summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--config.m46
-rw-r--r--ex_imp.c318
-rw-r--r--ifilter.c15
-rw-r--r--php_suhosin7.h25
-rw-r--r--post_handler.c145
-rw-r--r--rfc1867.c1370
-rw-r--r--suhosin7.c18
-rw-r--r--suhosin_rfc1867.h91
-rw-r--r--tests/filter/cookie_disallow_nul.phpt32
-rw-r--r--tests/filter/cookie_disallow_ws.phpt31
-rw-r--r--tests/filter/cookie_max_array_depth.phpt66
-rw-r--r--tests/filter/cookie_max_array_index_length.phpt53
-rw-r--r--tests/filter/cookie_max_name_length.phpt43
-rw-r--r--tests/filter/cookie_max_totalname_length.phpt44
-rw-r--r--tests/filter/cookie_max_value_length.phpt35
-rw-r--r--tests/filter/cookie_max_vars.phpt30
-rw-r--r--tests/filter/filter_logging_statistics.phpt43
-rw-r--r--tests/filter/get_allow_ws.phpt56
-rw-r--r--tests/filter/get_disallow_nul.phpt32
-rw-r--r--tests/filter/get_disallow_ws.phpt30
-rw-r--r--tests/filter/get_filter_1.phpt45
-rw-r--r--tests/filter/get_filter_2.phpt36
-rw-r--r--tests/filter/get_globals.phpt24
-rw-r--r--tests/filter/get_max_array_depth.phpt66
-rw-r--r--tests/filter/get_max_array_index_length.phpt53
-rw-r--r--tests/filter/get_max_name_length.phpt43
-rw-r--r--tests/filter/get_max_totalname_length.phpt44
-rw-r--r--tests/filter/get_max_value_length.phpt35
-rw-r--r--tests/filter/input_filter_allow_nul.phptbin0 -> 949 bytes
-rw-r--r--tests/filter/input_filter_request_max_value_length.phpt61
-rw-r--r--tests/filter/post_disallow_nul.phpt32
-rw-r--r--tests/filter/post_disallow_nul_rfc1867.phptbin0 -> 1497 bytes
-rw-r--r--tests/filter/post_disallow_ws.phpt31
-rw-r--r--tests/filter/post_fileupload_array_index_blacklist.phpt44
-rw-r--r--tests/filter/post_fileupload_array_index_whitelist.phpt44
-rw-r--r--tests/filter/post_fileupload_filter_1.phpt118
-rw-r--r--tests/filter/post_fileupload_filter_2.phpt67
-rw-r--r--tests/filter/post_filter_1.phpt45
-rw-r--r--tests/filter/post_filter_2.phpt36
-rw-r--r--tests/filter/post_filter_empty_avar.phpt27
-rw-r--r--tests/filter/post_filter_empty_var.phpt24
-rw-r--r--tests/filter/post_max_array_depth.phpt66
-rw-r--r--tests/filter/post_max_array_depth_rfc1867.phpt91
-rw-r--r--tests/filter/post_max_array_index_length.phpt53
-rw-r--r--tests/filter/post_max_array_index_length_rfc1867.phpt80
-rw-r--r--tests/filter/post_max_name_length.phpt43
-rw-r--r--tests/filter/post_max_name_length_rfc1867.phpt72
-rw-r--r--tests/filter/post_max_totalname_length.phpt44
-rw-r--r--tests/filter/post_max_totalname_length_rfc1867.phpt73
-rw-r--r--tests/filter/post_max_value_length.phpt36
-rw-r--r--tests/filter/post_max_value_length_rfc1867.phptbin0 -> 1895 bytes
-rw-r--r--tests/filter/request_array_index_blacklist.phpt56
-rw-r--r--tests/filter/request_array_index_whitelist.phpt54
-rw-r--r--tests/filter/request_disallow_nul.phpt51
-rw-r--r--tests/filter/request_disallow_ws.phpt30
-rw-r--r--tests/filter/request_max_array_depth.phpt153
-rw-r--r--tests/filter/request_max_array_index_length.phpt114
-rw-r--r--tests/filter/request_max_name_length.phpt85
-rw-r--r--tests/filter/request_max_totalname_length.phpt87
-rw-r--r--tests/filter/server_encode_off.phpt31
-rw-r--r--tests/filter/server_encode_on.phpt30
-rw-r--r--tests/filter/server_filter.phpt36
-rw-r--r--tests/filter/server_strip_off.phpt27
-rw-r--r--tests/filter/server_strip_on.phpt27
-rw-r--r--tests/filter/server_user_agent_strip_off.phpt27
-rw-r--r--tests/filter/server_user_agent_strip_on.phpt27
-rw-r--r--tests/filter/suhosin_upload_disallow_binary_off.phptbin0 -> 9474 bytes
-rw-r--r--tests/filter/suhosin_upload_disallow_binary_on.phptbin0 -> 12264 bytes
-rw-r--r--tests/filter/suhosin_upload_disallow_binary_utf8.phpt46
-rw-r--r--tests/filter/suhosin_upload_disallow_binary_utf8fail.phpt50
-rw-r--r--tests/filter/suhosin_upload_disallow_elf.phpt61
-rw-r--r--tests/filter/suhosin_upload_disallow_elf_off.phpt57
-rw-r--r--tests/filter/suhosin_upload_max_uploads.phpt87
-rw-r--r--tests/filter/suhosin_upload_remove_binary.phptbin0 -> 799 bytes
-rw-r--r--tests/filter/suhosin_upload_remove_binary_utf8.phpt34
-rw-r--r--tests/filter/suhosin_upload_remove_binary_utf8fail.phpt34
-rw-r--r--ufilter.c425
77 files changed, 5522 insertions, 23 deletions
diff --git a/config.m4 b/config.m4
index a6dade9..23081dd 100644
--- a/config.m4
+++ b/config.m4
@@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin7, whether to enable suhosin support,
5[ --enable-suhosin7 Enable suhosin support]) 5[ --enable-suhosin7 Enable suhosin support])
6 6
7if test "$PHP_SUHOSIN7" != "no"; then 7if test "$PHP_SUHOSIN7" != "no"; then
8 PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c execute_ih.c execute_rnd.c crypt.c cookiecrypt.c header.c session.c, $ext_shared,, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1]) 8 PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c execute_ih.c execute_rnd.c crypt.c cookiecrypt.c header.c session.c ex_imp.c rfc1867.c ufilter.c post_handler.c, $ext_shared,, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1])
9 PHP_ADD_EXTENSION_DEP(suhosin7, hash) 9 PHP_ADD_EXTENSION_DEP(suhosin7, hash)
10 echo "===== WARNING ============================================" 10 echo "===== WARNING ============================================"
11 echo " Suhosin7 for PHP 7 is in alpha stage at the moment and" 11 echo " Suhosin7 for PHP 7 is in alpha stage at the moment and"
@@ -29,7 +29,7 @@ fi
29 29
30AC_MSG_CHECKING([for C11 support with -std=c11]) 30AC_MSG_CHECKING([for C11 support with -std=c11])
31old_CFLAGS="$CFLAGS" 31old_CFLAGS="$CFLAGS"
32CFLAGS+=" -std=c11" 32CFLAGS="${CFLAGS} -std=c11"
33AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],[])],[AC_MSG_RESULT([yes])],[ 33AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],[])],[AC_MSG_RESULT([yes])],[
34 AC_MSG_RESULT([no]) 34 AC_MSG_RESULT([no])
35 CFLAGS="$old_CFLAGS" 35 CFLAGS="$old_CFLAGS"
@@ -38,7 +38,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],[])],[AC_MSG_RESULT([yes])],[
38 echo " support. Trying C99 instead, but compiling may fail." 38 echo " support. Trying C99 instead, but compiling may fail."
39 echo "==========================================================" 39 echo "=========================================================="
40 AC_MSG_CHECKING([for C99 support with -std=c99]) 40 AC_MSG_CHECKING([for C99 support with -std=c99])
41 CFLAGS+=" -std=c99" 41 CFLAGS="${CFLAGS} -std=c99"
42 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],[])],[AC_MSG_RESULT([yes])],[ 42 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],[])],[AC_MSG_RESULT([yes])],[
43 AC_MSG_RESULT([no]) 43 AC_MSG_RESULT([no])
44 CFLAGS="$old_CFLAGS" 44 CFLAGS="$old_CFLAGS"
diff --git a/ex_imp.c b/ex_imp.c
new file mode 100644
index 0000000..fd940ce
--- /dev/null
+++ b/ex_imp.c
@@ -0,0 +1,318 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2016 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Authors: Stefan Esser <sesser@sektioneins.de> |
