104 files changed, 827 insertions, 173 deletions

diff --git a/.gitignore b/.gitignore
index ddb1030..e243bfb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,4 +25,4 @@
 /modules/
 /run-tests.php
 /suhosin.la
-
+/tests/*/*.tmp
diff --git a/Changelog b/Changelog
index cc95a01..449714d 100644
--- a/Changelog
+++ b/Changelog
@@ -9,11 +9,14 @@
       configure --enable-suhosin-experimental, e.g. MSSQL.
     - disallow_ws now matches all single-byte whitespace characters
     - remove_binary and disallow_binary now optionally allow UTF-8.
-    - introduced suhosin.upload.allow_utf8
-    - reimplemented suhosin_get_raw_cookies()
-    - fixed potential segfault for disable_display_errors=fail (only on ARM)
-    - fixed potential NULL-pointer dereference with func.blacklist and logging
-    - logging timestamps are localtime instead of gmt now (thanks to mkrokos)
+    - Introduced suhosin.upload.allow_utf8 (experimental)
+    - Reimplemented suhosin_get_raw_cookies()
+    - Fixed potential segfault for disable_display_errors=fail (only on ARM)
+    - Fixed potential NULL-pointer dereference with func.blacklist and logging
+    - Logging timestamps are localtime instead of gmt now (thanks to mkrokos)
+    - Added new array index filter (character whitelist/blacklist)
+    - Added option to suppress date/time for suhosin file logging (suhosin.log.file.time=0)
+    - Added simple script to create binary Debian package
 
 2014-06-10 - 0.9.36
 
diff --git a/execute.c b/execute.c
index 560d8f5..a27d82f 100644
--- a/execute.c
+++ b/execute.c
@@ -415,7 +415,6 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML
                         SUHOSIN_G(att_get_vars)-SUHOSIN_G(cur_get_vars),
                         SUHOSIN_G(att_post_vars)-SUHOSIN_G(cur_post_vars),
                         SUHOSIN_G(att_cookie_vars)-SUHOSIN_G(cur_cookie_vars));
-                
                 }
         
                 if (!SUHOSIN_G(simulation) && SUHOSIN_G(filter_action)) {
diff --git a/ifilter.c b/ifilter.c
index dfe7c6b..47ab6f2 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -34,6 +34,33 @@
 
 static void (*orig_register_server_variables)(zval *track_vars_array TSRMLS_DC) = NULL;
 
+#if !HAVE_STRNLEN
+static size_t strnlen(const char *s, size_t maxlen) {
+        char *r = memchr(s, '\0', maxlen);
+        return r ? r-s : maxlen;
+}
+#endif
+
+size_t suhosin_strnspn(const char *input, size_t n, const char *accept)
+{
+        size_t count = 0;
+        for (; *input != '\0' && count < n; input++, count++) {
+                if (strchr(accept, *input) == NULL)
+                        break;
+        }
+        return count;
+}
+
+size_t suhosin_strncspn(const char *input, size_t n, const char *reject)
+{
+        size_t count = 0;
+        for (; *input != '\0' && count < n; input++, count++) {
+                if (strchr(reject, *input) != NULL)
+                        break;
+        }
+        return count;
+}
+
 
 /* {{{ normalize_varname
  */
@@ -517,7 +544,8 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
                 }
                 
                 index_length = index_end - index;
-                        
+                
+                /* max. array index length */
                 if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
                         suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
                         if (!SUHOSIN_G(simulation)) {
@@ -551,6 +579,23 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
                                 break;
                 }
                 
+                /* index whitelist/blacklist */
+                if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
+                        if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        return 0;
+                                }
+                        }
+                } else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
+                        if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        return 0;
+                                }
+                        }
+                }
+                
                 index = strchr(index, '[');
         }
         
@@ -590,7 +635,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
 
         /* Check if variable value is truncated by a \0 */
         
-        if (val && *val && val_len != strlen(*val)) {
+        if (val && *val && val_len != strnlen(*val, val_len)) {
         
                 if (SUHOSIN_G(disallow_nul)) {
                         suhosin_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped variable '%s'", var);
diff --git a/log.c b/log.c
index fbea503..1a4c783 100644
--- a/log.c
+++ b/log.c
@@ -261,10 +261,14 @@ log_file:
             return;
         }
 
-        gettimeofday(&tv, NULL);
-        now = tv.tv_sec;
-        php_localtime_r(&now, &tm);
-        ap_php_snprintf(error, sizeof(error), "%s %2d %02d:%02d:%02d [%u] %s\n", month_names[tm.tm_mon], tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec, getpid(),buf);
+        if (SUHOSIN_G(log_file_time)) {
+                gettimeofday(&tv, NULL);
+                now = tv.tv_sec;
+                php_localtime_r(&now, &tm);
+                ap_php_snprintf(error, sizeof(error), "%s %2d %02d:%02d:%02d [%u] %s\n", month_names[tm.tm_mon], tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec, getpid(),buf);
+        } else {
+                ap_php_snprintf(error, sizeof(error), "%s\n", buf);
+        }
         towrite = strlen(error);
         wbuf = error;
         php_flock(fd, LOCK_EX);
@@ -290,7 +294,7 @@ log_sapi:
 #endif
         }
         if ((SUHOSIN_G(log_stdout) & loglevel)!=0) {
-                printf("%s\n", buf);
+                fprintf(stdout, "%s\n", buf);
         }
 
 /*log_script:*/
diff --git a/php_suhosin.h b/php_suhosin.h
index d567877..28a88eb 100644
--- a/php_suhosin.h
+++ b/php_suhosin.h
@@ -208,6 +208,8 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
         long  max_value_length;
         long  max_array_depth;
         long  max_array_index_length;
+        char* array_index_whitelist;
+        char* array_index_blacklist;
         zend_bool  disallow_nul;
         zend_bool  disallow_ws;
 /*      cookie variables */
@@ -250,7 +252,9 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
         zend_bool  upload_disallow_elf;
         zend_bool  upload_disallow_binary;
         zend_bool  upload_remove_binary;
+#ifdef SUHOSIN_EXPERIMENTAL
         zend_bool  upload_allow_utf8;
+#endif
         char *upload_verification_script;
         
         zend_bool  no_more_variables;
@@ -275,6 +279,7 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
         zend_bool log_phpscript_is_safe;
         long    log_file;
         char    *log_filename;
+        zend_bool log_file_time;
 
 /*      header handler */
         zend_bool allow_multiheader;
@@ -444,6 +449,8 @@ extern unsigned int (*old_input_filter)(int arg, char *var, char **val, unsigned
 void normalize_varname(char *varname);
 int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra TSRMLS_DC);
 void suhosin_bailout(TSRMLS_D);
+size_t suhosin_strnspn(const char *input, size_t n, const char *accept);
+size_t suhosin_strncspn(const char *input, size_t n, const char *reject);
 
