tests for eval white/blacklist + include white/blacklist

author: Ben Fuhrmannek 2015-02-06 22:38:35 +0100
committer: Ben Fuhrmannek 2015-02-06 22:38:35 +0100
commit: 3741554097cc73f03a9a6a4fa4d65dc01c120bd8 (patch)
tree: 93938c3a27b8b9d40818f652c30fccfee3b3180e /tests
parent: 4085730874e1d88bb5b675633a171ae20989e45a (diff)
9 files changed, 160 insertions, 0 deletions
diff --git a/tests/executor/eval_blacklist.phpt b/tests/executor/eval_blacklist.phpt
new file mode 100644
index 0000000..586bebc
--- /dev/null
+++ b/tests/executor/eval_blacklist.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.executor.eval.blacklist=max
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.blacklist=max
+--FILE--
+<?php
+        eval('abs(1);
+        max(1,2);
+        abs(1);');
+?>
+--EXPECTF--
+ALERT - function within eval blacklist called: max() (attacker 'REMOTE_ADDR not set', file '%s', line 4)
+Warning: max() has been disabled for security reasons in %s : eval()'d code on line 2
diff --git a/tests/executor/eval_blacklist_printf.phpt b/tests/executor/eval_blacklist_printf.phpt
new file mode 100644
index 0000000..596036e
--- /dev/null
+++ b/tests/executor/eval_blacklist_printf.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Testing: suhosin.executor.eval.blacklist=printf via call_user_func
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.blacklist=printf
+--FILE--
+<?php
+        eval('call_user_func("printf", "hello\n");');
+?>
+--EXPECTF--
+ALERT - function within eval blacklist called: printf() (attacker 'REMOTE_ADDR not set', file '%s : eval()'d code', line 1)
+Warning: printf() has been disabled for security reasons in %s : eval()'d code on line 1
diff --git a/tests/executor/eval_blacklist_printf_function_exists.phpt b/tests/executor/eval_blacklist_printf_function_exists.phpt
new file mode 100644
index 0000000..d9b842c
--- /dev/null
+++ b/tests/executor/eval_blacklist_printf_function_exists.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Testing: suhosin.executor.eval.blacklist=printf with function_exists()
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.blacklist=printf,max
+--FILE--
+<?php
+        eval('var_dump(function_exists("abs"));');
+        eval('var_dump(function_exists("max"));');
+        eval('var_dump(function_exists("ord"));');
+        eval('var_dump(function_exists("printf"));');
+        eval('var_dump(function_exists("chr"));');
+?>
+--EXPECTF--
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
diff --git a/tests/executor/eval_whitelist_absmax.phpt b/tests/executor/eval_whitelist_absmax.phpt
new file mode 100644
index 0000000..fff7345
--- /dev/null
+++ b/tests/executor/eval_whitelist_absmax.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Testing: suhosin.executor.eval.whitelist=abs,max
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.whitelist=abs,max
+--FILE--
+<?php
+        eval('abs(1);
+        max(1,2);
+        abs(1);');
+?>
+--EXPECTF--
diff --git a/tests/executor/eval_whitelist_call_user_func.phpt b/tests/executor/eval_whitelist_call_user_func.phpt
new file mode 100644
index 0000000..6f09b50
--- /dev/null
+++ b/tests/executor/eval_whitelist_call_user_func.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.eval.whitelist=printf via call_user_func
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.eval.whitelist=call_user_func
+--FILE--
+<?php
+        eval('call_user_func("printf", "hello\n");');
+?>
+--EXPECTF--
+ALERT - function outside of eval whitelist called: printf() (attacker 'REMOTE_ADDR not set', file '%s : eval()'d code', line 1)
+Warning: printf() has been disabled for security reasons in %s : eval()'d code on line 1
diff --git a/tests/executor/function_whiletist_absmax.phpt b/tests/executor/function_whitelist_absmax.phpt
index f240e69..f240e69 100644
--- a/tests/executor/function_whiletist_absmax.phpt
+++ b/tests/executor/function_whitelist_absmax.phpt
diff --git a/tests/include/include_blacklist.phpt b/tests/include/include_blacklist.phpt
new file mode 100644
index 0000000..f4c3df0
--- /dev/null
+++ b/tests/include/include_blacklist.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include blacklist
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=foo,boo
+--FILE--
+<?php
+        $var = "file://" . dirname(__FILE__) . "/../empty.inc";
+        include $var;
+        echo $value,"\n";
+    $var = "foo://test";
+    include $var;
+        $var = "boo://test"; // this point is never reached (famous last words)
+        include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is forbidden by the blacklist (attacker 'REMOTE_ADDR not set', file '%s', line 6)
+\ No newline at end of file
diff --git a/tests/include/include_blackwhitelist_empty.phpt b/tests/include/include_blackwhitelist_empty.phpt
new file mode 100644
index 0000000..33380fd
--- /dev/null
+++ b/tests/include/include_blackwhitelist_empty.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include URL with empty black-/whitelist
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+        $var = dirname(__FILE__) . "/../empty.inc";
+        include $var;
+        echo $value,"\n";
+    $var = "foo://test";
+    include $var;
+        $var = "boo://test"; // this point is never reached (famous last words)
+        include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6)
+\ No newline at end of file
diff --git a/tests/include/include_whitelist.phpt b/tests/include/include_whitelist.phpt
new file mode 100644
index 0000000..a0c771f
--- /dev/null
+++ b/tests/include/include_whitelist.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include whitelist
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=file
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+        $var = "file://" . dirname(__FILE__) . "/../empty.inc";
+        include $var;
+        echo $value,"\n";
+    $var = "foo://test";
+    include $var;
+        $var = "boo://test"; // this point is never reached (famous last words)
+        include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6)
+\ No newline at end of file
author	Ben Fuhrmannek	2015-02-06 22:38:35 +0100
committer	Ben Fuhrmannek	2015-02-06 22:38:35 +0100
commit	3741554097cc73f03a9a6a4fa4d65dc01c120bd8 (patch)
tree	93938c3a27b8b9d40818f652c30fccfee3b3180e /tests
parent	4085730874e1d88bb5b675633a171ae20989e45a (diff)

