13 files changed, 239 insertions, 0 deletions
diff --git a/tests/include/include_constant.phpt b/tests/include/include_constant.phpt
new file mode 100644
index 0000000..180aa69
--- /dev/null
+++ b/tests/include/include_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Include "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    include "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/include_etc_passwd.phpt b/tests/include/include_etc_passwd.phpt
new file mode 100644
index 0000000..fb3c4e2
--- /dev/null
+++ b/tests/include/include_etc_passwd.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Include "../../../../../../../../../../../etc/passwd";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+suhosin.executor.include.max_traversal=3
+--FILE--
+<?php
+        $var = dirname(__FILE__)."/../empty.inc";
+        include $var;
+        echo $value,"\n";
+    $var = dirname(__FILE__)."/../../../../../../../../../../../etc/passwd";
+    include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('%s../../../../../../../../../../../etc/passwd') contains too many '../' (attacker 'REMOTE_ADDR not set', file '%s', line 6)
diff --git a/tests/include/include_once_constant.phpt b/tests/include/include_once_constant.phpt
new file mode 100644
index 0000000..3faac33
--- /dev/null
+++ b/tests/include/include_once_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Include_once "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    include_once "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/include_once_tmpvar.phpt b/tests/include/include_once_tmpvar.phpt
new file mode 100644
index 0000000..1f94c5a
--- /dev/null
+++ b/tests/include/include_once_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Include_once "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    include_once $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/include_once_var.phpt b/tests/include/include_once_var.phpt
new file mode 100644
index 0000000..bf38377
--- /dev/null
+++ b/tests/include/include_once_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Include_once "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    include_once $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/include_tmpvar.phpt b/tests/include/include_tmpvar.phpt
new file mode 100644
index 0000000..8ad26d7
--- /dev/null
+++ b/tests/include/include_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Include "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    include $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/include_var.phpt b/tests/include/include_var.phpt
new file mode 100644
index 0000000..7431240
--- /dev/null
+++ b/tests/include/include_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Include "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    include $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/require_constant.phpt b/tests/include/require_constant.phpt
new file mode 100644
index 0000000..6ee79fb
--- /dev/null
+++ b/tests/include/require_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Require "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    require "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/require_once_constant.phpt b/tests/include/require_once_constant.phpt
new file mode 100644
index 0000000..43c69c8
--- /dev/null
+++ b/tests/include/require_once_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Require_once "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    require_once "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/require_once_tmpvar.phpt b/tests/include/require_once_tmpvar.phpt
new file mode 100644
index 0000000..2be24b2
--- /dev/null
+++ b/tests/include/require_once_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Require_once "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    require_once $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/require_once_var.phpt b/tests/include/require_once_var.phpt
new file mode 100644
index 0000000..b3857f5
--- /dev/null
+++ b/tests/include/require_once_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Require_once "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    require_once $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/require_tmpvar.phpt b/tests/include/require_tmpvar.phpt
new file mode 100644
index 0000000..d411067
--- /dev/null
+++ b/tests/include/require_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Require "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    require $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/require_var.phpt b/tests/include/require_var.phpt
new file mode 100644
index 0000000..20468d4
--- /dev/null
+++ b/tests/include/require_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Require "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    require $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)

diff --git a/tests/include/include_constant.phpt b/tests/include/include_constant.phpt new file mode 100644 index 0000000..180aa69 --- /dev/null +++ b/tests/include/include_constant.phpt
@@ -0,0 +1,17 @@
	1	--TEST--
	2	Include "Constant URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	include "http://127.0.0.1/";
	15	?>
	16	--EXPECTF--
	17	ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)


diff --git a/tests/include/include_etc_passwd.phpt b/tests/include/include_etc_passwd.phpt new file mode 100644 index 0000000..fb3c4e2 --- /dev/null +++ b/tests/include/include_etc_passwd.phpt
@@ -0,0 +1,23 @@
	1	--TEST--
	2	Include "../../../../../../../../../../../etc/passwd";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	suhosin.executor.include.max_traversal=3
	13	--FILE--
	14	<?php
	15	$var = dirname(__FILE__)."/../empty.inc";
	16	include $var;
	17	echo $value,"\n";
	18	$var = dirname(__FILE__)."/../../../../../../../../../../../etc/passwd";
	19	include $var;
	20	?>
	21	--EXPECTF--
	22	value-from-empty.inc
	23	ALERT - Include filename ('%s../../../../../../../../../../../etc/passwd') contains too many '../' (attacker 'REMOTE_ADDR not set', file '%s', line 6)


diff --git a/tests/include/include_once_constant.phpt b/tests/include/include_once_constant.phpt new file mode 100644 index 0000000..3faac33 --- /dev/null +++ b/tests/include/include_once_constant.phpt
@@ -0,0 +1,17 @@
	1	--TEST--
	2	Include_once "Constant URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	include_once "http://127.0.0.1/";
	15	?>
	16	--EXPECTF--
	17	ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)