 /* Add pseudo refcount macros for PHP version < 5.3 */
 #ifndef Z_REFCOUNT_PP
diff --git a/pkg/build_deb.sh b/pkg/build_deb.sh
new file mode 100755
index 0000000..d4a44fa
--- /dev/null
+++ b/pkg/build_deb.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+
+_exit() {
+        echo "[E] bye."
+        exit 1
+}
+
+yn_or_exit() {
+        echo -n "[?] OK? [y] "
+        read yn
+        if [ "$yn" != "" -a "$yn" != "y" ]; then
+                _exit
+        fi
+}
+
+##
+
+echo "[*] checking prerequisites..."
+for i in phpize make install fakeroot php-config dpkg-deb dpkg-architecture; do
+        if [ "`which $i`" == "" ]; then
+                echo "[E] please install '$i' and try again."
+                _exit
+        fi
+done
+
+##
+
+HERE=`(cd $(dirname $0); pwd)`
+SUHOSIN=$HERE/..
+ROOT=$HERE/tmp
+PKGDIR=$HERE
+PHP_EX=`php-config --extension-dir`
+eval `dpkg-architecture -l`
+VERSION=${SUHOSIN_VERSION:-$1}
+
+if [ "$VERSION" == "" ]; then
+        echo "[E] please set SUHOSIN_VERSION, e.g. $0 0.9.36-1~dev1"
+        _exit
+fi
+
+echo "[*] -----------------------------------------------------------"
+echo "[+]         suhosin dir: $SUHOSIN"
+echo "[+]             tmp dir: $ROOT"
+echo "[+]   PHP extension dir: $PHP_EX"
+echo "[+]        architecture: $DEB_HOST_ARCH"
+echo "[+] suhosin deb version: $VERSION"
+echo "[+]      pkg output dir: $PKGDIR"
+yn_or_exit
+
+if [ ! -f "$SUHOSIN/modules/suhosin.so" ]; then
+        echo "[+] Cannot find suhosin.so. I will try to build it."
+        yn_or_exit
+        
+        if [ ! -f "$SUHOSIN/configure" ]; then
+                echo "[*] phpize"
+                cd $SUHOSIN
+                phpize || _exit
+        fi
+        
+        if [ ! -f "$SUHOSIN/Makefile" ]; then
+                echo "[*] configure"
+                cd $SUHOSIN
+                ./configure --enable-suhosin-experimental
+        fi
+        
+        echo "[*] make"
+        make clean
+        make -C $SUHOSIN || _exit
+fi
+
+##
+
+echo "[*] deb"
+
+if [ -d "$ROOT" ]; then
+        echo "[+] tmp dir $ROOT already exists. Delete?"
+        yn_or_exit
+        rm -rf $ROOT
+fi
+
+##
+
+mkdir -p $ROOT/DEBIAN
+echo "9" >$ROOT/DEBIAN/compat
+cat >$ROOT/DEBIAN/control <<EOF
+Package: php5-suhosin-extension
+Section: php
+Priority: extra
+Maintainer: Ben Fuhrmannek <ben@sektioneins.de>
+Homepage: http://www.suhosin.org/
+Conflicts: php5-suhosin
+Description: advanced protection system for PHP5
+ This package provides a PHP hardening module.
+ .
+ Suhosin is an advanced protection system for PHP installations. It was
+ designed to protect servers and users from known and unknown flaws in PHP
+ applications and the PHP core. Suhosin comes in two independent parts, that
+ can be used separately or in combination. The first part is a small patch
+ against the PHP core, that implements a few low-level protections against
+ bufferoverflows or format string vulnerabilities and the second part is a
+ powerful PHP extension that implements all the other protections.
+ .
+ This Package provides the suhosin extension only.
+EOF
+
+echo "Architecture: $DEB_HOST_ARCH" >>$ROOT/DEBIAN/control
+echo "Version: $VERSION" >>$ROOT/DEBIAN/control
+
+install -d -g 0 -o 0 $ROOT$PHP_EX
+install -g 0 -o 0 $SUHOSIN/modules/suhosin.so $ROOT$PHP_EX
+install -d -g 0 -o 0 $ROOT/usr/share/doc/php5-suhosin-extension
+install -g 0 -o 0 -m 644 $SUHOSIN/suhosin.ini $ROOT/usr/share/doc/php5-suhosin-extension/suhosin.ini.example
+install -d -g 0 -o 0 $ROOT/etc/php5/mods-available
+sed -e 's/^;extension=/extension=/' $SUHOSIN/suhosin.ini >$ROOT/etc/php5/mods-available/suhosin.ini
+chown root:root $ROOT/etc/php5/mods-available/suhosin.ini
+
+fakeroot dpkg-deb -b $ROOT $PKGDIR
+
+echo "[*] done."
diff --git a/post_handler.c b/post_handler.c
index 4794a6b..8daf055 100644
--- a/post_handler.c
+++ b/post_handler.c
@@ -96,7 +96,7 @@ typedef struct post_var_data {
 
 static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof TSRMLS_DC)
 {
-        char *ksep, *vsep;
+        char *ksep, *vsep, *val;
         size_t klen, vlen;
         /* FIXME: string-size_t */
         unsigned int new_vlen;
@@ -127,19 +127,22 @@ static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof TSR
                 vlen = 0;
         }
 
-
+        /* do not forget that value needs to be allocated for the filters */
+        val = estrndup(ksep, vlen);
+        
         php_url_decode(var->ptr, klen);
         if (vlen) {
-                vlen = php_url_decode(ksep, vlen);
+                vlen = php_url_decode(val, vlen);
         }
 
-        if (suhosin_input_filter(PARSE_POST, var->ptr, &ksep, vlen, &new_vlen TSRMLS_CC)) {
-                if (sapi_module.input_filter(PARSE_POST, var->ptr, &ksep, new_vlen, &new_vlen TSRMLS_CC)) {
-                        php_register_variable_safe(var->ptr, ksep, new_vlen, arr TSRMLS_CC);
+        if (suhosin_input_filter(PARSE_POST, var->ptr, &val, vlen, &new_vlen TSRMLS_CC)) {
+                if (sapi_module.input_filter(PARSE_POST, var->ptr, &val, new_vlen, &new_vlen TSRMLS_CC)) {
+                        php_register_variable_safe(var->ptr, val, new_vlen, arr TSRMLS_CC);
                 }
         } else {
                 SUHOSIN_G(abort_request)=1;
         }
+        efree(val);
 
         var->ptr = vsep + (vsep != var->end);
         return 1;
diff --git a/rfc1867_new.c b/rfc1867_new.c
index 1d7ff9e..720e3ff 100644
--- a/rfc1867_new.c
+++ b/rfc1867_new.c
@@ -181,12 +181,12 @@ static int unlink_filename(char **filename TSRMLS_DC) /* {{{ */
 }
 /* }}} */
 
-void destroy_uploaded_files_hash(TSRMLS_D) /* {{{ */
-{
-        zend_hash_apply(SG(rfc1867_uploaded_files), (apply_func_t) unlink_filename TSRMLS_CC);
-        zend_hash_destroy(SG(rfc1867_uploaded_files));
-        FREE_HASHTABLE(SG(rfc1867_uploaded_files));
-}
+// void destroy_uploaded_files_hash(TSRMLS_D) /* {{{ */
+// {
+//      zend_hash_apply(SG(rfc1867_uploaded_files), (apply_func_t) unlink_filename TSRMLS_CC);
+//      zend_hash_destroy(SG(rfc1867_uploaded_files));
+//      FREE_HASHTABLE(SG(rfc1867_uploaded_files));
+// }
 /* }}} */
 
 /* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */
diff --git a/suhosin.c b/suhosin.c
index 964fbf9..00cd264 100644
--- a/suhosin.c
+++ b/suhosin.c
@@ -780,6 +780,7 @@ static zend_ini_entry shared_ini_entries[] = {
         STD_ZEND_INI_ENTRY("suhosin.log.phpscript.name",                        NULL,           ZEND_INI_PERDIR|ZEND_INI_SYSTEM,        OnUpdateLogString, log_phpscriptname, zend_suhosin_globals, suhosin_globals)
         ZEND_INI_ENTRY("suhosin.log.file",                      "0",            ZEND_INI_PERDIR|ZEND_INI_SYSTEM,        OnUpdateSuhosin_log_file)
         STD_ZEND_INI_ENTRY("suhosin.log.file.name",             NULL,           ZEND_INI_PERDIR|ZEND_INI_SYSTEM,        OnUpdateLogString, log_filename, zend_suhosin_globals, suhosin_globals)
+        STD_ZEND_INI_BOOLEAN("suhosin.log.file.time",                   "1",            ZEND_INI_PERDIR|ZEND_INI_SYSTEM,        OnUpdateLogBool, log_file_time, zend_suhosin_globals,   suhosin_globals)
         STD_ZEND_INI_BOOLEAN("suhosin.log.phpscript.is_safe",                   "0",            ZEND_INI_PERDIR|ZEND_INI_SYSTEM,        OnUpdateLogBool, log_phpscript_is_safe, zend_suhosin_globals,   suhosin_globals)
 ZEND_INI_END()
  
@@ -820,6 +821,8 @@ PHP_INI_BEGIN()
         STD_PHP_INI_ENTRY("suhosin.request.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_depth, zend_suhosin_globals, suhosin_globals)
         STD_PHP_INI_ENTRY("suhosin.request.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_totalname_length, zend_suhosin_globals, suhosin_globals)
         STD_PHP_INI_ENTRY("suhosin.request.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_index_length, zend_suhosin_globals, suhosin_globals)
+                STD_PHP_INI_ENTRY("suhosin.request.array_index_whitelist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_whitelist, zend_suhosin_globals, suhosin_globals)
+                STD_PHP_INI_ENTRY("suhosin.request.array_index_blacklist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_blacklist, zend_suhosin_globals, suhosin_globals)
         STD_PHP_INI_ENTRY("suhosin.request.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_nul, zend_suhosin_globals, suhosin_globals)
         STD_PHP_INI_ENTRY("suhosin.request.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_ws, zend_suhosin_globals, suhosin_globals)
     