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
18 +----------------------------------------------------------------------+
19
20 Note: The following code is based on ext/standard/array.c from PHP 7.
21 | Copyright (c) 1997-2016 The PHP Group |
22 Original PHP Version 7 Authors:
23 | Andi Gutmans <andi@zend.com> |
24 | Zeev Suraski <zeev@zend.com> |
25 | Rasmus Lerdorf <rasmus@php.net> |
26 | Andrei Zmievski <andrei@php.net> |
27 | Stig Venaas <venaas@php.net> |
28 | Jason Greene <jason@php.net> |
29
30*/
31
32#ifdef HAVE_CONFIG_H
33#include "config.h"
34#endif
35
36#include "php.h"
37#include "php_ini.h"
38#include "ext/standard/php_smart_string.h"
39#include "ext/standard/php_var.h"
40#include "php_suhosin7.h"
41
42
43#define EXTR_OVERWRITE 0
44#define EXTR_SKIP 1
45#define EXTR_PREFIX_SAME 2
46#define EXTR_PREFIX_ALL 3
47#define EXTR_PREFIX_INVALID 4
48#define EXTR_PREFIX_IF_EXISTS 5
49#define EXTR_IF_EXISTS 6
50
51#define EXTR_REFS 0x100
52
53
54static zend_always_inline int php_valid_var_name(char *var_name, size_t var_name_len) /* {{{ */
55{
56#if 1
57 /* first 256 bits for first character, and second 256 bits for the next */
58 static const uint32_t charset[16] = {
59 /* 31 0 63 32 95 64 127 96 */
60 0x00000000, 0x00000000, 0x87fffffe, 0x07fffffe,
61 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff,
62 /* 31 0 63 32 95 64 127 96 */
63 0x00000000, 0x03ff0000, 0x87fffffe, 0x07fffffe,
64 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff
65 };
66#endif
67 size_t i;
68 uint32_t ch;
69
70 if (UNEXPECTED(!var_name_len)) {
71 return 0;
72 }
73
74 /* These are allowed as first char: [a-zA-Z_\x7f-\xff] */
75 ch = (uint32_t)((unsigned char *)var_name)[0];
76#if 1
77 if (UNEXPECTED(!(charset[ch >> 5] & (1 << (ch & 0x1f))))) {
78#else
79 if (var_name[0] != '_' &&
80 (ch < 65 /* A */ || /* Z */ ch > 90) &&
81 (ch < 97 /* a */ || /* z */ ch > 122) &&
82 (ch < 127 /* 0x7f */ || /* 0xff */ ch > 255)
83 ) {
84#endif
85 return 0;
86 }
87
88 /* And these as the rest: [a-zA-Z0-9_\x7f-\xff] */
89 if (var_name_len > 1) {
90 i = 1;
91 do {
92 ch = (uint32_t)((unsigned char *)var_name)[i];
93#if 1
94 if (UNEXPECTED(!(charset[8 + (ch >> 5)] & (1 << (ch & 0x1f))))) {
95#else
96 if (var_name[i] != '_' &&
97 (ch < 48 /* 0 */ || /* 9 */ ch > 57) &&
98 (ch < 65 /* A */ || /* Z */ ch > 90) &&
99 (ch < 97 /* a */ || /* z */ ch > 122) &&
100 (ch < 127 /* 0x7f */ || /* 0xff */ ch > 255)
101 ) {
102#endif
103 return 0;
104 }
105 } while (++i < var_name_len);
106 }
107
108 if (suhosin_is_protected_varname(var_name, var_name_len)) {
109 return 0;
110 }
111
112 return 1;
113}
114
115/* {{{ proto int extract(array var_array [, int extract_type [, string prefix]])
116 Imports variables into symbol table from an array */
117PHP_FUNCTION(suhosin_extract)
118{
119 zval *var_array_param, *prefix = NULL;
120 zend_long extract_type = EXTR_OVERWRITE;
121 zval *entry;
122 zend_string *var_name;
123 zend_ulong num_key;
124 int var_exists, count = 0;
125 int extract_refs = 0;
126 zend_array *symbol_table;
127 zval var_array;
128
129#ifndef FAST_ZPP
130 if (zend_parse_parameters(ZEND_NUM_ARGS(), "a|lz/", &var_array_param, &extract_type, &prefix) == FAILURE) {
131 return;
132 }
133#else
134 ZEND_PARSE_PARAMETERS_START(1, 3)
135 Z_PARAM_ARRAY(var_array_param)
136 Z_PARAM_OPTIONAL
137 Z_PARAM_LONG(extract_type)
138 Z_PARAM_ZVAL_EX(prefix, 0, 1)
139 ZEND_PARSE_PARAMETERS_END();
140#endif
141
142 extract_refs = (extract_type & EXTR_REFS);
143 if (extract_refs) {
144 SEPARATE_ZVAL(var_array_param);
145 }
146 extract_type &= 0xff;
147
148 if (extract_type < EXTR_OVERWRITE || extract_type > EXTR_IF_EXISTS) {
149 php_error_docref(NULL, E_WARNING, "Invalid extract type");
150 return;
151 }
152
153 if (extract_type > EXTR_SKIP && extract_type <= EXTR_PREFIX_IF_EXISTS && ZEND_NUM_ARGS() < 3) {
154 php_error_docref(NULL, E_WARNING, "specified extract type requires the prefix parameter");
155 return;
156 }
157
158 if (prefix) {
159 convert_to_string(prefix);
160 if (Z_STRLEN_P(prefix) && !php_valid_var_name(Z_STRVAL_P(prefix), Z_STRLEN_P(prefix))) {
161 php_error_docref(NULL, E_WARNING, "prefix is not a valid identifier");
162 return;
163 }
164 }
165
166 symbol_table = zend_rebuild_symbol_table();
167#if 0
168 if (!symbol_table) {
169 php_error_docref(NULL, E_WARNING, "failed to build symbol table");
170 return;
171 }
172#endif
173
174 /* The array might be stored in a local variable that will be overwritten. To avoid losing the
175 * reference in that case we work on a copy. */
176 ZVAL_COPY(&var_array, var_array_param);
177
178 ZEND_HASH_FOREACH_KEY_VAL_IND(Z_ARRVAL(var_array), num_key, var_name, entry) {
179 zval final_name;
180
181 ZVAL_NULL(&final_name);
182 var_exists = 0;
183
184 if (var_name) {
185 var_exists = zend_hash_exists_ind(symbol_table, var_name);
186 } else if (extract_type == EXTR_PREFIX_ALL || extract_type == EXTR_PREFIX_INVALID) {
187 zend_string *str = zend_long_to_str(num_key);
188 php_prefix_varname(&final_name, prefix, ZSTR_VAL(str), ZSTR_LEN(str), 1);
189 zend_string_release(str);
190 } else {
191 continue;
192 }
193
194 switch (extract_type) {
195 case EXTR_IF_EXISTS:
196 if (!var_exists) break;
197 /* break omitted intentionally */
198
199 case EXTR_OVERWRITE:
200 /* GLOBALS protection */
201 if (var_exists && ZSTR_LEN(var_name) == sizeof("GLOBALS")-1 && !strcmp(ZSTR_VAL(var_name), "GLOBALS")) {
202 break;
203 }
204 if (var_exists && ZSTR_LEN(var_name) == sizeof("this")-1 && !strcmp(ZSTR_VAL(var_name), "this") && EG(scope) && ZSTR_LEN(EG(scope)->name) != 0) {
205 break;
206 }
207 ZVAL_STR_COPY(&final_name, var_name);
208 break;
209
210 case EXTR_PREFIX_IF_EXISTS:
211 if (var_exists) {
212 php_prefix_varname(&final_name, prefix, ZSTR_VAL(var_name), ZSTR_LEN(var_name), 1);
213 }
214 break;
215
216 case EXTR_PREFIX_SAME:
217 if (!var_exists && ZSTR_LEN(var_name) != 0) {
218 ZVAL_STR_COPY(&final_name, var_name);
219 }
220 /* break omitted intentionally */
221
222 case EXTR_PREFIX_ALL:
223 if (Z_TYPE(final_name) == IS_NULL && ZSTR_LEN(var_name) != 0) {
224 php_prefix_varname(&final_name, prefix, ZSTR_VAL(var_name), ZSTR_LEN(var_name), 1);
225 }
226 break;
227
228 case EXTR_PREFIX_INVALID:
229 if (Z_TYPE(final_name) == IS_NULL) {
230 if (!php_valid_var_name(ZSTR_VAL(var_name), ZSTR_LEN(var_name))) {
231 php_prefix_varname(&final_name, prefix, ZSTR_VAL(var_name), ZSTR_LEN(var_name), 1);
232 } else {
233 ZVAL_STR_COPY(&final_name, var_name);
234 }
235 }
236 break;
237
238 default:
239 if (!var_exists) {
240 ZVAL_STR_COPY(&final_name, var_name);
241 }
242 break;
243 }
244
245 if (Z_TYPE(final_name) == IS_STRING && php_valid_var_name(Z_STRVAL(final_name), Z_STRLEN(final_name))) {
246 zval *orig_var;
247 if (extract_refs) {
248
249 ZVAL_MAKE_REF(entry);
250 Z_ADDREF_P(entry);
251
252 if ((orig_var = zend_hash_find(symbol_table, Z_STR(final_name))) != NULL) {
253 if (Z_TYPE_P(orig_var) == IS_INDIRECT) {
254 orig_var = Z_INDIRECT_P(orig_var);
255 }
256 zval_ptr_dtor(orig_var);
257 ZVAL_COPY_VALUE(orig_var, entry);
258 } else {
259 zend_hash_update(symbol_table, Z_STR(final_name), entry);
260 }
261 } else {
262 ZVAL_DEREF(entry);
263 if (Z_REFCOUNTED_P(entry)) Z_ADDREF_P(entry);
264 if ((orig_var = zend_hash_find(symbol_table, Z_STR(final_name))) != NULL) {
265 if (Z_TYPE_P(orig_var) == IS_INDIRECT) {
266 orig_var = Z_INDIRECT_P(orig_var);
267 }
268 ZVAL_DEREF(orig_var);
269 zval_ptr_dtor(orig_var);
270 ZVAL_COPY_VALUE(orig_var, entry);
271 } else {
272 zend_hash_update(symbol_table, Z_STR(final_name), entry);
273 }
274 }
275 count++;
276 }
277 zval_dtor(&final_name);
278 } ZEND_HASH_FOREACH_END();
279 zval_ptr_dtor(&var_array);
280
281 RETURN_LONG(count);
282}
283/* }}} */
284
285
286
287
288ZEND_BEGIN_ARG_INFO_EX(suhosin_arginfo_extract, 0, 0, 1)
289 ZEND_ARG_INFO(ZEND_SEND_PREFER_REF, arg) /* ARRAY_INFO(0, arg, 0) */
290 ZEND_ARG_INFO(0, extract_type)
291 ZEND_ARG_INFO(0, prefix)
292ZEND_END_ARG_INFO()
293
294
295/* {{{ suhosin_ex_imp_functions[]
296 */
297zend_function_entry suhosin_ex_imp_functions[] = {
298 PHP_NAMED_FE(extract, PHP_FN(suhosin_extract), suhosin_arginfo_extract)
299 {NULL, NULL, NULL}
300};
301/* }}} */
302
303void suhosin_hook_ex_imp()
304{
305 /* replace the extract and import_request_variables functions */
306 zend_hash_str_del(CG(function_table), ZEND_STRL("extract"));
307 zend_register_functions(NULL, suhosin_ex_imp_functions, NULL, MODULE_PERSISTENT);
308}
309
310
311/*
312 * Local variables:
313 * tab-width: 4
314 * c-basic-offset: 4
315 * End:
316 * vim600: noet sw=4 ts=4 fdm=marker
317 * vim<600: noet sw=4 ts=4
318 */
diff --git a/ifilter.c b/ifilter.c
index 2d41048..a8fa8e2 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -41,7 +41,7 @@ static size_t strnlen(const char *s, size_t maxlen) {
41} 41}
42#endif 42#endif
43 43
44static size_t suhosin_strnspn(const char *input, size_t n, const char *accept) 44size_t suhosin_strnspn(const char *input, size_t n, const char *accept)
45{ 45{
46 size_t count = 0; 46 size_t count = 0;
47 for (; *input != '\0' && count < n; input++, count++) { 47 for (; *input != '\0' && count < n; input++, count++) {
