Diffstat (limited to 'tests/filter')
-rw-r--r--tests/filter/get_filter_2.phpt33
-rw-r--r--tests/filter/post_filter_1.phpt43
-rw-r--r--tests/filter/post_filter_2.phpt33
3 files changed, 109 insertions, 0 deletions
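diff --git a/tests/filter/get_filter_2.phpt b/tests/filter/get_filter_2.phpt
new file mode 100644
index 0000000..189ac28
--- /dev/null
+++ b/tests/filter/get_filter_2.phpt
@@ -0,0 +1,33 @@
+--TEST--
+suhosin GET filter (suhosin.get.max_vars)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.get.max_vars=5
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+A=A&B=B&C=C&D=D&E=E&F=F&G=G&
+--POST--
+--FILE--
+<?php
+var_dump($_GET);
+?>
+--EXPECTF--
+array(5) {
+ ["A"]=>
+ string(1) "A"
+ ["B"]=>
+ string(1) "B"
+ ["C"]=>
+ string(1) "C"
+ ["D"]=>
+ string(1) "D"
+ ["E"]=>
+ string(1) "E"
+}
+ALERT - configured GET variable limit exceeded - dropped variable 'F' - all further GET variables are dropped (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')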
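Review bot: The `--EXPECTF--` block names only 'F' in an alert, while 'G' shows up solely in the `dropped 2 request variables` count, and nothing in the file says this asymmetry is the contract being tested. A `--DESCRIPTION--` section such as `Only the first variable over suhosin.get.max_vars is logged by name; later ones are only counted in the summary line` would tell a log reader and the next maintainer what to expect. The same applies to tests/filter/post_filter_2.phpt with suhosin.post.max_vars. Both files also exercise only the over-limit path; a companion case with exactly five variables and no ALERT output would pin the boundary from the other side.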
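diff --git a/tests/filter/post_filter_1.phpt b/tests/filter/post_filter_1.phpt
new file mode 100644
index 0000000..eee353d
--- /dev/null
+++ b/tests/filter/post_filter_1.phpt
@@ -0,0 +1,43 @@
+--TEST--
+suhosin POST filter (disallowed variable names)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST--
+HTTP_RAW_POST_DATA=HTTP_RAW_POST_DATA&HTTP_SESSION_VARS=HTTP_SESSION_VARS&harmless1=harmless1&HTTP_SERVER_VARS=HTTP_SERVER_VARS&HTTP_COOKIE_VARS=HTTP_COOKIE_VARS&HTTP_POST_FILES=HTTP_POST_FILES&HTTP_POST_VARS=HTTP_POST_VARS&HTTP_GET_VARS=HTTP_GET_VARS&HTTP_ENV_VARS=HTTP_ENV_VARS&_SESSION=_SESSION&_REQUEST=_REQUEST&GLOBALS=GLOBALS&_COOKIE=_COOKIE&_SERVER=_SERVER&_FILES=_FILES&_POST=_POST&_ENV=_ENV&_GET=_GET&harmless2=harmless2&
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(2) {
+ ["harmless1"]=>
+ string(9) "harmless1"
+ ["harmless2"]=>
+ string(9) "harmless2"
+}
+ALERT - tried to register forbidden variable 'HTTP_RAW_POST_DATA' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_SESSION_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_SERVER_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_COOKIE_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_POST_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_POST_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_GET_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_ENV_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_SESSION' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_REQUEST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'GLOBALS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_COOKIE' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_SERVER' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_POST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_ENV' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_GET' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 17 request variables - (0 in GET, 17 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+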
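Review bot: Every forbidden name in the `--POST--` body is sent only as a plain scalar key, so the test pins the filter's behaviour for that one shape of input and nothing else. If the filter is meant to reject the same names when they carry an array subscript, a second case asserting that would be worth adding; whether it does is not visible from this file. Separately, `harmless2` surviving at the end of the body shows that a forbidden name drops only itself, unlike the max_vars limit, which drops everything after it. A `--DESCRIPTION--` section saying `Forbidden names are rejected one by one; variables after a rejected name are still registered` would keep that intent from being lost if the payload is reordered.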
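diff --git a/tests/filter/post_filter_2.phpt b/tests/filter/post_filter_2.phpt
new file mode 100644
index 0000000..22e773a
--- /dev/null
+++ b/tests/filter/post_filter_2.phpt
@@ -0,0 +1,33 @@
+--TEST--
+suhosin POST filter (suhosin.post.max_vars)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.post.max_vars=5
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST--
+A=A&B=B&C=C&D=D&E=E&F=F&G=G&
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(5) {
+ ["A"]=>
+ string(1) "A"
+ ["B"]=>
+ string(1) "B"
+ ["C"]=>
+ string(1) "C"
+ ["D"]=>
+ string(1) "D"
+ ["E"]=>
+ string(1) "E"
+}
+ALERT - configured POST variable limit exceeded - dropped variable 'F' - all further POST variables are dropped (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')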