@@ -854,7 +857,9 @@ PHP_INI_BEGIN()
         STD_PHP_INI_ENTRY("suhosin.upload.disallow_elf", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_elf, zend_suhosin_globals, suhosin_globals)
         STD_PHP_INI_ENTRY("suhosin.upload.disallow_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_binary, zend_suhosin_globals, suhosin_globals)
         STD_PHP_INI_ENTRY("suhosin.upload.remove_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_remove_binary, zend_suhosin_globals, suhosin_globals)
-        STD_PHP_INI_ENTRY("suhosin.upload.allow_utf8", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_allow_utf8, zend_suhosin_globals, suhosin_globals)
+#ifdef SUHOSIN_EXPERIMENTAL
+        STD_PHP_INI_BOOLEAN("suhosin.upload.allow_utf8", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_allow_utf8, zend_suhosin_globals, suhosin_globals)
+#endif
         STD_PHP_INI_ENTRY("suhosin.upload.verification_script", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadString, upload_verification_script, zend_suhosin_globals, suhosin_globals)
 
 
diff --git a/suhosin.ini b/suhosin.ini
index fc16f62..1e43248 100644
--- a/suhosin.ini
+++ b/suhosin.ini
@@ -193,6 +193,18 @@
 ;suhosin.log.file.name = 
 ;
 
+; suhosin.log.file.time
+; ---------------------
+; * Type: Boolean
+; * Default: On
+; 
+; Specifies if suhosin.log.file contains timestamp for each log entry. Note: This
+; option is meant for debugging purposes and unittests only and should not be
+; used in production.
+; 
+;suhosin.log.file.time = On
+;
+
 ; suhosin.log.script
 ; ------------------
 ; * Type: Integer
@@ -1178,6 +1190,28 @@
 ;suhosin.post.disallow_ws = Off
 ;
 
