From 3741554097cc73f03a9a6a4fa4d65dc01c120bd8 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Fri, 6 Feb 2015 22:38:35 +0100
Subject: tests for eval white/blacklist + include white/blacklist
---
tests/executor/eval_blacklist.phpt | 18 ++++++++++++++++
tests/executor/eval_blacklist_printf.phpt | 16 +++++++++++++++
.../eval_blacklist_printf_function_exists.phpt | 23 +++++++++++++++++++++
tests/executor/eval_whitelist_absmax.phpt | 16 +++++++++++++++
tests/executor/eval_whitelist_call_user_func.phpt | 15 ++++++++++++++
tests/executor/function_whiletist_absmax.phpt | 15 --------------
tests/executor/function_whitelist_absmax.phpt | 15 ++++++++++++++
tests/include/include_blacklist.phpt | 24 ++++++++++++++++++++++
tests/include/include_blackwhitelist_empty.phpt | 24 ++++++++++++++++++++++
tests/include/include_whitelist.phpt | 24 ++++++++++++++++++++++
10 files changed, 175 insertions(+), 15 deletions(-)
create mode 100644 tests/executor/eval_blacklist.phpt
create mode 100644 tests/executor/eval_blacklist_printf.phpt
create mode 100644 tests/executor/eval_blacklist_printf_function_exists.phpt
create mode 100644 tests/executor/eval_whitelist_absmax.phpt
create mode 100644 tests/executor/eval_whitelist_call_user_func.phpt
delete mode 100644 tests/executor/function_whiletist_absmax.phpt
create mode 100644 tests/executor/function_whitelist_absmax.phpt
create mode 100644 tests/include/include_blacklist.phpt
create mode 100644 tests/include/include_blackwhitelist_empty.phpt
create mode 100644 tests/include/include_whitelist.phpt
diff --git a/tests/executor/eval_blacklist.phpt b/tests/executor/eval_blacklist.phpt
new file mode 100644
index 0000000..586bebc
--- /dev/null
+++ b/tests/executor/eval_blacklist.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.executor.eval.blacklist=max
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.blacklist=max
+--FILE--
+
+--EXPECTF--
+ALERT - function within eval blacklist called: max() (attacker 'REMOTE_ADDR not set', file '%s', line 4)
+
+Warning: max() has been disabled for security reasons in %s : eval()'d code on line 2
diff --git a/tests/executor/eval_blacklist_printf.phpt b/tests/executor/eval_blacklist_printf.phpt
new file mode 100644
index 0000000..596036e
--- /dev/null
+++ b/tests/executor/eval_blacklist_printf.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Testing: suhosin.executor.eval.blacklist=printf via call_user_func
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.blacklist=printf
+--FILE--
+
+--EXPECTF--
+ALERT - function within eval blacklist called: printf() (attacker 'REMOTE_ADDR not set', file '%s : eval()'d code', line 1)
+
+Warning: printf() has been disabled for security reasons in %s : eval()'d code on line 1
diff --git a/tests/executor/eval_blacklist_printf_function_exists.phpt b/tests/executor/eval_blacklist_printf_function_exists.phpt
new file mode 100644
index 0000000..d9b842c
--- /dev/null
+++ b/tests/executor/eval_blacklist_printf_function_exists.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Testing: suhosin.executor.eval.blacklist=printf with function_exists()
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.blacklist=printf,max
+--FILE--
+
+--EXPECTF--
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+
diff --git a/tests/executor/eval_whitelist_absmax.phpt b/tests/executor/eval_whitelist_absmax.phpt
new file mode 100644
index 0000000..fff7345
--- /dev/null
+++ b/tests/executor/eval_whitelist_absmax.phpt
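Review bot: The two ALERT expectations locate the blacklist hit differently and nothing in the tests says why: eval_blacklist.phpt expects `file '%s', line 4` (the eval() call site in the script, while its Warning points at eval()'d code line 2), whereas eval_blacklist_printf.phpt expects `file '%s : eval()'d code', line 1`. The --FILE-- bodies are not visible in this chunk, so I cannot tell whether this is an intended difference between a direct call and a call_user_func dispatch or an inconsistency in how the alert is attributed; since that file/line is what an analyst greps for when triaging the log, it is worth pinning down. If it is intended, say so in the title, e.g. `+Testing: suhosin.executor.eval.blacklist=max (alert reports the eval() call site, the warning the eval()'d line)`; if not, the expectation in one of the two files is masking a bug. The same question applies to eval_whitelist_call_user_func.phpt further down.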
@@ -0,0 +1,16 @@
+--TEST--
+Testing: suhosin.executor.eval.whitelist=abs,max
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.whitelist=abs,max
+--FILE--
+
+--EXPECTF--
+
diff --git a/tests/executor/eval_whitelist_call_user_func.phpt b/tests/executor/eval_whitelist_call_user_func.phpt
new file mode 100644
index 0000000..6f09b50
--- /dev/null
+++ b/tests/executor/eval_whitelist_call_user_func.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.eval.whitelist=printf via call_user_func
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.eval.whitelist=call_user_func
+--FILE--
+
+--EXPECTF--
+ALERT - function outside of eval whitelist called: printf() (attacker 'REMOTE_ADDR not set', file '%s : eval()'d code', line 1)
+
+Warning: printf() has been disabled for security reasons in %s : eval()'d code on line 1
diff --git a/tests/executor/function_whiletist_absmax.phpt b/tests/executor/function_whiletist_absmax.phpt
deleted file mode 100644
index f240e69..0000000
--- a/tests/executor/function_whiletist_absmax.phpt
+++ /dev/null
@@ -1,15 +0,0 @@
---TEST--
-Testing: suhosin.executor.func.whitelist=abs,max
---SKIPIF--
-
---INI--
-suhosin.log.sapi=64
-suhosin.executor.func.whitelist=abs,max
---FILE--
-
---EXPECTF--
-
diff --git a/tests/executor/function_whitelist_absmax.phpt b/tests/executor/function_whitelist_absmax.phpt
new file mode 100644
index 0000000..f240e69
--- /dev/null
+++ b/tests/executor/function_whitelist_absmax.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.func.whitelist=abs,max
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.whitelist=abs,max
+--FILE--
+
+--EXPECTF--
+
diff --git a/tests/include/include_blacklist.phpt b/tests/include/include_blacklist.phpt
new file mode 100644
index 0000000..f4c3df0
--- /dev/null
+++ b/tests/include/include_blacklist.phpt
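Review bot: The --TEST-- line of eval_whitelist_call_user_func.phpt is misleading: it reads `suhosin.executor.eval.whitelist=printf via call_user_func`, but the --INI-- block sets `suhosin.executor.eval.whitelist=call_user_func`, and printf is precisely the function expected to be rejected; `+Testing: suhosin.executor.eval.whitelist=call_user_func, printf rejected via call_user_func` says what is actually asserted. The same file is the only eval test in this commit that does not set `suhosin.executor.disable_eval=0`, which the other four eval tests do; adding `+suhosin.executor.disable_eval=0` keeps the test independent of the build's default for that option. eval_whitelist_absmax.phpt (and the renamed function_whitelist_absmax.phpt) expect empty output; the --FILE-- bodies are not visible here, but having the script print the return values of the whitelisted calls and expecting them would also prove the calls were executed, not merely that nothing was logged.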
@@ -0,0 +1,24 @@
+--TEST--
+Include blacklist
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=foo,boo
+--FILE--
+
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is forbidden by the blacklist (attacker 'REMOTE_ADDR not set', file '%s', line 6)
\ No newline at end of file
diff --git a/tests/include/include_blackwhitelist_empty.phpt b/tests/include/include_blackwhitelist_empty.phpt
new file mode 100644
index 0000000..33380fd
--- /dev/null
+++ b/tests/include/include_blackwhitelist_empty.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include URL with empty black-/whitelist
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6)
\ No newline at end of file
diff --git a/tests/include/include_whitelist.phpt b/tests/include/include_whitelist.phpt
new file mode 100644
index 0000000..a0c771f
--- /dev/null
+++ b/tests/include/include_whitelist.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include whitelist
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=file
+suhosin.executor.include.blacklist=
+--FILE--
+
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6)
\ No newline at end of file
-- 
cgit v1.3
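Review bot: include_blacklist.phpt configures `suhosin.executor.include.blacklist=foo,boo`, but the expected output only shows `foo://test` being rejected, so the second entry, and with it the comma-separated list parsing, is never exercised; either drop `boo` or include a `boo://` URL as well and expect a second ALERT for it. include_whitelist.phpt sets `suhosin.executor.include.whitelist=file` yet asserts only the negative case, with exactly the same "is a URL that is not allowed" line as include_blackwhitelist_empty.phpt, so as far as the visible expectations go nothing demonstrates that a whitelisted scheme is actually permitted; the --FILE-- bodies are not visible in this chunk, so this may be covered there, but an expectation line for a successful `file://` include would make it explicit. All three files end with `\ No newline at end of file`; a trailing newline keeps future diffs of the EXPECTF block clean.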