From 04f02a230d40c2d86b9d477a7810de24b15a7590 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 16 Feb 2014 10:45:17 +0100
Subject: Add various tests for include filename checks

---
tests/include/include_max_traversal.phpt | 32 ++++++++++++++++++++++
tests/include/include_nul_in_filename.phpt | 23 ++++++++++++++++
tests/include/include_too_long.phpt | 18 ++++++++++++
.../include_uploaded_file_diff_filename.phpt | 25 +++++++++++++++++
.../include/include_uploaded_file_from_FILES.phpt | 25 +++++++++++++++++
5 files changed, 123 insertions(+)
create mode 100644 tests/include/include_max_traversal.phpt
create mode 100644 tests/include/include_nul_in_filename.phpt
create mode 100644 tests/include/include_too_long.phpt
create mode 100644 tests/include/include_uploaded_file_diff_filename.phpt
create mode 100644 tests/include/include_uploaded_file_from_FILES.phpt
(limited to 'tests')

diff --git a/tests/include/include_max_traversal.phpt b/tests/include/include_max_traversal.phpt
new file mode 100644
index 0000000..1ed083d
--- /dev/null
+++ b/tests/include/include_max_traversal.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Testing suhosin.executor.include.max_traversal=10
+--DESCRIPTION--
+Seems to work fine, maybe split up later into multiple test cases.
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+error_reporting=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+suhosin.executor.include.max_traversal=10
+--FILE--
+
+--EXPECTF--
+C1 INCLUDED!
+C2 INCLUDED!
+ALERT - Include filename ('/.././.././.././.././.././.././.././.././.././../%s') contains too many '../' (attacker 'REMOTE_ADDR not set', file '%s', line 7)
diff --git a/tests/include/include_nul_in_filename.phpt b/tests/include/include_nul_in_filename.phpt
new file mode 100644
index 0000000..05c2823
--- /dev/null
+++ b/tests/include/include_nul_in_filename.phpt
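Review bot: The `--DESCRIPTION--` text "Seems to work fine, maybe split up later into multiple test cases." records a TODO rather than what the test asserts, so a mismatch in `--EXPECTF--` gives no hint which property broke. Judging from the expected ALERT path, the interesting property pinned here appears to be that `./` components interleaved between the `../` ones do not reset the traversal count, and that two includes below the limit (C1/C2) still succeed. I would replace the description with "Two includes below max_traversal must succeed (C1, C2); a path whose '../' count reaches the limit must be rejected even when './' components are interleaved." and add a companion include with one `../` fewer than the limit that is expected to succeed, since a single rejected case cannot distinguish an inclusive bound from an exclusive one. The `--FILE--` body is not visible in this rendering, so the exact segment counts are inferred from the expected output only.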
@@ -0,0 +1,23 @@
+--TEST--
+Testing include of filename including ASCIIZ character
+--DESCRIPTION--
+
+This test will only trigger the PHP internal protection.
+If this test case ever breaks then PHP has failed and hopefully Suhosin has kicked in.
+
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+
+--EXPECTF--
+Warning: include(): Failed opening 'AAAA' for inclusion (include_path='%s') in %s on line 3
\ No newline at end of file
diff --git a/tests/include/include_too_long.phpt b/tests/include/include_too_long.phpt
new file mode 100644
index 0000000..91c9958
--- /dev/null
+++ b/tests/include/include_too_long.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing include of too long filename
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--FILE--
+
+--EXPECTF--
+ALERT - Include filename ('AAAA%sAAAA') is too long (attacker 'REMOTE_ADDR not set', file '%s', line 3)
\ No newline at end of file
diff --git a/tests/include/include_uploaded_file_diff_filename.phpt b/tests/include/include_uploaded_file_diff_filename.phpt
new file mode 100644
index 0000000..8d3bca5
--- /dev/null
+++ b/tests/include/include_uploaded_file_diff_filename.phpt
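Review bot: The expected line `Warning: include(): Failed opening 'AAAA' for inclusion (include_path='%s') in %s on line 3` is exactly what PHP prints for an ordinary include of a non-existent file called `AAAA`, because the filename is emitted as a C string and stops at the NUL byte. The test therefore passes whether or not any NUL check fired; all it really proves is that no file named `AAAA` exists in the test directory. To make the rejection observable, have `--FILE--` create that file first, e.g. `file_put_contents(__DIR__ . '/AAAA', '<?php echo "AAAA INCLUDED!";');`, remove it again in a `--CLEAN--` section, and keep the expectation as is — a truncating include would then print and fail the test. The `--FILE--` body is not visible in this rendering, so I cannot tell whether the NUL is injected via a literal or `chr(0)`.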
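Review bot: Only the ALERT line is expected, yet unlike include_max_traversal.phpt in the same commit this test does not set `error_reporting=0`; if Suhosin logs and then lets the include proceed to fail, PHP's own `Warning: include(): Failed opening ...` (the very line the NUL test expects) would follow and break the exact-match `--EXPECTF--`. Either add `error_reporting=0` to `--INI--` for consistency with the traversal test, or append the expected warning to `--EXPECTF--` so the post-rejection behaviour is pinned rather than accidental. Whether the warning actually appears depends on how Suhosin's include hook returns after logging, which is not visible here; the `--FILE--` body is also stripped in this rendering, so the length used cannot be checked against the limit.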
@@ -0,0 +1,25 @@
+--TEST--
+Testing include file from $_FILES (but change name a bit)
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="f1"; filename="filename2"
+
+
+--EXPECTF--
+ALERT - Include filename is an uploaded file (attacker 'REMOTE_ADDR not set', file '%s', line 2)
\ No newline at end of file
diff --git a/tests/include/include_uploaded_file_from_FILES.phpt b/tests/include/include_uploaded_file_from_FILES.phpt
new file mode 100644
index 0000000..1ec20f3
--- /dev/null
+++ b/tests/include/include_uploaded_file_from_FILES.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Testing include file from $_FILES
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.log.phpscript=0
+suhosin.executor.include.whitelist=
+suhosin.executor.include.blacklist=
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="f1"; filename="filename2"
+
+
+--EXPECTF--
+ALERT - Include filename is an uploaded file (attacker 'REMOTE_ADDR not set', file '%s', line 2)
\ No newline at end of file
-- 
cgit v1.3
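Review bot: The title `Testing include file from $_FILES (but change name a bit)` is the only statement of what separates this test from include_uploaded_file_from_FILES.phpt, and every visible section (`--INI--`, `--POST_RAW--`, `--EXPECTF--`) is identical to that test; the transformation applied to `tmp_name` lives entirely in the `--FILE--` body, which this rendering does not show. Add a `--DESCRIPTION--` section that names the normalisation being exercised, e.g. "The uploaded file's tmp_name is altered (see FILE) before being included; Suhosin must still identify the target as an uploaded file.", with the concrete alteration spelled out, so a failure can be attributed to one path-canonicalisation case rather than to "the uploaded-file check". If several alterations are meant to be covered, one test per alteration is easier to keep green than a single opaque "a bit" variant.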
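Review bot: This test and its diff_filename sibling route the ALERT through `suhosin.log.sapi=0` plus `suhosin.log.stdout=255`, while the other three tests in this commit use `suhosin.log.sapi=255` and never set `suhosin.log.stdout`; since `--EXPECTF--` is matched against the captured output, whether those three pass depends on the runner capturing the SAPI error sink for the SAPI in use, which is presumably why the stdout sink was chosen here. Use the same pair of settings in all five `--INI--` sections so the suite does not pass or fail depending on the SAPI's error routing, and note the reason once in a comment next to the settings. Which sink run-tests actually captures for the SAPI these tests target is not visible from the diff.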