From 3741554097cc73f03a9a6a4fa4d65dc01c120bd8 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Fri, 6 Feb 2015 22:38:35 +0100
Subject: tests for eval white/blacklist + include white/blacklist

---
 tests/include/include_blacklist.phpt            | 24 ++++++++++++++++++++++++
 tests/include/include_blackwhitelist_empty.phpt | 24 ++++++++++++++++++++++++
 tests/include/include_whitelist.phpt            | 24 ++++++++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 tests/include/include_blacklist.phpt
 create mode 100644 tests/include/include_blackwhitelist_empty.phpt
 create mode 100644 tests/include/include_whitelist.phpt

(limited to 'tests/include')

diff --git a/tests/include/include_blacklist.phpt b/tests/include/include_blacklist.phpt
new file mode 100644
index 0000000..f4c3df0
--- /dev/null
+++ b/tests/include/include_blacklist.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include blacklist
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=foo,boo
+--FILE--
+<?php
+	$var = "file://" . dirname(__FILE__) . "/../empty.inc";
+	include $var;
+	echo $value,"\n";
+    $var = "foo://test";
+    include $var;
+	$var = "boo://test"; // this point is never reached (famous last words)
+	include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is forbidden by the blacklist (attacker 'REMOTE_ADDR not set', file '%s', line 6)
\ No newline at end of file
diff --git a/tests/include/include_blackwhitelist_empty.phpt b/tests/include/include_blackwhitelist_empty.phpt
new file mode 100644
index 0000000..33380fd
--- /dev/null
+++ b/tests/include/include_blackwhitelist_empty.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include URL with empty black-/whitelist
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+	$var = dirname(__FILE__) . "/../empty.inc";
+	include $var;
+	echo $value,"\n";
+    $var = "foo://test";
+    include $var;
+	$var = "boo://test"; // this point is never reached (famous last words)
+	include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6)
\ No newline at end of file
diff --git a/tests/include/include_whitelist.phpt b/tests/include/include_whitelist.phpt
new file mode 100644
index 0000000..a0c771f
--- /dev/null
+++ b/tests/include/include_whitelist.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Include whitelist
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=file
+suhosin.executor.include.blacklist=
+--FILE--
+<?php
+	$var = "file://" . dirname(__FILE__) . "/../empty.inc";
+	include $var;
+	echo $value,"\n";
+    $var = "foo://test";
+    include $var;
+	$var = "boo://test"; // this point is never reached (famous last words)
+	include $var;
+?>
+--EXPECTF--
+value-from-empty.inc
+ALERT - Include filename ('foo://test') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 6)
\ No newline at end of file
-- 
cgit v1.3