+; suhosin.request.array_index_blacklist
+; -------------------------------------
+; * Type: String
+; * Default:
+; * Example: ";-+"
+; 
+; Defines a character blacklist for array indices not allowed in user input.
+; 
+;suhosin.request.array_index_blacklist = 
+;
+
+; suhosin.request.array_index_whitelist
+; -------------------------------------
+; * Type: String
+; * Default:
+; * Example: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+; 
+; Defines a character whitelist for array indices allowed in user input.
+; 
+;suhosin.request.array_index_whitelist = 
+;
+
 ; suhosin.request.max_array_depth
 ; -------------------------------
 ; * Type: Integer
@@ -1319,8 +1353,8 @@
 ; * Type: Boolean
 ; * Default: Off
 ; 
-; This option allows UTF-8 along with ASCII when using
-; `suhosin.upload.disallow_binary` or `suhosin.upload.remove_binary`.
+; This is an experimental feature. This option allows UTF-8 along with ASCII when
+; using `suhosin.upload.disallow_binary` or `suhosin.upload.remove_binary`.
 ; 
 ;suhosin.upload.allow_utf8 = Off
 ;
diff --git a/tests/executor/allow_symlink_off.phpt b/tests/executor/allow_symlink_off.phpt
index 782d818..8abdee8 100644
--- a/tests/executor/allow_symlink_off.phpt
+++ b/tests/executor/allow_symlink_off.phpt
@@ -5,10 +5,13 @@ suhosin.executor.allow_symlink=Off
 --INI--
 error_reporting=E_ALL
 open_basedir=
-suhosin.log.stdout=255
-suhosin.log.script=0
 suhosin.log.syslog=0
 suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.executor.allow_symlink=Off
 --FILE--
 <?php
diff --git a/tests/filter/filter_logging_statistics.phpt b/tests/filter/filter_logging_statistics.phpt
index a448d78..d7550fd 100644
--- a/tests/filter/filter_logging_statistics.phpt
+++ b/tests/filter/filter_logging_statistics.phpt
@@ -3,12 +3,15 @@ suhosin variable filter logging statistics
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.get.max_vars=5
 error_reporting=E_ALL
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 A=A&B=B&C=C&D=D&E=E&F=F&G=G&
diff --git a/tests/filter/get_filter_1.phpt b/tests/filter/get_filter_1.phpt
index 0ab079c..a4218be 100644
--- a/tests/filter/get_filter_1.phpt
+++ b/tests/filter/get_filter_1.phpt
@@ -3,10 +3,13 @@ suhosin GET filter (disallowed variable names)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 HTTP_RAW_POST_DATA=HTTP_RAW_POST_DATA&HTTP_SESSION_VARS=HTTP_SESSION_VARS&harmless1=harmless1&HTTP_SERVER_VARS=HTTP_SERVER_VARS&HTTP_COOKIE_VARS=HTTP_COOKIE_VARS&HTTP_POST_FILES=HTTP_POST_FILES&HTTP_POST_VARS=HTTP_POST_VARS&HTTP_GET_VARS=HTTP_GET_VARS&HTTP_ENV_VARS=HTTP_ENV_VARS&_SESSION=_SESSION&_REQUEST=_REQUEST&GLOBALS=GLOBALS&_COOKIE=_COOKIE&_SERVER=_SERVER&_FILES=_FILES&_POST=_POST&_ENV=_ENV&_GET=_GET&harmless2=harmless2&
diff --git a/tests/filter/get_filter_2.phpt b/tests/filter/get_filter_2.phpt
index 189ac28..5aa53d7 100644
--- a/tests/filter/get_filter_2.phpt
+++ b/tests/filter/get_filter_2.phpt
@@ -3,11 +3,14 @@ suhosin GET filter (suhosin.get.max_vars)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.get.max_vars=5
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 A=A&B=B&C=C&D=D&E=E&F=F&G=G&
diff --git a/tests/filter/get_filter_allow_ws.phpt b/tests/filter/get_filter_allow_ws.phpt
index 41b230e..2a0445c 100644
--- a/tests/filter/get_filter_allow_ws.phpt
+++ b/tests/filter/get_filter_allow_ws.phpt
@@ -10,7 +10,7 @@ suhosin.get.disallow_ws=0
 suhosin.post.disallow_ws=0
 suhosin.cookie.disallow_ws=0
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 +var1=1;var2=2;%20var3=3; var4=4;
 --GET--
diff --git a/tests/filter/get_filter_cookie_disallow_ws.phpt b/tests/filter/get_filter_cookie_disallow_ws.phpt
index 4da6716..3065b7d 100644
--- a/tests/filter/get_filter_cookie_disallow_ws.phpt
+++ b/tests/filter/get_filter_cookie_disallow_ws.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.cookie.disallow_ws)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.cookie.disallow_ws=1
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 +var1=1;var2=2;%20var3=3; var4=4;
 --GET--
diff --git a/tests/filter/get_filter_get_disallow_ws.phpt b/tests/filter/get_filter_get_disallow_ws.phpt
index b92dd73..9495486 100644
--- a/tests/filter/get_filter_get_disallow_ws.phpt
+++ b/tests/filter/get_filter_get_disallow_ws.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.get.disallow_ws)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.get.disallow_ws=1
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 +var1=1&var2=2&%20var3=3& var4=4&
diff --git a/tests/filter/get_filter_post_disallow_ws.phpt b/tests/filter/get_filter_post_disallow_ws.phpt
index 55c7cf1..003afa5 100644
--- a/tests/filter/get_filter_post_disallow_ws.phpt
+++ b/tests/filter/get_filter_post_disallow_ws.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.post.disallow_ws)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.post.disallow_ws=1
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/get_filter_request_disallow_ws.phpt b/tests/filter/get_filter_request_disallow_ws.phpt
index fd22d62..fe69e78 100644
--- a/tests/filter/get_filter_request_disallow_ws.phpt
+++ b/tests/filter/get_filter_request_disallow_ws.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.request.disallow_ws)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.disallow_ws=1
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 +var1=1&var2=2&%20var3=3& var4=4&
diff --git a/tests/filter/input_filter_allow_nul.phpt b/tests/filter/input_filter_allow_nul.phpt
index 478d4b4..a913189 100644
--- a/tests/filter/input_filter_allow_nul.phpt
+++ b/tests/filter/input_filter_allow_nul.phpt
diff --git a/tests/filter/input_filter_cookie_disallow_nul.phpt b/tests/filter/input_filter_cookie_disallow_nul.phpt
index dab9241..ae05ac6 100644
--- a/tests/filter/input_filter_cookie_disallow_nul.phpt
+++ b/tests/filter/input_filter_cookie_disallow_nul.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.cookie.disallow_nul)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.disallow_nul=0
 suhosin.cookie.disallow_nul=1
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var1=xx%001;var2=2;var3=xx%003;var4=4;
 --GET--
diff --git a/tests/filter/input_filter_cookie_max_array_depth.phpt b/tests/filter/input_filter_cookie_max_array_depth.phpt
index 10fc667..327fa36 100644
--- a/tests/filter/input_filter_cookie_max_array_depth.phpt
+++ b/tests/filter/input_filter_cookie_max_array_depth.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.cookie.max_array_depth)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_depth=0
 suhosin.cookie.max_array_depth=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var1[]=1;var2[][]=2;var3[][][]=3;var4[][][][]=4;var5[][][][][]=5;var6[][][][][][]=6;
 --GET--
diff --git a/tests/filter/input_filter_cookie_max_array_index_length.phpt b/tests/filter/input_filter_cookie_max_array_index_length.phpt
index 76dcad4..b954e63 100644
--- a/tests/filter/input_filter_cookie_max_array_index_length.phpt
+++ b/tests/filter/input_filter_cookie_max_array_index_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.cookie.max_array_index_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_index_length=0
 suhosin.cookie.max_array_index_length=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1;
 --GET--
diff --git a/tests/filter/input_filter_cookie_max_name_length.phpt b/tests/filter/input_filter_cookie_max_name_length.phpt
index b655424..38b8558 100644
--- a/tests/filter/input_filter_cookie_max_name_length.phpt
+++ b/tests/filter/input_filter_cookie_max_name_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.cookie.max_name_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_varname_length=0
 suhosin.cookie.max_name_length=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
 --GET--
diff --git a/tests/filter/input_filter_cookie_max_totalname_length.phpt b/tests/filter/input_filter_cookie_max_totalname_length.phpt
index b356dc6..b9324fc 100644
--- a/tests/filter/input_filter_cookie_max_totalname_length.phpt
+++ b/tests/filter/input_filter_cookie_max_totalname_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.cookie.max_totalname_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_totalname_length=0
 suhosin.cookie.max_totalname_length=7
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
 --GET--
diff --git a/tests/filter/input_filter_cookie_max_value_length.phpt b/tests/filter/input_filter_cookie_max_value_length.phpt
index fb8b3d8..d691c9e 100644
--- a/tests/filter/input_filter_cookie_max_value_length.phpt
+++ b/tests/filter/input_filter_cookie_max_value_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.cookie.max_value_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_value_length=0
 suhosin.cookie.max_value_length=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
 --GET--
diff --git a/tests/filter/input_filter_cookie_max_vars.phpt b/tests/filter/input_filter_cookie_max_vars.phpt
new file mode 100644
index 0000000..fed391e
--- /dev/null
+++ b/tests/filter/input_filter_cookie_max_vars.phpt
@@ -0,0 +1,30 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_vars)
+--SKIPIF--
+<?php include "../skipif.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.cookie.max_vars=3
+--COOKIE--
+a=1; b=2; c=3; d=4
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(3) {
+  ["a"]=>
+  string(1) "1"
+  ["b"]=>
+  string(1) "2"
+  ["c"]=>
+  string(1) "3"
+}
+ALERT - configured COOKIE variable limit exceeded - dropped variable 'd' - all further COOKIE variables are dropped (attacker '%s', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 0 in POST, 1 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_get_disallow_nul.phpt b/tests/filter/input_filter_get_disallow_nul.phpt
index b7c2ad4..5a5b506 100644
--- a/tests/filter/input_filter_get_disallow_nul.phpt
+++ b/tests/filter/input_filter_get_disallow_nul.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.get.disallow_nul)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.disallow_nul=0
 suhosin.get.disallow_nul=1
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 var1=xx%001&var2=2&var3=xx%003&var4=4&
diff --git a/tests/filter/input_filter_get_max_array_depth.phpt b/tests/filter/input_filter_get_max_array_depth.phpt
index 9a32f29..99fb666 100644
--- a/tests/filter/input_filter_get_max_array_depth.phpt
+++ b/tests/filter/input_filter_get_max_array_depth.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.get.max_array_depth)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_depth=0
 suhosin.get.max_array_depth=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6&
diff --git a/tests/filter/input_filter_get_max_array_index_length.phpt b/tests/filter/input_filter_get_max_array_index_length.phpt