diff --git a/tests/include/include_once_tmpvar.phpt b/tests/include/include_once_tmpvar.phpt new file mode 100644 index 0000000..1f94c5a --- /dev/null +++ b/tests/include/include_once_tmpvar.phpt
@@ -0,0 +1,19 @@
	1	--TEST--
	2	Include_once "Temp Variable URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "http://127.0.0.1/";
	15	$app = "?";
	16	include_once $var.$app;
	17	?>
	18	--EXPECTF--
	19	ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)


diff --git a/tests/include/include_once_var.phpt b/tests/include/include_once_var.phpt new file mode 100644 index 0000000..bf38377 --- /dev/null +++ b/tests/include/include_once_var.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Include_once "Variable URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "http://127.0.0.1/";
	15	include_once $var;
	16	?>
	17	--EXPECTF--
	18	ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)


diff --git a/tests/include/include_tmpvar.phpt b/tests/include/include_tmpvar.phpt new file mode 100644 index 0000000..8ad26d7 --- /dev/null +++ b/tests/include/include_tmpvar.phpt
@@ -0,0 +1,19 @@
	1	--TEST--
	2	Include "Temp Variable URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "http://127.0.0.1/";
	15	$app = "?";
	16	include $var.$app;
	17	?>
	18	--EXPECTF--
	19	ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)


diff --git a/tests/include/include_var.phpt b/tests/include/include_var.phpt new file mode 100644 index 0000000..7431240 --- /dev/null +++ b/tests/include/include_var.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Include "Variable URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "http://127.0.0.1/";
	15	include $var;
	16	?>
	17	--EXPECTF--
	18	ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)


diff --git a/tests/include/require_constant.phpt b/tests/include/require_constant.phpt new file mode 100644 index 0000000..6ee79fb --- /dev/null +++ b/tests/include/require_constant.phpt
@@ -0,0 +1,17 @@
	1	--TEST--
	2	Require "Constant URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	require "http://127.0.0.1/";
	15	?>
	16	--EXPECTF--
	17	ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)


diff --git a/tests/include/require_once_constant.phpt b/tests/include/require_once_constant.phpt new file mode 100644 index 0000000..43c69c8 --- /dev/null +++ b/tests/include/require_once_constant.phpt
@@ -0,0 +1,17 @@
	1	--TEST--
	2	Require_once "Constant URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	require_once "http://127.0.0.1/";
	15	?>
	16	--EXPECTF--
	17	ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)


diff --git a/tests/include/require_once_tmpvar.phpt b/tests/include/require_once_tmpvar.phpt new file mode 100644 index 0000000..2be24b2 --- /dev/null +++ b/tests/include/require_once_tmpvar.phpt
@@ -0,0 +1,19 @@
	1	--TEST--
	2	Require_once "Temp Variable URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "http://127.0.0.1/";
	15	$app = "?";
	16	require_once $var.$app;
	17	?>
	18	--EXPECTF--
	19	ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)


diff --git a/tests/include/require_once_var.phpt b/tests/include/require_once_var.phpt new file mode 100644 index 0000000..b3857f5 --- /dev/null +++ b/tests/include/require_once_var.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Require_once "Variable URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "http://127.0.0.1/";
	15	require_once $var;
	16	?>
	17	--EXPECTF--
	18	ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)


diff --git a/tests/include/require_tmpvar.phpt b/tests/include/require_tmpvar.phpt new file mode 100644 index 0000000..d411067 --- /dev/null +++ b/tests/include/require_tmpvar.phpt
@@ -0,0 +1,19 @@
	1	--TEST--
	2	Require "Temp Variable URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "http://127.0.0.1/";
	15	$app = "?";
	16	require $var.$app;
	17	?>
	18	--EXPECTF--
	19	ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)


diff --git a/tests/include/require_var.phpt b/tests/include/require_var.phpt new file mode 100644 index 0000000..20468d4 --- /dev/null +++ b/tests/include/require_var.phpt
@@ -0,0 +1,18 @@
	1	--TEST--
	2	Require "Variable URL";
	3	--SKIPIF--
	4	<?php include "../skipifcli.inc"; ?>
	5	--INI--
	6	suhosin.log.syslog=0
	7	suhosin.log.sapi=255
	8	suhosin.log.script=0
	9	suhosin.log.phpscript=0
	10	suhosin.executor.include.whitelist=
	11	suhosin.executor.include.blacklist=
	12	--FILE--
	13	<?php
	14	$var = "http://127.0.0.1/";
	15	require $var;
	16	?>
	17	--EXPECTF--
	18	ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)