Tests for the suhosin.XXX.disallow_nul feature

5 files changed, 135 insertions, 0 deletions

diff --git a/tests/filter/input_filter_allow_nul.phpt b/tests/filter/input_filter_allow_nul.phpt
new file mode 100644
index 0000000..015d211
--- /dev/null
+++ b/tests/filter/input_filter_allow_nul.phpt
diff --git a/tests/filter/input_filter_cookie_disallow_nul.phpt b/tests/filter/input_filter_cookie_disallow_nul.phpt
new file mode 100644
index 0000000..dab9241
--- /dev/null
+++ b/tests/filter/input_filter_cookie_disallow_nul.phpt
@@ -0,0 +1,29 @@
+--TEST--
+suhosin input filter (suhosin.cookie.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.disallow_nul=0
+suhosin.cookie.disallow_nul=1
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1=xx%001;var2=2;var3=xx%003;var4=4;
+--GET--
+--POST--
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(2) {
+  ["var2"]=>
+  string(1) "2"
+  ["var4"]=>
+  string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_get_disallow_nul.phpt b/tests/filter/input_filter_get_disallow_nul.phpt
new file mode 100644
index 0000000..b7c2ad4
--- /dev/null
+++ b/tests/filter/input_filter_get_disallow_nul.phpt
@@ -0,0 +1,29 @@
+--TEST--
+suhosin input filter (suhosin.get.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.disallow_nul=0
+suhosin.get.disallow_nul=1
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--POST--
+--FILE--
+<?php
+var_dump($_GET);
+?>
+--EXPECTF--
+array(2) {
+  ["var2"]=>
+  string(1) "2"
+  ["var4"]=>
+  string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_post_disallow_nul.phpt b/tests/filter/input_filter_post_disallow_nul.phpt
new file mode 100644
index 0000000..60c797e
--- /dev/null
+++ b/tests/filter/input_filter_post_disallow_nul.phpt
@@ -0,0 +1,29 @@
+--TEST--
+suhosin input filter (suhosin.post.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.disallow_nul=0
+suhosin.post.disallow_nul=1
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(2) {
+  ["var2"]=>
+  string(1) "2"
+  ["var4"]=>
+  string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_disallow_nul.phpt b/tests/filter/input_filter_request_disallow_nul.phpt
new file mode 100644
index 0000000..09903ec
--- /dev/null
+++ b/tests/filter/input_filter_request_disallow_nul.phpt
@@ -0,0 +1,48 @@
+--TEST--
+suhosin input filter (suhosin.request.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.disallow_nul=1
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1=xx%001;var2=2;var3=xx%003;var4=4;
+--GET--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--POST--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--FILE--
+<?php
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(2) {
+  ["var2"]=>
+  string(1) "2"
+  ["var4"]=>
+  string(1) "4"
+}
+array(2) {
+  ["var2"]=>
+  string(1) "2"
+  ["var4"]=>
+  string(1) "4"
+}
+array(2) {
+  ["var2"]=>
+  string(1) "2"
+  ["var4"]=>
+  string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')