@@ -51,7 +51,7 @@ static size_t suhosin_strnspn(const char *input, size_t n, const char *accept)
51 return count; 51 return count;
52} 52}
53 53
54static size_t suhosin_strncspn(const char *input, size_t n, const char *reject) 54size_t suhosin_strncspn(const char *input, size_t n, const char *reject)
55{ 55{
56 size_t count = 0; 56 size_t count = 0;
57 for (; *input != '\0' && count < n; input++, count++) { 57 for (; *input != '\0' && count < n; input++, count++) {
@@ -635,7 +635,7 @@ SAPI_INPUT_FILTER_FUNC(suhosin_input_filter_wrapper)
635 // } 635 // }
636 636
637 // if (!already_scanned) { 637 // if (!already_scanned) {
638 if (suhosin_input_filter(arg, var, val, val_len, new_val_len)==0) { 638 if (suhosin_input_filter(arg, var, val, val_len, new_val_len) == 0) {
639 SUHOSIN7_G(abort_request)=1; 639 SUHOSIN7_G(abort_request)=1;
640 return 0; 640 return 0;
641 } 641 }
@@ -644,7 +644,14 @@ SAPI_INPUT_FILTER_FUNC(suhosin_input_filter_wrapper)
644 } 644 }
645 // } 645 // }
646 if (orig_input_filter) { 646 if (orig_input_filter) {
647 return orig_input_filter(arg, var, val, val_len, new_val_len); 647
648 if (orig_input_filter(arg, var, val, val_len, new_val_len) == 0) {
649 SUHOSIN7_G(abort_request)=1;
650 return 0;
651 } else {
652 return 1;
653 }
654
648 } else { 655 } else {
649 return 1; 656 return 1;
650 } 657 }
diff --git a/php_suhosin7.h b/php_suhosin7.h
index 75244fe..6c515ba 100644
--- a/php_suhosin7.h
+++ b/php_suhosin7.h
@@ -205,16 +205,16 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7)
205 zend_bool disallow_post_ws; 205 zend_bool disallow_post_ws;
206 206
207/* fileupload */ 207/* fileupload */
208 // zend_long upload_limit; 208 zend_long upload_max_newlines;
209 // zend_long upload_max_newlines; 209 zend_long upload_limit;
210 // zend_long num_uploads; 210 zend_long num_uploads;
211 // zend_bool upload_disallow_elf; 211 zend_bool upload_disallow_elf;
212 // zend_bool upload_disallow_binary; 212 zend_bool upload_disallow_binary;
213 // zend_bool upload_remove_binary; 213 zend_bool upload_remove_binary;
214#ifdef SUHOSIN7_EXPERIMENTAL 214#ifdef SUHOSIN7_EXPERIMENTAL
215 // zend_bool upload_allow_utf8; 215 zend_bool upload_allow_utf8;
216#endif 216#endif
217 // char *upload_verification_script; 217 char *upload_verification_script;
218 218
219 zend_bool no_more_variables; 219 zend_bool no_more_variables;
220 zend_bool no_more_get_variables; 220 zend_bool no_more_get_variables;
@@ -389,12 +389,18 @@ void suhosin_hook_header_handler();
389void suhosin_unhook_header_handler(); 389void suhosin_unhook_header_handler();
390void suhosin_hook_execute(); 390void suhosin_hook_execute();
391// void suhosin_hook_sha256(); 391// void suhosin_hook_sha256();
392void suhosin_hook_ex_imp();
393
392#ifdef HAVE_PHP_SESSION 394#ifdef HAVE_PHP_SESSION
393void suhosin_hook_session(); 395void suhosin_hook_session();
394#endif 396#endif
395 397
398void suhosin_hook_post_handlers();
399
396// ifilter.c 400// ifilter.c
397void suhosin_normalize_varname(char *varname); 401void suhosin_normalize_varname(char *varname);
402size_t suhosin_strnspn(const char *input, size_t n, const char *accept);
403size_t suhosin_strncspn(const char *input, size_t n, const char *reject);
398 404
399// cookiecrypt.c 405// cookiecrypt.c
400char *suhosin_cookie_decryptor(char *raw_cookie); 406char *suhosin_cookie_decryptor(char *raw_cookie);
@@ -413,6 +419,7 @@ void suhosin_aes_gkey(int nb,int nk,char *key);
413void suhosin_aes_encrypt(char *buff); 419void suhosin_aes_encrypt(char *buff);
414void suhosin_aes_decrypt(char *buff); 420void suhosin_aes_decrypt(char *buff);
415 421
422
416// 423//
417 424
418static inline void suhosin_bailout() 425static inline void suhosin_bailout()
@@ -431,7 +438,7 @@ static inline char *suhosin_get_active_function_name() {
431} 438}
432 439
433#ifdef SUHOSIN_STRCASESTR 440#ifdef SUHOSIN_STRCASESTR
434char *suhosin_strcasestr(char *haystack, char *needle) 441char *suhosin_strcasestr(char *haystack, char *needle);
435#else 442#else
436#define suhosin_strcasestr(a, b) strcasestr(a, b) 443#define suhosin_strcasestr(a, b) strcasestr(a, b)
437#endif 444#endif
diff --git a/post_handler.c b/post_handler.c
new file mode 100644
index 0000000..1a2374c
--- /dev/null
+++ b/post_handler.c
@@ -0,0 +1,145 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2016 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Authors: Stefan Esser <sesser@sektioneins.de> |
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
18 +----------------------------------------------------------------------+
19*/
20/*
21 $Id: post_handler.c,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $
22*/
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "php.h"
29#include "php_ini.h"
30#include "php_suhosin7.h"
31#include "SAPI.h"
32#include "php_variables.h"
33#include "php_content_types.h"
34#include "suhosin_rfc1867.h"
35#include "ext/standard/url.h"
36#include "ext/standard/php_smart_string.h"
37
38#if defined(PHP_WIN32)
39#include "win32/php_inttypes.h"
40#endif
41
42SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler);
43
44static void suhosin_post_handler_modification(sapi_post_entry *spe)
45{
46 char *content_type = estrndup(spe->content_type, spe->content_type_len);
47 suhosin_log(S_VARS, "some extension replaces the POST handler for %s - Suhosin's protection might be incomplete", content_type);
48 efree(content_type);
49}
50
51// static PHP_INI_MH((*old_OnUpdate_mbstring_encoding_translation)) = NULL;
52//
53// /* {{{ static PHP_INI_MH(suhosin_OnUpdate_mbstring_encoding_translation) */
54// static PHP_INI_MH(suhosin_OnUpdate_mbstring_encoding_translation)
55// {
56// zend_bool *p;
57// #ifndef ZTS
58// char *base = (char *) mh_arg2;
59// #else
60// char *base;
61//
62// base = (char *) ts_resource(*((int *) mh_arg2));
63// #endif
64//
65// p = (zend_bool *) (base+(size_t) mh_arg1);
66//
67// if (new_value_length == 2 && strcasecmp("on", new_value) == 0) {
68// *p = (zend_bool) 1;
69// }
70// else if (new_value_length == 3 && strcasecmp("yes", new_value) == 0) {
71// *p = (zend_bool) 1;
72// }
73// else if (new_value_length == 4 && strcasecmp("true", new_value) == 0) {
74// *p = (zend_bool) 1;
75// }
76// else {
77// *p = (zend_bool) atoi(new_value);
78// }
79// if (*p) {
80// suhosin_log(S_VARS, "Dynamic configuration (maybe a .htaccess file) tried to activate mbstring.encoding_translation which is incompatible with suhosin");
81// }
82// return SUCCESS;
83// }
84/* }}} */
85
86/* {{{ php_post_entries[]
87 */
88static sapi_post_entry suhosin_post_entries[] = {
89 // { DEFAULT_POST_CONTENT_TYPE, sizeof(DEFAULT_POST_CONTENT_TYPE)-1, sapi_read_standard_form_data, suhosin_std_post_handler },
90 { ZEND_STRL(MULTIPART_CONTENT_TYPE), NULL, suhosin_rfc1867_post_handler },
91 { NULL, 0, NULL, NULL }
92};
93/* }}} */
94
95void suhosin_hook_post_handlers()
96{
97 HashTable tempht;
98 // zend_ini_entry *ini_entry;
99
100 sapi_unregister_post_entry(&suhosin_post_entries[0]);
101 // sapi_unregister_post_entry(&suhosin_post_entries[1]);
102 sapi_register_post_entries(suhosin_post_entries);
103
104 /* we want to get notified if another extension deregisters the suhosin post handlers */
105
106 /* we need to tell suhosin patch that there is a new valid destructor */
107 /* therefore we have create HashTable that has this destructor */
108 // zend_hash_init(&tempht, 0, NULL, (dtor_func_t)suhosin_post_handler_modification, 0);
109 // zend_hash_destroy(&tempht);
110 /* And now we can overwrite the destructor for post entries */
111 // SG(known_post_content_types).pDestructor = (dtor_func_t)suhosin_post_handler_modification;
112
113 /* we have to stop mbstring from replacing our post handler */
114 // if (zend_hash_find(EG(ini_directives), "mbstring.encoding_translation", sizeof("mbstring.encoding_translation"), (void **) &ini_entry) == FAILURE) {
115 // return;
116 // }
117 /* replace OnUpdate_mbstring_encoding_translation handler */
118 // old_OnUpdate_mbstring_encoding_translation = ini_entry->on_modify;
119 // ini_entry->on_modify = suhosin_OnUpdate_mbstring_encoding_translation;
120}
121
122// void suhosin_unhook_post_handlers()
123// {
124// zend_ini_entry *ini_entry;
125//
126// /* Restore to an empty destructor */
127// SG(known_post_content_types).pDestructor = NULL;
128//
129// /* Now restore the ini entry handler */
130// if (zend_hash_find(EG(ini_directives), "mbstring.encoding_translation", sizeof("mbstring.encoding_translation"), (void **) &ini_entry) == FAILURE) {
131// return;
132// }
133// /* replace OnUpdate_mbstring_encoding_translation handler */
134// ini_entry->on_modify = old_OnUpdate_mbstring_encoding_translation;
135// old_OnUpdate_mbstring_encoding_translation = NULL;
136// }
137
138/*
139 * Local variables:
140 * tab-width: 4
141 * c-basic-offset: 4
142 * End:
143 * vim600: noet sw=4 ts=4 fdm=marker
144 * vim<600: noet sw=4 ts=4
145 */
diff --git a/rfc1867.c b/rfc1867.c
new file mode 100644
index 0000000..8daa0e8
--- /dev/null
+++ b/rfc1867.c
@@ -0,0 +1,1370 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2016 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Authors: Stefan Esser <sesser@sektioneins.de> |
