From 71c70de8df61ff1446efb1c168d3c2deccf58586 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sat, 15 Feb 2014 12:13:19 +0100
Subject: Add a bunch of session id / session encryption tests from Ben.

---
 tests/session/crypt.checkraddr_4.phpt           | 29 +++++++++++++++++
 tests/session/crypt.checkraddr_4_incorrect.phpt | 27 ++++++++++++++++
 tests/session/crypt.docroot.phpt                | 25 +++++++++++++++
 tests/session/crypt.key_default.phpt            | 21 +++++++++++++
 tests/session/crypt.key_empty.phpt              | 21 +++++++++++++
 tests/session/crypt.key_empty_remote_addr.phpt  | 25 +++++++++++++++
 tests/session/crypt.no_encryption.phpt          | 15 +++++++++
 tests/session/crypt.raddr_1.phpt                | 25 +++++++++++++++
 tests/session/crypt.raddr_2.phpt                | 25 +++++++++++++++
 tests/session/crypt.raddr_3.phpt                | 25 +++++++++++++++
 tests/session/crypt.raddr_4.phpt                | 25 +++++++++++++++
 tests/session/crypt.ua.phpt                     | 25 +++++++++++++++
 tests/session/max_id_length_ok.phpt             | 14 +++++++++
 tests/session/max_id_length_toolong.phpt        | 14 +++++++++
 tests/session/sessionhandler.inc                | 41 +++++++++++++++++++++++++
 15 files changed, 357 insertions(+)
 create mode 100644 tests/session/crypt.checkraddr_4.phpt
 create mode 100644 tests/session/crypt.checkraddr_4_incorrect.phpt
 create mode 100644 tests/session/crypt.docroot.phpt
 create mode 100644 tests/session/crypt.key_default.phpt
 create mode 100644 tests/session/crypt.key_empty.phpt
 create mode 100644 tests/session/crypt.key_empty_remote_addr.phpt
 create mode 100644 tests/session/crypt.no_encryption.phpt
 create mode 100644 tests/session/crypt.raddr_1.phpt
 create mode 100644 tests/session/crypt.raddr_2.phpt
 create mode 100644 tests/session/crypt.raddr_3.phpt
 create mode 100644 tests/session/crypt.raddr_4.phpt
 create mode 100644 tests/session/crypt.ua.phpt
 create mode 100644 tests/session/max_id_length_ok.phpt
 create mode 100644 tests/session/max_id_length_toolong.phpt
 create mode 100644 tests/session/sessionhandler.inc

diff --git a/tests/session/crypt.checkraddr_4.phpt b/tests/session/crypt.checkraddr_4.phpt
new file mode 100644
index 0000000..42ac96a
--- /dev/null
+++ b/tests/session/crypt.checkraddr_4.phpt
@@ -0,0 +1,29 @@
+--TEST--
+session encryption with checkraddr=4
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+PHPSESSID=test
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=4
+--FILE--
+<?php
+include "sessionhandler.inc";
+
+session_test_start(new RemoteAddrSessionHandler());
+var_dump($_SESSION);
+
+?>
+--EXPECTF--
+array(1) {
+  ["a"]=>
+  string(1) "b"
+}
diff --git a/tests/session/crypt.checkraddr_4_incorrect.phpt b/tests/session/crypt.checkraddr_4_incorrect.phpt
new file mode 100644
index 0000000..cc468b8
--- /dev/null
+++ b/tests/session/crypt.checkraddr_4_incorrect.phpt
@@ -0,0 +1,27 @@
+--TEST--
+session encryption with checkraddr=4 and incorrect REMOTE_ADDR
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.2
+PHPSESSID=test
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=4
+--FILE--
+<?php
+include "sessionhandler.inc";
+
+session_test_start(new RemoteAddrSessionHandler());
+var_dump($_SESSION);
+
+?>
+--EXPECTF--
+array(0) {
+}
diff --git a/tests/session/crypt.docroot.phpt b/tests/session/crypt.docroot.phpt
new file mode 100644
index 0000000..d5b6fc6
--- /dev/null
+++ b/tests/session/crypt.docroot.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using docroot
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+DOCUMENT_ROOT=/var/www
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=On
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: NKChb1rdctXd-Acz0uzOYVnJT_J2mxYRVUgSh0w5mlk.
diff --git a/tests/session/crypt.key_default.phpt b/tests/session/crypt.key_default.phpt
new file mode 100644
index 0000000..8e4f12a
--- /dev/null
+++ b/tests/session/crypt.key_default.phpt
@@ -0,0 +1,21 @@
+--TEST--
+session with encryption default key
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: RIuy2LSSd3_s3hhDCnN89bNWyCnhvNAO0YUq7OQKuJc.
diff --git a/tests/session/crypt.key_empty.phpt b/tests/session/crypt.key_empty.phpt
new file mode 100644
index 0000000..3e5da11
--- /dev/null
+++ b/tests/session/crypt.key_empty.phpt
@@ -0,0 +1,21 @@
+--TEST--
+session with encryption key empty
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: RIuy2LSSd3_s3hhDCnN89bNWyCnhvNAO0YUq7OQKuJc.
