From 8d6af664df1e6a05c3e8840f3366c24af44ea424 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 16 Feb 2014 13:06:01 +0100
Subject: Add tests for max_array_index_length filter

---
 ...input_filter_cookie_max_array_index_length.phpt |  50 ++++++++++
 .../input_filter_get_max_array_index_length.phpt   |  50 ++++++++++
 .../input_filter_post_max_array_index_length.phpt  |  50 ++++++++++
 ...filter_post_max_array_index_length_rfc1867.phpt |  77 ++++++++++++++
 ...nput_filter_request_max_array_index_length.phpt | 111 +++++++++++++++++++++
 5 files changed, 338 insertions(+)
 create mode 100644 tests/filter/input_filter_cookie_max_array_index_length.phpt
 create mode 100644 tests/filter/input_filter_get_max_array_index_length.phpt
 create mode 100644 tests/filter/input_filter_post_max_array_index_length.phpt
 create mode 100644 tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt
 create mode 100644 tests/filter/input_filter_request_max_array_index_length.phpt

(limited to 'tests')

diff --git a/tests/filter/input_filter_cookie_max_array_index_length.phpt b/tests/filter/input_filter_cookie_max_array_index_length.phpt
new file mode 100644
index 0000000..76dcad4
--- /dev/null
+++ b/tests/filter/input_filter_cookie_max_array_index_length.phpt
@@ -0,0 +1,50 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_array_index_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_array_index_length=0
+suhosin.cookie.max_array_index_length=3
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1;
+--GET--
+--POST--
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(3) {
+  ["var1"]=>
+  array(1) {
+    ["AAA"]=>
+    string(1) "1"
+  }
+  ["var3"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      string(1) "1"
+    }
+  }
+  ["var5"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      array(1) {
+        ["CCC"]=>
+        string(1) "1"
+      }
+    }
+  }
+}
+ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/input_filter_get_max_array_index_length.phpt b/tests/filter/input_filter_get_max_array_index_length.phpt
new file mode 100644
index 0000000..890ec8e
--- /dev/null
+++ b/tests/filter/input_filter_get_max_array_index_length.phpt
@@ -0,0 +1,50 @@
+--TEST--
+suhosin input filter (suhosin.get.max_array_index_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_array_index_length=0
+suhosin.get.max_array_index_length=3
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
+--POST--
+--FILE--
+<?php
+var_dump($_GET);
+?>
+--EXPECTF--
+array(3) {
+  ["var1"]=>
+  array(1) {
+    ["AAA"]=>
+    string(1) "1"
+  }
+  ["var3"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      string(1) "1"
+    }
+  }
+  ["var5"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      array(1) {
+        ["CCC"]=>
+        string(1) "1"
+      }
+    }
+  }
+}
+ALERT - configured GET variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/input_filter_post_max_array_index_length.phpt b/tests/filter/input_filter_post_max_array_index_length.phpt
new file mode 100644
index 0000000..2c5adef
--- /dev/null
+++ b/tests/filter/input_filter_post_max_array_index_length.phpt
@@ -0,0 +1,50 @@
+--TEST--
+suhosin input filter (suhosin.post.max_array_index_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_array_index_length=0
+suhosin.post.max_array_index_length=3
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST--
+var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(3) {
+  ["var1"]=>
+  array(1) {
+    ["AAA"]=>
+    string(1) "1"
+  }
+  ["var3"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      string(1) "1"
+    }
+  }
+  ["var5"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      array(1) {
+        ["CCC"]=>
+        string(1) "1"
+      }
+    }
+  }
+}
+ALERT - configured POST variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt b/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt
new file mode 100644
index 0000000..58f0ed2
--- /dev/null
+++ b/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt
@@ -0,0 +1,77 @@
+--TEST--
+suhosin input filter (suhosin.post.max_array_index_length - RFC1867 version)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_array_index_length=0
+suhosin.post.max_array_index_length=3
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST--
+var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var1[AAA]"
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var2[BBBB]"
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var3[AAA][BBB]"
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var4[AAA][BBBB]"
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var5[AAA][BBB][CCC]"
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="var6[AAA][BBBB][CCC]"
+
+1
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(3) {
+  ["var1"]=>
+  array(1) {
+    ["AAA"]=>
+    string(1) "1"
+  }
+  ["var3"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      string(1) "1"
+    }
+  }
+  ["var5"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      array(1) {
+        ["CCC"]=>
+        string(1) "1"
+      }
+    }
+  }
+}
+ALERT - configured POST variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/input_filter_request_max_array_index_length.phpt b/tests/filter/input_filter_request_max_array_index_length.phpt
new file mode 100644
index 0000000..bb4c2ef
--- /dev/null
+++ b/tests/filter/input_filter_request_max_array_index_length.phpt
@@ -0,0 +1,111 @@
+--TEST--
+suhosin input filter (suhosin.request.max_array_index_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_array_index_length=3
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1;
+--GET--
+var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
+--POST--
+var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
+--FILE--
+<?php
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(3) {
+  ["var1"]=>
+  array(1) {
+    ["AAA"]=>
+    string(1) "1"
+  }
+  ["var3"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      string(1) "1"
+    }
+  }
+  ["var5"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      array(1) {
+        ["CCC"]=>
+        string(1) "1"
+      }
+    }
+  }
+}
+array(3) {
+  ["var1"]=>
+  array(1) {
+    ["AAA"]=>
+    string(1) "1"
+  }
+  ["var3"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      string(1) "1"
+    }
+  }
+  ["var5"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      array(1) {
+        ["CCC"]=>
+        string(1) "1"
+      }
+    }
+  }
+}
+array(3) {
+  ["var1"]=>
+  array(1) {
+    ["AAA"]=>
+    string(1) "1"
+  }
+  ["var3"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      string(1) "1"
+    }
+  }
+  ["var5"]=>
+  array(1) {
+    ["AAA"]=>
+    array(1) {
+      ["BBB"]=>
+      array(1) {
+        ["CCC"]=>
+        string(1) "1"
+      }
+    }
+  }
+}
+ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
-- 
cgit v1.3