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
18 +----------------------------------------------------------------------+
19
20 Note: The following code is based on main/rfc1867.c from PHP 7.
21 | Copyright (c) 1997-2016 The PHP Group |
22 Original PHP Version 7 Authors:
23 | Authors: Rasmus Lerdorf <rasmus@php.net> |
24 | Jani Taskinen <jani@php.net> |
25
26 */
27
28/* $Id$ */
29
30/*
31 * This product includes software developed by the Apache Group
32 * for use in the Apache HTTP server project (http://www.apache.org/).
33 *
34 */
35
36#include <stdio.h>
37#include "php.h"
38#include "php_open_temporary_file.h"
39#include "zend_globals.h"
40#include "php_globals.h"
41#include "php_variables.h"
42// #include "rfc1867.h"
43#include "suhosin_rfc1867.h"
44#include "php_suhosin7.h"
45#include "ext/standard/php_string.h"
46#include "ext/standard/php_smart_string.h"
47
48#if defined(PHP_WIN32) && !defined(HAVE_ATOLL)
49# define atoll(s) _atoi64(s)
50# define HAVE_ATOLL 1
51#endif
52
53#define DEBUG_FILE_UPLOAD ZEND_DEBUG
54
55static int dummy_encoding_translation(void)
56{
57 return 0;
58}
59
60static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop);
61static char *php_ap_getword_conf(const zend_encoding *encoding, char *str);
62
63static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation;
64static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL;
65static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL;
66static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword;
67static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf;
68static php_rfc1867_basename_t php_rfc1867_basename = NULL;
69
70#define php_rfc1867_callback suhosin_rfc1867_filter
71// PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL;
72
73static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection);
74
75/* The longest property name we use in an uploaded file array */
76#define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")
77
78/* The longest anonymous name */
79#define MAX_SIZE_ANONNAME 33
80
81/* Errors */
82#define UPLOAD_ERROR_OK 0 /* File upload successful */
83#define UPLOAD_ERROR_A 1 /* Uploaded file exceeded upload_max_filesize */
84#define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */
85#define UPLOAD_ERROR_C 3 /* Partially uploaded */
86#define UPLOAD_ERROR_D 4 /* No file uploaded */
87#define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
88#define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
89#define UPLOAD_ERROR_X 8 /* File upload stopped by extension */
90
91// void php_rfc1867_register_constants(void) /* {{{ */
92// {
93// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_OK", UPLOAD_ERROR_OK, CONST_CS | CONST_PERSISTENT);
94// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_INI_SIZE", UPLOAD_ERROR_A, CONST_CS | CONST_PERSISTENT);
95// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
96// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
97// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
98// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
99// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
100// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_EXTENSION", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
101// }
102/* }}} */
103
104static void normalize_protected_variable(char *varname) /* {{{ */
105{
106 char *s = varname, *index = NULL, *indexend = NULL, *p;
107
108 /* overjump leading space */
109 while (*s == ' ') {
110 s++;
111 }
112
113 /* and remove it */
114 if (s != varname) {
115 memmove(varname, s, strlen(s)+1);
116 }
117
118 for (p = varname; *p && *p != '['; p++) {
119 switch(*p) {
120 case ' ':
121 case '.':
122 *p = '_';
123 break;
124 }
125 }
126
127 /* find index */
128 index = strchr(varname, '[');
129 if (index) {
130 index++;
131 s = index;
132 } else {
133 return;
134 }
135
136 /* done? */
137 while (index) {
138 while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
139 index++;
140 }
141 indexend = strchr(index, ']');
142 indexend = indexend ? indexend + 1 : index + strlen(index);
143
144 if (s != index) {
145 memmove(s, index, strlen(index)+1);
146 s += indexend-index;
147 } else {
148 s = indexend;
149 }
150
151 if (*s == '[') {
152 s++;
153 index = s;
154 } else {
155 index = NULL;
156 }
157 }
158 *s = '\0';
159}
160/* }}} */
161
162static void add_protected_variable(char *varname) /* {{{ */
163{
164 normalize_protected_variable(varname);
165 zend_hash_str_add_empty_element(&PG(rfc1867_protected_variables), varname, strlen(varname));
166}
167/* }}} */
168
169static zend_bool is_protected_variable(char *varname) /* {{{ */
170{
171 normalize_protected_variable(varname);
172 return zend_hash_str_exists(&PG(rfc1867_protected_variables), varname, strlen(varname));
173}
174/* }}} */
175
176static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection) /* {{{ */
177{
178 if (override_protection || !is_protected_variable(var)) {
179 php_register_variable_safe(var, strval, val_len, track_vars_array);
180 }
181}
182/* }}} */
183
184static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, zend_bool override_protection) /* {{{ */
185{
186 if (override_protection || !is_protected_variable(var)) {
187 php_register_variable_ex(var, val, track_vars_array);
188 }
189}
190/* }}} */
191
192static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
193{
194 safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection);
195}
196/* }}} */
197
198static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
199{
200 safe_php_register_variable_ex(var, val, http_post_files, override_protection);
201}
202/* }}} */
203
204static int unlink_filename(zval *el) /* {{{ */
205{
206 zend_string *filename = Z_STR_P(el);
207 VCWD_UNLINK(ZSTR_VAL(filename));
208 return 0;
209}
210/* }}} */
211
212
213static void free_filename(zval *el) {
214 zend_string *filename = Z_STR_P(el);
215 zend_string_release(filename);
216}
217
218PHPAPI void destroy_uploaded_files_hash(void) /* {{{ */
219{
220 zend_hash_apply(SG(rfc1867_uploaded_files), unlink_filename);
221 zend_hash_destroy(SG(rfc1867_uploaded_files));
222 FREE_HASHTABLE(SG(rfc1867_uploaded_files));
223}
224/* }}} */
225
226/* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */
227
228#define FILLUNIT (1024 * 5)
229
230typedef struct {
231
232 /* read buffer */
233 char *buffer;
234 char *buf_begin;
235 int bufsize;
236 int bytes_in_buffer;
237
238 /* boundary info */
239 char *boundary;
240 char *boundary_next;
241 int boundary_next_len;
242
243 const zend_encoding *input_encoding;
244 const zend_encoding **detect_order;
245 size_t detect_order_size;
246} multipart_buffer;
247
248typedef struct {
249 char *key;
250 char *value;
251} mime_header_entry;
252
253/*
254 * Fill up the buffer with client data.
255 * Returns number of bytes added to buffer.
256 */
257static int fill_buffer(multipart_buffer *self)
258{
259 int bytes_to_read, total_read = 0, actual_read = 0;
260
261 /* shift the existing data if necessary */
262 if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
263 memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
264 }
265
266 self->buf_begin = self->buffer;
267
268 /* calculate the free space in the buffer */
269 bytes_to_read = self->bufsize - self->bytes_in_buffer;
270
271 /* read the required number of bytes */
272 while (bytes_to_read > 0) {
273
274 char *buf = self->buffer + self->bytes_in_buffer;
275
276 actual_read = (int)sapi_module.read_post(buf, bytes_to_read);
277
278 /* update the buffer length */
279 if (actual_read > 0) {
280 self->bytes_in_buffer += actual_read;
281 SG(read_post_bytes) += actual_read;
282 total_read += actual_read;
283 bytes_to_read -= actual_read;
284 } else {
285 break;
286 }
287 }
288
289 return total_read;
290}
291
292/* eof if we are out of bytes, or if we hit the final boundary */
293static int multipart_buffer_eof(multipart_buffer *self)
294{
295 if ( (self->bytes_in_buffer == 0 && fill_buffer(self) < 1) ) {
296 return 1;
297 } else {
298 return 0;
299 }
300}
301
302/* create new multipart_buffer structure */
303static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len)
304{
305 multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));
306
307 int minsize = boundary_len + 6;
308 if (minsize < FILLUNIT) minsize = FILLUNIT;
309
310 self->buffer = (char *) ecalloc(1, minsize + 1);
311 self->bufsize = minsize;
312
313 spprintf(&self->boundary, 0, "--%s", boundary);
314
315 self->boundary_next_len = (int)spprintf(&self->boundary_next, 0, "\n--%s", boundary);
316
317 self->buf_begin = self->buffer;
318 self->bytes_in_buffer = 0;
319
320 if (php_rfc1867_encoding_translation()) {
321 php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size);
322 } else {
323 self->detect_order = NULL;
324 self->detect_order_size = 0;
325 }
326
327 self->input_encoding = NULL;
328
329 return self;
330}
331
332/*
333 * Gets the next CRLF terminated line from the input buffer.