index 890ec8e..54bf610 100644
--- a/tests/filter/input_filter_get_max_array_index_length.phpt
+++ b/tests/filter/input_filter_get_max_array_index_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.get.max_array_index_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_index_length=0
 suhosin.get.max_array_index_length=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
diff --git a/tests/filter/input_filter_get_max_name_length.phpt b/tests/filter/input_filter_get_max_name_length.phpt
index 4fab0a0..76ca5f6 100644
--- a/tests/filter/input_filter_get_max_name_length.phpt
+++ b/tests/filter/input_filter_get_max_name_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.get.max_name_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_varname_length=0
 suhosin.get.max_name_length=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
diff --git a/tests/filter/input_filter_get_max_totalname_length.phpt b/tests/filter/input_filter_get_max_totalname_length.phpt
index 1353ee0..675708d 100644
--- a/tests/filter/input_filter_get_max_totalname_length.phpt
+++ b/tests/filter/input_filter_get_max_totalname_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.get.max_totalname_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_totalname_length=0
 suhosin.get.max_totalname_length=7
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
diff --git a/tests/filter/input_filter_get_max_value_length.phpt b/tests/filter/input_filter_get_max_value_length.phpt
index a5eaf5b..3fa0cb7 100644
--- a/tests/filter/input_filter_get_max_value_length.phpt
+++ b/tests/filter/input_filter_get_max_value_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.get.max_value_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_value_length=0
 suhosin.get.max_value_length=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
diff --git a/tests/filter/input_filter_post_disallow_nul.phpt b/tests/filter/input_filter_post_disallow_nul.phpt
index 60c797e..99462b8 100644
--- a/tests/filter/input_filter_post_disallow_nul.phpt
+++ b/tests/filter/input_filter_post_disallow_nul.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.disallow_nul)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.disallow_nul=0
 suhosin.post.disallow_nul=1
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/input_filter_post_disallow_nul_rfc1867.phpt b/tests/filter/input_filter_post_disallow_nul_rfc1867.phpt
index ffd252e..21fba1f 100644
--- a/tests/filter/input_filter_post_disallow_nul_rfc1867.phpt
+++ b/tests/filter/input_filter_post_disallow_nul_rfc1867.phpt
diff --git a/tests/filter/input_filter_post_max_array_depth.phpt b/tests/filter/input_filter_post_max_array_depth.phpt
index 97cd501..5bf8858 100644
--- a/tests/filter/input_filter_post_max_array_depth.phpt
+++ b/tests/filter/input_filter_post_max_array_depth.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.max_array_depth)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_depth=0
 suhosin.post.max_array_depth=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/input_filter_post_max_array_depth_rfc1867.phpt b/tests/filter/input_filter_post_max_array_depth_rfc1867.phpt
index e8fd566..b2eab71 100644
--- a/tests/filter/input_filter_post_max_array_depth_rfc1867.phpt
+++ b/tests/filter/input_filter_post_max_array_depth_rfc1867.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.max_array_depth - RFC1867 version)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_depth=0
 suhosin.post.max_array_depth=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/input_filter_post_max_array_index_length.phpt b/tests/filter/input_filter_post_max_array_index_length.phpt
index 2c5adef..285b30e 100644
--- a/tests/filter/input_filter_post_max_array_index_length.phpt
+++ b/tests/filter/input_filter_post_max_array_index_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.max_array_index_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_index_length=0
 suhosin.post.max_array_index_length=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt b/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt
index 58f0ed2..a3a19fa 100644
--- a/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt
+++ b/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.max_array_index_length - RFC1867 version)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_index_length=0
 suhosin.post.max_array_index_length=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/input_filter_post_max_name_length.phpt b/tests/filter/input_filter_post_max_name_length.phpt
index 0065993..cf7b35d 100644
--- a/tests/filter/input_filter_post_max_name_length.phpt
+++ b/tests/filter/input_filter_post_max_name_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.max_name_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_varname_length=0
 suhosin.post.max_name_length=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/input_filter_post_max_name_length_rfc1867.phpt b/tests/filter/input_filter_post_max_name_length_rfc1867.phpt
index 45936d5..4ad072c 100644
--- a/tests/filter/input_filter_post_max_name_length_rfc1867.phpt
+++ b/tests/filter/input_filter_post_max_name_length_rfc1867.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.max_name_length - RFC1867 version)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_varname_length=0
 suhosin.post.max_name_length=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/input_filter_post_max_totalname_length.phpt b/tests/filter/input_filter_post_max_totalname_length.phpt
index b922302..1fef2bb 100644
--- a/tests/filter/input_filter_post_max_totalname_length.phpt
+++ b/tests/filter/input_filter_post_max_totalname_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.max_totalname_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_totalname_length=0
 suhosin.post.max_totalname_length=7
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt b/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt
index bbbcca4..f8fa6db 100644
--- a/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt
+++ b/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.max_totalname_length - RFC1867 version)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_totalname_length=0
 suhosin.post.max_totalname_length=7
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/input_filter_post_max_value_length.phpt b/tests/filter/input_filter_post_max_value_length.phpt
index b560bde..7c5493f 100644
--- a/tests/filter/input_filter_post_max_value_length.phpt
+++ b/tests/filter/input_filter_post_max_value_length.phpt
@@ -3,12 +3,15 @@ suhosin input filter (suhosin.post.max_value_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_value_length=0
 suhosin.post.max_value_length=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/input_filter_post_max_value_length_rfc1867.phpt b/tests/filter/input_filter_post_max_value_length_rfc1867.phpt
index 7552255..a788dfd 100644
--- a/tests/filter/input_filter_post_max_value_length_rfc1867.phpt
+++ b/tests/filter/input_filter_post_max_value_length_rfc1867.phpt
diff --git a/tests/filter/input_filter_request_array_index_blacklist.phpt b/tests/filter/input_filter_request_array_index_blacklist.phpt
new file mode 100644
index 0000000..ead85c5
--- /dev/null
+++ b/tests/filter/input_filter_request_array_index_blacklist.phpt
@@ -0,0 +1,56 @@
+--TEST--
+suhosin input filter (suhosin.request.array_index_blacklist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.array_index_blacklist="=ABC%{}\\$;"
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
+--GET--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--POST--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--FILE--
+<?php
+var_dump(ini_get("suhosin.request.array_index_blacklist"));
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+string(10) "=ABC%{}\$;"
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_array_index_whitelist.phpt b/tests/filter/input_filter_request_array_index_whitelist.phpt
new file mode 100644
index 0000000..a091574
--- /dev/null
+++ b/tests/filter/input_filter_request_array_index_whitelist.phpt
@@ -0,0 +1,54 @@
+--TEST--
+suhosin input filter (suhosin.request.array_index_whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
+--GET--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--POST--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--FILE--
+<?php
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_disallow_nul.phpt b/tests/filter/input_filter_request_disallow_nul.phpt
index 09903ec..0e9636f 100644
--- a/tests/filter/input_filter_request_disallow_nul.phpt
+++ b/tests/filter/input_filter_request_disallow_nul.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.request.disallow_nul)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.disallow_nul=1
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var1=xx%001;var2=2;var3=xx%003;var4=4;
 --GET--
diff --git a/tests/filter/input_filter_request_max_array_depth.phpt b/tests/filter/input_filter_request_max_array_depth.phpt
index ca67a39..0f10afe 100644
--- a/tests/filter/input_filter_request_max_array_depth.phpt
+++ b/tests/filter/input_filter_request_max_array_depth.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.request.max_array_depth)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_depth=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var1[]=1;var2[][]=2;var3[][][]=3;var4[][][][]=4;var5[][][][][]=5;var6[][][][][][]=6;
 --GET--
diff --git a/tests/filter/input_filter_request_max_array_index_length.phpt b/tests/filter/input_filter_request_max_array_index_length.phpt
index bb4c2ef..84b3849 100644
--- a/tests/filter/input_filter_request_max_array_index_length.phpt
+++ b/tests/filter/input_filter_request_max_array_index_length.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.request.max_array_index_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_array_index_length=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1;
 --GET--
diff --git a/tests/filter/input_filter_request_max_name_length.phpt b/tests/filter/input_filter_request_max_name_length.phpt
index 03b4a3b..e231447 100644
--- a/tests/filter/input_filter_request_max_name_length.phpt
+++ b/tests/filter/input_filter_request_max_name_length.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.request.max_varname_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_varname_length=4
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
 --GET--
diff --git a/tests/filter/input_filter_request_max_totalname_length.phpt b/tests/filter/input_filter_request_max_totalname_length.phpt
index f028db1..e4ddd5b 100644
--- a/tests/filter/input_filter_request_max_totalname_length.phpt