diff --git a/tests/session/crypt.key_empty_remote_addr.phpt b/tests/session/crypt.key_empty_remote_addr.phpt
new file mode 100644
index 0000000..cf1292a
--- /dev/null
+++ b/tests/session/crypt.key_empty_remote_addr.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption key empty and REMOTE_ADDR set
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: j1YTvIOAUqxZMjuJ_ZnHPHWY5XEayycsr7O94aMzmBQ.
diff --git a/tests/session/crypt.no_encryption.phpt b/tests/session/crypt.no_encryption.phpt
new file mode 100644
index 0000000..6b6bc97
--- /dev/null
+++ b/tests/session/crypt.no_encryption.phpt
@@ -0,0 +1,15 @@
+--TEST--
+session without encryption
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.encrypt=Off
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+?>
+--EXPECTF--
+SESSION: a|s:1:"b";
\ No newline at end of file
diff --git a/tests/session/crypt.raddr_1.phpt b/tests/session/crypt.raddr_1.phpt
new file mode 100644
index 0000000..2070d03
--- /dev/null
+++ b/tests/session/crypt.raddr_1.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using REMOTE_ADDR (cryptraddr=1)
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=1
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: wkiQGgZgWnBFDyCs_4QYD_oaw_m35l_5I35XRg0wX_g.
diff --git a/tests/session/crypt.raddr_2.phpt b/tests/session/crypt.raddr_2.phpt
new file mode 100644
index 0000000..b8c21bc
--- /dev/null
+++ b/tests/session/crypt.raddr_2.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using REMOTE_ADDR (cryptraddr=2)
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=2
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: WDyvE0R4mUqvOG6e5VzhfgWMjfCWSFC5bNNI_3dIT3w.
diff --git a/tests/session/crypt.raddr_3.phpt b/tests/session/crypt.raddr_3.phpt
new file mode 100644
index 0000000..afe2729
--- /dev/null
+++ b/tests/session/crypt.raddr_3.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using REMOTE_ADDR (cryptraddr=3)
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=3
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: 6kLKLrgCmlOuEPXPON_K5SWHLuIbHdLsh4MJ0QtTFj8.
diff --git a/tests/session/crypt.raddr_4.phpt b/tests/session/crypt.raddr_4.phpt
new file mode 100644
index 0000000..28b4098
--- /dev/null
+++ b/tests/session/crypt.raddr_4.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using REMOTE_ADDR (cryptraddr=4)
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=4
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: QYSbWh8enETvdtKfao8G6aiXqK7_lhzFmRNYa2lo-UM.
diff --git a/tests/session/crypt.ua.phpt b/tests/session/crypt.ua.phpt
new file mode 100644
index 0000000..4c53273
--- /dev/null
+++ b/tests/session/crypt.ua.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using ua
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+HTTP_USER_AGENT=test
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=On
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: 3pVZdIv7vHG-PwO_rLQLUGerd4L_UX60xJoAM-IoVC4.
diff --git a/tests/session/max_id_length_ok.phpt b/tests/session/max_id_length_ok.phpt
new file mode 100644
index 0000000..9f91c94
--- /dev/null
+++ b/tests/session/max_id_length_ok.phpt
@@ -0,0 +1,14 @@
+--TEST--
+session id not too long
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.max_id_length=32
+--FILE--
+<?php
+session_id('12345678901234567890123456789012');
+session_start();
+echo session_id();
+?>
+--EXPECTF--
+12345678901234567890123456789012
\ No newline at end of file
diff --git a/tests/session/max_id_length_toolong.phpt b/tests/session/max_id_length_toolong.phpt
new file mode 100644
index 0000000..0e16621
--- /dev/null
+++ b/tests/session/max_id_length_toolong.phpt
@@ -0,0 +1,14 @@
+--TEST--
+session id too long
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.max_id_length=32
+--FILE--
+<?php
+session_id('123456789012345678901234567890123');
+session_start();
+echo strlen(session_id());
+?>
+--EXPECTF--
+32
\ No newline at end of file
diff --git a/tests/session/sessionhandler.inc b/tests/session/sessionhandler.inc
new file mode 100644
index 0000000..31b7546
--- /dev/null
+++ b/tests/session/sessionhandler.inc
@@ -0,0 +1,41 @@
+<?php
+class GenericSessionHandler implements SessionHandlerInterface
+{
+	function open($savePath, $sessionName) { return true; }
+
+	function close() { return true; }
+
+	function read($id) { return (string)""; }
+
+	function write($id, $data) { return true; }
+
+	function destroy($id) { return true; }
+
+	function gc($maxlifetime) { return true; }
+
+}
+class WriteSessionHandler extends GenericSessionHandler
+{
+	function write($id, $data)
+	{
+		echo "SESSION: $data\n";
+		return true;
+	}
+}
+class RemoteAddrSessionHandler extends GenericSessionHandler
+{
+	## key empty and REMOTE_ADDR set to 127.0.0.1
+	function read($id) { return (string)"j1YTvIOAUqxZMjuJ_ZnHPHWY5XEayycsr7O94aMzmBQ."; }
+}
+
+
+function session_test_start($handler=null) {
+	if (!$handler) {
+		$handler = new WriteSessionHandler();
+	}
+	session_set_save_handler($handler, true);
+	session_start();
+	return $handler;
+}
+
+?>
-- 
cgit v1.3