diff --git a/tests/executor/eval_blacklist.phpt b/tests/executor/eval_blacklist.phpt new file mode 100644 index 0000000..586bebc --- /dev/null +++ b/tests/executor/eval_blacklist.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Testing: suhosin.executor.eval.blacklist=max
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.disable_eval=0
	8	suhosin.executor.eval.blacklist=max
	9	--FILE--
	10	<?php
	11	eval('abs(1);
	12	max(1,2);
	13	abs(1);');
	14	?>
	15	--EXPECTF--
	16	ALERT - function within eval blacklist called: max() (attacker 'REMOTE_ADDR not set', file '%s', line 4)
	17
	18	Warning: max() has been disabled for security reasons in %s : eval()'d code on line 2


diff --git a/tests/executor/eval_blacklist_printf.phpt b/tests/executor/eval_blacklist_printf.phpt new file mode 100644 index 0000000..596036e --- /dev/null +++ b/tests/executor/eval_blacklist_printf.phpt
@@ -0,0 +1,16 @@
	1	--TEST--
	2	Testing: suhosin.executor.eval.blacklist=printf via call_user_func
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.disable_eval=0
	8	suhosin.executor.eval.blacklist=printf
	9	--FILE--
	10	<?php
	11	eval('call_user_func("printf", "hello\n");');
	12	?>
	13	--EXPECTF--
	14	ALERT - function within eval blacklist called: printf() (attacker 'REMOTE_ADDR not set', file '%s : eval()'d code', line 1)
	15
	16	Warning: printf() has been disabled for security reasons in %s : eval()'d code on line 1


diff --git a/tests/executor/eval_blacklist_printf_function_exists.phpt b/tests/executor/eval_blacklist_printf_function_exists.phpt new file mode 100644 index 0000000..d9b842c --- /dev/null +++ b/tests/executor/eval_blacklist_printf_function_exists.phpt
@@ -0,0 +1,23 @@
	1	--TEST--
	2	Testing: suhosin.executor.eval.blacklist=printf with function_exists()
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.disable_eval=0
	8	suhosin.executor.eval.blacklist=printf,max
	9	--FILE--
	10	<?php
	11	eval('var_dump(function_exists("abs"));');
	12	eval('var_dump(function_exists("max"));');
	13	eval('var_dump(function_exists("ord"));');
	14	eval('var_dump(function_exists("printf"));');
	15	eval('var_dump(function_exists("chr"));');
	16	?>
	17	--EXPECTF--
	18	bool(true)
	19	bool(false)
	20	bool(true)
	21	bool(false)
	22	bool(true)
	23


