From 36dbfacbe64697d959f524e537b15b73c090d898 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 21 Feb 2010 11:44:54 +0100
Subject: Inital commit

---
 tests/executor/disable_emod_off.phpt             | 18 +++++++++++++
 tests/executor/disable_emod_on.phpt              | 19 ++++++++++++++
 tests/executor/disable_eval_off.phpt             | 15 +++++++++++
 tests/executor/disable_eval_on.phpt              | 17 +++++++++++++
 tests/executor/memory_limit.phpt                 | 29 +++++++++++++++++++++
 tests/executor/memory_limit_other_hardlimit.phpt | 28 +++++++++++++++++++++
 tests/executor/negative_memory_limit.phpt        | 18 +++++++++++++
 tests/executor/preg_replace.phpt                 | 30 ++++++++++++++++++++++
 tests/executor/preg_replace_error.phpt           | 32 ++++++++++++++++++++++++
 tests/executor/recursion_maxdepth.phpt           | 31 +++++++++++++++++++++++
 10 files changed, 237 insertions(+)
 create mode 100644 tests/executor/disable_emod_off.phpt
 create mode 100644 tests/executor/disable_emod_on.phpt
 create mode 100644 tests/executor/disable_eval_off.phpt
 create mode 100644 tests/executor/disable_eval_on.phpt
 create mode 100644 tests/executor/memory_limit.phpt
 create mode 100644 tests/executor/memory_limit_other_hardlimit.phpt
 create mode 100644 tests/executor/negative_memory_limit.phpt
 create mode 100644 tests/executor/preg_replace.phpt
 create mode 100644 tests/executor/preg_replace_error.phpt
 create mode 100644 tests/executor/recursion_maxdepth.phpt

(limited to 'tests/executor')

