Inital commit

33 files changed, 610 insertions, 0 deletions

diff --git a/tests/empty.inc b/tests/empty.inc
new file mode 100644
index 0000000..35cbf45
--- /dev/null
+++ b/tests/empty.inc
@@ -0,0 +1,3 @@
+<?php
+  $value = "value-from-empty.inc";
+?>
\ No newline at end of file
diff --git a/tests/executor/disable_emod_off.phpt b/tests/executor/disable_emod_off.phpt
new file mode 100644
index 0000000..3c9cb01
--- /dev/null
+++ b/tests/executor/disable_emod_off.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.executor.disable_emodifier=0
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_emodifier=0
+--FILE--
+<?php
+    $text = "HALLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+    $text = "HalLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+?>
+--EXPECTF--
+string(5) "HALLO"
+string(5) "HALLO"
+
diff --git a/tests/executor/disable_emod_on.phpt b/tests/executor/disable_emod_on.phpt
new file mode 100644
index 0000000..6daf82f
--- /dev/null
+++ b/tests/executor/disable_emod_on.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Testing: suhosin.executor.disable_emodifier=1
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_emodifier=1
+--FILE--
+<?php
+    $text = "HALLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+    $text = "HalLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+?>
+--EXPECTF--
+string(5) "HALLO"
+ALERT - use of preg_replace() with /e modifier is forbidden by configuration (attacker 'REMOTE_ADDR not set', file '%s', line 5)
+
+Fatal error: SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration in %s(5) : regexp code on line 5
diff --git a/tests/executor/disable_eval_off.phpt b/tests/executor/disable_eval_off.phpt
new file mode 100644
index 0000000..1ee87f5
--- /dev/null
+++ b/tests/executor/disable_eval_off.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.disable_eval=0
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+--FILE--
+<?php
+    $x = 0;
+    eval('$x = 1;');
+    var_dump($x);
+?>
+--EXPECTF--
+int(1)
diff --git a/tests/executor/disable_eval_on.phpt b/tests/executor/disable_eval_on.phpt
new file mode 100644
index 0000000..49f4936
--- /dev/null
+++ b/tests/executor/disable_eval_on.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Testing: suhosin.executor.disable_eval=1
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=1
+--FILE--
+<?php
+    $x = 0;
+    eval('$x = 1;');
+    var_dump($x);
+?>
+--EXPECTF--
+ALERT - use of eval is forbidden by configuration (attacker 'REMOTE_ADDR not set', file '%s', line 3)
+
+Fatal error: SUHOSIN - Use of eval is forbidden by configuration in %s(3) : eval()'d code on line 3
diff --git a/tests/executor/memory_limit.phpt b/tests/executor/memory_limit.phpt
new file mode 100644
index 0000000..404ab19
--- /dev/null
+++ b/tests/executor/memory_limit.phpt
@@ -0,0 +1,29 @@
+--TEST--
+memory_limit test: set suhosin hard_limit to normal limit
+--SKIPIF--
+<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
+--INI--
+memory_limit=16M
+suhosin.memory_limit=0
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+<?php
+    ini_set("memory_limit", "13M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "14M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "15M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "16M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "17M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "18M"); echo ini_get("memory_limit"), "\n";
+?>
+--EXPECTF--
+13M
+14M
+15M
+16M
+ALERT - script tried to increase memory_limit to 17825792 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 6)
+16M
+ALERT - script tried to increase memory_limit to 18874368 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 7)
+16M
+