diff --git a/tests/executor/eval_whitelist_absmax.phpt b/tests/executor/eval_whitelist_absmax.phpt new file mode 100644 index 0000000..fff7345 --- /dev/null +++ b/tests/executor/eval_whitelist_absmax.phpt
@@ -0,0 +1,16 @@
	1	--TEST--
	2	Testing: suhosin.executor.eval.whitelist=abs,max
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.disable_eval=0
	8	suhosin.executor.eval.whitelist=abs,max
	9	--FILE--
	10	<?php
	11	eval('abs(1);
	12	max(1,2);
	13	abs(1);');
	14	?>
	15	--EXPECTF--
	16


diff --git a/tests/executor/eval_whitelist_call_user_func.phpt b/tests/executor/eval_whitelist_call_user_func.phpt new file mode 100644 index 0000000..6f09b50 --- /dev/null +++ b/tests/executor/eval_whitelist_call_user_func.phpt
@@ -0,0 +1,15 @@
	1	--TEST--
	2	Testing: suhosin.executor.eval.whitelist=printf via call_user_func
	3	--SKIPIF--
	4	<?php include "../skipifnotcli.inc"; ?>
	5	--INI--
	6	suhosin.log.sapi=64
	7	suhosin.executor.eval.whitelist=call_user_func
	8	--FILE--
	9	<?php
	10	eval('call_user_func("printf", "hello\n");');
	11	?>
	12	--EXPECTF--
	13	ALERT - function outside of eval whitelist called: printf() (attacker 'REMOTE_ADDR not set', file '%s : eval()'d code', line 1)
	14
	15	Warning: printf() has been disabled for security reasons in %s : eval()'d code on line 1


diff --git a/tests/executor/function_whiletist_absmax.phpt b/tests/executor/function_whitelist_absmax.phpt index f240e69..f240e69 100644 --- a/tests/executor/function_whiletist_absmax.phpt +++ b/tests/executor/function_whitelist_absmax.phpt


diff --git a/tests/include/include_blacklist.phpt b/tests/include/include_blacklist.phpt new file mode 100644 index 0000000..f4c3df0 --- /dev/null +++ b/tests/include/include_blacklist.phpt
@@ -0,0 +1,24 @@
	1	--TEST--
	2	Include blacklist
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=foo,boo
	12	--FILE--
	13	<?php
	14	$var = "file://" . dirname(__FILE__) . "/../empty.inc";
	15	include $var;
	16	echo $value,"\n";
	17	$var = "foo://test";
	18	include $var;
	19	$var = "boo://test"; // this point is never reached (famous last words)
	20	include $var;
	21	?>
	22	--EXPECTF--
	23	value-from-empty.inc
	24	ALERT - Include filename ('foo://test') is a URL that is forbidden by the blacklist (attacker 'REMOTE_ADDR not set', file '%s', line 6) \ No newline at end of file


diff --git a/tests/include/include_blackwhitelist_empty.phpt b/tests/include/include_blackwhitelist_empty.phpt new file mode 100644 index 0000000..33380fd --- /dev/null +++ b/tests/include/include_blackwhitelist_empty.phpt
@@ -0,0 +1,24 @@
	1	--TEST--
	2	Include URL with empty black-/whitelist
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = dirname(__FILE__) . "/../empty.inc";
	15	include $var;
	16	echo $value,"\n";
	17	$var = "foo://test";
	18	include $var;
	19	$var = "boo://test"; // this point is never reached (famous last words)
	20	include $var;
	21	?>
	22	--EXPECTF--
	23	value-from-empty.inc
	24	ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6) \ No newline at end of file


diff --git a/tests/include/include_whitelist.phpt b/tests/include/include_whitelist.phpt new file mode 100644 index 0000000..a0c771f --- /dev/null +++ b/tests/include/include_whitelist.phpt
@@ -0,0 +1,24 @@
	1	--TEST--
	2	Include whitelist
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=file
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "file://" . dirname(__FILE__) . "/../empty.inc";
	15	include $var;
	16	echo $value,"\n";
	17	$var = "foo://test";
	18	include $var;
	19	$var = "boo://test"; // this point is never reached (famous last words)
	20	include $var;
	21	?>
	22	--EXPECTF--
	23	value-from-empty.inc
	24	ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6) \ No newline at end of file