From 36dbfacbe64697d959f524e537b15b73c090d898 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 21 Feb 2010 11:44:54 +0100
Subject: Inital commit

---
 tests/include/include_constant.phpt      | 17 +++++++++++++++++
 tests/include/include_etc_passwd.phpt    | 23 +++++++++++++++++++++++
 tests/include/include_once_constant.phpt | 17 +++++++++++++++++
 tests/include/include_once_tmpvar.phpt   | 19 +++++++++++++++++++
 tests/include/include_once_var.phpt      | 18 ++++++++++++++++++
 tests/include/include_tmpvar.phpt        | 19 +++++++++++++++++++
 tests/include/include_var.phpt           | 18 ++++++++++++++++++
 tests/include/require_constant.phpt      | 17 +++++++++++++++++
 tests/include/require_once_constant.phpt | 17 +++++++++++++++++
 tests/include/require_once_tmpvar.phpt   | 19 +++++++++++++++++++
 tests/include/require_once_var.phpt      | 18 ++++++++++++++++++
 tests/include/require_tmpvar.phpt        | 19 +++++++++++++++++++
 tests/include/require_var.phpt           | 18 ++++++++++++++++++
 13 files changed, 239 insertions(+)
 create mode 100644 tests/include/include_constant.phpt
 create mode 100644 tests/include/include_etc_passwd.phpt
 create mode 100644 tests/include/include_once_constant.phpt
 create mode 100644 tests/include/include_once_tmpvar.phpt
 create mode 100644 tests/include/include_once_var.phpt
 create mode 100644 tests/include/include_tmpvar.phpt
 create mode 100644 tests/include/include_var.phpt
 create mode 100644 tests/include/require_constant.phpt
 create mode 100644 tests/include/require_once_constant.phpt
 create mode 100644 tests/include/require_once_tmpvar.phpt
 create mode 100644 tests/include/require_once_var.phpt
 create mode 100644 tests/include/require_tmpvar.phpt
 create mode 100644 tests/include/require_var.phpt

(limited to 'tests/include')

diff --git a/tests/include/include_constant.phpt b/tests/include/include_constant.phpt
new file mode 100644
index 0000000..180aa69
--- /dev/null
+++ b/tests/include/include_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Include "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    include "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/include_etc_passwd.phpt b/tests/include/include_etc_passwd.phpt
new file mode 100644
index 0000000..fb3c4e2
--- /dev/null
+++ b/tests/include/include_etc_passwd.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Include "../../../../../../../../../../../etc/passwd";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+suhosin.executor.include.max_traversal=3
+--FILE--
+<?php
+	$var = dirname(__FILE__)."/../empty.inc";
+	include $var;
+	echo $value,"\n";
+    $var = dirname(__FILE__)."/../../../../../../../../../../../etc/passwd";
+    include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('%s../../../../../../../../../../../etc/passwd') contains too many '../' (attacker 'REMOTE_ADDR not set', file '%s', line 6)
diff --git a/tests/include/include_once_constant.phpt b/tests/include/include_once_constant.phpt
new file mode 100644
index 0000000..3faac33
--- /dev/null
+++ b/tests/include/include_once_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Include_once "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    include_once "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/include_once_tmpvar.phpt b/tests/include/include_once_tmpvar.phpt
new file mode 100644
index 0000000..1f94c5a
--- /dev/null
+++ b/tests/include/include_once_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Include_once "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    include_once $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/include_once_var.phpt b/tests/include/include_once_var.phpt
new file mode 100644
index 0000000..bf38377
--- /dev/null
+++ b/tests/include/include_once_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Include_once "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    include_once $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/include_tmpvar.phpt b/tests/include/include_tmpvar.phpt
new file mode 100644
index 0000000..8ad26d7
--- /dev/null
+++ b/tests/include/include_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Include "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    include $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/include_var.phpt b/tests/include/include_var.phpt
new file mode 100644
index 0000000..7431240
--- /dev/null
+++ b/tests/include/include_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Include "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    include $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/require_constant.phpt b/tests/include/require_constant.phpt
new file mode 100644
index 0000000..6ee79fb
--- /dev/null
+++ b/tests/include/require_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Require "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    require "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/require_once_constant.phpt b/tests/include/require_once_constant.phpt
new file mode 100644
index 0000000..43c69c8
--- /dev/null
+++ b/tests/include/require_once_constant.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Require_once "Constant URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    require_once "http://127.0.0.1/";
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/require_once_tmpvar.phpt b/tests/include/require_once_tmpvar.phpt
new file mode 100644
index 0000000..2be24b2
--- /dev/null
+++ b/tests/include/require_once_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Require_once "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    require_once $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/require_once_var.phpt b/tests/include/require_once_var.phpt
new file mode 100644
index 0000000..b3857f5
--- /dev/null
+++ b/tests/include/require_once_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Require_once "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    require_once $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/require_tmpvar.phpt b/tests/include/require_tmpvar.phpt
new file mode 100644
index 0000000..d411067
--- /dev/null
+++ b/tests/include/require_tmpvar.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Require "Temp Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    $app = "?";
+    require $var.$app;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/require_var.phpt b/tests/include/require_var.phpt
new file mode 100644
index 0000000..20468d4
--- /dev/null
+++ b/tests/include/require_var.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Require "Variable URL";
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+    $var = "http://127.0.0.1/";
+    require $var;
+?>
+--EXPECTF--
+ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
-- 
cgit v1.3