Merge branch 'ifilter'

author: Ben Fuhrmannek 2014-10-16 15:08:59 +0200
committer: Ben Fuhrmannek 2014-10-16 15:08:59 +0200
commit: c4467269c3d5bf4cba72dadf846e229e4bc5c0c7 (patch)
tree: d3696caedda0ffef0143a80cf3e70c459147b255 /tests
parent: 82e8d0eb03fb3bd88062e99065f990b26fb9fc8b (diff)
parent: 49a4321cec080d61ff112aaf27f55257e62402f9 (diff)
4 files changed, 186 insertions, 0 deletions
diff --git a/tests/filter/input_filter_request_array_index_blacklist.phpt b/tests/filter/input_filter_request_array_index_blacklist.phpt
new file mode 100644
index 0000000..01d551f
--- /dev/null
+++ b/tests/filter/input_filter_request_array_index_blacklist.phpt
@@ -0,0 +1,53 @@
+--TEST--
+suhosin input filter (suhosin.request.array_index_blacklist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=511
+suhosin.log.script=0
+suhosin.request.array_index_blacklist="=ABC%{}\\$;"
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
+--GET--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--POST--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--FILE--
+<?php
+var_dump(ini_get("suhosin.request.array_index_blacklist"));
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+string(10) "=ABC%{}\$;"
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_array_index_whitelist.phpt b/tests/filter/input_filter_request_array_index_whitelist.phpt
new file mode 100644
index 0000000..8e63a36
--- /dev/null
+++ b/tests/filter/input_filter_request_array_index_whitelist.phpt
@@ -0,0 +1,51 @@
+--TEST--
+suhosin input filter (suhosin.request.array_index_whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
+--GET--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--POST--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--FILE--
+<?php
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt
new file mode 100644
index 0000000..f0e003b
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_blacklist=ABC
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt
new file mode 100644
index 0000000..f2fe8c8
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
author	Ben Fuhrmannek	2014-10-16 15:08:59 +0200
committer	Ben Fuhrmannek	2014-10-16 15:08:59 +0200
commit	c4467269c3d5bf4cba72dadf846e229e4bc5c0c7 (patch)
tree	d3696caedda0ffef0143a80cf3e70c459147b255 /tests
parent	82e8d0eb03fb3bd88062e99065f990b26fb9fc8b (diff)
parent	49a4321cec080d61ff112aaf27f55257e62402f9 (diff)

diff --git a/tests/filter/input_filter_request_array_index_blacklist.phpt b/tests/filter/input_filter_request_array_index_blacklist.phpt new file mode 100644 index 0000000..01d551f --- /dev/null +++ b/tests/filter/input_filter_request_array_index_blacklist.phpt
@@ -0,0 +1,53 @@
	1	--TEST--
	2	suhosin input filter (suhosin.request.array_index_blacklist)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=511
	7	suhosin.log.script=0
	8	suhosin.request.array_index_blacklist="=ABC%{}\\$;"
	9	--SKIPIF--
	10	<?php include('skipif.inc'); ?>
	11	--COOKIE--
	12	var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
	13	--GET--
	14	var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
	15	--POST--
	16	var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
	17	--FILE--
	18	<?php
	19	var_dump(ini_get("suhosin.request.array_index_blacklist"));
	20	var_dump($_GET);
	21	var_dump($_POST);
	22	var_dump($_COOKIE);
	23	?>
	24	--EXPECTF--
	25	string(10) "=ABC%{}\$;"
	26	array(1) {
	27	["var1"]=>
	28	array(1) {
	29	["aaa"]=>
	30	string(1) "1"
	31	}
	32	}
	33	array(1) {
	34	["var1"]=>
	35	array(1) {
	36	["aaa"]=>
	37	string(1) "1"
	38	}
	39	}
	40	array(1) {
	41	["var1"]=>
	42	array(1) {
	43	["aaa"]=>
	44	string(1) "1"
	45	}
	46	}
	47	ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
	48	ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
	49	ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
	50	ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