diff --git a/tests/executor/memory_limit_other_hardlimit.phpt b/tests/executor/memory_limit_other_hardlimit.phpt
new file mode 100644
index 0000000..cac11dc
--- /dev/null
+++ b/tests/executor/memory_limit_other_hardlimit.phpt
@@ -0,0 +1,28 @@
+--TEST--
+memory_limit test: set suhosin hard_limit to normal limit + 1M
+--SKIPIF--
+<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
+--INI--
+memory_limit=16M
+suhosin.memory_limit=17M
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+<?php
+    ini_set("memory_limit", "13M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "14M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "15M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "16M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "17M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "18M"); echo ini_get("memory_limit"), "\n";
+?>
+--EXPECTF--
+13M
+14M
+15M
+16M
+17M
+ALERT - script tried to increase memory_limit to %d bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 7)
+17M
+
diff --git a/tests/executor/negative_memory_limit.phpt b/tests/executor/negative_memory_limit.phpt
new file mode 100644
index 0000000..8582cc9
--- /dev/null
+++ b/tests/executor/negative_memory_limit.phpt
@@ -0,0 +1,18 @@
+--TEST--
+memory_limit test: trying to set memory_limit to a negative value
+--SKIPIF--
+<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
+--INI--
+memory_limit=16M
+suhosin.memory_limit=17M
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+<?php
+    ini_set("memory_limit", "-200000"); echo ini_get("memory_limit"), "\n";
+?>
+--EXPECTF--
+ALERT - script tried to increase memory_limit to %d bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+16M
+
diff --git a/tests/executor/preg_replace.phpt b/tests/executor/preg_replace.phpt
new file mode 100644
index 0000000..9060a29
--- /dev/null
+++ b/tests/executor/preg_replace.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Testing protection against "\0" in preg_replace() first parameter
+--SKIPIF--
+<?php include "../skipif.inc"; ?>
+--INI--
+suhosin.log.sapi=0
+--FILE--
+<?php
+    
+    $text1 = "One little boy with two dogs, three cats and four birds";
+    $text2 = "The three cats eat the four birds";
+
+    $regex_array = array("/one/", "/two/", "/three/");
+    $regex_array0 = array("/one/\0", "/two/", "/three/");
+    $replace_array = array("1", "2", "3");
+    $regex = "/eat/";
+    $regex0 = "/ea\0t/";
+    $replace = "play with";
+    
+    var_dump(preg_replace($regex_array, $replace_array, $text1));
+    var_dump(preg_replace($regex_array0, $replace_array, $text1));
+    var_dump(preg_replace($regex, $replace, $text2));
+    var_dump(preg_replace($regex0, $replace, $text2));
+    
+?>
+--EXPECT--
+string(49) "One little boy with 2 dogs, 3 cats and four birds"
+bool(false)
+string(39) "The three cats play with the four birds"
+bool(false)
diff --git a/tests/executor/preg_replace_error.phpt b/tests/executor/preg_replace_error.phpt
new file mode 100644
index 0000000..39e0aee
--- /dev/null
+++ b/tests/executor/preg_replace_error.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Testing protection against "\0" in preg_replace() first parameter (INCL. SUHOSIN ERROR MESSAGES)
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+--FILE--
+<?php
+    
+    $text1 = "One little boy with two dogs, three cats and four birds";
+    $text2 = "The three cats eat the four birds";
+
+    $regex_array = array("/one/", "/two/", "/three/");
+    $regex_array0 = array("/one/\0", "/two/", "/three/");
+    $replace_array = array("1", "2", "3");
+    $regex = "/eat/";
+    $regex0 = "/ea\0t/";
+    $replace = "play with";
+    
+    var_dump(preg_replace($regex_array, $replace_array, $text1));
+    var_dump(preg_replace($regex_array0, $replace_array, $text1));