334 * If it doesn't find a CRLF, and the buffer isn't completely full, returns
335 * NULL; otherwise, returns the beginning of the null-terminated line,
336 * minus the CRLF.
337 *
338 * Note that we really just look for LF terminated lines. This works
339 * around a bug in internet explorer for the macintosh which sends mime
340 * boundaries that are only LF terminated when you use an image submit
341 * button in a multipart/form-data form.
342 */
343static char *next_line(multipart_buffer *self)
344{
345 /* look for LF in the data */
346 char* line = self->buf_begin;
347 char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);
348
349 if (ptr) { /* LF found */
350
351 /* terminate the string, remove CRLF */
352 if ((ptr - line) > 0 && *(ptr-1) == '\r') {
353 *(ptr-1) = 0;
354 } else {
355 *ptr = 0;
356 }
357
358 /* bump the pointer */
359 self->buf_begin = ptr + 1;
360 self->bytes_in_buffer -= (self->buf_begin - line);
361
362 } else { /* no LF found */
363
364 /* buffer isn't completely full, fail */
365 if (self->bytes_in_buffer < self->bufsize) {
366 return NULL;
367 }
368 /* return entire buffer as a partial line */
369 line[self->bufsize] = 0;
370 self->buf_begin = ptr;
371 self->bytes_in_buffer = 0;
372 }
373
374 return line;
375}
376
377/* Returns the next CRLF terminated line from the client */
378static char *get_line(multipart_buffer *self)
379{
380 char* ptr = next_line(self);
381
382 if (!ptr) {
383 fill_buffer(self);
384 ptr = next_line(self);
385 }
386
387 return ptr;
388}
389
390/* Free header entry */
391static void php_free_hdr_entry(mime_header_entry *h)
392{
393 if (h->key) {
394 efree(h->key);
395 }
396 if (h->value) {
397 efree(h->value);
398 }
399}
400
401/* finds a boundary */
402static int find_boundary(multipart_buffer *self, char *boundary)
403{
404 char *line;
405
406 /* loop thru lines */
407 while( (line = get_line(self)) )
408 {
409 /* finished if we found the boundary */
410 if (!strcmp(line, boundary)) {
411 return 1;
412 }
413 }
414
415 /* didn't find the boundary */
416 return 0;
417}
418
419/* parse headers */
420static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
421{
422 char *line;
423 mime_header_entry entry = {0};
424 smart_string buf_value = {0};
425 char *key = NULL;
426 size_t newlines = 0;
427
428 /* didn't find boundary, abort */
429 if (!find_boundary(self, self->boundary)) {
430 return 0;
431 }
432
433 /* get lines of text, or CRLF_CRLF */
434
435 while ((line = get_line(self)) && line[0] != '\0') {
436 /* add header to table */
437 char *value = NULL;
438
439 if (php_rfc1867_encoding_translation()) {
440 self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);
441 }
442
443 /* space in the beginning means same header */
444 if (!isspace(line[0])) {
445 value = strchr(line, ':');
446 }
447
448 if (value) {
449 if (buf_value.c && key) {
450 /* new entry, add the old one to the list */
451 smart_string_0(&buf_value);
452 entry.key = key;
453 entry.value = buf_value.c;
454 zend_llist_add_element(header, &entry);
455 buf_value.c = NULL;
456 key = NULL;
457 }
458
459 *value = '\0';
460 do { value++; } while (isspace(*value));
461
462 key = estrdup(line);
463 smart_string_appends(&buf_value, value);
464 newlines = 0;
465 } else if (buf_value.c) { /* If no ':' on the line, add to previous line */
466 newlines++;
467 if (newlines > SUHOSIN7_G(upload_max_newlines)) {
468 SUHOSIN7_G(abort_request) = 1;
469 suhosin_log(S_FILES, "configured maximum number of newlines in RFC1867 MIME headers limit exceeded - dropping rest of upload");
470 return 0;
471 }
472 smart_string_appends(&buf_value, line);
473
474 } else {
475 continue;
476 }
477 }
478
479 if (buf_value.c && key) {
480 /* add the last one to the list */
481 smart_string_0(&buf_value);
482 entry.key = key;
483 entry.value = buf_value.c;
484 zend_llist_add_element(header, &entry);
485 }
486
487 return 1;
488}
489
490static char *php_mime_get_hdr_value(zend_llist header, char *key)
491{
492 mime_header_entry *entry;
493
494 if (key == NULL) {
495 return NULL;
496 }
497
498 entry = zend_llist_get_first(&header);
499 while (entry) {
500 if (!strcasecmp(entry->key, key)) {
501 return entry->value;
502 }
503 entry = zend_llist_get_next(&header);
504 }
505
506 return NULL;
507}
508
509static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop)
510{
511 char *pos = *line, quote;
512 char *res;
513
514 while (*pos && *pos != stop) {
515 if ((quote = *pos) == '"' || quote == '\'') {
516 ++pos;
517 while (*pos && *pos != quote) {
518 if (*pos == '\\' && pos[1] && pos[1] == quote) {
519 pos += 2;
520 } else {
521 ++pos;
522 }
523 }
524 if (*pos) {
525 ++pos;
526 }
527 } else ++pos;
528 }
529 if (*pos == '\0') {
530 res = estrdup(*line);
531 *line += strlen(*line);
532 return res;
533 }
534
535 res = estrndup(*line, pos - *line);
536
537 while (*pos == stop) {
538 ++pos;
539 }
540
541 *line = pos;
542 return res;
543}
544
545static char *substring_conf(char *start, int len, char quote)
546{
547 char *result = emalloc(len + 1);
548 char *resp = result;
549 int i;
550
551 for (i = 0; i < len && start[i] != quote; ++i) {
552 if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) {
553 *resp++ = start[++i];
554 } else {
555 *resp++ = start[i];
556 }
557 }
558
559 *resp = '\0';
560 return result;
561}
562
563static char *php_ap_getword_conf(const zend_encoding *encoding, char *str)
564{
565 while (*str && isspace(*str)) {
566 ++str;
567 }
568
569 if (!*str) {
570 return estrdup("");
571 }
572
573 if (*str == '"' || *str == '\'') {
574 char quote = *str;
575
576 str++;
577 return substring_conf(str, (int)strlen(str), quote);
578 } else {
579 char *strend = str;
580
581 while (*strend && !isspace(*strend)) {
582 ++strend;
583 }
584 return substring_conf(str, strend - str, 0);
585 }
586}
587
588static char *php_ap_basename(const zend_encoding *encoding, char *path)
589{
590 char *s = strrchr(path, '\\');
591 char *s2 = strrchr(path, '/');
592
593 if (s && s2) {
594 if (s > s2) {
595 ++s;
596 } else {
597 s = ++s2;
598 }
599 return s;
600 } else if (s) {
601 return ++s;
602 } else if (s2) {
603 return ++s2;
604 }
605 return path;
606}
607
608/*
609 * Search for a string in a fixed-length byte string.
610 * If partial is true, partial matches are allowed at the end of the buffer.
611 * Returns NULL if not found, or a pointer to the start of the first match.
612 */
613static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial)
614{
615 int len = haystacklen;
616 char *ptr = haystack;
617
618 /* iterate through first character matches */
619 while( (ptr = memchr(ptr, needle[0], len)) ) {
620
621 /* calculate length after match */
622 len = haystacklen - (ptr - (char *)haystack);
623
624 /* done if matches up to capacity of buffer */
625 if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) {
626 break;
627 }
628
629 /* next character */
630 ptr++; len--;
631 }
632
633 return ptr;
634}
635
636/* read until a boundary condition */
637static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
638{
639 size_t len, max;
640 char *bound;
641
642 /* fill buffer if needed */
643 if (bytes > self->bytes_in_buffer) {
644 fill_buffer(self);
645 }
646
647 /* look for a potential boundary match, only read data up to that point */
648 if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
649 max = bound - self->buf_begin;
650 if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
651 *end = 1;
652 }
653 } else {
654 max = self->bytes_in_buffer;
655 }
656
657 /* maximum number of bytes we are reading */
658 len = max < bytes-1 ? max : bytes-1;
659
660 /* if we read any data... */
661 if (len > 0) {
662
663 /* copy the data */
664 memcpy(buf, self->buf_begin, len);
665 buf[len] = 0;
666
667 if (bound && len > 0 && buf[len-1] == '\r') {
668 buf[--len] = 0;
669 }
670
671 /* update the buffer */
672 self->bytes_in_buffer -= (int)len;
673 self->buf_begin += len;
674 }
675
676 return (int)len;
677}
678
679/*
680 XXX: this is horrible memory-usage-wise, but we only expect
681 to do this on small pieces of form data.
