From 286ded52361e1cd31151cf945f4d8c7bb05da1c7 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Wed, 12 Feb 2014 21:46:31 +0100
Subject: Tests for the suhosin.XXX.disallow_nul feature
---
tests/filter/input_filter_allow_nul.phpt | Bin 0 -> 934 bytes
tests/filter/input_filter_cookie_disallow_nul.phpt | 29 +++++++++++++
tests/filter/input_filter_get_disallow_nul.phpt | 29 +++++++++++++
tests/filter/input_filter_post_disallow_nul.phpt | 29 +++++++++++++
.../filter/input_filter_request_disallow_nul.phpt | 48 +++++++++++++++++++++
5 files changed, 135 insertions(+)
create mode 100644 tests/filter/input_filter_allow_nul.phpt
create mode 100644 tests/filter/input_filter_cookie_disallow_nul.phpt
create mode 100644 tests/filter/input_filter_get_disallow_nul.phpt
create mode 100644 tests/filter/input_filter_post_disallow_nul.phpt
create mode 100644 tests/filter/input_filter_request_disallow_nul.phpt
(limited to 'tests/filter')
diff --git a/tests/filter/input_filter_allow_nul.phpt b/tests/filter/input_filter_allow_nul.phpt
new file mode 100644
index 0000000..015d211
Binary files /dev/null and b/tests/filter/input_filter_allow_nul.phpt differ
diff --git a/tests/filter/input_filter_cookie_disallow_nul.phpt b/tests/filter/input_filter_cookie_disallow_nul.phpt
new file mode 100644
index 0000000..dab9241
--- /dev/null
+++ b/tests/filter/input_filter_cookie_disallow_nul.phpt
@@ -0,0 +1,29 @@
+--TEST--
+suhosin input filter (suhosin.cookie.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.disallow_nul=0
+suhosin.cookie.disallow_nul=1
+--SKIPIF--
+
+--COOKIE--
+var1=xx%001;var2=2;var3=xx%003;var4=4;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_get_disallow_nul.phpt b/tests/filter/input_filter_get_disallow_nul.phpt
new file mode 100644
index 0000000..b7c2ad4
--- /dev/null
+++ b/tests/filter/input_filter_get_disallow_nul.phpt
@@ -0,0 +1,29 @@
+--TEST--
+suhosin input filter (suhosin.get.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.disallow_nul=0
+suhosin.get.disallow_nul=1
+--SKIPIF--
+
+--COOKIE--
+--GET--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--POST--
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_post_disallow_nul.phpt b/tests/filter/input_filter_post_disallow_nul.phpt
new file mode 100644
index 0000000..60c797e
--- /dev/null
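Review bot: The cookie test sets `suhosin.request.disallow_nul=0` and `suhosin.cookie.disallow_nul=1` but leaves `--GET--` and `--POST--` empty, so it never shows that the cookie-only switch leaves the other sources alone; the GET and POST tests that follow have the same gap. A filter that dropped NUL-bearing variables from every source as soon as any one flag is set would still pass all three tests. Consider giving the unfiltered sources the same payload, e.g. `var1=xx%001&var2=2` under `--GET--`, and asserting that `var1` survives there while the summary line still reads `(0 in GET, 0 in POST, 2 in COOKIE)`. The `--FILE--` body is not visible in this view, so the script would need to dump those arrays too if it does not already.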
+++ b/tests/filter/input_filter_post_disallow_nul.phpt
@@ -0,0 +1,29 @@
+--TEST--
+suhosin input filter (suhosin.post.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.disallow_nul=0
+suhosin.post.disallow_nul=1
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_disallow_nul.phpt b/tests/filter/input_filter_request_disallow_nul.phpt
new file mode 100644
index 0000000..09903ec
--- /dev/null
+++ b/tests/filter/input_filter_request_disallow_nul.phpt
@@ -0,0 +1,48 @@
+--TEST--
+suhosin input filter (suhosin.request.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.disallow_nul=1
+--SKIPIF--
+
+--COOKIE--
+var1=xx%001;var2=2;var3=xx%003;var4=4;
+--GET--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--POST--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
--
cgit v1.3
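Review bot: Every payload in this test, as in the three per-source tests, puts the NUL in the middle of a scalar value (`xx%001`), so only that one input shape is pinned by `--EXPECTF--`. Nothing here covers a NUL as the first or last byte of a value, inside an array element such as `var5[]=x%00`, or in the variable name itself; whether the filter inspects names cannot be told from this hunk. Adding one variable per case under `--GET--`, each with its matching `dropped variable` alert and an updated summary count, would lock the filter's behaviour down against regressions.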