From 04f02a230d40c2d86b9d477a7810de24b15a7590 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 16 Feb 2014 10:45:17 +0100
Subject: Add various tests for include filename checks
---
tests/include/include_max_traversal.phpt | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 tests/include/include_max_traversal.phpt
(limited to 'tests/include/include_max_traversal.phpt')
diff --git a/tests/include/include_max_traversal.phpt b/tests/include/include_max_traversal.phpt
new file mode 100644
index 0000000..1ed083d
--- /dev/null
+++ b/tests/include/include_max_traversal.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Testing suhosin.executor.include.max_traversal=10
+--DESCRIPTION--
+Seems to work fine, maybe split up later into multiple test cases.
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+error_reporting=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+suhosin.executor.include.max_traversal=10
+--FILE--
+
+--EXPECTF--
+C1 INCLUDED!
+C2 INCLUDED!
+ALERT - Include filename ('/.././.././.././.././.././.././.././.././.././../%s') contains too many '../' (attacker 'REMOTE_ADDR not set', file '%s', line 7)
-- cgit v1.3
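Review bot: The `--DESCRIPTION--` text ("Seems to work fine, maybe split up later…") does not say which boundary this test pins, and that boundary is only recoverable by counting segments in the `--EXPECTF--` ALERT line. The rejected path there has ten `..` segments while `suhosin.executor.include.max_traversal=10`, so the limit appears to be inclusive. I would state that in the description, e.g. `Includes below the limit succeed (C1, C2); a path with ten '../' segments is rejected and logged when max_traversal=10.` This should be confirmed against the `--FILE--` body, which is not visible in this view. Separately, the expected line hard-codes `attacker 'REMOTE_ADDR not set'` while `--SKIPIF--` appears empty here, so if the section really is empty the test passes only under a SAPI without REMOTE_ADDR; a CLI-only skip or `attacker '%s'` would make that explicit.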