682*/
683static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
684{
685 char buf[FILLUNIT], *out=NULL;
686 int total_bytes=0, read_bytes=0;
687
688 while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
689 out = erealloc(out, total_bytes + read_bytes + 1);
690 memcpy(out + total_bytes, buf, read_bytes);
691 total_bytes += read_bytes;
692 }
693
694 if (out) {
695 out[total_bytes] = '\0';
696 }
697 *len = total_bytes;
698
699 return out;
700}
701/* }}} */
702
703/*
704 * The combined READER/HANDLER
705 *
706 */
707
708SAPI_API SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler) /* {{{ */
709{
710 char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
711 char *lbuf = NULL, *abuf = NULL;
712 zend_string *temp_filename = NULL;
713 int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
714 int64_t total_bytes = 0, max_file_size = 0;
715 int skip_upload = 0, anonindex = 0, is_anonymous;
716 HashTable *uploaded_files = NULL;
717 multipart_buffer *mbuff;
718 zval *array_ptr = (zval *) arg;
719 int fd = -1;
720 zend_llist header;
721 void *event_extra_data = NULL;
722 unsigned int llen = 0;
723 int upload_cnt = INI_INT("max_file_uploads");
724 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
725 php_rfc1867_getword_t getword;
726 php_rfc1867_getword_conf_t getword_conf;
727 php_rfc1867_basename_t _basename;
728 zend_long count = 0;
729
730 if (php_rfc1867_encoding_translation() && internal_encoding) {
731 getword = php_rfc1867_getword;
732 getword_conf = php_rfc1867_getword_conf;
733 _basename = php_rfc1867_basename;
734 } else {
735 getword = php_ap_getword;
736 getword_conf = php_ap_getword_conf;
737 _basename = php_ap_basename;
738 }
739
740 if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
741 sapi_module.sapi_error(E_WARNING, "POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, SG(post_max_size));
742 return;
743 }
744
745 /* Get the boundary */
746 boundary = strstr(content_type_dup, "boundary");
747 if (!boundary) {
748 int content_type_len = (int)strlen(content_type_dup);
749 char *content_type_lcase = estrndup(content_type_dup, content_type_len);
750
751 php_strtolower(content_type_lcase, content_type_len);
752 boundary = strstr(content_type_lcase, "boundary");
753 if (boundary) {
754 boundary = content_type_dup + (boundary - content_type_lcase);
755 }
756 efree(content_type_lcase);
757 }
758
759 if (!boundary || !(boundary = strchr(boundary, '='))) {
760 sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
761 return;
762 }
763
764 boundary++;
765 boundary_len = (int)strlen(boundary);
766
767 if (boundary[0] == '"') {
768 boundary++;
769 boundary_end = strchr(boundary, '"');
770 if (!boundary_end) {
771 sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
772 return;
773 }
774 } else {
775 /* search for the end of the boundary */
776 boundary_end = strpbrk(boundary, ",;");
777 }
778 if (boundary_end) {
779 boundary_end[0] = '\0';
780 boundary_len = boundary_end-boundary;
781 }
782
783 /* Initialize the buffer */
784 if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
785 sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
786 return;
787 }
788
789 /* Initialize $_FILES[] */
790 zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0);
791
792 ALLOC_HASHTABLE(uploaded_files);
793 zend_hash_init(uploaded_files, 8, NULL, free_filename, 0);
794 SG(rfc1867_uploaded_files) = uploaded_files;
795
796 if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) != IS_ARRAY) {
797 /* php_auto_globals_create_files() might have already done that */
798 array_init(&PG(http_globals)[TRACK_VARS_FILES]);
799 }
800
801 zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);
802
803 if (php_rfc1867_callback != NULL) {
804 multipart_event_start event_start;
805
806 event_start.content_length = SG(request_info).content_length;
807 if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data) == FAILURE) {
808 goto fileupload_done;
809 }
810 }
811
812 while (!multipart_buffer_eof(mbuff))
813 {
814 char buff[FILLUNIT];
815 char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
816 size_t blen = 0, wlen = 0;
817 zend_off_t offset;
818
819 zend_llist_clean(&header);
820
821 if (!multipart_buffer_headers(mbuff, &header)) {
822 goto fileupload_done;
823 }
824
825 if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
826 char *pair = NULL;
827 int end = 0;
828
829 while (isspace(*cd)) {
830 ++cd;
831 }
832
833 while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';')))
834 {
835 char *key = NULL, *word = pair;
836
837 while (isspace(*cd)) {
838 ++cd;
839 }
840
841 if (strchr(pair, '=')) {
842 key = getword(mbuff->input_encoding, &pair, '=');
843
844 if (!strcasecmp(key, "name")) {
845 if (param) {
846 efree(param);
847 }
848 param = getword_conf(mbuff->input_encoding, pair);
849 if (mbuff->input_encoding && internal_encoding) {
850 unsigned char *new_param;
851 size_t new_param_len;
852 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding)) {
853 efree(param);
854 param = (char *)new_param;
855 }
856 }
857 } else if (!strcasecmp(key, "filename")) {
858 if (filename) {
859 efree(filename);
860 }
861 filename = getword_conf(mbuff->input_encoding, pair);
862 if (mbuff->input_encoding && internal_encoding) {
863 unsigned char *new_filename;
864 size_t new_filename_len;
865 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding)) {
866 efree(filename);
867 filename = (char *)new_filename;
868 }
869 }
870 }
871 }
872 if (key) {
873 efree(key);
874 }
875 efree(word);
876 }
877
878 /* Normal form variable, safe to read all data into memory */
879 if (!filename && param) {
880 size_t value_len;
881 char *value = multipart_buffer_read_body(mbuff, &value_len);
882 size_t new_val_len; /* Dummy variable */
883
884 if (!value) {
885 value = estrdup("");
886 value_len = 0;
887 }
888
889 if (mbuff->input_encoding && internal_encoding) {
890 unsigned char *new_value;
891 size_t new_value_len;
892 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding)) {
893 efree(value);
894 value = (char *)new_value;
895 value_len = new_value_len;
896 }
897 }
898
899 if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len)) {
900 if (php_rfc1867_callback != NULL) {
901 multipart_event_formdata event_formdata;
902 size_t newlength = new_val_len;
903
904 event_formdata.post_bytes_processed = SG(read_post_bytes);
905 event_formdata.name = param;
906 event_formdata.value = &value;
907 event_formdata.length = new_val_len;
908 event_formdata.newlength = &newlength;
909 if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data) == FAILURE) {
910 efree(param);
911 efree(value);
912 continue;
913 }
914 new_val_len = newlength;
915 }
916 safe_php_register_variable(param, value, new_val_len, array_ptr, 0);
917 } else {
918 if (count == PG(max_input_vars) + 1) {
919 php_error_docref(NULL, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
920 }
921
922 if (php_rfc1867_callback != NULL) {
923 multipart_event_formdata event_formdata;
924
925 event_formdata.post_bytes_processed = SG(read_post_bytes);
926 event_formdata.name = param;
927 event_formdata.value = &value;
928 event_formdata.length = value_len;
929 event_formdata.newlength = NULL;
930 php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data);
931 }
932 }
933
934 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
935#ifdef HAVE_ATOLL
936 max_file_size = atoll(value);
937#else
938 max_file_size = strtoll(value, NULL, 10);
939#endif
940 }
941
942 efree(param);
943 efree(value);
944 continue;
945 }
946
947 /* If file_uploads=off, skip the file part */
948 if (!PG(file_uploads)) {
949 skip_upload = 1;
950 } else if (upload_cnt <= 0) {
951 skip_upload = 1;
952 sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
953 }
954
955 /* Return with an error if the posted data is garbled */
956 if (!param && !filename) {
957 sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
958 goto fileupload_done;
959 }
960
961 if (!param) {
962 is_anonymous = 1;
963 param = emalloc(MAX_SIZE_ANONNAME);
964 snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++);
965 } else {
966 is_anonymous = 0;
967 }
968
969 /* New Rule: never repair potential malicious user input */
970 if (!skip_upload) {
971 long c = 0;
972 tmp = param;
973
974 while (*tmp) {
975 if (*tmp == '[') {
976 c++;
977 } else if (*tmp == ']') {
978 c--;
979 if (tmp[1] && tmp[1] != '[') {
980 skip_upload = 1;
981 break;
982 }
983 }
984 if (c < 0) {
985 skip_upload = 1;
986 break;
987 }
988 tmp++;
989 }
990 /* Brackets should always be closed */
991 if(c != 0) {
992 skip_upload = 1;
993 }
994 }
995
996 total_bytes = cancel_upload = 0;
997 temp_filename = NULL;
998 fd = -1;
999
1000 if (!skip_upload && php_rfc1867_callback != NULL) {
1001 multipart_event_file_start event_file_start;
1002
1003 event_file_start.post_bytes_processed = SG(read_post_bytes);
1004 event_file_start.name = param;
1005 event_file_start.filename = &filename;
1006 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data) == FAILURE) {
1007 temp_filename = NULL;
1008 efree(param);
1009 efree(filename);
1010 continue;
1011 }
1012 }
1013
1014 if (skip_upload) {
1015 efree(param);
1016 efree(filename);
1017 continue;
1018 }
1019
1020 if (filename[0] == '\0') {
1021#if DEBUG_FILE_UPLOAD
1022 sapi_module.sapi_error(E_NOTICE, "No file uploaded");
1023#endif
1024 cancel_upload = UPLOAD_ERROR_D;
1025 }
1026
1027 offset = 0;
1028 end = 0;
1029
1030 if (!cancel_upload) {
1031 /* only bother to open temp file if we have data */
1032 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1033#if DEBUG_FILE_UPLOAD
1034 if (blen > 0) {
1035#else
1036 /* in non-debug mode we have no problem with 0-length files */
1037 {
1038#endif
1039 fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1);
1040 upload_cnt--;
1041 if (fd == -1) {
1042 sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
1043 cancel_upload = UPLOAD_ERROR_E;