+    var_dump(preg_replace($regex, $replace, $text2));
+    var_dump(preg_replace($regex0, $replace, $text2));
+    
+?>
+--EXPECTF--
+string(49) "One little boy with 2 dogs, 3 cats and four birds"
+ALERT - string termination attack on first preg_replace parameter detected (attacker 'REMOTE_ADDR not set', file '%s', line 14)
+bool(false)
+string(39) "The three cats play with the four birds"
+ALERT - string termination attack on first preg_replace parameter detected (attacker 'REMOTE_ADDR not set', file '%s', line 16)
+bool(false)
diff --git a/tests/executor/recursion_maxdepth.phpt b/tests/executor/recursion_maxdepth.phpt
new file mode 100644
index 0000000..31fe9c2
--- /dev/null
+++ b/tests/executor/recursion_maxdepth.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Testing: suhosin.executor.max_depth
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.max_depth=13
+--FILE--
+<?php
+    function rec($level)
+    {
+        echo $level,"\n";
+        rec(++$level);
+    }
+    
+    rec(2);
+?>
+--EXPECTF--
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+ALERT - maximum execution depth reached - script terminated (attacker 'REMOTE_ADDR not set', file '%s', line 5)
diff --git a/tests/filter/get_globals.phpt b/tests/filter/get_globals.phpt
new file mode 100644
index 0000000..f16991b
--- /dev/null
+++ b/tests/filter/get_globals.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Testing: GLOBALS in GET
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=255
+suhosin.log.script.name=/tmp/xx
+--GET--
+a=1&b=2&GLOBALS=123&c=3
+--FILE--
+<?php
+    var_dump($_GET['a']);
+    var_dump($_GET['b']);
+    var_dump($_GET['c']);
+    if (!isset($_GET['GLOBALS'])) var_dump(5);
+    else var_dump(0);
+?>
+--EXPECT--
+string(1) "1"
+string(1) "2"
+string(1) "3"
+int(5)
diff --git a/tests/funcs/crypt_blowfish.phpt b/tests/funcs/crypt_blowfish.phpt
new file mode 100644
index 0000000..f48e411
--- /dev/null
+++ b/tests/funcs/crypt_blowfish.phpt
@@ -0,0 +1,13 @@
+--TEST--
+CRYPT_BLOWFISH support
+--SKIPIF--
+<?php include "../skipif.inc"; ?>
+--FILE--
+<?php
+    var_dump(CRYPT_BLOWFISH);
+    echo crypt('rasmuslerdorf', '$2a$07$rasmuslerd...........$') . "\n";
+?>
+--EXPECT--
+int(1)
+$2a$07$rasmuslerd............nIdrcHdxcUxWomQX9j6kvERCFjTg7Ra
+
diff --git a/tests/funcs/crypt_ext_des.phpt b/tests/funcs/crypt_ext_des.phpt
new file mode 100644
index 0000000..4e2ba73
--- /dev/null
+++ b/tests/funcs/crypt_ext_des.phpt
@@ -0,0 +1,12 @@
+--TEST--
+CRYPT_EXT_DES support
+--SKIPIF--
+<?php if (CRYPT_EXT_DES == 0) print 'skip'; ?>
+--FILE--
+<?php
+    echo crypt('rasmuslerdorf', '_J9..rasm') . "\n"
+?>
+--EXPECT--
+_J9..rasmBYk8r9AiWNc
+
+
diff --git a/tests/funcs/crypt_md5.phpt b/tests/funcs/crypt_md5.phpt
new file mode 100644
index 0000000..fd39d20
--- /dev/null
+++ b/tests/funcs/crypt_md5.phpt
@@ -0,0 +1,11 @@
+--TEST--
+CRYPT_MD5 support
+--SKIPIF--
+<?php if (CRYPT_MD5 == 0) print 'skip'; ?>
+--FILE--
+<?php
+    echo crypt('rasmuslerdorf', '$1$rasmusle$') . "\n"
+?>
+--EXPECT--
+$1$rasmusle$rISCgZzpwk3UhDidwXvin0
+
diff --git a/tests/funcs/crypt_std_des.phpt b/tests/funcs/crypt_std_des.phpt
new file mode 100644
index 0000000..926ec44
--- /dev/null
+++ b/tests/funcs/crypt_std_des.phpt
@@ -0,0 +1,11 @@
+--TEST--
+CRYPT_STD_DES support
+--SKIPIF--
+<?php if (CRYPT_STD_DES == 0) print 'skip'; ?>
+--FILE--
+<?php
+    echo crypt('rasmuslerdorf', 'rl') . "\n"
+?>
+--EXPECT--
+rl.3StKT.4T8M
+
diff --git a/tests/funcs/sha256.phpt b/tests/funcs/sha256.phpt
new file mode 100644
index 0000000..cb407b1
--- /dev/null
+++ b/tests/funcs/sha256.phpt
@@ -0,0 +1,40 @@
+--TEST--
+SHA256 support
+--SKIPIF--
+<?php include "../skipif.inc"; ?>
+--FILE--
+<?php
+    echo sha256("") , "\n";
+    echo sha256("a"), "\n";
