpt
new file mode 100644
index 0000000..e43791c
--- /dev/null
+++ b/tests/misc/mailprotect_1_subject.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=1 with NL in Subject
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+        var_dump(mail("to", "sub\nject", "msg"));
+?>
+--EXPECTF--
+ALERT - mail() - newline in Subject header, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
+\ No newline at end of file
diff --git a/tests/misc/mailprotect_1_subject_long.phpt b/tests/misc/mailprotect_1_subject_long.phpt
new file mode 100644
index 0000000..dc11783
--- /dev/null
+++ b/tests/misc/mailprotect_1_subject_long.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Testing: suhosin.mail.protect=1 with valid long Subject
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+        var_dump(mail("to", "sub\n ject\r\n\tfoo", "msg"));
+?>
+--EXPECTF--
+bool(true)
diff --git a/tests/misc/mailprotect_1_to.phpt b/tests/misc/mailprotect_1_to.phpt
new file mode 100644
index 0000000..59b5202
--- /dev/null
+++ b/tests/misc/mailprotect_1_to.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=1 with NL in To
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+        var_dump(mail("t\r\no", "subject", "msg"));
+?>
+--EXPECTF--
+ALERT - mail() - newline in To header, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
+\ No newline at end of file
diff --git a/tests/misc/mailprotect_1_to_long.phpt b/tests/misc/mailprotect_1_to_long.phpt
new file mode 100644
index 0000000..9fb08a0
--- /dev/null
+++ b/tests/misc/mailprotect_1_to_long.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Testing: suhosin.mail.protect=1 with valid long To
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=1
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+        var_dump(mail("to\n long\r\n\tfoo", "subject", "msg"));
+?>
+--EXPECTF--
+bool(true)
+\ No newline at end of file
diff --git a/tests/misc/mailprotect_2_bcc.phpt b/tests/misc/mailprotect_2_bcc.phpt
new file mode 100644
index 0000000..f13bcbb
--- /dev/null
+++ b/tests/misc/mailprotect_2_bcc.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=2 and extra headers contain Bcc:
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=2
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+        var_dump(mail("to", "subject", "msg", "Bcc: me"));
+?>
+--EXPECTF--
+ALERT - mail() - BCC: headers aren't allowed in the headers parameter. (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
+\ No newline at end of file
diff --git a/tests/misc/mailprotect_2_cc.phpt b/tests/misc/mailprotect_2_cc.phpt
new file mode 100644
index 0000000..960b271
--- /dev/null
+++ b/tests/misc/mailprotect_2_cc.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=2 and extra headers contain Cc:
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=2
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+        var_dump(mail("to", "subject", "msg", "Cc: me"));
+?>
+--EXPECTF--
+ALERT - mail() - CC: headers aren't allowed in the headers parameter. (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
+\ No newline at end of file
diff --git a/tests/misc/mailprotect_2_to.phpt b/tests/misc/mailprotect_2_to.phpt
new file mode 100644
index 0000000..8723b6f
--- /dev/null
+++ b/tests/misc/mailprotect_2_to.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.mail.protect=2 and extra headers contain To:
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=255
+suhosin.log.stdout=0
+suhosin.log.script=0
+suhosin.log.syslog=0
+suhosin.mail.protect=2
+sendmail_path=/usr/bin/true
+--FILE--
+<?php
+        var_dump(mail("to", "subject", "msg", "To: me"));
+?>
+--EXPECTF--
+ALERT - mail() - To: headers aren't allowed in the headers parameter. (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+bool(false)
+\ No newline at end of file
author	Ben Fuhrmannek	2015-02-06 22:44:37 +0100
committer	Ben Fuhrmannek	2015-02-06 22:44:37 +0100
commit	8672d5ff3ece1b3232c8eee0a1dec6234c85028c (patch)
tree	fd56cc15e29dcd1d730033564f67cd1bca4d0cf4 /tests
parent	b8d1b6ccb5d67874d8637a273f73fd9ae1138f16 (diff)

diff --git a/tests/misc/mailprotect_1_header_nl.phpt b/tests/misc/mailprotect_1_header_nl.phpt new file mode 100644 index 0000000..c8f1bc0 --- /dev/null +++ b/tests/misc/mailprotect_1_header_nl.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing: suhosin.mail.protect=1 and extra headers start with newline
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=255
	7	suhosin.log.stdout=0
	8	suhosin.log.script=0
	9	suhosin.log.syslog=0
	10	suhosin.mail.protect=1
	11	sendmail_path=/usr/bin/true
	12	--FILE--
	13	<?php
	14	var_dump(mail("to", "subject", "msg", "\r\nFoo: bar"));
	15	?>
	16	--EXPECTF--
	17	ALERT - mail() - double newline in headers, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
	18	bool(false) \ No newline at end of file


diff --git a/tests/misc/mailprotect_1_header_nlnl.phpt b/tests/misc/mailprotect_1_header_nlnl.phpt new file mode 100644 index 0000000..cd0083f --- /dev/null +++ b/tests/misc/mailprotect_1_header_nlnl.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing: suhosin.mail.protect=1 and extra headers contain double newline
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=255
	7	suhosin.log.stdout=0
	8	suhosin.log.script=0
	9	suhosin.log.syslog=0
	10	suhosin.mail.protect=1
	11	sendmail_path=/usr/bin/true
	12	--FILE--
	13	<?php
	14	var_dump(mail("to", "subject", "msg", "Foo: bar\r\n\r\nfake-msg-start"));
	15	?>
	16	--EXPECTF--
	17	ALERT - mail() - double newline in headers, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
	18	bool(false) \ No newline at end of file


