From 25d32b98d7aa6477b78fdf595ae66cf903da3344 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Wed, 12 Feb 2014 13:28:13 +0100
Subject: Add some testcases
---
tests/filter/get_filter_2.phpt | 33 +++++++++++++++++++++++++++++++
tests/filter/post_filter_1.phpt | 43 +++++++++++++++++++++++++++++++++++++++++
tests/filter/post_filter_2.phpt | 33 +++++++++++++++++++++++++++++++
3 files changed, 109 insertions(+)
create mode 100644 tests/filter/get_filter_2.phpt
create mode 100644 tests/filter/post_filter_1.phpt
create mode 100644 tests/filter/post_filter_2.phpt
(limited to 'tests/filter')
diff --git a/tests/filter/get_filter_2.phpt b/tests/filter/get_filter_2.phpt
new file mode 100644
index 0000000..189ac28
--- /dev/null
+++ b/tests/filter/get_filter_2.phpt
@@ -0,0 +1,33 @@
+--TEST--
+suhosin GET filter (suhosin.get.max_vars)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.get.max_vars=5
+--SKIPIF--
+
+--COOKIE--
+--GET--
+A=A&B=B&C=C&D=D&E=E&F=F&G=G&
+--POST--
+--FILE--
+
+--EXPECTF--
+array(5) {
+ ["A"]=>
+ string(1) "A"
+ ["B"]=>
+ string(1) "B"
+ ["C"]=>
+ string(1) "C"
+ ["D"]=>
+ string(1) "D"
+ ["E"]=>
+ string(1) "E"
+}
+ALERT - configured GET variable limit exceeded - dropped variable 'F' - all further GET variables are dropped (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_filter_1.phpt b/tests/filter/post_filter_1.phpt
new file mode 100644
index 0000000..eee353d
--- /dev/null
+++ b/tests/filter/post_filter_1.phpt
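Review bot: The `--GET--` input in tests/filter/get_filter_2.phpt uses only distinct scalar names (`A=A&B=B&…&G=G&`), so the test does not pin how `suhosin.get.max_vars` counts array elements. A separate case with a request such as `A[]=1&A[]=2&A[]=3&A[]=4&A[]=5&A[]=6` (constructed sample) would keep a later change from silently letting one array name carry more elements than the limit; its `--EXPECTF--` has to come from a real run, because the counting rule is not visible in this patch. The same gap applies to the `--POST--` line of tests/filter/post_filter_2.phpt. The `--SKIPIF--` and `--FILE--` bodies are empty in this rendering, so this assumes the script dumps the request array.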
@@ -0,0 +1,43 @@
+--TEST--
+suhosin POST filter (disallowed variable names)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST--
+HTTP_RAW_POST_DATA=HTTP_RAW_POST_DATA&HTTP_SESSION_VARS=HTTP_SESSION_VARS&harmless1=harmless1&HTTP_SERVER_VARS=HTTP_SERVER_VARS&HTTP_COOKIE_VARS=HTTP_COOKIE_VARS&HTTP_POST_FILES=HTTP_POST_FILES&HTTP_POST_VARS=HTTP_POST_VARS&HTTP_GET_VARS=HTTP_GET_VARS&HTTP_ENV_VARS=HTTP_ENV_VARS&_SESSION=_SESSION&_REQUEST=_REQUEST&GLOBALS=GLOBALS&_COOKIE=_COOKIE&_SERVER=_SERVER&_FILES=_FILES&_POST=_POST&_ENV=_ENV&_GET=_GET&harmless2=harmless2&
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["harmless1"]=>
+ string(9) "harmless1"
+ ["harmless2"]=>
+ string(9) "harmless2"
+}
+ALERT - tried to register forbidden variable 'HTTP_RAW_POST_DATA' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_SESSION_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_SERVER_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_COOKIE_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_POST_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_POST_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_GET_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'HTTP_ENV_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_SESSION' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_REQUEST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable 'GLOBALS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_COOKIE' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_SERVER' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_POST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_ENV' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - tried to register forbidden variable '_GET' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 17 request variables - (0 in GET, 17 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
diff --git a/tests/filter/post_filter_2.phpt b/tests/filter/post_filter_2.phpt
new file mode 100644
index 0000000..22e773a
--- /dev/null
+++ b/tests/filter/post_filter_2.phpt
@@ -0,0 +1,33 @@
+--TEST--
+suhosin POST filter (suhosin.post.max_vars)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.post.max_vars=5
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST--
+A=A&B=B&C=C&D=D&E=E&F=F&G=G&
+--FILE--
+
+--EXPECTF--
+array(5) {
+ ["A"]=>
+ string(1) "A"
+ ["B"]=>
+ string(1) "B"
+ ["C"]=>
+ string(1) "C"
+ ["D"]=>
+ string(1) "D"
+ ["E"]=>
+ string(1) "E"
+}
+ALERT - configured POST variable limit exceeded - dropped variable 'F' - all further POST variables are dropped (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
-- cgit v1.3
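Review bot: The `--POST--` line in tests/filter/post_filter_1.phpt submits every forbidden name as a plain scalar (`GLOBALS=GLOBALS`, `_SERVER=_SERVER`, …), so only the bare-name match is exercised. If the filter is also meant to reject the array form of these names, add inputs such as `GLOBALS[a]=1&_SERVER[a]=1` (constructed sample) next to `harmless1`, with the matching ALERT lines and an updated dropped count in `--EXPECTF--`; whether those are rejected today cannot be read from this patch. A short `--DESCRIPTION--` section stating that the 17 names are meant to mirror the filter's forbidden-name list would also tell the next maintainer to extend the test when a name is added.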