1044 }
1045 }
1046 }
1047
1048 while (!cancel_upload && (blen > 0))
1049 {
1050 if (php_rfc1867_callback != NULL) {
1051 multipart_event_file_data event_file_data;
1052
1053 event_file_data.post_bytes_processed = SG(read_post_bytes);
1054 event_file_data.offset = offset;
1055 event_file_data.data = buff;
1056 event_file_data.length = blen;
1057 event_file_data.newlength = &blen;
1058 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data) == FAILURE) {
1059 cancel_upload = UPLOAD_ERROR_X;
1060 continue;
1061 }
1062 }
1063
1064 if (PG(upload_max_filesize) > 0 && (zend_long)(total_bytes+blen) > PG(upload_max_filesize)) {
1065#if DEBUG_FILE_UPLOAD
1066 sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
1067#endif
1068 cancel_upload = UPLOAD_ERROR_A;
1069 } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) {
1070#if DEBUG_FILE_UPLOAD
1071 sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1072#endif
1073 cancel_upload = UPLOAD_ERROR_B;
1074 } else if (blen > 0) {
1075#ifdef PHP_WIN32
1076 wlen = write(fd, buff, (unsigned int)blen);
1077#else
1078 wlen = write(fd, buff, blen);
1079#endif
1080
1081 if (wlen == -1) {
1082 /* write failed */
1083#if DEBUG_FILE_UPLOAD
1084 sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
1085#endif
1086 cancel_upload = UPLOAD_ERROR_F;
1087 } else if (wlen < blen) {
1088#if DEBUG_FILE_UPLOAD
1089 sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
1090#endif
1091 cancel_upload = UPLOAD_ERROR_F;
1092 } else {
1093 total_bytes += wlen;
1094 }
1095 offset += wlen;
1096 }
1097
1098 /* read data for next iteration */
1099 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1100 }
1101
1102 if (fd != -1) { /* may not be initialized if file could not be created */
1103 close(fd);
1104 }
1105
1106 if (!cancel_upload && !end) {
1107#if DEBUG_FILE_UPLOAD
1108 sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : "");
1109#endif
1110 cancel_upload = UPLOAD_ERROR_C;
1111 }
1112#if DEBUG_FILE_UPLOAD
1113 if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) {
1114 sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
1115 cancel_upload = 5;
1116 }
1117#endif
1118 if (php_rfc1867_callback != NULL) {
1119 multipart_event_file_end event_file_end;
1120
1121 event_file_end.post_bytes_processed = SG(read_post_bytes);
1122 event_file_end.temp_filename = ZSTR_VAL(temp_filename);
1123 event_file_end.cancel_upload = cancel_upload;
1124 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data) == FAILURE) {
1125 cancel_upload = UPLOAD_ERROR_X;
1126 }
1127 }
1128
1129 if (cancel_upload) {
1130 if (temp_filename) {
1131 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
1132 unlink(ZSTR_VAL(temp_filename));
1133 }
1134 zend_string_release(temp_filename);
1135 }
1136 temp_filename = NULL;
1137 } else {
1138 zend_hash_add_ptr(SG(rfc1867_uploaded_files), temp_filename, temp_filename);
1139 }
1140
1141 /* is_arr_upload is true when name of file upload field
1142 * ends in [.*]
1143 * start_arr is set to point to 1st [ */
1144 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
1145
1146 if (is_arr_upload) {
1147 array_len = (int)strlen(start_arr);
1148 if (array_index) {
1149 efree(array_index);
1150 }
1151 array_index = estrndup(start_arr + 1, array_len - 2);
1152 }
1153
1154 /* Add $foo_name */
1155 if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
1156 llen = (int)strlen(param);
1157 lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
1158 llen += MAX_SIZE_OF_INDEX + 1;
1159 }
1160
1161 if (is_arr_upload) {
1162 if (abuf) efree(abuf);
1163 abuf = estrndup(param, strlen(param)-array_len);
1164 snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
1165 } else {
1166 snprintf(lbuf, llen, "%s_name", param);
1167 }
1168
1169 /* The \ check should technically be needed for win32 systems only where
1170 * it is a valid path separator. However, IE in all it's wisdom always sends
1171 * the full path of the file on the user's filesystem, which means that unless
1172 * the user does basename() they get a bogus file name. Until IE's user base drops
1173 * to nill or problem is fixed this code must remain enabled for all systems. */
1174 s = _basename(internal_encoding, filename);
1175 if (!s) {
1176 s = filename;
1177 }
1178
1179 if (!is_anonymous) {
1180 safe_php_register_variable(lbuf, s, strlen(s), NULL, 0);
1181 }
1182
1183 /* Add $foo[name] */
1184 if (is_arr_upload) {
1185 snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
1186 } else {
1187 snprintf(lbuf, llen, "%s[name]", param);
1188 }
1189 register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0);
1190 efree(filename);
1191 s = NULL;
1192
1193 /* Possible Content-Type: */
1194 if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
1195 cd = "";
1196 } else {
1197 /* fix for Opera 6.01 */
1198 s = strchr(cd, ';');
1199 if (s != NULL) {
1200 *s = '\0';
1201 }
1202 }
1203
1204 /* Add $foo_type */
1205 if (is_arr_upload) {
1206 snprintf(lbuf, llen, "%s_type[%s]", abuf, array_index);
1207 } else {
1208 snprintf(lbuf, llen, "%s_type", param);
1209 }
1210 if (!is_anonymous) {
1211 safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0);
1212 }
1213
1214 /* Add $foo[type] */
1215 if (is_arr_upload) {
1216 snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
1217 } else {
1218 snprintf(lbuf, llen, "%s[type]", param);
1219 }
1220 register_http_post_files_variable(lbuf, cd, &PG(http_globals)[TRACK_VARS_FILES], 0);
1221
1222 /* Restore Content-Type Header */
1223 if (s != NULL) {
1224 *s = ';';
1225 }
1226 s = "";
1227
1228 {
1229 /* store temp_filename as-is (in case upload_tmp_dir
1230 * contains escapeable characters. escape only the variable name.) */
1231 zval zfilename;
1232
1233 /* Initialize variables */
1234 add_protected_variable(param);
1235
1236 /* if param is of form xxx[.*] this will cut it to xxx */
1237 if (!is_anonymous) {
1238 if (temp_filename) {
1239 ZVAL_STR_COPY(&zfilename, temp_filename);
1240 } else {
1241 ZVAL_EMPTY_STRING(&zfilename);
1242 }
1243 safe_php_register_variable_ex(param, &zfilename, NULL, 1);
1244 }
1245
1246 /* Add $foo[tmp_name] */
1247 if (is_arr_upload) {
1248 snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
1249 } else {
1250 snprintf(lbuf, llen, "%s[tmp_name]", param);
1251 }
1252 add_protected_variable(lbuf);
1253 if (temp_filename) {
1254 ZVAL_STR_COPY(&zfilename, temp_filename);
1255 } else {
1256 ZVAL_EMPTY_STRING(&zfilename);
1257 }
1258 register_http_post_files_variable_ex(lbuf, &zfilename, &PG(http_globals)[TRACK_VARS_FILES], 1);
1259 }
1260
1261 {
1262 zval file_size, error_type;
1263 int size_overflow = 0;
1264 char file_size_buf[65];
1265
1266 ZVAL_LONG(&error_type, cancel_upload);
1267
1268 /* Add $foo[error] */
1269 if (cancel_upload) {
1270 ZVAL_LONG(&file_size, 0);
1271 } else {
1272 if (total_bytes > ZEND_LONG_MAX) {
1273#ifdef PHP_WIN32
1274 if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) {
1275 file_size_buf[0] = '0';
1276 file_size_buf[1] = '\0';
1277 }
1278#else
1279 {
1280 int __len = snprintf(file_size_buf, 65, "%lld", total_bytes);
1281 file_size_buf[__len] = '\0';
1282 }
1283#endif
1284 size_overflow = 1;
1285
1286 } else {
1287 ZVAL_LONG(&file_size, total_bytes);
1288 }
1289 }
1290
1291 if (is_arr_upload) {
1292 snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
1293 } else {
1294 snprintf(lbuf, llen, "%s[error]", param);
1295 }
1296 register_http_post_files_variable_ex(lbuf, &error_type, &PG(http_globals)[TRACK_VARS_FILES], 0);
1297
1298 /* Add $foo_size */
1299 if (is_arr_upload) {
1300 snprintf(lbuf, llen, "%s_size[%s]", abuf, array_index);
1301 } else {
1302 snprintf(lbuf, llen, "%s_size", param);
1303 }
1304 if (!is_anonymous) {
1305 if (size_overflow) {
1306 ZVAL_STRING(&file_size, file_size_buf);
1307 }
1308 safe_php_register_variable_ex(lbuf, &file_size, NULL, size_overflow);
1309 }
1310
1311 /* Add $foo[size] */
1312 if (is_arr_upload) {
1313 snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
1314 } else {
1315 snprintf(lbuf, llen, "%s[size]", param);
1316 }
1317 if (size_overflow) {
1318 ZVAL_STRING(&file_size, file_size_buf);
1319 }
1320 register_http_post_files_variable_ex(lbuf, &file_size, &PG(http_globals)[TRACK_VARS_FILES], size_overflow);
1321 }
1322 efree(param);
1323 }
1324 }
1325
1326fileupload_done:
1327 if (php_rfc1867_callback != NULL) {
1328 multipart_event_end event_end;
1329
1330 event_end.post_bytes_processed = SG(read_post_bytes);
1331 php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data);
1332 }
1333
1334 if (lbuf) efree(lbuf);
1335 if (abuf) efree(abuf);
1336 if (array_index) efree(array_index);
1337 zend_hash_destroy(&PG(rfc1867_protected_variables));
1338 zend_llist_destroy(&header);
1339 if (mbuff->boundary_next) efree(mbuff->boundary_next);
1340 if (mbuff->boundary) efree(mbuff->boundary);
1341 if (mbuff->buffer) efree(mbuff->buffer);
1342 if (mbuff) efree(mbuff);
1343}
1344/* }}} */
1345
1346// SAPI_API void php_rfc1867_set_multibyte_callbacks(
1347// php_rfc1867_encoding_translation_t encoding_translation,
1348// php_rfc1867_get_detect_order_t get_detect_order,
1349// php_rfc1867_set_input_encoding_t set_input_encoding,
1350// php_rfc1867_getword_t getword,
1351// php_rfc1867_getword_conf_t getword_conf,
1352// php_rfc1867_basename_t basename) /* {{{ */
1353// {
1354// php_rfc1867_encoding_translation = encoding_translation;
1355// php_rfc1867_get_detect_order = get_detect_order;
1356// php_rfc1867_set_input_encoding = set_input_encoding;
1357// php_rfc1867_getword = getword;
1358// php_rfc1867_getword_conf = getword_conf;
1359// php_rfc1867_basename = basename;
1360// }
1361/* }}} */
1362
1363/*
1364 * Local variables:
1365 * tab-width: 4
1366 * c-basic-offset: 4
1367 * End:
1368 * vim600: sw=4 ts=4 fdm=marker
1369 * vim<600: sw=4 ts=4
1370 */
diff --git a/suhosin7.c b/suhosin7.c
index 6d6655a..2952629 100644
--- a/suhosin7.c