diff --git a/tests/misc/mailprotect_1_subject.phpt b/tests/misc/mailprotect_1_subject.phpt new file mode 100644 index 0000000..e43791c --- /dev/null +++ b/tests/misc/mailprotect_1_subject.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing: suhosin.mail.protect=1 with NL in Subject
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=255
	7	suhosin.log.stdout=0
	8	suhosin.log.script=0
	9	suhosin.log.syslog=0
	10	suhosin.mail.protect=1
	11	sendmail_path=/usr/bin/true
	12	--FILE--
	13	<?php
	14	var_dump(mail("to", "sub\nject", "msg"));
	15	?>
	16	--EXPECTF--
	17	ALERT - mail() - newline in Subject header, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
	18	bool(false) \ No newline at end of file


diff --git a/tests/misc/mailprotect_1_subject_long.phpt b/tests/misc/mailprotect_1_subject_long.phpt new file mode 100644 index 0000000..dc11783 --- /dev/null +++ b/tests/misc/mailprotect_1_subject_long.phpt
@@ -0,0 +1,17 @@
	1	--TEST--
	2	Testing: suhosin.mail.protect=1 with valid long Subject
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=255
	7	suhosin.log.stdout=0
	8	suhosin.log.script=0
	9	suhosin.log.syslog=0
	10	suhosin.mail.protect=1
	11	sendmail_path=/usr/bin/true
	12	--FILE--
	13	<?php
	14	var_dump(mail("to", "sub\n ject\r\n\tfoo", "msg"));
	15	?>
	16	--EXPECTF--
	17	bool(true)


diff --git a/tests/misc/mailprotect_1_to.phpt b/tests/misc/mailprotect_1_to.phpt new file mode 100644 index 0000000..59b5202 --- /dev/null +++ b/tests/misc/mailprotect_1_to.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing: suhosin.mail.protect=1 with NL in To
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=255
	7	suhosin.log.stdout=0
	8	suhosin.log.script=0
	9	suhosin.log.syslog=0
	10	suhosin.mail.protect=1
	11	sendmail_path=/usr/bin/true
	12	--FILE--
	13	<?php
	14	var_dump(mail("t\r\no", "subject", "msg"));
	15	?>
	16	--EXPECTF--
	17	ALERT - mail() - newline in To header, possible injection, mail dropped (attacker 'REMOTE_ADDR not set', file '%s', line 2)
	18	bool(false) \ No newline at end of file


diff --git a/tests/misc/mailprotect_1_to_long.phpt b/tests/misc/mailprotect_1_to_long.phpt new file mode 100644 index 0000000..9fb08a0 --- /dev/null +++ b/tests/misc/mailprotect_1_to_long.phpt
@@ -0,0 +1,17 @@
	1	--TEST--
	2	Testing: suhosin.mail.protect=1 with valid long To
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=255
	7	suhosin.log.stdout=0
	8	suhosin.log.script=0
	9	suhosin.log.syslog=0
	10	suhosin.mail.protect=1
	11	sendmail_path=/usr/bin/true
	12	--FILE--
	13	<?php
	14	var_dump(mail("to\n long\r\n\tfoo", "subject", "msg"));
	15	?>
	16	--EXPECTF--
	17	bool(true) \ No newline at end of file


diff --git a/tests/misc/mailprotect_2_bcc.phpt b/tests/misc/mailprotect_2_bcc.phpt new file mode 100644 index 0000000..f13bcbb --- /dev/null +++ b/tests/misc/mailprotect_2_bcc.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing: suhosin.mail.protect=2 and extra headers contain Bcc:
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=255
	7	suhosin.log.stdout=0
	8	suhosin.log.script=0
	9	suhosin.log.syslog=0
	10	suhosin.mail.protect=2
	11	sendmail_path=/usr/bin/true
	12	--FILE--
	13	<?php
	14	var_dump(mail("to", "subject", "msg", "Bcc: me"));
	15	?>
	16	--EXPECTF--
	17	ALERT - mail() - BCC: headers aren't allowed in the headers parameter. (attacker 'REMOTE_ADDR not set', file '%s', line 2)
	18	bool(false) \ No newline at end of file


diff --git a/tests/misc/mailprotect_2_cc.phpt b/tests/misc/mailprotect_2_cc.phpt new file mode 100644 index 0000000..960b271 --- /dev/null +++ b/tests/misc/mailprotect_2_cc.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing: suhosin.mail.protect=2 and extra headers contain Cc:
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=255
	7	suhosin.log.stdout=0
	8	suhosin.log.script=0
	9	suhosin.log.syslog=0
	10	suhosin.mail.protect=2
	11	sendmail_path=/usr/bin/true
	12	--FILE--
	13	<?php
	14	var_dump(mail("to", "subject", "msg", "Cc: me"));
	15	?>
	16	--EXPECTF--
	17	ALERT - mail() - CC: headers aren't allowed in the headers parameter. (attacker 'REMOTE_ADDR not set', file '%s', line 2)
	18	bool(false) \ No newline at end of file


diff --git a/tests/misc/mailprotect_2_to.phpt b/tests/misc/mailprotect_2_to.phpt new file mode 100644 index 0000000..8723b6f --- /dev/null +++ b/tests/misc/mailprotect_2_to.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing: suhosin.mail.protect=2 and extra headers contain To:
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=255
	7	suhosin.log.stdout=0
	8	suhosin.log.script=0
	9	suhosin.log.syslog=0
	10	suhosin.mail.protect=2
	11	sendmail_path=/usr/bin/true
	12	--FILE--
	13	<?php
	14	var_dump(mail("to", "subject", "msg", "To: me"));
	15	?>
	16	--EXPECTF--
	17	ALERT - mail() - To: headers aren't allowed in the headers parameter. (attacker 'REMOTE_ADDR not set', file '%s', line 2)
	18	bool(false) \ No newline at end of file