array index whitelist/blacklist for multipart formdata

author: Ben Fuhrmannek 2014-09-25 18:07:55 +0200
committer: Ben Fuhrmannek 2014-09-25 18:07:55 +0200
commit: 49a4321cec080d61ff112aaf27f55257e62402f9 (patch)
tree: c3500f64ef6cc5d45d70296339827857de1bf889 /tests
parent: 594c8df58c6f7f9b9610c7f0fd11da08a532de98 (diff)
2 files changed, 82 insertions, 0 deletions
diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt
new file mode 100644
index 0000000..f0e003b
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_blacklist=ABC
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt
new file mode 100644
index 0000000..f2fe8c8
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
author	Ben Fuhrmannek	2014-09-25 18:07:55 +0200
committer	Ben Fuhrmannek	2014-09-25 18:07:55 +0200
commit	49a4321cec080d61ff112aaf27f55257e62402f9 (patch)
tree	c3500f64ef6cc5d45d70296339827857de1bf889 /tests
parent	594c8df58c6f7f9b9610c7f0fd11da08a532de98 (diff)

diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt new file mode 100644 index 0000000..f0e003b --- /dev/null +++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,41 @@
	1	--TEST--
	2	suhosin file upload filter (array index whitelist)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	file_uploads=1
	9	suhosin.request.array_index_blacklist=ABC
	10	--SKIPIF--
	11	<?php include('skipif.inc'); ?>
	12	--COOKIE--
	13	--GET--
	14	--POST_RAW--
	15	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
	16	-----------------------------20896060251896012921717172737
	17	Content-Disposition: form-data; name="fn[foo][bar]"
	18
	19	ok
	20	-----------------------------20896060251896012921717172737
	21	Content-Disposition: form-data; name="fn[foo][BAR]"
	22
	23	bad
	24	-----------------------------20896060251896012921717172737--
	25	--FILE--
	26	<?php
	27	var_dump($_POST);
	28	?>
	29	--EXPECTF--
	30	array(1) {
	31	["fn"]=>
	32	array(1) {
	33	["foo"]=>
	34	array(1) {
	35	["bar"]=>
	36	string(2) "ok"
	37	}
	38	}
	39	}
	40	ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
	41	ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt new file mode 100644 index 0000000..f2fe8c8 --- /dev/null +++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,41 @@
	1	--TEST--
	2	suhosin file upload filter (array index whitelist)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	file_uploads=1
	9	suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
	10	--SKIPIF--
	11	<?php include('skipif.inc'); ?>
	12	--COOKIE--
	13	--GET--
	14	--POST_RAW--
	15	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
	16	-----------------------------20896060251896012921717172737
	17	Content-Disposition: form-data; name="fn[foo][bar]"
	18
	19	ok
	20	-----------------------------20896060251896012921717172737
	21	Content-Disposition: form-data; name="fn[foo][BAR]"
	22
	23	bad
	24	-----------------------------20896060251896012921717172737--
	25	--FILE--
	26	<?php
	27	var_dump($_POST);
	28	?>
	29	--EXPECTF--
	30	array(1) {
	31	["fn"]=>
	32	array(1) {
	33	["foo"]=>
	34	array(1) {
	35	["bar"]=>
	36	string(2) "ok"
	37	}
	38	}
	39	}
	40	ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
	41	ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')