From 3777acec1612a1c380ed3124b26de0bc3febc88d Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 16 Feb 2014 12:04:56 +0100
Subject: Add tests for suhosin.get/post/cookie.max_totalname_length filter
---
.../input_filter_cookie_max_totalname_length.phpt | 42 +++++++++++++
.../input_filter_get_max_totalname_length.phpt | 42 +++++++++++++
.../input_filter_post_max_totalname_length.phpt | 41 +++++++++++++
...t_filter_post_max_totalname_length_rfc1867.phpt | 70 ++++++++++++++++++++++
4 files changed, 195 insertions(+)
create mode 100644 tests/filter/input_filter_cookie_max_totalname_length.phpt
create mode 100644 tests/filter/input_filter_get_max_totalname_length.phpt
create mode 100644 tests/filter/input_filter_post_max_totalname_length.phpt
create mode 100644 tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt
(limited to 'tests')
diff --git a/tests/filter/input_filter_cookie_max_totalname_length.phpt b/tests/filter/input_filter_cookie_max_totalname_length.phpt
new file mode 100644
index 0000000..b356dc6
--- /dev/null
+++ b/tests/filter/input_filter_cookie_max_totalname_length.phpt
@@ -0,0 +1,42 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_totalname_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_totalname_length=0
+suhosin.cookie.max_totalname_length=7
+--SKIPIF--
+
+--COOKIE--
+var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(5) {
+ ["var"]=>
+ string(1) "0"
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ ["var04"]=>
+ string(1) "4"
+ ["var05"]=>
+ array(1) {
+ [0]=>
+ string(1) "5"
+ }
+}
+ALERT - configured COOKIE variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
diff --git a/tests/filter/input_filter_get_max_totalname_length.phpt b/tests/filter/input_filter_get_max_totalname_length.phpt
new file mode 100644
index 0000000..1353ee0
--- /dev/null
+++ b/tests/filter/input_filter_get_max_totalname_length.phpt
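Review bot: No name of exactly 8 characters is sent in the `--COOKIE--` data, so the first rejected length under `suhosin.cookie.max_totalname_length=7` is never exercised. The test pins the kept side of the boundary (`var05[]`, 7 characters), but the two dropped names are 9 and 10 characters long (`var3[xxx]`, `var06[xxx]`), so a filter that only starts dropping at 9 characters would still pass. Assuming the limit counts the full name including brackets, as the expected output suggests, adding `var007[]=7;` with its matching `ALERT - configured COOKIE variable total name length limit exceeded` line and a dropped count of 3 would close the gap. The GET, POST and RFC1867 tests later in this patch use the same seven names and have the same gap.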
@@ -0,0 +1,42 @@
+--TEST--
+suhosin input filter (suhosin.get.max_totalname_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_totalname_length=0
+suhosin.get.max_totalname_length=7
+--SKIPIF--
+
+--COOKIE--
+--GET--
+var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
+--POST--
+--FILE--
+
+--EXPECTF--
+array(5) {
+ ["var"]=>
+ string(1) "0"
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ ["var04"]=>
+ string(1) "4"
+ ["var05"]=>
+ array(1) {
+ [0]=>
+ string(1) "5"
+ }
+}
+ALERT - configured GET variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
diff --git a/tests/filter/input_filter_post_max_totalname_length.phpt b/tests/filter/input_filter_post_max_totalname_length.phpt
new file mode 100644
index 0000000..b922302
--- /dev/null
+++ b/tests/filter/input_filter_post_max_totalname_length.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin input filter (suhosin.post.max_totalname_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_totalname_length=0
+suhosin.post.max_totalname_length=7
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST--
+var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
+--FILE--
+
+--EXPECTF--
+array(5) {
+ ["var"]=>
+ string(1) "0"
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ ["var04"]=>
+ string(1) "4"
+ ["var05"]=>
+ array(1) {
+ [0]=>
+ string(1) "5"
+ }
+}
+ALERT - configured POST variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt b/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt
new file mode 100644
index 0000000..bbbcca4
--- /dev/null
+++ b/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt
@@ -0,0 +1,70 @@
+--TEST--
+suhosin input filter (suhosin.post.max_totalname_length - RFC1867 version)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_totalname_length=0
+suhosin.post.max_totalname_length=7
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var"
+
+0
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var1"
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var2[]"
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var3[xxx]"
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var04"
+
+4
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var05[]"
+
+5
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var06[xxx]"
+
+6
+-----------------------------20896060251896012921717172737--
+--FILE--
+
+--EXPECTF--
+array(5) {
+ ["var"]=>
+ string(1) "0"
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ ["var04"]=>
+ string(1) "4"
+ ["var05"]=>
+ array(1) {
+ [0]=>
+ string(1) "5"
+ }
+}
+ALERT - configured POST variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
-- cgit v1.3
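Review bot: Every part in the `--POST_RAW--` body is a plain form field, and none carries a `filename=` parameter, so this RFC1867 test does not show how `suhosin.post.max_totalname_length` treats the field name of an uploaded file. Whether the filter is meant to cover upload field names is not visible from this page. If it is, a part such as `Content-Disposition: form-data; name="var06[xxx]"; filename="x.txt"` with its expected ALERT line would document that. If it is not, a short `--DESCRIPTION--` section saying the limit applies to form variables only would keep readers from assuming uploads are covered.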