From f7ef68966204b2ac1e45f1c7e8c72aae2becc382 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 16 Feb 2014 12:21:44 +0100
Subject: Add tests for suhosin.get/post/cookie/request.max_value_length
---
.../input_filter_cookie_max_value_length.phpt | 33 ++++++++++++
.../filter/input_filter_get_max_value_length.phpt | 33 ++++++++++++
.../filter/input_filter_post_max_value_length.phpt | 33 ++++++++++++
...input_filter_post_max_value_length_rfc1867.phpt | Bin 0 -> 1790 bytes
.../input_filter_request_max_value_length.phpt | 58 +++++++++++++++++++++
5 files changed, 157 insertions(+)
create mode 100644 tests/filter/input_filter_cookie_max_value_length.phpt
create mode 100644 tests/filter/input_filter_get_max_value_length.phpt
create mode 100644 tests/filter/input_filter_post_max_value_length.phpt
create mode 100644 tests/filter/input_filter_post_max_value_length_rfc1867.phpt
create mode 100644 tests/filter/input_filter_request_max_value_length.phpt
(limited to 'tests')
diff --git a/tests/filter/input_filter_cookie_max_value_length.phpt b/tests/filter/input_filter_cookie_max_value_length.phpt
new file mode 100644
index 0000000..fb8b3d8
--- /dev/null
+++ b/tests/filter/input_filter_cookie_max_value_length.phpt
@@ -0,0 +1,33 @@
+--TEST--
+suhosin input filter (suhosin.cookie.max_value_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_value_length=0
+suhosin.cookie.max_value_length=3
+--SKIPIF--
+
+--COOKIE--
+var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
+--GET--
+--POST--
+--FILE--
+
+--EXPECTF--
+array(3) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(2) "22"
+ ["var3"]=>
+ string(3) "333"
+}
+ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
diff --git a/tests/filter/input_filter_get_max_value_length.phpt b/tests/filter/input_filter_get_max_value_length.phpt
new file mode 100644
index 0000000..a5eaf5b
--- /dev/null
+++ b/tests/filter/input_filter_get_max_value_length.phpt
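Review bot: In tests/filter/input_filter_cookie_max_value_length.phpt every over-limit value in `--COOKIE--` is too long both before and after URL decoding (`var5=55%00555` is 8 raw and 6 decoded bytes against a limit of 3), so nothing pins which length `suhosin.cookie.max_value_length` is measured on. A value such as `var7=%33%33%33`, 9 bytes on the wire and 3 once decoded, would settle it, with `--EXPECTF--` updated to whatever the intended outcome is. The GET and POST tests and the request-wide test in this commit reuse the same six values and have the same gap.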
@@ -0,0 +1,33 @@
+--TEST--
+suhosin input filter (suhosin.get.max_value_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_value_length=0
+suhosin.get.max_value_length=3
+--SKIPIF--
+
+--COOKIE--
+--GET--
+var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
+--POST--
+--FILE--
+
+--EXPECTF--
+array(3) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(2) "22"
+ ["var3"]=>
+ string(3) "333"
+}
+ALERT - configured GET variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured GET variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
diff --git a/tests/filter/input_filter_post_max_value_length.phpt b/tests/filter/input_filter_post_max_value_length.phpt
new file mode 100644
index 0000000..b560bde
--- /dev/null
+++ b/tests/filter/input_filter_post_max_value_length.phpt
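Review bot: The `var5=55%00555` case in tests/filter/input_filter_get_max_value_length.phpt carries an embedded NUL, yet `--INI--` leaves Suhosin's NUL filter (`suhosin.get.disallow_nul`) at its default, so if that filter is on by default the expected "value length limit exceeded" alert for var5 depends on the length check running before the NUL check. If that ordering is the property under test, the `--TEST--` description should say so; if not, adding `suhosin.get.disallow_nul=0` to `--INI--` isolates the length check. The cookie, post and request tests in this commit carry the same implicit dependency.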
@@ -0,0 +1,33 @@
+--TEST--
+suhosin input filter (suhosin.post.max_value_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_value_length=0
+suhosin.post.max_value_length=3
+--SKIPIF--
+
+--COOKIE--
+--GET--
+--POST--
+var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
+--FILE--
+
+--EXPECTF--
+array(3) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(2) "22"
+ ["var3"]=>
+ string(3) "333"
+}
+ALERT - configured POST variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured POST variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
diff --git a/tests/filter/input_filter_post_max_value_length_rfc1867.phpt b/tests/filter/input_filter_post_max_value_length_rfc1867.phpt
new file mode 100644
index 0000000..7552255
Binary files /dev/null and b/tests/filter/input_filter_post_max_value_length_rfc1867.phpt differ
diff --git a/tests/filter/input_filter_request_max_value_length.phpt b/tests/filter/input_filter_request_max_value_length.phpt
new file mode 100644
index 0000000..6906fb0
--- /dev/null
+++ b/tests/filter/input_filter_request_max_value_length.phpt
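Review bot: All six inputs in the `--POST--` body of tests/filter/input_filter_post_max_value_length.phpt are flat scalars, so the test does not show whether `suhosin.post.max_value_length` is enforced on array elements. A pair such as `var7[]=1&var7[]=4444`, with the matching expected dump and alert, would cover the nested path. The urlencoded body is the only POST variant reviewable here, since the rfc1867 test is listed as a binary file.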
@@ -0,0 +1,58 @@
+--TEST--
+suhosin input filter (suhosin.request.max_value_length)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.max_value_length=3
+--SKIPIF--
+
+--COOKIE--
+var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
+--GET--
+var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
+--POST--
+var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
+--FILE--
+
+--EXPECTF--
+array(3) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(2) "22"
+ ["var3"]=>
+ string(3) "333"
+}
+array(3) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(2) "22"
+ ["var3"]=>
+ string(3) "333"
+}
+array(3) {
+ ["var1"]=>
+ string(1) "1"
+ ["var2"]=>
+ string(2) "22"
+ ["var3"]=>
+ string(3) "333"
+}
+ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
+
-- cgit v1.3
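Review bot: The `--INI--` section of tests/filter/input_filter_request_max_value_length.phpt sets only `suhosin.request.max_value_length=3` and leaves the get, post and cookie limits at their defaults, while the three per-source tests force the request limit to 0, so no test in this commit runs with both limits active. A case with differing non-zero values, for example `suhosin.request.max_value_length=3` together with `suhosin.get.max_value_length=2`, would pin which limit applies and which alert text is logged. Setting the per-source limits explicitly in this test would also keep the expected "request variable" alerts from depending on defaults.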