+    echo sha256(pack("H*", "bd")), "\n";
+    echo sha256(pack("H*", "5fd4")), "\n";
+    echo sha256(pack("H*", "b0bd69")), "\n";
+    echo sha256(pack("H*", "c98c8e55")), "\n";
+    echo sha256(pack("H*", "81a723d966")), "\n";
+    echo sha256(pack("H*", "c97a2db566e5")), "\n";
+    echo sha256(pack("H*", "f53210aa6ed72e")), "\n";
+    echo sha256(pack("H*", "0df1cd526b5a4edd")), "\n";
+    echo sha256(pack("H*", "b80233e2c53ab32cc3")), "\n";
+    echo sha256(pack("H*", "5d54ed5b52d879aeb5dd")), "\n";
+    echo sha256(pack("H*", "df866ecb67ab00515f6247")), "\n";
+    echo sha256(pack("H*", "0757de9485a2eaea51126077")), "\n";
+    echo sha256(pack("H*", "7c66f5d443c11cfb39dd0aa715")), "\n";
+    echo sha256(pack("H*", "329624fed35639fe54957b7d47a9")), "\n";
+?>
+--EXPECT--
+e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
+68325720aabd7c82f30f554b313d0570c95accbb7dc4b5aae11204c08ffe732b
+7c4fbf484498d21b487b9d61de8914b2eadaf2698712936d47c3ada2558f6788
+4096804221093ddccfbf46831490ea63e9e99414858f8d75ff7f642c7ca61803
+7abc22c0ae5af26ce93dbb94433a0e0b2e119d014f8e7f65bd56c61ccccd9504
+7516fb8bb11350df2bf386bc3c33bd0f52cb4c67c6e4745e0488e62c2aea2605
+0eb0281b27a4604709b0513b43ad29fdcff9a7a958554abc689d7fe35af703e4
+dee684641421d1ba5a65c71f986a117cbb3d619a052a0b3409306c629575c00f
+47f527210d6e8f940b5082fec01b7305908fa2b49ea3ae597c19a3986097153c
+c60d239cc6da3ad31f4de0c2d58a73ccf3f9279e504fa60ad55a31dcf686f3ca
+e0164d90dbfcf173bb88044fac596ccd03b8d247c79907aaa5701767fad7b576
+dc990ef3109a7bcf626199db9ab7801213ceb0ad2ee398963b5061e39c05c7b5
+c1c9a4daadcc8678835872c7f1f8824376ac7b412e1fc2285069b41afd51397e
+6840619417b4d8ecaa7902f8eaf2e82be2638dec97cb7e8fcc377007cc176718
+0f5308ff22b828e18bd65afbc427e3c1a678962832519df5f2f803f68f55e10b
diff --git a/tests/include/include_constant.phpt b/tests/include/include_constant.phpt
new file mode 100644
index 0000000..180aa69
--- /dev/null
+++ b/tests/include/include_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Include "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    include "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/include_etc_passwd.phpt b/tests/include/include_etc_passwd.phpt
new file mode 100644
index 0000000..fb3c4e2
--- /dev/null
+++ b/tests/include/include_etc_passwd.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Include "../../../../../../../../../../../etc/passwd";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+suhosin.executor.include.max_traversal=3
+--FILE--
+<?php
+        $var = dirname(__FILE__)."/../empty.inc";
+        include $var;
+        echo $value,"\n";
+    $var = dirname(__FILE__)."/../../../../../../../../../../../etc/passwd";
+    include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('%s../../../../../../../../../../../etc/passwd') contains too many '../' (attacker 'REMOTE_ADDR not set', file '%s', line 6)
diff --git a/tests/include/include_once_constant.phpt b/tests/include/include_once_constant.phpt
new file mode 100644
index 0000000..3faac33
--- /dev/null
+++ b/tests/include/include_once_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Include_once "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    include_once "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/include_once_tmpvar.phpt b/tests/include/include_once_tmpvar.phpt
new file mode 100644
index 0000000..1f94c5a
--- /dev/null
+++ b/tests/include/include_once_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Include_once "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    include_once $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/include_once_var.phpt b/tests/include/include_once_var.phpt
new file mode 100644
index 0000000..bf38377
--- /dev/null