+++ b/tests/filter/input_filter_request_max_totalname_length.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.request.max_totalname_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_totalname_length=7
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
 --GET--
diff --git a/tests/filter/input_filter_request_max_value_length.phpt b/tests/filter/input_filter_request_max_value_length.phpt
index 6906fb0..7617ff2 100644
--- a/tests/filter/input_filter_request_max_value_length.phpt
+++ b/tests/filter/input_filter_request_max_value_length.phpt
@@ -3,11 +3,14 @@ suhosin input filter (suhosin.request.max_value_length)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.request.max_value_length=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
 --GET--
diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt
new file mode 100644
index 0000000..7e19014
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,44 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+file_uploads=1
+suhosin.request.array_index_blacklist=ABC
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt
new file mode 100644
index 0000000..b910c44
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,44 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+file_uploads=1
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_fileupload_filter_1.phpt b/tests/filter/post_fileupload_filter_1.phpt
index 453c38d..4cb67fd 100644
--- a/tests/filter/post_fileupload_filter_1.phpt
+++ b/tests/filter/post_fileupload_filter_1.phpt
@@ -3,12 +3,15 @@ suhosin rfc1867 file upload filter (disallowed variable names)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 file_uploads=1
 upload_max_filesize=1024
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/post_fileupload_filter_2.phpt b/tests/filter/post_fileupload_filter_2.phpt
index 48c63dc..51064f2 100644
--- a/tests/filter/post_fileupload_filter_2.phpt
+++ b/tests/filter/post_fileupload_filter_2.phpt
@@ -3,13 +3,16 @@ suhosin rfc1867 file upload filter (suhosin.post.max_vars)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.post.max_vars=5
 file_uploads=1
 upload_max_filesize=1024
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/post_filter_1.phpt b/tests/filter/post_filter_1.phpt
index eee353d..61eee24 100644
--- a/tests/filter/post_filter_1.phpt
+++ b/tests/filter/post_filter_1.phpt
@@ -3,10 +3,13 @@ suhosin POST filter (disallowed variable names)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/post_filter_2.phpt b/tests/filter/post_filter_2.phpt
index 22e773a..b64ffd0 100644
--- a/tests/filter/post_filter_2.phpt
+++ b/tests/filter/post_filter_2.phpt
@@ -3,11 +3,14 @@ suhosin POST filter (suhosin.post.max_vars)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.post.max_vars=5
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST--
diff --git a/tests/filter/post_filter_empty_var.phpt b/tests/filter/post_filter_empty_var.phpt
new file mode 100644
index 0000000..87866e2
--- /dev/null
+++ b/tests/filter/post_filter_empty_var.phpt
@@ -0,0 +1,24 @@
+--TEST--
+suhosin POST filter with empty variable
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+--SKIPIF--
+<?php include('../skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST--
+A=&B=test
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(2) {
+  ["A"]=>
+  string(0) ""
+  ["B"]=>
+  string(4) "test"
+}
diff --git a/tests/filter/server_encode_off.phpt b/tests/filter/server_encode_off.phpt
index 8daccea..69793fd 100644
--- a/tests/filter/server_encode_off.phpt
+++ b/tests/filter/server_encode_off.phpt
@@ -9,7 +9,7 @@ suhosin.log.stdout=255
 suhosin.log.script=0
 suhosin.server.encode=Off
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --ENV--
 return <<<END
 REQUEST_URI=AAA<>"'`!AAA
diff --git a/tests/filter/server_encode_on.phpt b/tests/filter/server_encode_on.phpt
index 4cd7a66..3b02ce4 100644
--- a/tests/filter/server_encode_on.phpt
+++ b/tests/filter/server_encode_on.phpt
@@ -9,7 +9,7 @@ suhosin.log.stdout=255
 suhosin.log.script=0
 suhosin.server.encode=On
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --ENV--
 return <<<END
 REQUEST_URI=AAA<>"'`!AAA
diff --git a/tests/filter/server_filter.phpt b/tests/filter/server_filter.phpt
index b1271bd..f2afdf7 100644
--- a/tests/filter/server_filter.phpt
+++ b/tests/filter/server_filter.phpt
@@ -3,10 +3,13 @@ suhosin SERVER filter
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --ENV--
 return <<<END
 HTTP_POST_VARS=HTTP_POST_VARS
diff --git a/tests/filter/server_strip_off.phpt b/tests/filter/server_strip_off.phpt
index 75c326e..57b2e97 100644
--- a/tests/filter/server_strip_off.phpt
+++ b/tests/filter/server_strip_off.phpt
@@ -9,7 +9,7 @@ suhosin.log.stdout=255
 suhosin.log.script=0
 suhosin.server.strip=Off
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --ENV--
 return <<<END
 SCRIPT_NAME=X/index.php/THIS_IS_A_FAKE_NAME<>"'`!AAA
diff --git a/tests/filter/server_strip_on.phpt b/tests/filter/server_strip_on.phpt
index c595e95..9e9d991 100644
--- a/tests/filter/server_strip_on.phpt
+++ b/tests/filter/server_strip_on.phpt
@@ -9,7 +9,7 @@ suhosin.log.stdout=255
 suhosin.log.script=0
 suhosin.server.strip=On
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --ENV--
 return <<<END
 SCRIPT_NAME=X/index.php/THIS_IS_A_FAKE_NAME<>"'`!AAA
diff --git a/tests/filter/server_user_agent_strip_off.phpt b/tests/filter/server_user_agent_strip_off.phpt
index 36c6580..1f58007 100644
--- a/tests/filter/server_user_agent_strip_off.phpt
+++ b/tests/filter/server_user_agent_strip_off.phpt
@@ -9,7 +9,7 @@ suhosin.log.stdout=255
 suhosin.log.script=0
 suhosin.server.strip=Off
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --ENV--
 return <<<END
 HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0
diff --git a/tests/filter/server_user_agent_strip_on.phpt b/tests/filter/server_user_agent_strip_on.phpt
index 73d577c..df1d040 100644
--- a/tests/filter/server_user_agent_strip_on.phpt
+++ b/tests/filter/server_user_agent_strip_on.phpt
@@ -9,7 +9,7 @@ suhosin.log.stdout=255
 suhosin.log.script=0
 suhosin.server.strip=On
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --ENV--
 return <<<END
 HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0
diff --git a/tests/filter/suhosin_upload_disallow_binary_off.phpt b/tests/filter/suhosin_upload_disallow_binary_off.phpt
index cde9ea7..bcb76be 100644
--- a/tests/filter/suhosin_upload_disallow_binary_off.phpt
+++ b/tests/filter/suhosin_upload_disallow_binary_off.phpt
diff --git a/tests/filter/suhosin_upload_disallow_binary_on.phpt b/tests/filter/suhosin_upload_disallow_binary_on.phpt
index 1e3444e..bc2c7ea 100644
--- a/tests/filter/suhosin_upload_disallow_binary_on.phpt
+++ b/tests/filter/suhosin_upload_disallow_binary_on.phpt
diff --git a/tests/filter/suhosin_upload_disallow_binary_utf8.phpt b/tests/filter/suhosin_upload_disallow_binary_utf8.phpt
index 557a8d5..d14f041 100644
--- a/tests/filter/suhosin_upload_disallow_binary_utf8.phpt
+++ b/tests/filter/suhosin_upload_disallow_binary_utf8.phpt
@@ -11,7 +11,9 @@ suhosin.upload.allow_utf8=On
 max_file_uploads=40
 suhosin.upload.max_uploads=40
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc');
+if (ini_get('suhosin.upload.allow_utf8') === FALSE) { die("skip feature not compiled in"); }
+?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/suhosin_upload_disallow_binary_utf8fail.phpt b/tests/filter/suhosin_upload_disallow_binary_utf8fail.phpt
index 413d25a..95e4864 100644
--- a/tests/filter/suhosin_upload_disallow_binary_utf8fail.phpt
+++ b/tests/filter/suhosin_upload_disallow_binary_utf8fail.phpt
@@ -3,15 +3,20 @@ Testing: suhosin.upload.disallow_binary=On with UTF-8 and allow_utf8=Off
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 file_uploads=1
 suhosin.upload.disallow_binary=On
 suhosin.upload.allow_utf8=Off
 max_file_uploads=40
 suhosin.upload.max_uploads=40
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc');
+if (ini_get('suhosin.upload.allow_utf8') === FALSE) { die("skip feature not compiled in"); }
+?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/suhosin_upload_disallow_elf.phpt b/tests/filter/suhosin_upload_disallow_elf.phpt
index 4ad2071..7b074f7 100644
--- a/tests/filter/suhosin_upload_disallow_elf.phpt
+++ b/tests/filter/suhosin_upload_disallow_elf.phpt
@@ -3,12 +3,15 @@ Testing: suhosin.upload.disallow_elf=On
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 file_uploads=1
 suhosin.upload.disallow_elf=On
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/suhosin_upload_disallow_elf_off.phpt b/tests/filter/suhosin_upload_disallow_elf_off.phpt
index 8be8301..832692c 100644
--- a/tests/filter/suhosin_upload_disallow_elf_off.phpt
+++ b/tests/filter/suhosin_upload_disallow_elf_off.phpt
@@ -8,7 +8,7 @@ suhosin.log.script=0
 file_uploads=1
 suhosin.upload.disallow_elf=Off
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/suhosin_upload_max_uploads.phpt b/tests/filter/suhosin_upload_max_uploads.phpt
index 2e984bc..fb6f249 100644
--- a/tests/filter/suhosin_upload_max_uploads.phpt
+++ b/tests/filter/suhosin_upload_max_uploads.phpt
@@ -3,13 +3,16 @@ suhosin.upload.max_uploads
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.post.max_vars=5
 file_uploads=1
 suhosin.upload.max_uploads=3
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc'); ?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/suhosin_upload_remove_binary.phpt b/tests/filter/suhosin_upload_remove_binary.phpt
index f4337d9..8d158c3 100644
--- a/tests/filter/suhosin_upload_remove_binary.phpt
+++ b/tests/filter/suhosin_upload_remove_binary.phpt
diff --git a/tests/filter/suhosin_upload_remove_binary_utf8.phpt b/tests/filter/suhosin_upload_remove_binary_utf8.phpt
index 6fbd240..564c095 100644
--- a/tests/filter/suhosin_upload_remove_binary_utf8.phpt
+++ b/tests/filter/suhosin_upload_remove_binary_utf8.phpt
@@ -12,7 +12,9 @@ suhosin.upload.allow_utf8=On
 max_file_uploads=40
 suhosin.upload.max_uploads=40
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc');
+if (ini_get('suhosin.upload.allow_utf8') === FALSE) { die("skip feature not compiled in"); }
+?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/filter/suhosin_upload_remove_binary_utf8fail.phpt b/tests/filter/suhosin_upload_remove_binary_utf8fail.phpt
index 5c31115..4787a3a 100644
--- a/tests/filter/suhosin_upload_remove_binary_utf8fail.phpt
+++ b/tests/filter/suhosin_upload_remove_binary_utf8fail.phpt
@@ -12,7 +12,9 @@ suhosin.upload.allow_utf8=Off
 max_file_uploads=40
 suhosin.upload.max_uploads=40
 --SKIPIF--
-<?php include('skipif.inc'); ?>
+<?php include('../skipif.inc');
+if (ini_get('suhosin.upload.allow_utf8') === FALSE) { die("skip feature not compiled in"); }