	51	ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
	52	ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
	53	ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/tests/filter/input_filter_request_array_index_whitelist.phpt b/tests/filter/input_filter_request_array_index_whitelist.phpt new file mode 100644 index 0000000..8e63a36 --- /dev/null +++ b/tests/filter/input_filter_request_array_index_whitelist.phpt
@@ -0,0 +1,51 @@
	1	--TEST--
	2	suhosin input filter (suhosin.request.array_index_whitelist)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
	9	--SKIPIF--
	10	<?php include('skipif.inc'); ?>
	11	--COOKIE--
	12	var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
	13	--GET--
	14	var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
	15	--POST--
	16	var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
	17	--FILE--
	18	<?php
	19	var_dump($_GET);
	20	var_dump($_POST);
	21	var_dump($_COOKIE);
	22	?>
	23	--EXPECTF--
	24	array(1) {
	25	["var1"]=>
	26	array(1) {
	27	["aaa"]=>
	28	string(1) "1"
	29	}
	30	}
	31	array(1) {
	32	["var1"]=>
	33	array(1) {
	34	["aaa"]=>
	35	string(1) "1"
	36	}
	37	}
	38	array(1) {
	39	["var1"]=>
	40	array(1) {
	41	["aaa"]=>
	42	string(1) "1"
	43	}
	44	}
	45	ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
	46	ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
	47	ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
	48	ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
	49	ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
	50	ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
	51	ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt new file mode 100644 index 0000000..f0e003b --- /dev/null +++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,41 @@
	1	--TEST--
	2	suhosin file upload filter (array index whitelist)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	file_uploads=1
	9	suhosin.request.array_index_blacklist=ABC
	10	--SKIPIF--
	11	<?php include('skipif.inc'); ?>
	12	--COOKIE--
	13	--GET--
	14	--POST_RAW--
	15	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
	16	-----------------------------20896060251896012921717172737
	17	Content-Disposition: form-data; name="fn[foo][bar]"
	18
	19	ok
	20	-----------------------------20896060251896012921717172737
	21	Content-Disposition: form-data; name="fn[foo][BAR]"
	22
	23	bad
	24	-----------------------------20896060251896012921717172737--
	25	--FILE--
	26	<?php
	27	var_dump($_POST);
	28	?>
	29	--EXPECTF--
	30	array(1) {
	31	["fn"]=>
	32	array(1) {
	33	["foo"]=>
	34	array(1) {
	35	["bar"]=>
	36	string(2) "ok"
	37	}
	38	}
	39	}
	40	ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
	41	ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt new file mode 100644 index 0000000..f2fe8c8 --- /dev/null +++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,41 @@
	1	--TEST--
	2	suhosin file upload filter (array index whitelist)
	3	--INI--
	4	suhosin.log.syslog=0
	5	suhosin.log.sapi=0
	6	suhosin.log.stdout=255
	7	suhosin.log.script=0
	8	file_uploads=1
	9	suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
	10	--SKIPIF--
	11	<?php include('skipif.inc'); ?>
	12	--COOKIE--
	13	--GET--
	14	--POST_RAW--
	15	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
	16	-----------------------------20896060251896012921717172737
	17	Content-Disposition: form-data; name="fn[foo][bar]"
	18
	19	ok
	20	-----------------------------20896060251896012921717172737
	21	Content-Disposition: form-data; name="fn[foo][BAR]"
	22
	23	bad
	24	-----------------------------20896060251896012921717172737--
	25	--FILE--
	26	<?php
	27	var_dump($_POST);
	28	?>
	29	--EXPECTF--
	30	array(1) {
	31	["fn"]=>
	32	array(1) {
	33	["foo"]=>
	34	array(1) {
	35	["bar"]=>
	36	string(2) "ok"
	37	}
	38	}
	39	}
	40	ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
	41	ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')