diff --git a/tests/executor/disable_emod_off.phpt b/tests/executor/disable_emod_off.phpt
new file mode 100644
index 0000000..3c9cb01
--- /dev/null
+++ b/tests/executor/disable_emod_off.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.executor.disable_emodifier=0
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_emodifier=0
+--FILE--
+<?php
+    $text = "HALLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+    $text = "HalLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+?>
+--EXPECTF--
+string(5) "HALLO"
+string(5) "HALLO"
+
diff --git a/tests/executor/disable_emod_on.phpt b/tests/executor/disable_emod_on.phpt
new file mode 100644
index 0000000..6daf82f
--- /dev/null
+++ b/tests/executor/disable_emod_on.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Testing: suhosin.executor.disable_emodifier=1
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_emodifier=1
+--FILE--
+<?php
+    $text = "HALLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+    $text = "HalLO";
+    var_dump(preg_replace('/[a-z]/e', "strtoupper('\\0')", $text));
+?>
+--EXPECTF--
+string(5) "HALLO"
+ALERT - use of preg_replace() with /e modifier is forbidden by configuration (attacker 'REMOTE_ADDR not set', file '%s', line 5)
+
+Fatal error: SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration in %s(5) : regexp code on line 5
diff --git a/tests/executor/disable_eval_off.phpt b/tests/executor/disable_eval_off.phpt
new file mode 100644
index 0000000..1ee87f5
--- /dev/null
+++ b/tests/executor/disable_eval_off.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.disable_eval=0
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+--FILE--
+<?php
+    $x = 0;
+    eval('$x = 1;');
+    var_dump($x);
+?>
+--EXPECTF--
+int(1)
diff --git a/tests/executor/disable_eval_on.phpt b/tests/executor/disable_eval_on.phpt
new file mode 100644
index 0000000..49f4936
--- /dev/null
+++ b/tests/executor/disable_eval_on.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Testing: suhosin.executor.disable_eval=1
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=1
+--FILE--
+<?php
+    $x = 0;
+    eval('$x = 1;');
+    var_dump($x);
+?>
+--EXPECTF--
+ALERT - use of eval is forbidden by configuration (attacker 'REMOTE_ADDR not set', file '%s', line 3)
+
+Fatal error: SUHOSIN - Use of eval is forbidden by configuration in %s(3) : eval()'d code on line 3
diff --git a/tests/executor/memory_limit.phpt b/tests/executor/memory_limit.phpt
new file mode 100644
index 0000000..404ab19
--- /dev/null
+++ b/tests/executor/memory_limit.phpt
@@ -0,0 +1,29 @@
+--TEST--
+memory_limit test: set suhosin hard_limit to normal limit
+--SKIPIF--
+<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
+--INI--
+memory_limit=16M
+suhosin.memory_limit=0
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+<?php
+    ini_set("memory_limit", "13M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "14M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "15M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "16M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "17M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "18M"); echo ini_get("memory_limit"), "\n";
+?>
+--EXPECTF--
+13M
+14M
+15M
+16M
+ALERT - script tried to increase memory_limit to 17825792 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 6)
+16M
+ALERT - script tried to increase memory_limit to 18874368 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 7)
+16M
+
diff --git a/tests/executor/memory_limit_other_hardlimit.phpt b/tests/executor/memory_limit_other_hardlimit.phpt
new file mode 100644
index 0000000..cac11dc
--- /dev/null
+++ b/tests/executor/memory_limit_other_hardlimit.phpt
@@ -0,0 +1,28 @@
+--TEST--
+memory_limit test: set suhosin hard_limit to normal limit + 1M
+--SKIPIF--
+<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
+--INI--
+memory_limit=16M
+suhosin.memory_limit=17M
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+<?php
+    ini_set("memory_limit", "13M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "14M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "15M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "16M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "17M"); echo ini_get("memory_limit"), "\n";
+    ini_set("memory_limit", "18M"); echo ini_get("memory_limit"), "\n";
+?>
+--EXPECTF--
+13M
+14M
+15M
+16M
+17M
+ALERT - script tried to increase memory_limit to %d bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 7)
+17M
+
diff --git a/tests/executor/negative_memory_limit.phpt b/tests/executor/negative_memory_limit.phpt
new file mode 100644
index 0000000..8582cc9
--- /dev/null
+++ b/tests/executor/negative_memory_limit.phpt
@@ -0,0 +1,18 @@
+--TEST--
+memory_limit test: trying to set memory_limit to a negative value
+--SKIPIF--
+<?php if (!function_exists("memory_get_usage")) print "skip PHP not compiled with memory_limit support"; ?>
+--INI--
+memory_limit=16M
+suhosin.memory_limit=17M
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+<?php
+    ini_set("memory_limit", "-200000"); echo ini_get("memory_limit"), "\n";
+?>
+--EXPECTF--
+ALERT - script tried to increase memory_limit to %d bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+16M
+
diff --git a/tests/executor/preg_replace.phpt b/tests/executor/preg_replace.phpt
new file mode 100644
index 0000000..9060a29
--- /dev/null
+++ b/tests/executor/preg_replace.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Testing protection against "\0" in preg_replace() first parameter
+--SKIPIF--
+<?php include "../skipif.inc"; ?>
+--INI--
+suhosin.log.sapi=0
+--FILE--
+<?php
+    
+    $text1 = "One little boy with two dogs, three cats and four birds";
+    $text2 = "The three cats eat the four birds";
+
+    $regex_array = array("/one/", "/two/", "/three/");
+    $regex_array0 = array("/one/\0", "/two/", "/three/");
+    $replace_array = array("1", "2", "3");
+    $regex = "/eat/";
+    $regex0 = "/ea\0t/";
+    $replace = "play with";
+    
+    var_dump(preg_replace($regex_array, $replace_array, $text1));
+    var_dump(preg_replace($regex_array0, $replace_array, $text1));
+    var_dump(preg_replace($regex, $replace, $text2));
+    var_dump(preg_replace($regex0, $replace, $text2));
+    
+?>
+--EXPECT--
+string(49) "One little boy with 2 dogs, 3 cats and four birds"
+bool(false)
+string(39) "The three cats play with the four birds"
+bool(false)
diff --git a/tests/executor/preg_replace_error.phpt b/tests/executor/preg_replace_error.phpt
new file mode 100644
index 0000000..39e0aee
--- /dev/null
+++ b/tests/executor/preg_replace_error.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Testing protection against "\0" in preg_replace() first parameter (INCL. SUHOSIN ERROR MESSAGES)
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+--FILE--
+<?php
+    
+    $text1 = "One little boy with two dogs, three cats and four birds";
+    $text2 = "The three cats eat the four birds";
+
+    $regex_array = array("/one/", "/two/", "/three/");
+    $regex_array0 = array("/one/\0", "/two/", "/three/");
+    $replace_array = array("1", "2", "3");
+    $regex = "/eat/";
+    $regex0 = "/ea\0t/";
+    $replace = "play with";
+    
+    var_dump(preg_replace($regex_array, $replace_array, $text1));
+    var_dump(preg_replace($regex_array0, $replace_array, $text1));
+    var_dump(preg_replace($regex, $replace, $text2));
+    var_dump(preg_replace($regex0, $replace, $text2));
+    
+?>
+--EXPECTF--
+string(49) "One little boy with 2 dogs, 3 cats and four birds"
+ALERT - string termination attack on first preg_replace parameter detected (attacker 'REMOTE_ADDR not set', file '%s', line 14)
+bool(false)
+string(39) "The three cats play with the four birds"
+ALERT - string termination attack on first preg_replace parameter detected (attacker 'REMOTE_ADDR not set', file '%s', line 16)
+bool(false)
diff --git a/tests/executor/recursion_maxdepth.phpt b/tests/executor/recursion_maxdepth.phpt
new file mode 100644
index 0000000..31fe9c2
--- /dev/null
+++ b/tests/executor/recursion_maxdepth.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Testing: suhosin.executor.max_depth
+--SKIPIF--
+<?php include "../skipifnotcli.inc"; ?>
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.max_depth=13
+--FILE--
+<?php
+    function rec($level)
+    {
+	echo $level,"\n";
+	rec(++$level);
+    }
+    
+    rec(2);
+?>
+--EXPECTF--
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+ALERT - maximum execution depth reached - script terminated (attacker 'REMOTE_ADDR not set', file '%s', line 5)
-- 
cgit v1.3