+?>
 --COOKIE--
 --GET--
 --POST_RAW--
diff --git a/tests/include/include_uploaded_file_diff_filename.phpt b/tests/include/include_uploaded_file_diff_filename.phpt
index 8d3bca5..2c28340 100644
--- a/tests/include/include_uploaded_file_diff_filename.phpt
+++ b/tests/include/include_uploaded_file_diff_filename.phpt
@@ -5,9 +5,8 @@ Testing include file from $_FILES (but change name a bit)
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
-suhosin.log.phpscript=0
+suhosin.log.stdout=255
 suhosin.executor.include.whitelist=
 suhosin.executor.include.blacklist=
 --POST_RAW--
diff --git a/tests/include/include_uploaded_file_from_FILES.phpt b/tests/include/include_uploaded_file_from_FILES.phpt
index 1ec20f3..2c782b4 100644
--- a/tests/include/include_uploaded_file_from_FILES.phpt
+++ b/tests/include/include_uploaded_file_from_FILES.phpt
@@ -5,9 +5,8 @@ Testing include file from $_FILES
 --INI--
 suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
-suhosin.log.phpscript=0
+suhosin.log.stdout=255
 suhosin.executor.include.whitelist=
 suhosin.executor.include.blacklist=
 --POST_RAW--
diff --git a/tests/logging/use_x_forwarded_for_off.phpt b/tests/logging/use_x_forwarded_for_off.phpt
index 6b31d53..2820523 100644
--- a/tests/logging/use_x_forwarded_for_off.phpt
+++ b/tests/logging/use_x_forwarded_for_off.phpt
@@ -3,12 +3,16 @@ Testing: suhosin.log.use-x-forwarded-for=Off
 --SKIPIF--
 <?php include "../skipifnotcli.inc"; ?>
 --INI--
+suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
-suhosin.log.syslog=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.executor.func.blacklist=max
 suhosin.log.use-x-forwarded-for=Off
+suhosin.simulation=1
 --ENV--
 return <<<END
 REMOTE_ADDR=101.102.103.104
@@ -19,5 +23,5 @@ END;
         max(1,2);
 ?>
 --EXPECTF--
-Warning: max() has been disabled for security reasons in %s on line 2
-ALERT - function within blacklist called: max() (attacker '101.102.103.104', file '%s', line 2)
\ No newline at end of file
+Warning: SIMULATION - max() has been disabled for security reasons in %s on line 2
+ALERT-SIMULATION - function within blacklist called: max() (attacker '101.102.103.104', file '%s', line 2)
\ No newline at end of file
diff --git a/tests/logging/use_x_forwarded_for_off_no_remote_addr.phpt b/tests/logging/use_x_forwarded_for_off_no_remote_addr.phpt
index bd4c72b..1a30e81 100644
--- a/tests/logging/use_x_forwarded_for_off_no_remote_addr.phpt
+++ b/tests/logging/use_x_forwarded_for_off_no_remote_addr.phpt
@@ -3,16 +3,20 @@ Testing: suhosin.log.use-x-forwarded-for=Off (without REMOTE_ADDR set)
 --SKIPIF--
 <?php include "../skipifnotcli.inc"; ?>
 --INI--
+suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
-suhosin.log.syslog=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.executor.func.blacklist=max
 suhosin.log.use-x-forwarded-for=Off
+suhosin.simulation=1
 --FILE--
 <?php
         max(1,2);
 ?>
 --EXPECTF--
-Warning: max() has been disabled for security reasons in %s on line 2
-ALERT - function within blacklist called: max() (attacker 'REMOTE_ADDR not set', file '%s', line 2)
\ No newline at end of file
+Warning: SIMULATION - max() has been disabled for security reasons in %s on line 2
+ALERT-SIMULATION - function within blacklist called: max() (attacker 'REMOTE_ADDR not set', file '%s', line 2)
\ No newline at end of file
diff --git a/tests/logging/use_x_forwarded_for_on.phpt b/tests/logging/use_x_forwarded_for_on.phpt
index 5f37ca9..e476ba7 100644
--- a/tests/logging/use_x_forwarded_for_on.phpt
+++ b/tests/logging/use_x_forwarded_for_on.phpt
@@ -3,12 +3,16 @@ Testing: suhosin.log.use-x-forwarded-for=On
 --SKIPIF--
 <?php include "../skipifnotcli.inc"; ?>
 --INI--
+suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
-suhosin.log.syslog=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.executor.func.blacklist=max
 suhosin.log.use-x-forwarded-for=On
+suhosin.simulation=1
 --ENV--
 return <<<END
 REMOTE_ADDR=101.102.103.104
@@ -19,5 +23,5 @@ END;
         max(1,2);
 ?>
 --EXPECTF--
-Warning: max() has been disabled for security reasons in %s on line 2
-ALERT - function within blacklist called: max() (attacker '1.2.3.4', file '%s', line 2)
\ No newline at end of file
+Warning: SIMULATION - max() has been disabled for security reasons in %s on line 2
+ALERT-SIMULATION - function within blacklist called: max() (attacker '1.2.3.4', file '%s', line 2)
\ No newline at end of file
diff --git a/tests/logging/use_x_forwarded_for_on_no_x_forwarded.phpt b/tests/logging/use_x_forwarded_for_on_no_x_forwarded.phpt
index aea6e06..b3e26de 100644
--- a/tests/logging/use_x_forwarded_for_on_no_x_forwarded.phpt
+++ b/tests/logging/use_x_forwarded_for_on_no_x_forwarded.phpt
@@ -3,16 +3,20 @@ Testing: suhosin.log.use-x-forwarded-for=On (without X-Forwarded-For set)
 --SKIPIF--
 <?php include "../skipifnotcli.inc"; ?>
 --INI--
+suhosin.log.syslog=0
 suhosin.log.sapi=0
-suhosin.log.stdout=255
 suhosin.log.script=0
-suhosin.log.syslog=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
 suhosin.executor.func.blacklist=max
 suhosin.log.use-x-forwarded-for=On
+suhosin.simulation=1
 --FILE--
 <?php
         max(1,2);
 ?>
 --EXPECTF--
-Warning: max() has been disabled for security reasons in %s on line 2
-ALERT - function within blacklist called: max() (attacker 'X-FORWARDED-FOR not set', file '%s', line 2)
\ No newline at end of file
+Warning: SIMULATION - max() has been disabled for security reasons in %s on line 2
+ALERT-SIMULATION - function within blacklist called: max() (attacker 'X-FORWARDED-FOR not set', file '%s', line 2)
\ No newline at end of file
diff --git a/tests/sql/mysqli_comment_conditional.phpt b/tests/sql/mysqli_comment_conditional.phpt
index 0436c64..02366c0 100644
--- a/tests/sql/mysqli_comment_conditional.phpt
+++ b/tests/sql/mysqli_comment_conditional.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_comment_cstyle_fail.phpt b/tests/sql/mysqli_comment_cstyle_fail.phpt
index 56a8ccb..5a4c5e7 100644
--- a/tests/sql/mysqli_comment_cstyle_fail.phpt
+++ b/tests/sql/mysqli_comment_cstyle_fail.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_comment_hashstyle_fail.phpt b/tests/sql/mysqli_comment_hashstyle_fail.phpt
index 6f5b517..c67cf44 100644
--- a/tests/sql/mysqli_comment_hashstyle_fail.phpt
+++ b/tests/sql/mysqli_comment_hashstyle_fail.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_comment_sqlstyle.phpt b/tests/sql/mysqli_comment_sqlstyle.phpt
index c32c76a..d0e454e 100644
--- a/tests/sql/mysqli_comment_sqlstyle.phpt
+++ b/tests/sql/mysqli_comment_sqlstyle.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_comment_sqlstyle_fail.phpt b/tests/sql/mysqli_comment_sqlstyle_fail.phpt
index 83e63c5..9894d96 100644
--- a/tests/sql/mysqli_comment_sqlstyle_fail.phpt
+++ b/tests/sql/mysqli_comment_sqlstyle_fail.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_connect_invalid_username.phpt b/tests/sql/mysqli_connect_invalid_username.phpt
index 532254f..c83bf1e 100644
--- a/tests/sql/mysqli_connect_invalid_username.phpt
+++ b/tests/sql/mysqli_connect_invalid_username.phpt
@@ -6,7 +6,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_multiselect.phpt b/tests/sql/mysqli_multiselect.phpt
index 63d6c19..2595441 100644
--- a/tests/sql/mysqli_multiselect.phpt
+++ b/tests/sql/mysqli_multiselect.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_multiselect_fail.phpt b/tests/sql/mysqli_multiselect_fail.phpt
index 2bee62a..9f4216f 100644
--- a/tests/sql/mysqli_multiselect_fail.phpt
+++ b/tests/sql/mysqli_multiselect_fail.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_multiselect_subselect.phpt b/tests/sql/mysqli_multiselect_subselect.phpt
index e629720..6308cfa 100644
--- a/tests/sql/mysqli_multiselect_subselect.phpt
+++ b/tests/sql/mysqli_multiselect_subselect.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_no_constraints.phpt b/tests/sql/mysqli_no_constraints.phpt
index 1d7fff6..1ba2875 100644
--- a/tests/sql/mysqli_no_constraints.phpt
+++ b/tests/sql/mysqli_no_constraints.phpt
@@ -11,7 +11,7 @@ suhosin.sql.union=0
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_open_comment.phpt b/tests/sql/mysqli_open_comment.phpt
index 29d3536..e65ebd5 100644
--- a/tests/sql/mysqli_open_comment.phpt
+++ b/tests/sql/mysqli_open_comment.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_open_comment_fail.phpt b/tests/sql/mysqli_open_comment_fail.phpt
index 4645523..a898153 100644
--- a/tests/sql/mysqli_open_comment_fail.phpt
+++ b/tests/sql/mysqli_open_comment_fail.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_union.phpt b/tests/sql/mysqli_union.phpt
index 9af9c61..77eb8e4 100644
--- a/tests/sql/mysqli_union.phpt
+++ b/tests/sql/mysqli_union.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_union_fail.phpt b/tests/sql/mysqli_union_fail.phpt
index ee51a79..ddcfd0e 100644
--- a/tests/sql/mysqli_union_fail.phpt
+++ b/tests/sql/mysqli_union_fail.phpt
@@ -11,7 +11,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_user_match_error.phpt b/tests/sql/mysqli_user_match_error.phpt
index 69db081..a8d1068 100644
--- a/tests/sql/mysqli_user_match_error.phpt
+++ b/tests/sql/mysqli_user_match_error.phpt
@@ -7,7 +7,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_user_match_ok.phpt b/tests/sql/mysqli_user_match_ok.phpt
index a2ad832..a1365ed 100644
--- a/tests/sql/mysqli_user_match_ok.phpt
+++ b/tests/sql/mysqli_user_match_ok.phpt
@@ -7,7 +7,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_user_postfix.phpt b/tests/sql/mysqli_user_postfix.phpt
index 11e3fe6..90be13f 100644
--- a/tests/sql/mysqli_user_postfix.phpt
+++ b/tests/sql/mysqli_user_postfix.phpt
@@ -7,7 +7,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/mysqli_user_prefix.phpt b/tests/sql/mysqli_user_prefix.phpt
index bb229f0..5ec793f 100644
--- a/tests/sql/mysqli_user_prefix.phpt
+++ b/tests/sql/mysqli_user_prefix.phpt
@@ -7,7 +7,7 @@ suhosin.log.stdout=32
 --SKIPIF--
 <?php
 include('skipifmysqli.inc');
-include('skipif.inc');
+include('../skipif.inc');
 ?>
 --FILE--
 <?php
diff --git a/tests/sql/skipifmysqli.inc b/tests/sql/skipifmysqli.inc
index ee16cf1..99c235d 100644
--- a/tests/sql/skipifmysqli.inc
+++ b/tests/sql/skipifmysqli.inc
@@ -2,4 +2,7 @@
 if (!extension_loaded("mysqli")) {
         die('skip - mysqli extension not available');
 }
+if (!getenv("TEST_SUHOSIN_MYSQL")) {
+    die("skip TEST_SUHOSIN_MYSQL is not set");
+}
 ?>
\ No newline at end of file
diff --git a/ufilter.c b/ufilter.c
index 1669e88..b6c5986 100644
--- a/ufilter.c
+++ b/ufilter.c
@@ -113,6 +113,24 @@ static int check_fileupload_varname(char *varname)
                         }
                 } 
                 