+++ b/tests/include/include_once_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Include_once "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    include_once $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/include_tmpvar.phpt b/tests/include/include_tmpvar.phpt
new file mode 100644
index 0000000..8ad26d7
--- /dev/null
+++ b/tests/include/include_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Include "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    include $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/include_var.phpt b/tests/include/include_var.phpt
new file mode 100644
index 0000000..7431240
--- /dev/null
+++ b/tests/include/include_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Include "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    include $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/require_constant.phpt b/tests/include/require_constant.phpt
new file mode 100644
index 0000000..6ee79fb
--- /dev/null
+++ b/tests/include/require_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Require "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    require "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/require_once_constant.phpt b/tests/include/require_once_constant.phpt
new file mode 100644
index 0000000..43c69c8
--- /dev/null
+++ b/tests/include/require_once_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Require_once "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    require_once "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/require_once_tmpvar.phpt b/tests/include/require_once_tmpvar.phpt
new file mode 100644
index 0000000..2be24b2
--- /dev/null
+++ b/tests/include/require_once_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Require_once "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    require_once $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/require_once_var.phpt b/tests/include/require_once_var.phpt
new file mode 100644
index 0000000..b3857f5
--- /dev/null
+++ b/tests/include/require_once_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Require_once "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    require_once $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/require_tmpvar.phpt b/tests/include/require_tmpvar.phpt
new file mode 100644
index 0000000..d411067
--- /dev/null
+++ b/tests/include/require_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Require "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    require $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/require_var.phpt b/tests/include/require_var.phpt
new file mode 100644
index 0000000..20468d4
--- /dev/null
+++ b/tests/include/require_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Require "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    require $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/skipif.inc b/tests/skipif.inc
new file mode 100644
index 0000000..fd0598c
--- /dev/null
+++ b/tests/skipif.inc
@@ -0,0 +1,4 @@
+<?php 
+if(!extension_loaded("suhosin")) 
+        print "skip - SUHOSIN extension not available"; 
+?>
diff --git a/tests/skipifcli.inc b/tests/skipifcli.inc
new file mode 100644
index 0000000..63b41ca
--- /dev/null
+++ b/tests/skipifcli.inc
@@ -0,0 +1,8 @@
+<?php 
+if (php_sapi_name()=='cli') { 
+        print 'skip - SAPI == cli'; 
+} else {
+if(!extension_loaded("suhosin")) 
+        print "skip - SUHOSIN extension not available"; 
+}
+?>
diff --git a/tests/skipifnotcli.inc b/tests/skipifnotcli.inc
new file mode 100644
index 0000000..823cb91
--- /dev/null
+++ b/tests/skipifnotcli.inc
@@ -0,0 +1,8 @@
+<?php 
+if (php_sapi_name()!='cli') { 
+        print 'skip - SAPI != cli'; 
+} else {
+if(!extension_loaded("suhosin")) 
+        print "skip - SUHOSIN extension not available"; 
+}
+?>