From 49a4321cec080d61ff112aaf27f55257e62402f9 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Thu, 25 Sep 2014 18:07:55 +0200
Subject: array index whitelist/blacklist for multipart formdata
---
 .../post_fileupload_array_index_blacklist.phpt | 41 ++++++++++++++++++++++
 .../post_fileupload_array_index_whitelist.phpt | 41 ++++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 tests/filter/post_fileupload_array_index_blacklist.phpt
 create mode 100644 tests/filter/post_fileupload_array_index_whitelist.phpt
(limited to 'tests')
diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt
new file mode 100644
index 0000000..f0e003b
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_blacklist=ABC
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+
+--EXPECTF--
+array(1) {
+ ["fn"]=>
+ array(1) {
+ ["foo"]=>
+ array(1) {
+ ["bar"]=>
+ string(2) "ok"
+ }
+ }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
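Review bot: The `--TEST--` description of the blacklist test still reads `suhosin file upload filter (array index whitelist)`, although its `--INI--` section sets `suhosin.request.array_index_blacklist=ABC` and the `--EXPECTF--` block expects the "blacklisted characters" alert; this looks like a leftover from copying the whitelist test and should read `suhosin file upload filter (array index blacklist)` so a run-tests failure is attributed to the right filter. Separately, neither part of the `--POST_RAW--` body carries a `filename=` parameter, so despite `file_uploads=1` and the "file upload" title only plain multipart fields reach the array-index filter here; a third part with `filename=` would show whether the same rejection applies on the `$_FILES` path, which this hunk cannot demonstrate. The `--SKIPIF--` and `--FILE--` sections appear empty in this rendering, presumably because their PHP tags were lost, so which superglobal is dumped cannot be verified from the page.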
diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt
new file mode 100644
index 0000000..f2fe8c8
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+
+--EXPECTF--
+array(1) {
+ ["fn"]=>
+ array(1) {
+ ["foo"]=>
+ array(1) {
+ ["bar"]=>
+ string(2) "ok"
+ }
+ }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
-- cgit v1.3
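Review bot: The whitelist `suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz` contains no digits, so this test only shows that the uppercase index `BAR` is dropped and says nothing about the common numeric form `fn[0]`, which under this whitelist would also be rejected; a further part such as `Content-Disposition: form-data; name="fn[foo][0]"`, paired with either digits added to the whitelist or an explicit expectation that it is dropped, would pin that behaviour down. As in the blacklist test, no part carries a `filename=` parameter, so the `$_FILES` handling that the "file upload" title refers to is not exercised by this hunk. The `--SKIPIF--` and `--FILE--` sections appear empty in this rendering, presumably because their PHP tags were lost, so the dumped superglobal cannot be confirmed from the page.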