From a4d148c28015a590ad41af80027b3ca4f446586c Mon Sep 17 00:00:00 2001 
From: Ben Fuhrmannek Date: Wed, 5 Oct 2016 19:03:20 +0200 Subject: renamed tests --- tests/executor/memory_limit_negative.phpt | 18 +++ tests/executor/negative_memory_limit.phpt | 18 --- tests/filter/cookie_disallow_nul.phpt | 32 +++++ tests/filter/cookie_disallow_ws.phpt | 31 +++++ tests/filter/cookie_max_array_depth.phpt | 66 +++++++++ tests/filter/cookie_max_array_index_length.phpt | 53 +++++++ tests/filter/cookie_max_name_length.phpt | 44 ++++++ tests/filter/cookie_max_totalname_length.phpt | 45 ++++++ tests/filter/cookie_max_value_length.phpt | 36 +++++ tests/filter/cookie_max_vars.phpt | 30 ++++ tests/filter/get_allow_ws.phpt | 56 ++++++++ tests/filter/get_disallow_nul.phpt | 32 +++++ tests/filter/get_disallow_ws.phpt | 30 ++++ tests/filter/get_filter_allow_ws.phpt | 56 -------- tests/filter/get_filter_cookie_disallow_ws.phpt | 31 ----- tests/filter/get_filter_get_disallow_ws.phpt | 30 ---- tests/filter/get_filter_post_disallow_ws.phpt | 30 ---- tests/filter/get_filter_request_disallow_ws.phpt | 30 ---- tests/filter/get_max_array_depth.phpt | 66 +++++++++ tests/filter/get_max_array_index_length.phpt | 53 +++++++ tests/filter/get_max_name_length.phpt | 44 ++++++ tests/filter/get_max_totalname_length.phpt | 45 ++++++ tests/filter/get_max_value_length.phpt | 36 +++++ tests/filter/input_filter_cookie_disallow_nul.phpt | 32 ----- .../input_filter_cookie_max_array_depth.phpt | 66 --------- ...input_filter_cookie_max_array_index_length.phpt | 53 ------- .../input_filter_cookie_max_name_length.phpt | 44 ------ .../input_filter_cookie_max_totalname_length.phpt | 45 ------ .../input_filter_cookie_max_value_length.phpt | 36 ----- tests/filter/input_filter_cookie_max_vars.phpt | 30 ---- tests/filter/input_filter_get_disallow_nul.phpt | 32 ----- tests/filter/input_filter_get_max_array_depth.phpt | 66 --------- .../input_filter_get_max_array_index_length.phpt | 53 ------- tests/filter/input_filter_get_max_name_length.phpt | 44 ------ 
.../input_filter_get_max_totalname_length.phpt | 45 ------ .../filter/input_filter_get_max_value_length.phpt | 36 ----- tests/filter/input_filter_post_disallow_nul.phpt | 32 ----- .../input_filter_post_disallow_nul_rfc1867.phpt | Bin 1508 -> 0 bytes .../filter/input_filter_post_max_array_depth.phpt | 66 --------- .../input_filter_post_max_array_depth_rfc1867.phpt | 91 ------------ .../input_filter_post_max_array_index_length.phpt | 53 ------- ...filter_post_max_array_index_length_rfc1867.phpt | 80 ----------- .../filter/input_filter_post_max_name_length.phpt | 44 ------ .../input_filter_post_max_name_length_rfc1867.phpt | 73 ---------- .../input_filter_post_max_totalname_length.phpt | 44 ------ ...t_filter_post_max_totalname_length_rfc1867.phpt | 73 ---------- .../filter/input_filter_post_max_value_length.phpt | 36 ----- ...input_filter_post_max_value_length_rfc1867.phpt | Bin 1912 -> 0 bytes ...input_filter_request_array_index_blacklist.phpt | 56 -------- ...input_filter_request_array_index_whitelist.phpt | 54 -------- .../filter/input_filter_request_disallow_nul.phpt | 51 ------- .../input_filter_request_max_array_depth.phpt | 153 --------------------- ...nput_filter_request_max_array_index_length.phpt | 114 --------------- .../input_filter_request_max_name_length.phpt | 85 ------------ .../input_filter_request_max_totalname_length.phpt | 88 ------------ tests/filter/post_disallow_nul.phpt | 32 +++++ tests/filter/post_disallow_nul_rfc1867.phpt | Bin 0 -> 1508 bytes tests/filter/post_disallow_ws.phpt | 30 ++++ tests/filter/post_max_array_depth.phpt | 66 +++++++++ tests/filter/post_max_array_depth_rfc1867.phpt | 91 ++++++++++++ tests/filter/post_max_array_index_length.phpt | 53 +++++++ .../post_max_array_index_length_rfc1867.phpt | 80 +++++++++++ tests/filter/post_max_name_length.phpt | 44 ++++++ tests/filter/post_max_name_length_rfc1867.phpt | 73 ++++++++++ tests/filter/post_max_totalname_length.phpt | 44 ++++++ .../filter/post_max_totalname_length_rfc1867.phpt | 
73 ++++++++++ tests/filter/post_max_value_length.phpt | 36 +++++ tests/filter/post_max_value_length_rfc1867.phpt | Bin 0 -> 1912 bytes tests/filter/request_array_index_blacklist.phpt | 56 ++++++++ tests/filter/request_array_index_whitelist.phpt | 54 ++++++++ tests/filter/request_disallow_nul.phpt | 51 +++++++ tests/filter/request_disallow_ws.phpt | 30 ++++ tests/filter/request_max_array_depth.phpt | 153 +++++++++++++++++++++ tests/filter/request_max_array_index_length.phpt | 114 +++++++++++++++ tests/filter/request_max_name_length.phpt | 85 ++++++++++++ tests/filter/request_max_totalname_length.phpt | 88 ++++++++++++ 76 files changed, 1970 insertions(+), 1970 deletions(-) create mode 100644 tests/executor/memory_limit_negative.phpt delete mode 100644 tests/executor/negative_memory_limit.phpt create mode 100644 tests/filter/cookie_disallow_nul.phpt create mode 100644 tests/filter/cookie_disallow_ws.phpt create mode 100644 tests/filter/cookie_max_array_depth.phpt create mode 100644 tests/filter/cookie_max_array_index_length.phpt create mode 100644 tests/filter/cookie_max_name_length.phpt create mode 100644 tests/filter/cookie_max_totalname_length.phpt create mode 100644 tests/filter/cookie_max_value_length.phpt create mode 100644 tests/filter/cookie_max_vars.phpt create mode 100644 tests/filter/get_allow_ws.phpt create mode 100644 tests/filter/get_disallow_nul.phpt create mode 100644 tests/filter/get_disallow_ws.phpt delete mode 100644 tests/filter/get_filter_allow_ws.phpt delete mode 100644 tests/filter/get_filter_cookie_disallow_ws.phpt delete mode 100644 tests/filter/get_filter_get_disallow_ws.phpt delete mode 100644 tests/filter/get_filter_post_disallow_ws.phpt delete mode 100644 tests/filter/get_filter_request_disallow_ws.phpt create mode 100644 tests/filter/get_max_array_depth.phpt create mode 100644 tests/filter/get_max_array_index_length.phpt create mode 100644 tests/filter/get_max_name_length.phpt create mode 100644 tests/filter/get_max_totalname_length.phpt 
create mode 100644 tests/filter/get_max_value_length.phpt delete mode 100644 tests/filter/input_filter_cookie_disallow_nul.phpt delete mode 100644 tests/filter/input_filter_cookie_max_array_depth.phpt delete mode 100644 tests/filter/input_filter_cookie_max_array_index_length.phpt delete mode 100644 tests/filter/input_filter_cookie_max_name_length.phpt delete mode 100644 tests/filter/input_filter_cookie_max_totalname_length.phpt delete mode 100644 tests/filter/input_filter_cookie_max_value_length.phpt delete mode 100644 tests/filter/input_filter_cookie_max_vars.phpt delete mode 100644 tests/filter/input_filter_get_disallow_nul.phpt delete mode 100644 tests/filter/input_filter_get_max_array_depth.phpt delete mode 100644 tests/filter/input_filter_get_max_array_index_length.phpt delete mode 100644 tests/filter/input_filter_get_max_name_length.phpt delete mode 100644 tests/filter/input_filter_get_max_totalname_length.phpt delete mode 100644 tests/filter/input_filter_get_max_value_length.phpt delete mode 100644 tests/filter/input_filter_post_disallow_nul.phpt delete mode 100644 tests/filter/input_filter_post_disallow_nul_rfc1867.phpt delete mode 100644 tests/filter/input_filter_post_max_array_depth.phpt delete mode 100644 tests/filter/input_filter_post_max_array_depth_rfc1867.phpt delete mode 100644 tests/filter/input_filter_post_max_array_index_length.phpt delete mode 100644 tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt delete mode 100644 tests/filter/input_filter_post_max_name_length.phpt delete mode 100644 tests/filter/input_filter_post_max_name_length_rfc1867.phpt delete mode 100644 tests/filter/input_filter_post_max_totalname_length.phpt delete mode 100644 tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt delete mode 100644 tests/filter/input_filter_post_max_value_length.phpt delete mode 100644 tests/filter/input_filter_post_max_value_length_rfc1867.phpt delete mode 100644 
tests/filter/input_filter_request_array_index_blacklist.phpt delete mode 100644 tests/filter/input_filter_request_array_index_whitelist.phpt delete mode 100644 tests/filter/input_filter_request_disallow_nul.phpt delete mode 100644 tests/filter/input_filter_request_max_array_depth.phpt delete mode 100644 tests/filter/input_filter_request_max_array_index_length.phpt delete mode 100644 tests/filter/input_filter_request_max_name_length.phpt delete mode 100644 tests/filter/input_filter_request_max_totalname_length.phpt create mode 100644 tests/filter/post_disallow_nul.phpt create mode 100644 tests/filter/post_disallow_nul_rfc1867.phpt create mode 100644 tests/filter/post_disallow_ws.phpt create mode 100644 tests/filter/post_max_array_depth.phpt create mode 100644 tests/filter/post_max_array_depth_rfc1867.phpt create mode 100644 tests/filter/post_max_array_index_length.phpt create mode 100644 tests/filter/post_max_array_index_length_rfc1867.phpt create mode 100644 tests/filter/post_max_name_length.phpt create mode 100644 tests/filter/post_max_name_length_rfc1867.phpt create mode 100644 tests/filter/post_max_totalname_length.phpt create mode 100644 tests/filter/post_max_totalname_length_rfc1867.phpt create mode 100644 tests/filter/post_max_value_length.phpt create mode 100644 tests/filter/post_max_value_length_rfc1867.phpt create mode 100644 tests/filter/request_array_index_blacklist.phpt create mode 100644 tests/filter/request_array_index_whitelist.phpt create mode 100644 tests/filter/request_disallow_nul.phpt create mode 100644 tests/filter/request_disallow_ws.phpt create mode 100644 tests/filter/request_max_array_depth.phpt create mode 100644 tests/filter/request_max_array_index_length.phpt create mode 100644 tests/filter/request_max_name_length.phpt create mode 100644 tests/filter/request_max_totalname_length.phpt (limited to 'tests') 
diff --git a/tests/executor/memory_limit_negative.phpt b/tests/executor/memory_limit_negative.phpt
new file mode 100644
index 0000000..7fad546
--- /dev/null
+++ b/tests/executor/memory_limit_negative.phpt
@@ -0,0 +1,18 @@
+--TEST--
+memory_limit test: trying to set memory_limit to a negative value
+--SKIPIF--
+
+--INI--
+memory_limit=16M
+suhosin.memory_limit=17M
+suhosin.log.syslog=0
+suhosin.log.script=0
+suhosin.log.sapi=2
+--FILE--
+
+--EXPECTF--
+ALERT - script tried to disable memory_limit by setting it to a negative value -%d bytes which is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+16M
+
diff --git a/tests/executor/negative_memory_limit.phpt b/tests/executor/negative_memory_limit.phpt
deleted file mode 100644
index 7fad546..0000000
--- a/tests/executor/negative_memory_limit.phpt
+++ /dev/null
@@ -1,18 +0,0 @@
---TEST--
-memory_limit test: trying to set memory_limit to a negative value
---SKIPIF--
-
---INI--
-memory_limit=16M
-suhosin.memory_limit=17M
-suhosin.log.syslog=0
-suhosin.log.script=0
-suhosin.log.sapi=2
---FILE--
-
---EXPECTF--
-ALERT - script tried to disable memory_limit by setting it to a negative value -%d bytes which is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
-16M
-
diff --git a/tests/filter/cookie_disallow_nul.phpt b/tests/filter/cookie_disallow_nul.phpt
new file mode 100644
index 0000000..ae05ac6
--- /dev/null
+++ b/tests/filter/cookie_disallow_nul.phpt
@@ -0,0 +1,32 @@
+--TEST--
+suhosin input filter (suhosin.cookie.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.disallow_nul=0
+suhosin.cookie.disallow_nul=1
+--SKIPIF--
+
+--COOKIE--
+var1=xx%001;var2=2;var3=xx%003;var4=4;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/cookie_disallow_ws.phpt b/tests/filter/cookie_disallow_ws.phpt
new file mode 100644
index 0000000..3065b7d
--- /dev/null
+++ b/tests/filter/cookie_disallow_ws.phpt
@@ -0,0 +1,31 @@
+--TEST--
+suhosin input filter (suhosin.cookie.disallow_ws)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.cookie.disallow_ws=1
+--SKIPIF--
+
+--COOKIE--
++var1=1;var2=2;%20var3=3; var4=4;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+ALERT - COOKIE variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - COOKIE variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/cookie_max_array_depth.phpt b/tests/filter/cookie_max_array_depth.phpt
new file mode 100644
index 0000000..327fa36
--- /dev/null
+++ b/tests/filter/cookie_max_array_depth.phpt
@@ -0,0 +1,66 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_array_depth)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.max_array_depth=0
+suhosin.cookie.max_array_depth=4
+--SKIPIF--
+
+--COOKIE--
+var1[]=1;var2[][]=2;var3[][][]=3;var4[][][][]=4;var5[][][][][]=5;var6[][][][][][]=6;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(4) {
+ ["var1"]=>
+ array(1) {
+ [0]=>
+ string(1) "1"
+ }
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ }
+ ["var3"]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ string(1) "3"
+ }
+ }
+ }
+ ["var4"]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ string(1) "4"
+ }
+ }
+ }
+ }
+}
+ALERT - configured COOKIE variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/cookie_max_array_index_length.phpt b/tests/filter/cookie_max_array_index_length.phpt
new file mode 100644
index 0000000..b954e63
--- /dev/null
+++ b/tests/filter/cookie_max_array_index_length.phpt
@@ -0,0 +1,53 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_array_index_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.max_array_index_length=0
+suhosin.cookie.max_array_index_length=3
+--SKIPIF--
+
+--COOKIE--
+var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(3) {
+ ["var1"]=>
+ array(1) {
+ ["AAA"]=>
+ string(1) "1"
+ }
+ ["var3"]=>
+ array(1) {
+ ["AAA"]=>
+ array(1) {
+ ["BBB"]=>
+ string(1) "1"
+ }
+ }
+ ["var5"]=>
+ array(1) {
+ ["AAA"]=>
+ array(1) {
+ ["BBB"]=>
+ array(1) {
+ ["CCC"]=>
+ string(1) "1"
+ }
+ }
+ }
+}
+ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/cookie_max_name_length.phpt b/tests/filter/cookie_max_name_length.phpt
new file mode 100644
index 0000000..38b8558
--- /dev/null
+++ b/tests/filter/cookie_max_name_length.phpt
@@ -0,0 +1,44 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_name_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.max_varname_length=0
+suhosin.cookie.max_name_length=4
+--SKIPIF--
+
+--COOKIE--
+var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(4) {
+ ["var"]=>
+ string(1) "0"
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ ["var3"]=>
+ array(1) {
+ ["xxx"]=>
+ string(1) "3"
+ }
+}
+ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
diff --git a/tests/filter/cookie_max_totalname_length.phpt b/tests/filter/cookie_max_totalname_length.phpt
new file mode 100644
index 0000000..b9324fc
--- /dev/null
+++ b/tests/filter/cookie_max_totalname_length.phpt
@@ -0,0 +1,45 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_totalname_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.max_totalname_length=0
+suhosin.cookie.max_totalname_length=7
+--SKIPIF--
+
+--COOKIE--
+var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(5) {
+ ["var"]=>
+ string(1) "0"
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ ["var04"]=>
+ string(1) "4"
+ ["var05"]=>
+ array(1) {
+ [0]=>
+ string(1) "5"
+ }
+}
+ALERT - configured COOKIE variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
diff --git a/tests/filter/cookie_max_value_length.phpt b/tests/filter/cookie_max_value_length.phpt
new file mode 100644
index 0000000..d691c9e
--- /dev/null
+++ b/tests/filter/cookie_max_value_length.phpt
@@ -0,0 +1,36 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_value_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.max_value_length=0
+suhosin.cookie.max_value_length=3
+--SKIPIF--
+
+--COOKIE--
+var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(3) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(2) "22"
+ ["var3"]=>
+ string(3) "333"
+}
+ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
diff --git a/tests/filter/cookie_max_vars.phpt b/tests/filter/cookie_max_vars.phpt
new file mode 100644
index 0000000..fed391e
--- /dev/null
+++ b/tests/filter/cookie_max_vars.phpt
@@ -0,0 +1,30 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_vars)
+--SKIPIF--
+
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.cookie.max_vars=3
+--COOKIE--
+a=1; b=2; c=3; d=4
+--FILE--
+
+--EXPECTF--
+array(3) {
+ ["a"]=>
+ string(1) "1"
+ ["b"]=>
+ string(1) "2"
+ ["c"]=>
+ string(1) "3"
+}
+ALERT - configured COOKIE variable limit exceeded - dropped variable 'd' - all further COOKIE variables are dropped (attacker '%s', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 0 in POST, 1 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/get_allow_ws.phpt b/tests/filter/get_allow_ws.phpt
new file mode 100644
index 0000000..2a0445c
--- /dev/null
+++ b/tests/filter/get_allow_ws.phpt
@@ -0,0 +1,56 @@
+--TEST--
+suhosin input filter (allow whitespace)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.disallow_ws=0
+suhosin.get.disallow_ws=0
+suhosin.post.disallow_ws=0
+suhosin.cookie.disallow_ws=0
+--SKIPIF--
+
+--COOKIE--
++var1=1;var2=2;%20var3=3; var4=4;
+--GET--
++var1=1&var2=2&%20var3=3& var4=4&
+--POST--
++var1=1&var2=2&%20var3=3& var4=4&
+--FILE--
+
+--EXPECTF--
+array(4) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(1) "2"
+ ["var3"]=>
+ string(1) "3"
+ ["var4"]=>
+ string(1) "4"
+}
+array(4) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(1) "2"
+ ["var3"]=>
+ string(1) "3"
+ ["var4"]=>
+ string(1) "4"
+}
+array(4) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(1) "2"
+ ["var3"]=>
+ string(1) "3"
+ ["var4"]=>
+ string(1) "4"
+}
\ No newline at end of file
diff --git a/tests/filter/get_disallow_nul.phpt b/tests/filter/get_disallow_nul.phpt
new file mode 100644
index 0000000..5a5b506
--- /dev/null
+++ b/tests/filter/get_disallow_nul.phpt
@@ -0,0 +1,32 @@
+--TEST--
+suhosin input filter (suhosin.get.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.disallow_nul=0
+suhosin.get.disallow_nul=1
+--SKIPIF--
+
+--COOKIE--
+--GET--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--POST--
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/get_disallow_ws.phpt b/tests/filter/get_disallow_ws.phpt
new file mode 100644
index 0000000..9495486
--- /dev/null
+++ b/tests/filter/get_disallow_ws.phpt
@@ -0,0 +1,30 @@
+--TEST--
+suhosin input filter (suhosin.get.disallow_ws)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.get.disallow_ws=1
+--SKIPIF--
+
+--COOKIE--
+--GET--
++var1=1&var2=2&%20var3=3& var4=4&
+--POST--
+--FILE--
+
+--EXPECTF--
+array(1) {
+ ["var2"]=>
+ string(1) "2"
+}
+ALERT - GET variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - GET variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - GET variable name begins with disallowed whitespace - dropped variable ' var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/get_filter_allow_ws.phpt b/tests/filter/get_filter_allow_ws.phpt
deleted file mode 100644
index 2a0445c..0000000
--- a/tests/filter/get_filter_allow_ws.phpt
+++ /dev/null
@@ -1,56 +0,0 @@
---TEST--
-suhosin input filter (allow whitespace)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.stdout=255
-suhosin.log.script=0
-suhosin.request.disallow_ws=0
-suhosin.get.disallow_ws=0
-suhosin.post.disallow_ws=0
-suhosin.cookie.disallow_ws=0
---SKIPIF--
-
---COOKIE--
-+var1=1;var2=2;%20var3=3; var4=4;
---GET--
-+var1=1&var2=2&%20var3=3& var4=4&
---POST--
-+var1=1&var2=2&%20var3=3& var4=4&
---FILE--
-
---EXPECTF--
-array(4) {
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- string(1) "2"
- ["var3"]=>
- string(1) "3"
- ["var4"]=>
- string(1) "4"
-}
-array(4) {
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- string(1) "2"
- ["var3"]=>
- string(1) "3"
- ["var4"]=>
- string(1) "4"
-}
-array(4) {
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- string(1) "2"
- ["var3"]=>
- string(1) "3"
- ["var4"]=>
- string(1) "4"
-}
\ No newline at end of file
diff --git a/tests/filter/get_filter_cookie_disallow_ws.phpt b/tests/filter/get_filter_cookie_disallow_ws.phpt
deleted file mode 100644
index 3065b7d..0000000
--- a/tests/filter/get_filter_cookie_disallow_ws.phpt
+++ /dev/null
@@ -1,31 +0,0 @@
---TEST--
-suhosin input filter (suhosin.cookie.disallow_ws)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.cookie.disallow_ws=1
---SKIPIF--
-
---COOKIE--
-+var1=1;var2=2;%20var3=3; var4=4;
---GET--
---POST--
---FILE--
-
---EXPECTF--
-array(2) {
- ["var2"]=>
- string(1) "2"
- ["var4"]=>
- string(1) "4"
-}
-ALERT - COOKIE variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - COOKIE variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/get_filter_get_disallow_ws.phpt b/tests/filter/get_filter_get_disallow_ws.phpt
deleted file mode 100644
index 9495486..0000000
--- a/tests/filter/get_filter_get_disallow_ws.phpt
+++ /dev/null
@@ -1,30 +0,0 @@
---TEST--
-suhosin input filter (suhosin.get.disallow_ws)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.get.disallow_ws=1
---SKIPIF--
-
---COOKIE--
---GET--
-+var1=1&var2=2&%20var3=3& var4=4&
---POST--
---FILE--
-
---EXPECTF--
-array(1) {
- ["var2"]=>
- string(1) "2"
-}
-ALERT - GET variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - GET variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - GET variable name begins with disallowed whitespace - dropped variable ' var4' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/get_filter_post_disallow_ws.phpt b/tests/filter/get_filter_post_disallow_ws.phpt
deleted file mode 100644
index 003afa5..0000000
--- a/tests/filter/get_filter_post_disallow_ws.phpt
+++ /dev/null
@@ -1,30 +0,0 @@
---TEST--
-suhosin input filter (suhosin.post.disallow_ws)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.post.disallow_ws=1
---SKIPIF--
-
---COOKIE--
---GET--
---POST--
-+var1=1&var2=2&%20var3=3& var4=4&
---FILE--
-
---EXPECTF--
-array(1) {
- ["var2"]=>
- string(1) "2"
-}
-ALERT - POST variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - POST variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - POST variable name begins with disallowed whitespace - dropped variable ' var4' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/get_filter_request_disallow_ws.phpt b/tests/filter/get_filter_request_disallow_ws.phpt
deleted file mode 100644
index fe69e78..0000000
--- a/tests/filter/get_filter_request_disallow_ws.phpt
+++ /dev/null
@@ -1,30 +0,0 @@
---TEST--
-suhosin input filter (suhosin.request.disallow_ws)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.disallow_ws=1
---SKIPIF--
-
---COOKIE--
---GET--
-+var1=1&var2=2&%20var3=3& var4=4&
---POST--
---FILE--
-
---EXPECTF--
-array(1) {
- ["var2"]=>
- string(1) "2"
-}
-ALERT - request variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - request variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - request variable name begins with disallowed whitespace - dropped variable ' var4' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/get_max_array_depth.phpt b/tests/filter/get_max_array_depth.phpt
new file mode 100644
index 0000000..99fb666
--- /dev/null
+++ b/tests/filter/get_max_array_depth.phpt
@@ -0,0 +1,66 @@
+--TEST--
+suhosin input filter (suhosin.get.max_array_depth)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.max_array_depth=0
+suhosin.get.max_array_depth=4
+--SKIPIF--
+
+--COOKIE--
+--GET--
+var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6&
+--POST--
+--FILE--
+
+--EXPECTF--
+array(4) {
+ ["var1"]=>
+ array(1) {
+ [0]=>
+ string(1) "1"
+ }
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ }
+ ["var3"]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ string(1) "3"
+ }
+ }
+ }
+ ["var4"]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ string(1) "4"
+ }
+ }
+ }
+ }
+}
+ALERT - configured GET variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/get_max_array_index_length.phpt b/tests/filter/get_max_array_index_length.phpt
new file mode 100644
index 0000000..54bf610
--- /dev/null
+++ b/tests/filter/get_max_array_index_length.phpt
@@ -0,0 +1,53 @@ +--TEST-- +suhosin input filter (suhosin.get.max_array_index_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_array_index_length=0 +suhosin.get.max_array_index_length=3 +--SKIPIF-- + +--COOKIE-- +--GET-- +var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1 +--POST-- +--FILE-- + +--EXPECTF-- +array(3) { + ["var1"]=> + array(1) { + ["AAA"]=> + string(1) "1" + } + ["var3"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + string(1) "1" + } + } + ["var5"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + array(1) { + ["CCC"]=> + string(1) "1" + } + } + } +} +ALERT - configured GET variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured GET variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured GET variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file diff --git a/tests/filter/get_max_name_length.phpt b/tests/filter/get_max_name_length.phpt new file mode 100644 index 0000000..76ca5f6 --- /dev/null +++ b/tests/filter/get_max_name_length.phpt 
@@ -0,0 +1,44 @@ +--TEST-- +suhosin input filter (suhosin.get.max_name_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_varname_length=0 +suhosin.get.max_name_length=4 +--SKIPIF-- + +--COOKIE-- +--GET-- +var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6& +--POST-- +--FILE-- + +--EXPECTF-- +array(4) { + ["var"]=> + string(1) "0" + ["var1"]=> + string(1) "1" + ["var2"]=> + array(1) { + [0]=> + string(1) "2" + } + ["var3"]=> + array(1) { + ["xxx"]=> + string(1) "3" + } +} +ALERT - configured GET variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured GET variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured GET variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') + diff --git a/tests/filter/get_max_totalname_length.phpt b/tests/filter/get_max_totalname_length.phpt new file mode 100644 index 0000000..675708d --- /dev/null +++ b/tests/filter/get_max_totalname_length.phpt 
@@ -0,0 +1,45 @@ +--TEST-- +suhosin input filter (suhosin.get.max_totalname_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_totalname_length=0 +suhosin.get.max_totalname_length=7 +--SKIPIF-- + +--COOKIE-- +--GET-- +var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6& +--POST-- +--FILE-- + +--EXPECTF-- +array(5) { + ["var"]=> + string(1) "0" + ["var1"]=> + string(1) "1" + ["var2"]=> + array(1) { + [0]=> + string(1) "2" + } + ["var04"]=> + string(1) "4" + ["var05"]=> + array(1) { + [0]=> + string(1) "5" + } +} +ALERT - configured GET variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured GET variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') + diff --git a/tests/filter/get_max_value_length.phpt b/tests/filter/get_max_value_length.phpt new file mode 100644 index 0000000..3fa0cb7 --- /dev/null +++ b/tests/filter/get_max_value_length.phpt 
@@ -0,0 +1,36 @@ +--TEST-- +suhosin input filter (suhosin.get.max_value_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_value_length=0 +suhosin.get.max_value_length=3 +--SKIPIF-- + +--COOKIE-- +--GET-- +var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666& +--POST-- +--FILE-- + +--EXPECTF-- +array(3) { + ["var1"]=> + string(1) "1" + ["var2"]=> + string(2) "22" + ["var3"]=> + string(3) "333" +} +ALERT - configured GET variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured GET variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured GET variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') + diff --git a/tests/filter/input_filter_cookie_disallow_nul.phpt b/tests/filter/input_filter_cookie_disallow_nul.phpt deleted file mode 100644 index ae05ac6..0000000 --- a/tests/filter/input_filter_cookie_disallow_nul.phpt +++ /dev/null 
@@ -1,32 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.cookie.disallow_nul) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.disallow_nul=0 -suhosin.cookie.disallow_nul=1 ---SKIPIF-- - ---COOKIE-- -var1=xx%001;var2=2;var3=xx%003;var4=4; ---GET-- ---POST-- ---FILE-- - ---EXPECTF-- -array(2) { - ["var2"]=> - string(1) "2" - ["var4"]=> - string(1) "4" -} -ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/input_filter_cookie_max_array_depth.phpt b/tests/filter/input_filter_cookie_max_array_depth.phpt deleted file mode 100644 index 327fa36..0000000 --- a/tests/filter/input_filter_cookie_max_array_depth.phpt +++ /dev/null 
@@ -1,66 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.cookie.max_array_depth) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_array_depth=0 -suhosin.cookie.max_array_depth=4 ---SKIPIF-- - ---COOKIE-- -var1[]=1;var2[][]=2;var3[][][]=3;var4[][][][]=4;var5[][][][][]=5;var6[][][][][][]=6; ---GET-- ---POST-- ---FILE-- - ---EXPECTF-- -array(4) { - ["var1"]=> - array(1) { - [0]=> - string(1) "1" - } - ["var2"]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "2" - } - } - ["var3"]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "3" - } - } - } - ["var4"]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "4" - } - } - } - } -} -ALERT - configured COOKIE variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured COOKIE variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/input_filter_cookie_max_array_index_length.phpt b/tests/filter/input_filter_cookie_max_array_index_length.phpt deleted file mode 100644 index b954e63..0000000 --- a/tests/filter/input_filter_cookie_max_array_index_length.phpt +++ /dev/null 
@@ -1,53 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.cookie.max_array_index_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_array_index_length=0 -suhosin.cookie.max_array_index_length=3 ---SKIPIF-- - ---COOKIE-- -var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1; ---GET-- ---POST-- ---FILE-- - ---EXPECTF-- -array(3) { - ["var1"]=> - array(1) { - ["AAA"]=> - string(1) "1" - } - ["var3"]=> - array(1) { - ["AAA"]=> - array(1) { - ["BBB"]=> - string(1) "1" - } - } - ["var5"]=> - array(1) { - ["AAA"]=> - array(1) { - ["BBB"]=> - array(1) { - ["CCC"]=> - string(1) "1" - } - } - } -} -ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file diff --git a/tests/filter/input_filter_cookie_max_name_length.phpt b/tests/filter/input_filter_cookie_max_name_length.phpt deleted file mode 100644 index 38b8558..0000000 --- a/tests/filter/input_filter_cookie_max_name_length.phpt +++ /dev/null 
@@ -1,44 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.cookie.max_name_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_varname_length=0 -suhosin.cookie.max_name_length=4 ---SKIPIF-- - ---COOKIE-- -var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6; ---GET-- ---POST-- ---FILE-- - ---EXPECTF-- -array(4) { - ["var"]=> - string(1) "0" - ["var1"]=> - string(1) "1" - ["var2"]=> - array(1) { - [0]=> - string(1) "2" - } - ["var3"]=> - array(1) { - ["xxx"]=> - string(1) "3" - } -} -ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') - diff --git a/tests/filter/input_filter_cookie_max_totalname_length.phpt b/tests/filter/input_filter_cookie_max_totalname_length.phpt deleted file mode 100644 index b9324fc..0000000 --- a/tests/filter/input_filter_cookie_max_totalname_length.phpt +++ /dev/null 
@@ -1,45 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.cookie.max_totalname_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_totalname_length=0 -suhosin.cookie.max_totalname_length=7 ---SKIPIF-- - ---COOKIE-- -var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6; ---GET-- ---POST-- ---FILE-- - ---EXPECTF-- -array(5) { - ["var"]=> - string(1) "0" - ["var1"]=> - string(1) "1" - ["var2"]=> - array(1) { - [0]=> - string(1) "2" - } - ["var04"]=> - string(1) "4" - ["var05"]=> - array(1) { - [0]=> - string(1) "5" - } -} -ALERT - configured COOKIE variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured COOKIE variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') - diff --git a/tests/filter/input_filter_cookie_max_value_length.phpt b/tests/filter/input_filter_cookie_max_value_length.phpt deleted file mode 100644 index d691c9e..0000000 --- a/tests/filter/input_filter_cookie_max_value_length.phpt +++ /dev/null 
@@ -1,36 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.cookie.max_value_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_value_length=0 -suhosin.cookie.max_value_length=3 ---SKIPIF-- - ---COOKIE-- -var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666; ---GET-- ---POST-- ---FILE-- - ---EXPECTF-- -array(3) { - ["var1"]=> - string(1) "1" - ["var2"]=> - string(2) "22" - ["var3"]=> - string(3) "333" -} -ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') - diff --git a/tests/filter/input_filter_cookie_max_vars.phpt b/tests/filter/input_filter_cookie_max_vars.phpt deleted file mode 100644 index fed391e..0000000 --- a/tests/filter/input_filter_cookie_max_vars.phpt +++ /dev/null 
@@ -1,30 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.cookie.max_vars) ---SKIPIF-- - ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.cookie.max_vars=3 ---COOKIE-- -a=1; b=2; c=3; d=4 ---FILE-- - ---EXPECTF-- -array(3) { - ["a"]=> - string(1) "1" - ["b"]=> - string(1) "2" - ["c"]=> - string(1) "3" -} -ALERT - configured COOKIE variable limit exceeded - dropped variable 'd' - all further COOKIE variables are dropped (attacker '%s', file '%s') -ALERT - dropped 1 request variables - (0 in GET, 0 in POST, 1 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/input_filter_get_disallow_nul.phpt b/tests/filter/input_filter_get_disallow_nul.phpt deleted file mode 100644 index 5a5b506..0000000 --- a/tests/filter/input_filter_get_disallow_nul.phpt +++ /dev/null @@ -1,32 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.get.disallow_nul) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.disallow_nul=0 -suhosin.get.disallow_nul=1 ---SKIPIF-- - ---COOKIE-- ---GET-- -var1=xx%001&var2=2&var3=xx%003&var4=4& ---POST-- ---FILE-- - ---EXPECTF-- -array(2) { - ["var2"]=> - string(1) "2" - ["var4"]=> - string(1) "4" -} -ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') 
diff --git a/tests/filter/input_filter_get_max_array_depth.phpt b/tests/filter/input_filter_get_max_array_depth.phpt deleted file mode 100644 index 99fb666..0000000 --- a/tests/filter/input_filter_get_max_array_depth.phpt +++ /dev/null @@ -1,66 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.get.max_array_depth) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_array_depth=0 -suhosin.get.max_array_depth=4 ---SKIPIF-- - ---COOKIE-- ---GET-- -var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6& ---POST-- ---FILE-- - ---EXPECTF-- -array(4) { - ["var1"]=> - array(1) { - [0]=> - string(1) "1" - } - ["var2"]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "2" - } - } - ["var3"]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "3" - } - } - } - ["var4"]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "4" - } - } - } - } -} -ALERT - configured GET variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured GET variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/input_filter_get_max_array_index_length.phpt b/tests/filter/input_filter_get_max_array_index_length.phpt deleted file mode 100644 index 54bf610..0000000 --- a/tests/filter/input_filter_get_max_array_index_length.phpt +++ /dev/null 
@@ -1,53 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.get.max_array_index_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_array_index_length=0 -suhosin.get.max_array_index_length=3 ---SKIPIF-- - ---COOKIE-- ---GET-- -var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1 ---POST-- ---FILE-- - ---EXPECTF-- -array(3) { - ["var1"]=> - array(1) { - ["AAA"]=> - string(1) "1" - } - ["var3"]=> - array(1) { - ["AAA"]=> - array(1) { - ["BBB"]=> - string(1) "1" - } - } - ["var5"]=> - array(1) { - ["AAA"]=> - array(1) { - ["BBB"]=> - array(1) { - ["CCC"]=> - string(1) "1" - } - } - } -} -ALERT - configured GET variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured GET variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured GET variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file diff --git a/tests/filter/input_filter_get_max_name_length.phpt b/tests/filter/input_filter_get_max_name_length.phpt deleted file mode 100644 index 76ca5f6..0000000 --- a/tests/filter/input_filter_get_max_name_length.phpt +++ /dev/null 
@@ -1,44 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.get.max_name_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_varname_length=0 -suhosin.get.max_name_length=4 ---SKIPIF-- - ---COOKIE-- ---GET-- -var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6& ---POST-- ---FILE-- - ---EXPECTF-- -array(4) { - ["var"]=> - string(1) "0" - ["var1"]=> - string(1) "1" - ["var2"]=> - array(1) { - [0]=> - string(1) "2" - } - ["var3"]=> - array(1) { - ["xxx"]=> - string(1) "3" - } -} -ALERT - configured GET variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured GET variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured GET variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') - diff --git a/tests/filter/input_filter_get_max_totalname_length.phpt b/tests/filter/input_filter_get_max_totalname_length.phpt deleted file mode 100644 index 675708d..0000000 --- a/tests/filter/input_filter_get_max_totalname_length.phpt +++ /dev/null 
@@ -1,45 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.get.max_totalname_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_totalname_length=0 -suhosin.get.max_totalname_length=7 ---SKIPIF-- - ---COOKIE-- ---GET-- -var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6& ---POST-- ---FILE-- - ---EXPECTF-- -array(5) { - ["var"]=> - string(1) "0" - ["var1"]=> - string(1) "1" - ["var2"]=> - array(1) { - [0]=> - string(1) "2" - } - ["var04"]=> - string(1) "4" - ["var05"]=> - array(1) { - [0]=> - string(1) "5" - } -} -ALERT - configured GET variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured GET variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') - diff --git a/tests/filter/input_filter_get_max_value_length.phpt b/tests/filter/input_filter_get_max_value_length.phpt deleted file mode 100644 index 3fa0cb7..0000000 --- a/tests/filter/input_filter_get_max_value_length.phpt +++ /dev/null 
@@ -1,36 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.get.max_value_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_value_length=0 -suhosin.get.max_value_length=3 ---SKIPIF-- - ---COOKIE-- ---GET-- -var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666& ---POST-- ---FILE-- - ---EXPECTF-- -array(3) { - ["var1"]=> - string(1) "1" - ["var2"]=> - string(2) "22" - ["var3"]=> - string(3) "333" -} -ALERT - configured GET variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured GET variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured GET variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') - diff --git a/tests/filter/input_filter_post_disallow_nul.phpt b/tests/filter/input_filter_post_disallow_nul.phpt deleted file mode 100644 index 99462b8..0000000 --- a/tests/filter/input_filter_post_disallow_nul.phpt +++ /dev/null 
@@ -1,32 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.post.disallow_nul) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.disallow_nul=0 -suhosin.post.disallow_nul=1 ---SKIPIF-- - ---COOKIE-- ---GET-- ---POST-- -var1=xx%001&var2=2&var3=xx%003&var4=4& ---FILE-- - ---EXPECTF-- -array(2) { - ["var2"]=> - string(1) "2" - ["var4"]=> - string(1) "4" -} -ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/input_filter_post_disallow_nul_rfc1867.phpt b/tests/filter/input_filter_post_disallow_nul_rfc1867.phpt deleted file mode 100644 index 21fba1f..0000000 Binary files a/tests/filter/input_filter_post_disallow_nul_rfc1867.phpt and /dev/null differ diff --git a/tests/filter/input_filter_post_max_array_depth.phpt b/tests/filter/input_filter_post_max_array_depth.phpt deleted file mode 100644 index 5bf8858..0000000 --- a/tests/filter/input_filter_post_max_array_depth.phpt +++ /dev/null 
@@ -1,66 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.post.max_array_depth) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_array_depth=0 -suhosin.post.max_array_depth=4 ---SKIPIF-- - ---COOKIE-- ---GET-- ---POST-- -var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6& ---FILE-- - ---EXPECTF-- -array(4) { - ["var1"]=> - array(1) { - [0]=> - string(1) "1" - } - ["var2"]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "2" - } - } - ["var3"]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "3" - } - } - } - ["var4"]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "4" - } - } - } - } -} -ALERT - configured POST variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured POST variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/input_filter_post_max_array_depth_rfc1867.phpt b/tests/filter/input_filter_post_max_array_depth_rfc1867.phpt deleted file mode 100644 index b2eab71..0000000 --- a/tests/filter/input_filter_post_max_array_depth_rfc1867.phpt +++ /dev/null 
@@ -1,91 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.post.max_array_depth - RFC1867 version) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_array_depth=0 -suhosin.post.max_array_depth=4 ---SKIPIF-- - ---COOKIE-- ---GET-- ---POST_RAW-- -Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var1[]" - -1 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var2[][]" - -2 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var3[][][]" - -3 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var4[][][][]" - -4 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var5[][][][][]" - -5 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var6[][][][][][]" - -6 ------------------------------20896060251896012921717172737-- ---FILE-- - ---EXPECTF-- -array(4) { - ["var1"]=> - array(1) { - [0]=> - string(1) "1" - } - ["var2"]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "2" - } - } - ["var3"]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "3" - } - } - } - ["var4"]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - array(1) { - [0]=> - string(1) "4" - } - } - } - } -} -ALERT - configured POST variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured POST variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - 
dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/input_filter_post_max_array_index_length.phpt b/tests/filter/input_filter_post_max_array_index_length.phpt deleted file mode 100644 index 285b30e..0000000 --- a/tests/filter/input_filter_post_max_array_index_length.phpt +++ /dev/null @@ -1,53 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.post.max_array_index_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_array_index_length=0 -suhosin.post.max_array_index_length=3 ---SKIPIF-- - ---COOKIE-- ---GET-- ---POST-- -var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1 ---FILE-- - ---EXPECTF-- -array(3) { - ["var1"]=> - array(1) { - ["AAA"]=> - string(1) "1" - } - ["var3"]=> - array(1) { - ["AAA"]=> - array(1) { - ["BBB"]=> - string(1) "1" - } - } - ["var5"]=> - array(1) { - ["AAA"]=> - array(1) { - ["BBB"]=> - array(1) { - ["CCC"]=> - string(1) "1" - } - } - } -} -ALERT - configured POST variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured POST variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured POST variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file diff --git a/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt b/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt deleted file mode 100644 index a3a19fa..0000000 
--- a/tests/filter/input_filter_post_max_array_index_length_rfc1867.phpt
+++ /dev/null
@@ -1,80 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.post.max_array_index_length - RFC1867 version) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_array_index_length=0 -suhosin.post.max_array_index_length=3 ---SKIPIF-- - ---COOKIE-- ---GET-- ---POST-- -var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1 ---POST_RAW-- -Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var1[AAA]" - -1 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var2[BBBB]" - -1 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var3[AAA][BBB]" - -1 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var4[AAA][BBBB]" - -1 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var5[AAA][BBB][CCC]" - -1 ------------------------------20896060251896012921717172737 -Content-Disposition: form-data; name="var6[AAA][BBBB][CCC]" - -1 ------------------------------20896060251896012921717172737-- ---FILE-- - ---EXPECTF-- -array(3) { - ["var1"]=> - array(1) { - ["AAA"]=> - string(1) "1" - } - ["var3"]=> - array(1) { - ["AAA"]=> - array(1) { - ["BBB"]=> - string(1) "1" - } - } - ["var5"]=> - array(1) { - ["AAA"]=> - array(1) { - ["BBB"]=> - array(1) { - ["CCC"]=> - string(1) "1" - } - } - } -} -ALERT - configured POST variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured POST variable array index length limit exceeded - dropped variable 
'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured POST variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file diff --git a/tests/filter/input_filter_post_max_name_length.phpt b/tests/filter/input_filter_post_max_name_length.phpt deleted file mode 100644 index cf7b35d..0000000 --- a/tests/filter/input_filter_post_max_name_length.phpt +++ /dev/null @@ -1,44 +0,0 @@ ---TEST-- -suhosin input filter (suhosin.post.max_name_length) ---INI-- -suhosin.log.syslog=0 -suhosin.log.sapi=0 -suhosin.log.script=0 -suhosin.log.file=255 -suhosin.log.file.time=0 -suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp -auto_append_file={PWD}/suhosintest.$$.log.tmp -suhosin.request.max_varname_length=0 -suhosin.post.max_name_length=4 ---SKIPIF-- - ---COOKIE-- ---GET-- ---POST-- -var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6& ---FILE-- - ---EXPECTF-- -array(4) { - ["var"]=> - string(1) "0" - ["var1"]=> - string(1) "1" - ["var2"]=> - array(1) { - [0]=> - string(1) "2" - } - ["var3"]=> - array(1) { - ["xxx"]=> - string(1) "3" - } -} -ALERT - configured POST variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured POST variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - configured POST variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') -ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') - diff --git a/tests/filter/input_filter_post_max_name_length_rfc1867.phpt b/tests/filter/input_filter_post_max_name_length_rfc1867.phpt deleted file mode 100644 index 4ad072c..0000000 
--- a/tests/filter/input_filter_post_max_name_length_rfc1867.phpt
+++ /dev/null
@@ -1,73 +0,0 @@
---TEST--
-suhosin input filter (suhosin.post.max_name_length - RFC1867 version)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.max_varname_length=0
-suhosin.post.max_name_length=4
---SKIPIF--
-
---COOKIE--
---GET--
---POST_RAW--
-Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var"
-
-0
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var1"
-
-1
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var2[]"
-
-2
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var3[xxx]"
-
-3
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var04"
-
-4
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var05[]"
-
-5
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var06[xxx]"
-
-6
------------------------------20896060251896012921717172737--
---FILE--
-
---EXPECTF--
-array(4) {
- ["var"]=>
- string(1) "0"
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- ["var3"]=>
- array(1) {
- ["xxx"]=>
- string(1) "3"
- }
-}
-ALERT - configured POST variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured POST variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured POST variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
-
diff --git a/tests/filter/input_filter_post_max_totalname_length.phpt b/tests/filter/input_filter_post_max_totalname_length.phpt
deleted file mode 100644
index 1fef2bb..0000000
--- a/tests/filter/input_filter_post_max_totalname_length.phpt
+++ /dev/null
@@ -1,44 +0,0 @@
---TEST--
-suhosin input filter (suhosin.post.max_totalname_length)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.max_totalname_length=0
-suhosin.post.max_totalname_length=7
---SKIPIF--
-
---COOKIE--
---GET--
---POST--
-var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
---FILE--
-
---EXPECTF--
-array(5) {
- ["var"]=>
- string(1) "0"
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- ["var04"]=>
- string(1) "4"
- ["var05"]=>
- array(1) {
- [0]=>
- string(1) "5"
- }
-}
-ALERT - configured POST variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured POST variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt b/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt
deleted file mode 100644
index f8fa6db..0000000
--- a/tests/filter/input_filter_post_max_totalname_length_rfc1867.phpt
+++ /dev/null
@@ -1,73 +0,0 @@
---TEST--
-suhosin input filter (suhosin.post.max_totalname_length - RFC1867 version)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.max_totalname_length=0
-suhosin.post.max_totalname_length=7
---SKIPIF--
-
---COOKIE--
---GET--
---POST_RAW--
-Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var"
-
-0
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var1"
-
-1
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var2[]"
-
-2
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var3[xxx]"
-
-3
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var04"
-
-4
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var05[]"
-
-5
------------------------------20896060251896012921717172737
-Content-Disposition: form-data; name="var06[xxx]"
-
-6
------------------------------20896060251896012921717172737--
---FILE--
-
---EXPECTF--
-array(5) {
- ["var"]=>
- string(1) "0"
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- ["var04"]=>
- string(1) "4"
- ["var05"]=>
- array(1) {
- [0]=>
- string(1) "5"
- }
-}
-ALERT - configured POST variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured POST variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_post_max_value_length.phpt b/tests/filter/input_filter_post_max_value_length.phpt
deleted file mode 100644
index 7c5493f..0000000
--- a/tests/filter/input_filter_post_max_value_length.phpt
+++ /dev/null
@@ -1,36 +0,0 @@
---TEST--
-suhosin input filter (suhosin.post.max_value_length)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.max_value_length=0
-suhosin.post.max_value_length=3
---SKIPIF--
-
---COOKIE--
---GET--
---POST--
-var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
---FILE--
-
---EXPECTF--
-array(3) {
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- string(2) "22"
- ["var3"]=>
- string(3) "333"
-}
-ALERT - configured POST variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured POST variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured POST variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
-
diff --git a/tests/filter/input_filter_post_max_value_length_rfc1867.phpt b/tests/filter/input_filter_post_max_value_length_rfc1867.phpt
deleted file mode 100644
index a788dfd..0000000
Binary files a/tests/filter/input_filter_post_max_value_length_rfc1867.phpt and /dev/null differ
diff --git a/tests/filter/input_filter_request_array_index_blacklist.phpt b/tests/filter/input_filter_request_array_index_blacklist.phpt
deleted file mode 100644
index d85c2e9..0000000
--- a/tests/filter/input_filter_request_array_index_blacklist.phpt
+++ /dev/null
@@ -1,56 +0,0 @@
---TEST--
-suhosin input filter (suhosin.request.array_index_blacklist)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.array_index_blacklist="=ABC%{}\\$;"
---SKIPIF--
-
---COOKIE--
-var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
---GET--
-var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
---POST--
-var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
---FILE--
-
---EXPECTF--
-string(10) "=ABC%{}\$;"
-array(1) {
- ["var1"]=>
- array(1) {
- ["aaa"]=>
- string(1) "1"
- }
-}
-array(1) {
- ["var1"]=>
- array(1) {
- ["aaa"]=>
- string(1) "1"
- }
-}
-array(1) {
- ["var1"]=>
- array(1) {
- ["aaa"]=>
- string(1) "1"
- }
-}
-ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_array_index_whitelist.phpt b/tests/filter/input_filter_request_array_index_whitelist.phpt
deleted file mode 100644
index 131ad42..0000000
--- a/tests/filter/input_filter_request_array_index_whitelist.phpt
+++ /dev/null
@@ -1,54 +0,0 @@
---TEST--
-suhosin input filter (suhosin.request.array_index_whitelist)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
---SKIPIF--
-
---COOKIE--
-var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
---GET--
-var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
---POST--
-var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
---FILE--
-
---EXPECTF--
-array(1) {
- ["var1"]=>
- array(1) {
- ["aaa"]=>
- string(1) "1"
- }
-}
-array(1) {
- ["var1"]=>
- array(1) {
- ["aaa"]=>
- string(1) "1"
- }
-}
-array(1) {
- ["var1"]=>
- array(1) {
- ["aaa"]=>
- string(1) "1"
- }
-}
-ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_disallow_nul.phpt b/tests/filter/input_filter_request_disallow_nul.phpt
deleted file mode 100644
index 0e9636f..0000000
--- a/tests/filter/input_filter_request_disallow_nul.phpt
+++ /dev/null
@@ -1,51 +0,0 @@
---TEST--
-suhosin input filter (suhosin.request.disallow_nul)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.disallow_nul=1
---SKIPIF--
-
---COOKIE--
-var1=xx%001;var2=2;var3=xx%003;var4=4;
---GET--
-var1=xx%001&var2=2&var3=xx%003&var4=4&
---POST--
-var1=xx%001&var2=2&var3=xx%003&var4=4&
---FILE--
-
---EXPECTF--
-array(2) {
- ["var2"]=>
- string(1) "2"
- ["var4"]=>
- string(1) "4"
-}
-array(2) {
- ["var2"]=>
- string(1) "2"
- ["var4"]=>
- string(1) "4"
-}
-array(2) {
- ["var2"]=>
- string(1) "2"
- ["var4"]=>
- string(1) "4"
-}
-ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_max_array_depth.phpt b/tests/filter/input_filter_request_max_array_depth.phpt
deleted file mode 100644
index 0f10afe..0000000
--- a/tests/filter/input_filter_request_max_array_depth.phpt
+++ /dev/null
@@ -1,153 +0,0 @@
---TEST--
-suhosin input filter (suhosin.request.max_array_depth)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.max_array_depth=4
---SKIPIF--
-
---COOKIE--
-var1[]=1;var2[][]=2;var3[][][]=3;var4[][][][]=4;var5[][][][][]=5;var6[][][][][][]=6;
---GET--
-var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6&
---POST--
-var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6&
---FILE--
-
---EXPECTF--
-array(4) {
- ["var1"]=>
- array(1) {
- [0]=>
- string(1) "1"
- }
- ["var2"]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- }
- ["var3"]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- string(1) "3"
- }
- }
- }
- ["var4"]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- string(1) "4"
- }
- }
- }
- }
-}
-array(4) {
- ["var1"]=>
- array(1) {
- [0]=>
- string(1) "1"
- }
- ["var2"]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- }
- ["var3"]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- string(1) "3"
- }
- }
- }
- ["var4"]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- string(1) "4"
- }
- }
- }
- }
-}
-array(4) {
- ["var1"]=>
- array(1) {
- [0]=>
- string(1) "1"
- }
- ["var2"]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- }
- ["var3"]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- string(1) "3"
- }
- }
- }
- ["var4"]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- array(1) {
- [0]=>
- string(1) "4"
- }
- }
- }
- }
-}
-ALERT - configured request variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_max_array_index_length.phpt b/tests/filter/input_filter_request_max_array_index_length.phpt
deleted file mode 100644
index 84b3849..0000000
--- a/tests/filter/input_filter_request_max_array_index_length.phpt
+++ /dev/null
@@ -1,114 +0,0 @@
---TEST--
-suhosin input filter (suhosin.request.max_array_index_length)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.max_array_index_length=3
---SKIPIF--
-
---COOKIE--
-var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1;
---GET--
-var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
---POST--
-var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
---FILE--
-
---EXPECTF--
-array(3) {
- ["var1"]=>
- array(1) {
- ["AAA"]=>
- string(1) "1"
- }
- ["var3"]=>
- array(1) {
- ["AAA"]=>
- array(1) {
- ["BBB"]=>
- string(1) "1"
- }
- }
- ["var5"]=>
- array(1) {
- ["AAA"]=>
- array(1) {
- ["BBB"]=>
- array(1) {
- ["CCC"]=>
- string(1) "1"
- }
- }
- }
-}
-array(3) {
- ["var1"]=>
- array(1) {
- ["AAA"]=>
- string(1) "1"
- }
- ["var3"]=>
- array(1) {
- ["AAA"]=>
- array(1) {
- ["BBB"]=>
- string(1) "1"
- }
- }
- ["var5"]=>
- array(1) {
- ["AAA"]=>
- array(1) {
- ["BBB"]=>
- array(1) {
- ["CCC"]=>
- string(1) "1"
- }
- }
- }
-}
-array(3) {
- ["var1"]=>
- array(1) {
- ["AAA"]=>
- string(1) "1"
- }
- ["var3"]=>
- array(1) {
- ["AAA"]=>
- array(1) {
- ["BBB"]=>
- string(1) "1"
- }
- }
- ["var5"]=>
- array(1) {
- ["AAA"]=>
- array(1) {
- ["BBB"]=>
- array(1) {
- ["CCC"]=>
- string(1) "1"
- }
- }
- }
-}
-ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/input_filter_request_max_name_length.phpt b/tests/filter/input_filter_request_max_name_length.phpt
deleted file mode 100644
index e231447..0000000
--- a/tests/filter/input_filter_request_max_name_length.phpt
+++ /dev/null
@@ -1,85 +0,0 @@
---TEST--
-suhosin input filter (suhosin.request.max_varname_length)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.max_varname_length=4
---SKIPIF--
-
---COOKIE--
-var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
---GET--
-var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
---POST--
-var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
---FILE--
-
---EXPECTF--
-array(4) {
- ["var"]=>
- string(1) "0"
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- ["var3"]=>
- array(1) {
- ["xxx"]=>
- string(1) "3"
- }
-}
-array(4) {
- ["var"]=>
- string(1) "0"
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- ["var3"]=>
- array(1) {
- ["xxx"]=>
- string(1) "3"
- }
-}
-array(4) {
- ["var"]=>
- string(1) "0"
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- ["var3"]=>
- array(1) {
- ["xxx"]=>
- string(1) "3"
- }
-}
-ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
-
diff --git a/tests/filter/input_filter_request_max_totalname_length.phpt b/tests/filter/input_filter_request_max_totalname_length.phpt
deleted file mode 100644
index e4ddd5b..0000000
--- a/tests/filter/input_filter_request_max_totalname_length.phpt
+++ /dev/null
@@ -1,88 +0,0 @@
---TEST--
-suhosin input filter (suhosin.request.max_totalname_length)
---INI--
-suhosin.log.syslog=0
-suhosin.log.sapi=0
-suhosin.log.script=0
-suhosin.log.file=255
-suhosin.log.file.time=0
-suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
-auto_append_file={PWD}/suhosintest.$$.log.tmp
-suhosin.request.max_totalname_length=7
---SKIPIF--
-
---COOKIE--
-var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
---GET--
-var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
---POST--
-var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
---FILE--
-
---EXPECTF--
-array(5) {
- ["var"]=>
- string(1) "0"
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- ["var04"]=>
- string(1) "4"
- ["var05"]=>
- array(1) {
- [0]=>
- string(1) "5"
- }
-}
-array(5) {
- ["var"]=>
- string(1) "0"
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- ["var04"]=>
- string(1) "4"
- ["var05"]=>
- array(1) {
- [0]=>
- string(1) "5"
- }
-}
-array(5) {
- ["var"]=>
- string(1) "0"
- ["var1"]=>
- string(1) "1"
- ["var2"]=>
- array(1) {
- [0]=>
- string(1) "2"
- }
- ["var04"]=>
- string(1) "4"
- ["var05"]=>
- array(1) {
- [0]=>
- string(1) "5"
- }
-}
-ALERT - configured request variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - configured request variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
-ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
-
diff --git a/tests/filter/post_disallow_nul.phpt b/tests/filter/post_disallow_nul.phpt
new file mode 100644
index 0000000..99462b8
--- /dev/null
+++ b/tests/filter/post_disallow_nul.phpt
@@ -0,0 +1,32 @@
+--TEST--
+suhosin input filter (suhosin.post.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.disallow_nul=0
+suhosin.post.disallow_nul=1
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_disallow_nul_rfc1867.phpt b/tests/filter/post_disallow_nul_rfc1867.phpt
new file mode 100644
index 0000000..21fba1f
Binary files /dev/null and b/tests/filter/post_disallow_nul_rfc1867.phpt differ
diff --git a/tests/filter/post_disallow_ws.phpt b/tests/filter/post_disallow_ws.phpt
new file mode 100644
index 0000000..003afa5
--- /dev/null
+++ b/tests/filter/post_disallow_ws.phpt
@@ -0,0 +1,30 @@
+--TEST--
+suhosin input filter (suhosin.post.disallow_ws)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.post.disallow_ws=1
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST--
++var1=1&var2=2&%20var3=3& var4=4&
+--FILE--
+
+--EXPECTF--
+array(1) {
+ ["var2"]=>
+ string(1) "2"
+}
+ALERT - POST variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - POST variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - POST variable name begins with disallowed whitespace - dropped variable ' var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/post_max_array_depth.phpt b/tests/filter/post_max_array_depth.phpt
new file mode 100644
index 0000000..5bf8858
--- /dev/null
+++ b/tests/filter/post_max_array_depth.phpt
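Review bot: The `--INI--` block of tests/filter/post_disallow_ws.phpt sets only `suhosin.post.disallow_ws=1`, whereas the sibling POST tests added in this commit (post_disallow_nul.phpt, post_max_array_depth.phpt, post_max_array_index_length.phpt) also pin the request-wide counterpart to 0. As written, the test relies on the default of the request-level whitespace setting; if that were ever enabled through a default or a shared ini, the dropped variables would presumably be reported with the request-level message rather than the expected `POST variable name begins with disallowed whitespace` lines. Adding `suhosin.request.disallow_ws=0` directly above `suhosin.post.disallow_ws=1` would isolate the POST-specific filter and match the other files. The leading-whitespace cases here are all a space (`+`, `%20`, and a literal space); whether other whitespace bytes such as `%09` are meant to be covered cannot be told from this hunk.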
@@ -0,0 +1,66 @@
+--TEST--
+suhosin input filter (suhosin.post.max_array_depth)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.max_array_depth=0
+suhosin.post.max_array_depth=4
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST--
+var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6&
+--FILE--
+
+--EXPECTF--
+array(4) {
+ ["var1"]=>
+ array(1) {
+ [0]=>
+ string(1) "1"
+ }
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ }
+ ["var3"]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ string(1) "3"
+ }
+ }
+ }
+ ["var4"]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ array(1) {
+ [0]=>
+ string(1) "4"
+ }
+ }
+ }
+ }
+}
+ALERT - configured POST variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_max_array_depth_rfc1867.phpt b/tests/filter/post_max_array_depth_rfc1867.phpt
new file mode 100644
index 0000000..b2eab71
--- /dev/null
+++ b/tests/filter/post_max_array_depth_rfc1867.phpt
@@ -0,0 +1,91 @@ +--TEST-- +suhosin input filter (suhosin.post.max_array_depth - RFC1867 version) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_array_depth=0 +suhosin.post.max_array_depth=4 +--SKIPIF-- + +--COOKIE-- +--GET-- +--POST_RAW-- +Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var1[]" + +1 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var2[][]" + +2 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var3[][][]" + +3 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var4[][][][]" + +4 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var5[][][][][]" + +5 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var6[][][][][][]" + +6 +-----------------------------20896060251896012921717172737-- +--FILE-- + +--EXPECTF-- +array(4) { + ["var1"]=> + array(1) { + [0]=> + string(1) "1" + } + ["var2"]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "2" + } + } + ["var3"]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "3" + } + } + } + ["var4"]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "4" + } + } + } + } +} +ALERT - configured POST variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - 
dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/post_max_array_index_length.phpt b/tests/filter/post_max_array_index_length.phpt new file mode 100644 index 0000000..285b30e --- /dev/null +++ b/tests/filter/post_max_array_index_length.phpt @@ -0,0 +1,53 @@ +--TEST-- +suhosin input filter (suhosin.post.max_array_index_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_array_index_length=0 +suhosin.post.max_array_index_length=3 +--SKIPIF-- + +--COOKIE-- +--GET-- +--POST-- +var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1 +--FILE-- + +--EXPECTF-- +array(3) { + ["var1"]=> + array(1) { + ["AAA"]=> + string(1) "1" + } + ["var3"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + string(1) "1" + } + } + ["var5"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + array(1) { + ["CCC"]=> + string(1) "1" + } + } + } +} +ALERT - configured POST variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file diff --git a/tests/filter/post_max_array_index_length_rfc1867.phpt b/tests/filter/post_max_array_index_length_rfc1867.phpt new file mode 100644 index 0000000..a3a19fa --- /dev/null +++ b/tests/filter/post_max_array_index_length_rfc1867.phpt 
@@ -0,0 +1,80 @@ +--TEST-- +suhosin input filter (suhosin.post.max_array_index_length - RFC1867 version) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_array_index_length=0 +suhosin.post.max_array_index_length=3 +--SKIPIF-- + +--COOKIE-- +--GET-- +--POST-- +var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1 +--POST_RAW-- +Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var1[AAA]" + +1 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var2[BBBB]" + +1 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var3[AAA][BBB]" + +1 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var4[AAA][BBBB]" + +1 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var5[AAA][BBB][CCC]" + +1 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var6[AAA][BBBB][CCC]" + +1 +-----------------------------20896060251896012921717172737-- +--FILE-- + +--EXPECTF-- +array(3) { + ["var1"]=> + array(1) { + ["AAA"]=> + string(1) "1" + } + ["var3"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + string(1) "1" + } + } + ["var5"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + array(1) { + ["CCC"]=> + string(1) "1" + } + } + } +} +ALERT - configured POST variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable array index length limit exceeded - dropped variable 
'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file diff --git a/tests/filter/post_max_name_length.phpt b/tests/filter/post_max_name_length.phpt new file mode 100644 index 0000000..cf7b35d --- /dev/null +++ b/tests/filter/post_max_name_length.phpt @@ -0,0 +1,44 @@ +--TEST-- +suhosin input filter (suhosin.post.max_name_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_varname_length=0 +suhosin.post.max_name_length=4 +--SKIPIF-- + +--COOKIE-- +--GET-- +--POST-- +var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6& +--FILE-- + +--EXPECTF-- +array(4) { + ["var"]=> + string(1) "0" + ["var1"]=> + string(1) "1" + ["var2"]=> + array(1) { + [0]=> + string(1) "2" + } + ["var3"]=> + array(1) { + ["xxx"]=> + string(1) "3" + } +} +ALERT - configured POST variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') + diff --git a/tests/filter/post_max_name_length_rfc1867.phpt b/tests/filter/post_max_name_length_rfc1867.phpt new file mode 100644 index 0000000..4ad072c --- /dev/null +++ b/tests/filter/post_max_name_length_rfc1867.phpt 
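Review bot: post_max_array_index_length_rfc1867.phpt carries both a `--POST--` section and a `--POST_RAW--` section, while the other `_rfc1867` tests in this commit have only `--POST_RAW--`. As far as I know run-tests.php uses `POST_RAW` when it is present and never sends the `--POST--` body, so the urlencoded line is dead input and makes the test look as if it also exercised the urlencoded parser. I would delete the `--POST--` header and the `var1[AAA]=1&var2[BBBB]=1&…` line under it; the urlencoded path is already covered by post_max_array_index_length.phpt.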
@@ -0,0 +1,73 @@ +--TEST-- +suhosin input filter (suhosin.post.max_name_length - RFC1867 version) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_varname_length=0 +suhosin.post.max_name_length=4 +--SKIPIF-- + +--COOKIE-- +--GET-- +--POST_RAW-- +Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var" + +0 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var1" + +1 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var2[]" + +2 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var3[xxx]" + +3 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var04" + +4 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var05[]" + +5 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var06[xxx]" + +6 +-----------------------------20896060251896012921717172737-- +--FILE-- + +--EXPECTF-- +array(4) { + ["var"]=> + string(1) "0" + ["var1"]=> + string(1) "1" + ["var2"]=> + array(1) { + [0]=> + string(1) "2" + } + ["var3"]=> + array(1) { + ["xxx"]=> + string(1) "3" + } +} +ALERT - configured POST variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') 
+ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') + diff --git a/tests/filter/post_max_totalname_length.phpt b/tests/filter/post_max_totalname_length.phpt new file mode 100644 index 0000000..1fef2bb --- /dev/null +++ b/tests/filter/post_max_totalname_length.phpt @@ -0,0 +1,44 @@ +--TEST-- +suhosin input filter (suhosin.post.max_totalname_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_totalname_length=0 +suhosin.post.max_totalname_length=7 +--SKIPIF-- + +--COOKIE-- +--GET-- +--POST-- +var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6& +--FILE-- + +--EXPECTF-- +array(5) { + ["var"]=> + string(1) "0" + ["var1"]=> + string(1) "1" + ["var2"]=> + array(1) { + [0]=> + string(1) "2" + } + ["var04"]=> + string(1) "4" + ["var05"]=> + array(1) { + [0]=> + string(1) "5" + } +} +ALERT - configured POST variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/post_max_totalname_length_rfc1867.phpt b/tests/filter/post_max_totalname_length_rfc1867.phpt new file mode 100644 index 0000000..f8fa6db --- /dev/null +++ b/tests/filter/post_max_totalname_length_rfc1867.phpt 
@@ -0,0 +1,73 @@ +--TEST-- +suhosin input filter (suhosin.post.max_totalname_length - RFC1867 version) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_totalname_length=0 +suhosin.post.max_totalname_length=7 +--SKIPIF-- + +--COOKIE-- +--GET-- +--POST_RAW-- +Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var" + +0 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var1" + +1 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var2[]" + +2 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var3[xxx]" + +3 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var04" + +4 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var05[]" + +5 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="var06[xxx]" + +6 +-----------------------------20896060251896012921717172737-- +--FILE-- + +--EXPECTF-- +array(5) { + ["var"]=> + string(1) "0" + ["var1"]=> + string(1) "1" + ["var2"]=> + array(1) { + [0]=> + string(1) "2" + } + ["var04"]=> + string(1) "4" + ["var05"]=> + array(1) { + [0]=> + string(1) "5" + } +} +ALERT - configured POST variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) 
(attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/post_max_value_length.phpt b/tests/filter/post_max_value_length.phpt new file mode 100644 index 0000000..7c5493f --- /dev/null +++ b/tests/filter/post_max_value_length.phpt @@ -0,0 +1,36 @@ +--TEST-- +suhosin input filter (suhosin.post.max_value_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_value_length=0 +suhosin.post.max_value_length=3 +--SKIPIF-- + +--COOKIE-- +--GET-- +--POST-- +var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666& +--FILE-- + +--EXPECTF-- +array(3) { + ["var1"]=> + string(1) "1" + ["var2"]=> + string(2) "22" + ["var3"]=> + string(3) "333" +} +ALERT - configured POST variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured POST variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') + diff --git a/tests/filter/post_max_value_length_rfc1867.phpt b/tests/filter/post_max_value_length_rfc1867.phpt new file mode 100644 index 0000000..a788dfd Binary files /dev/null and b/tests/filter/post_max_value_length_rfc1867.phpt differ diff --git a/tests/filter/request_array_index_blacklist.phpt b/tests/filter/request_array_index_blacklist.phpt new file mode 100644 index 0000000..d85c2e9 --- /dev/null +++ b/tests/filter/request_array_index_blacklist.phpt 
@@ -0,0 +1,56 @@
+--TEST--
+suhosin input filter (suhosin.request.array_index_blacklist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.array_index_blacklist="=ABC%{}\\$;"
+--SKIPIF--
+
+--COOKIE--
+var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
+--GET--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--POST--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--FILE--
+
+--EXPECTF--
+string(10) "=ABC%{}\$;"
+array(1) {
+ ["var1"]=>
+ array(1) {
+ ["aaa"]=>
+ string(1) "1"
+ }
+}
+array(1) {
+ ["var1"]=>
+ array(1) {
+ ["aaa"]=>
+ string(1) "1"
+ }
+}
+array(1) {
+ ["var1"]=>
+ array(1) {
+ ["aaa"]=>
+ string(1) "1"
+ }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/request_array_index_whitelist.phpt b/tests/filter/request_array_index_whitelist.phpt
new file mode 100644
index 0000000..131ad42
--- /dev/null
+++ b/tests/filter/request_array_index_whitelist.phpt
@@ -0,0 +1,54 @@
+--TEST--
+suhosin input filter (suhosin.request.array_index_whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+
+--COOKIE--
+var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
+--GET--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--POST--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--FILE--
+
+--EXPECTF--
+array(1) {
+ ["var1"]=>
+ array(1) {
+ ["aaa"]=>
+ string(1) "1"
+ }
+}
+array(1) {
+ ["var1"]=>
+ array(1) {
+ ["aaa"]=>
+ string(1) "1"
+ }
+}
+array(1) {
+ ["var1"]=>
+ array(1) {
+ ["aaa"]=>
+ string(1) "1"
+ }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/request_disallow_nul.phpt b/tests/filter/request_disallow_nul.phpt
new file mode 100644
index 0000000..0e9636f
--- /dev/null
+++ b/tests/filter/request_disallow_nul.phpt
@@ -0,0 +1,51 @@
+--TEST--
+suhosin input filter (suhosin.request.disallow_nul)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.disallow_nul=1
+--SKIPIF--
+
+--COOKIE--
+var1=xx%001;var2=2;var3=xx%003;var4=4;
+--GET--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--POST--
+var1=xx%001&var2=2&var3=xx%003&var4=4&
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+array(2) {
+ ["var2"]=>
+ string(1) "2"
+ ["var4"]=>
+ string(1) "4"
+}
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/request_disallow_ws.phpt b/tests/filter/request_disallow_ws.phpt
new file mode 100644
index 0000000..fe69e78
--- /dev/null
+++ b/tests/filter/request_disallow_ws.phpt
@@ -0,0 +1,30 @@
+--TEST--
+suhosin input filter (suhosin.request.disallow_ws)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.disallow_ws=1
+--SKIPIF--
+
+--COOKIE--
+--GET--
++var1=1&var2=2&%20var3=3& var4=4&
+--POST--
+--FILE--
+
+--EXPECTF--
+array(1) {
+ ["var2"]=>
+ string(1) "2"
+}
+ALERT - request variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - request variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - request variable name begins with disallowed whitespace - dropped variable ' var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
\ No newline at end of file
diff --git a/tests/filter/request_max_array_depth.phpt b/tests/filter/request_max_array_depth.phpt
new file mode 100644
index 0000000..0f10afe
--- /dev/null
+++ b/tests/filter/request_max_array_depth.phpt
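Review bot: request_disallow_ws.phpt sends the whitespace-prefixed names only under `--GET--`; `--COOKIE--` and `--POST--` are empty, while the other request_* tests in this commit (request_disallow_nul.phpt, for example) feed the same payload through all three sources and expect `(2 in GET, 2 in POST, 2 in COOKIE)`. With `suhosin.request.disallow_ws=1` as the only filter setting, a regression that stopped applying the request-wide default to POST data would still pass this test. I would add `+var1=1&var2=2&%20var3=3& var4=4&` under `--POST--` as well and extend the expected dump, the ALERT lines and the final count line to match. Cookies may need different input if the cookie parser trims leading whitespace, and the `--FILE--` body is not visible on this page, so both of those are inferred.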
@@ -0,0 +1,153 @@ +--TEST-- +suhosin input filter (suhosin.request.max_array_depth) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_array_depth=4 +--SKIPIF-- + +--COOKIE-- +var1[]=1;var2[][]=2;var3[][][]=3;var4[][][][]=4;var5[][][][][]=5;var6[][][][][][]=6; +--GET-- +var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6& +--POST-- +var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6& +--FILE-- + +--EXPECTF-- +array(4) { + ["var1"]=> + array(1) { + [0]=> + string(1) "1" + } + ["var2"]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "2" + } + } + ["var3"]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "3" + } + } + } + ["var4"]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "4" + } + } + } + } +} +array(4) { + ["var1"]=> + array(1) { + [0]=> + string(1) "1" + } + ["var2"]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "2" + } + } + ["var3"]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "3" + } + } + } + ["var4"]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "4" + } + } + } + } +} +array(4) { + ["var1"]=> + array(1) { + [0]=> + string(1) "1" + } + ["var2"]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "2" + } + } + ["var3"]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "3" + } + } + } + ["var4"]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + array(1) { + [0]=> + string(1) "4" + } + } + } + } +} +ALERT - configured request variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array 
depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') diff --git a/tests/filter/request_max_array_index_length.phpt b/tests/filter/request_max_array_index_length.phpt new file mode 100644 index 0000000..84b3849 --- /dev/null +++ b/tests/filter/request_max_array_index_length.phpt 
@@ -0,0 +1,114 @@ +--TEST-- +suhosin input filter (suhosin.request.max_array_index_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_array_index_length=3 +--SKIPIF-- + +--COOKIE-- +var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1; +--GET-- +var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1 +--POST-- +var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1 +--FILE-- + +--EXPECTF-- +array(3) { + ["var1"]=> + array(1) { + ["AAA"]=> + string(1) "1" + } + ["var3"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + string(1) "1" + } + } + ["var5"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + array(1) { + ["CCC"]=> + string(1) "1" + } + } + } +} +array(3) { + ["var1"]=> + array(1) { + ["AAA"]=> + string(1) "1" + } + ["var3"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + string(1) "1" + } + } + ["var5"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + array(1) { + ["CCC"]=> + string(1) "1" + } + } + } +} +array(3) { + ["var1"]=> + array(1) { + ["AAA"]=> + string(1) "1" + } + ["var3"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + string(1) "1" + } + } + ["var5"]=> + array(1) { + ["AAA"]=> + array(1) { + ["BBB"]=> + array(1) { + ["CCC"]=> + string(1) "1" + } + } + } +} +ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 
'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file diff --git a/tests/filter/request_max_name_length.phpt b/tests/filter/request_max_name_length.phpt new file mode 100644 index 0000000..e231447 --- /dev/null +++ b/tests/filter/request_max_name_length.phpt 
@@ -0,0 +1,85 @@ +--TEST-- +suhosin input filter (suhosin.request.max_varname_length) +--INI-- +suhosin.log.syslog=0 +suhosin.log.sapi=0 +suhosin.log.script=0 +suhosin.log.file=255 +suhosin.log.file.time=0 +suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp +auto_append_file={PWD}/suhosintest.$$.log.tmp +suhosin.request.max_varname_length=4 +--SKIPIF-- + +--COOKIE-- +var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6; +--GET-- +var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6& +--POST-- +var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6& +--FILE-- + +--EXPECTF-- +array(4) { + ["var"]=> + string(1) "0" + ["var1"]=> + string(1) "1" + ["var2"]=> + array(1) { + [0]=> + string(1) "2" + } + ["var3"]=> + array(1) { + ["xxx"]=> + string(1) "3" + } +} +array(4) { + ["var"]=> + string(1) "0" + ["var1"]=> + string(1) "1" + ["var2"]=> + array(1) { + [0]=> + string(1) "2" + } + ["var3"]=> + array(1) { + ["xxx"]=> + string(1) "3" + } +} +array(4) { + ["var"]=> + string(1) "0" + ["var1"]=> + string(1) "1" + ["var2"]=> + array(1) { + [0]=> + string(1) "2" + } + ["var3"]=> + array(1) { + ["xxx"]=> + string(1) "3" + } +} +ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - 
configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s') +ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s') + diff --git a/tests/filter/request_max_totalname_length.phpt b/tests/filter/request_max_totalname_length.phpt new file mode 100644 index 0000000..e4ddd5b --- /dev/null +++ b/tests/filter/request_max_totalname_length.phpt 
@@ -0,0 +1,88 @@
+--TEST--
+suhosin input filter (suhosin.request.max_totalname_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.script=0
+suhosin.log.file=255
+suhosin.log.file.time=0
+suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
+auto_append_file={PWD}/suhosintest.$$.log.tmp
+suhosin.request.max_totalname_length=7
+--SKIPIF--
+
+--COOKIE--
+var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
+--GET--
+var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
+--POST--
+var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
+--FILE--
+
+--EXPECTF--
+array(5) {
+ ["var"]=>
+ string(1) "0"
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ ["var04"]=>
+ string(1) "4"
+ ["var05"]=>
+ array(1) {
+ [0]=>
+ string(1) "5"
+ }
+}
+array(5) {
+ ["var"]=>
+ string(1) "0"
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ ["var04"]=>
+ string(1) "4"
+ ["var05"]=>
+ array(1) {
+ [0]=>
+ string(1) "5"
+ }
+}
+array(5) {
+ ["var"]=>
+ string(1) "0"
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ array(1) {
+ [0]=>
+ string(1) "2"
+ }
+ ["var04"]=>
+ string(1) "4"
+ ["var05"]=>
+ array(1) {
+ [0]=>
+ string(1) "5"
+ }
+}
+ALERT - configured request variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
-- cgit v1.3