+                /* index whitelist/blacklist */
+                if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
+                        if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        goto return_failure;
+                                }
+                        }
+                } else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
+                        if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        goto return_failure;
+                                }
+                        }
+                }
+                
+                
                 index = strchr(index, '[');             
         }
         
@@ -149,19 +167,23 @@ return_failure:
 }
 /* }}} */
 
-static inline int suhosin_validate_utf8_multibyte(const char* cp)
+#ifdef SUHOSIN_EXPERIMENTAL
+static inline int suhosin_validate_utf8_multibyte(const char* cp, size_t maxlen)
 {
+        if (maxlen < 2 || !(*cp & 0x80)) { return 0; }
         if ((*cp & 0xe0) == 0xc0 &&                                     // 1st byte is 110xxxxx
                 (*(cp+1) & 0xc0) == 0x80 &&                             // 2nd byte is 10xxxxxx
                 (*cp & 0x1e)) {                                                 // overlong check 110[xxxx]x 10xxxxxx
                          return 2;
         }
+        if (maxlen < 3) { return 0; }
         if ((*cp & 0xf0) == 0xe0 &&                                     // 1st byte is 1110xxxx
                 (*(cp+1) & 0xc0) == 0x80 &&                             // 2nd byte is 10xxxxxx
                 (*(cp+2) & 0xc0) == 0x80 &&                             // 3rd byte is 10xxxxxx
                 ((*cp & 0x0f) | (*(cp+1) & 0x20))) {    // 1110[xxxx] 10[x]xxxxx 10xxxxxx
                         return 3;
         }
+        if (maxlen < 4) { return 0; }
         if ((*cp & 0xf8) == 0xf0 &&                             // 1st byte is 11110xxx
                 (*(cp+1) & 0xc0) == 0x80 &&                             // 2nd byte is 10xxxxxx
                 (*(cp+2) & 0xc0) == 0x80 &&                             // 3rd byte is 10xxxxxx
@@ -171,6 +193,7 @@ static inline int suhosin_validate_utf8_multibyte(const char* cp)
         }
         return 0;
 }
+#endif
 
 int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra TSRMLS_DC)
 {
@@ -236,14 +259,15 @@ int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra TS
                                         if (*cp >= 32 || isspace(*cp)) {
                                                 continue;
                                         }
+#ifdef SUHOSIN_EXPERIMENTAL
                                         if ((*cp & 0x80) && SUHOSIN_G(upload_allow_utf8)) {
                                                 SDEBUG("checking char %x", *cp);
-                                                if ((n = suhosin_validate_utf8_multibyte(cp))) { // valid UTF8 multibyte character
+                                                if ((n = suhosin_validate_utf8_multibyte(cp, cpend-cp))) { // valid UTF8 multibyte character
                                                         cp += n - 1;
                                                         continue;
                                                 }
                                         }
-                                        
+#endif
                                         suhosin_log(S_FILES, "uploaded file contains binary data - file dropped");
                                         if (!SUHOSIN_G(simulation)) {
                                                 goto continue_with_failure;
@@ -261,15 +285,17 @@ int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra TS
                                 for (i=0, j=0; i<mefd->length; i++) {
                                         if (mefd->data[i] >= 32 || isspace(mefd->data[i])) {
                                                 mefd->data[j++] = mefd->data[i];
-                                        } else if (SUHOSIN_G(upload_allow_utf8) && mefd->data[i] & 0x80) {
-                                                n = suhosin_validate_utf8_multibyte(mefd->data + i);
+                                        }
+#ifdef SUHOSIN_EXPERIMENTAL
+                                        else if (SUHOSIN_G(upload_allow_utf8) && mefd->data[i] & 0x80) {
+                                                n = suhosin_validate_utf8_multibyte(mefd->data + i, mefd->length - i);
                                                 if (!n) { continue; }
-                                                while (n) {
+                                                while (n--) {
                                                         mefd->data[j++] = mefd->data[i++];
-                                                        n--;
                                                 }
                                                 i--;
                                         }
+#endif
                                 }
                                 mefd->data[j] = '\0';