From 04f02a230d40c2d86b9d477a7810de24b15a7590 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 16 Feb 2014 10:45:17 +0100
Subject: Add various tests for include filename checks
---
.../include_uploaded_file_diff_filename.phpt | 25 ++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 tests/include/include_uploaded_file_diff_filename.phpt
(limited to 'tests/include/include_uploaded_file_diff_filename.phpt')
diff --git a/tests/include/include_uploaded_file_diff_filename.phpt b/tests/include/include_uploaded_file_diff_filename.phpt
new file mode 100644
index 0000000..8d3bca5
--- /dev/null
+++ b/tests/include/include_uploaded_file_diff_filename.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Testing include file from $_FILES (but change name a bit)
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="f1"; filename="filename2"
+
+
+--EXPECTF--
+ALERT - Include filename is an uploaded file (attacker 'REMOTE_ADDR not set', file '%s', line 2)
\ No newline at end of file
--
cgit v1.3
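Review bot: The `--INI--` section pins the log targets and clears the include white/blacklist, but it leaves `suhosin.simulation` at whatever the test run inherits, while `--EXPECTF--` expects the plain `ALERT - ...` prefix. Adding `suhosin.simulation=0` there would keep the result independent of a local configuration, since simulation mode would presumably change the logged line and let the include proceed. The title "(but change name a bit)" does not say how the included path differs from the upload's temporary name, nor that the include is expected to be refused. A wording such as `Include of an altered $_FILES tmp_name path is still reported as an uploaded file` would record the intent, assuming that is what the script does. Only 20 of the 25 added lines announced by the hunk header are visible on this page (the SKIPIF body and the section holding the include statement appear to be missing), so the include itself is not covered by this note.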