+++ b/suhosin7.c
@@ -356,15 +356,15 @@ PHP_INI_BEGIN()
356 STD_S7_INI_ENTRY("suhosin.post.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_nul) 356 STD_S7_INI_ENTRY("suhosin.post.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_nul)
357 STD_S7_INI_ENTRY("suhosin.post.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_ws) 357 STD_S7_INI_ENTRY("suhosin.post.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_ws)
358 // 358 //
359 // STD_S7_INI_ENTRY("suhosin.upload.max_uploads", "25", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_limit) 359 STD_S7_INI_ENTRY("suhosin.upload.max_uploads", "25", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_limit)
360 // STD_S7_INI_ENTRY("suhosin.upload.max_newlines", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_max_newlines) 360 STD_S7_INI_ENTRY("suhosin.upload.max_newlines", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_max_newlines)
361 // STD_S7_INI_ENTRY("suhosin.upload.disallow_elf", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_elf) 361 STD_S7_INI_ENTRY("suhosin.upload.disallow_elf", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_elf)
362 // STD_S7_INI_ENTRY("suhosin.upload.disallow_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_binary) 362 STD_S7_INI_ENTRY("suhosin.upload.disallow_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_binary)
363 // STD_S7_INI_ENTRY("suhosin.upload.remove_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_remove_binary) 363 STD_S7_INI_ENTRY("suhosin.upload.remove_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_remove_binary)
364#ifdef SUHOSIN7_EXPERIMENTAL 364#ifdef SUHOSIN7_EXPERIMENTAL
365 // STD_S7_INI_BOOLEAN("suhosin.upload.allow_utf8", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_allow_utf8) 365 STD_S7_INI_BOOLEAN("suhosin.upload.allow_utf8", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_allow_utf8)
366#endif 366#endif
367 // STD_S7_INI_ENTRY("suhosin.upload.verification_script", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadString, upload_verification_script) 367 STD_S7_INI_ENTRY("suhosin.upload.verification_script", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadString, upload_verification_script)
368 368
369 369
370 // STD_S7_INI_BOOLEAN("suhosin.sql.bailout_on_error", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSQLBool, sql_bailout_on_error) 370 // STD_S7_INI_BOOLEAN("suhosin.sql.bailout_on_error", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSQLBool, sql_bailout_on_error)
@@ -520,10 +520,14 @@ PHP_MINIT_FUNCTION(suhosin7)
520 suhosin_hook_execute(); 520 suhosin_hook_execute();
521 suhosin_hook_memory_limit(); 521 suhosin_hook_memory_limit();
522 // suhosin_hook_sha256(); 522 // suhosin_hook_sha256();
523 suhosin_hook_ex_imp();
524
523#ifdef HAVE_PHP_SESSION 525#ifdef HAVE_PHP_SESSION
524 suhosin_hook_session(); 526 suhosin_hook_session();
525#endif 527#endif
526 528
529 suhosin_hook_post_handlers();
530
527 return SUCCESS; 531 return SUCCESS;
528} 532}
529/* }}} */ 533/* }}} */
diff --git a/suhosin_rfc1867.h b/suhosin_rfc1867.h
new file mode 100644
index 0000000..5d946b0
--- /dev/null
+++ b/suhosin_rfc1867.h
@@ -0,0 +1,91 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2015 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Author: Stefan Esser <sesser@sektioneins.de> |
17 +----------------------------------------------------------------------+
18*/
19
20/* $Id: suhosin_rfc1867.h,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $ */
21
22#ifndef SUHOSIN_RFC1867_H
23#define SUHOSIN_RFC1867_H
24
25#include "rfc1867.h"
26#include "SAPI.h"
27
28// #define MULTIPART_CONTENT_TYPE "multipart/form-data"
29// #ifdef MULTIPART_EVENT_START
30// #define HAVE_RFC1867_CALLBACK 1
31// #else
32// #define HAVE_RFC1867_CALLBACK 0
33
34// #define MULTIPART_EVENT_START 0
35// #define MULTIPART_EVENT_FORMDATA 1
36// #define MULTIPART_EVENT_FILE_START 2
37// #define MULTIPART_EVENT_FILE_DATA 3
38// #define MULTIPART_EVENT_FILE_END 4
39// #define MULTIPART_EVENT_END 5
40//
41// typedef struct _multipart_event_start {
42// size_t content_length;
43// } multipart_event_start;
44//
45// typedef struct _multipart_event_formdata {
46// size_t post_bytes_processed;
47// char *name;
48// char **value;
49// size_t length;
50// size_t *newlength;
51// } multipart_event_formdata;
52//
53// typedef struct _multipart_event_file_start {
54// size_t post_bytes_processed;
55// char *name;
56// char **filename;
57// } multipart_event_file_start;
58//
59// typedef struct _multipart_event_file_data {
60// size_t post_bytes_processed;
61// zend_off_t offset;
62// char *data;
63// size_t length;
64// size_t *newlength;
65// } multipart_event_file_data;
66//
67// typedef struct _multipart_event_file_end {
68// size_t post_bytes_processed;
69// char *temp_filename;
70// int cancel_upload;
71// } multipart_event_file_end;
72//
73// typedef struct _multipart_event_end {
74// size_t post_bytes_processed;
75// } multipart_event_end;
76//
77//
78// #endif
79//
80int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra);
81
82SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler);
83
84// void destroy_uploaded_files_hash(TSRMLS_D);
85// #if !HAVE_RFC1867_CALLBACK
86// extern PHP_SUHOSIN_API int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra);
87// #else
88extern PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra);
89// #endif
90
91#endif /* SUHOSIN_RFC1867_H */
diff --git a/tests/filter/cookie_disallow_nul.phpt b/tests/filter/cookie_disallow_nul.phpt
new file mode 100644
index 0000000..fc9975c
--- /dev/null
+++ b/tests/filter/cookie_disallow_nul.phpt
@@ -0,0 +1,32 @@
1--TEST--
2input filter: suhosin.cookie.disallow_nul
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.disallow_nul=0
12suhosin.cookie.disallow_nul=1
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16var1=xx%001;var2=2;var3=xx%003;var4=4;
17--GET--
18--POST--
19--FILE--
20<?php
21var_dump($_COOKIE);
22?>
23--EXPECTF--
24array(2) {
25 ["var2"]=>
26 string(1) "2"
27 ["var4"]=>
28 string(1) "4"
29}
30ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
31ALERT - ASCII-NUL chars not allowed within COOKIE variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
32ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/cookie_disallow_ws.phpt b/tests/filter/cookie_disallow_ws.phpt
new file mode 100644
index 0000000..fa1f1d4
--- /dev/null
+++ b/tests/filter/cookie_disallow_ws.phpt
@@ -0,0 +1,31 @@
1--TEST--
2input filter: suhosin.cookie.disallow_ws
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.cookie.disallow_ws=1
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15+var1=1;var2=2;%20var3=3; var4=4;
16--GET--
17--POST--
18--FILE--
19<?php
20var_dump($_COOKIE);
21?>
22--EXPECTF--
23array(2) {
24 ["var2"]=>
25 string(1) "2"
26 ["var4"]=>
27 string(1) "4"
28}
29ALERT - COOKIE variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
30ALERT - COOKIE variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
31ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/cookie_max_array_depth.phpt b/tests/filter/cookie_max_array_depth.phpt
new file mode 100644
index 0000000..64614ef
--- /dev/null
+++ b/tests/filter/cookie_max_array_depth.phpt
@@ -0,0 +1,66 @@
1--TEST--
2input filter: suhosin.cookie.max_array_depth
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_depth=0
12suhosin.cookie.max_array_depth=4
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16var1[]=1;var2[][]=2;var3[][][]=3;var4[][][][]=4;var5[][][][][]=5;var6[][][][][][]=6;
17--GET--
18--POST--
19--FILE--
20<?php
21var_dump($_COOKIE);
22?>
23--EXPECTF--
24array(4) {
25 ["var1"]=>
26 array(1) {
27 [0]=>
28 string(1) "1"
29 }
30 ["var2"]=>
31 array(1) {
32 [0]=>
33 array(1) {
34 [0]=>
35 string(1) "2"
36 }
37 }
38 ["var3"]=>
39 array(1) {
40 [0]=>
41 array(1) {
42 [0]=>
43 array(1) {
44 [0]=>
45 string(1) "3"
46 }
47 }
48 }
49 ["var4"]=>
50 array(1) {
51 [0]=>
52 array(1) {
53 [0]=>
54 array(1) {
55 [0]=>
56 array(1) {
57 [0]=>
58 string(1) "4"
59 }
60 }
61 }
62 }
63}
64ALERT - configured COOKIE variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
65ALERT - configured COOKIE variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
66ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/cookie_max_array_index_length.phpt b/tests/filter/cookie_max_array_index_length.phpt
new file mode 100644
index 0000000..19eddd1
--- /dev/null
+++ b/tests/filter/cookie_max_array_index_length.phpt
@@ -0,0 +1,53 @@
1--TEST--
2input filter: suhosin.cookie.max_array_index_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_index_length=0
12suhosin.cookie.max_array_index_length=3
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1;
17--GET--
18--POST--
19--FILE--
20<?php
21var_dump($_COOKIE);
22?>
23--EXPECTF--
24array(3) {
25 ["var1"]=>
26 array(1) {
27 ["AAA"]=>
28 string(1) "1"
29 }
30 ["var3"]=>
31 array(1) {
32 ["AAA"]=>
33 array(1) {
34 ["BBB"]=>
35 string(1) "1"
36 }
37 }
38 ["var5"]=>
39 array(1) {
40 ["AAA"]=>
41 array(1) {
42 ["BBB"]=>
43 array(1) {
44 ["CCC"]=>
45 string(1) "1"
46 }
47 }
48 }
49}
50ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
51ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
52ALERT - configured COOKIE variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
53ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/cookie_max_name_length.phpt b/tests/filter/cookie_max_name_length.phpt
new file mode 100644
index 0000000..04f9537
--- /dev/null
+++ b/tests/filter/cookie_max_name_length.phpt
@@ -0,0 +1,43 @@
1--TEST--
2input filter: suhosin.cookie.max_name_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_varname_length=0
12suhosin.cookie.max_name_length=4
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
17--GET--
18--POST--
19--FILE--
20<?php
21var_dump($_COOKIE);
22?>
23--EXPECTF--
24array(4) {
25 ["var"]=>
26 string(1) "0"
27 ["var1"]=>
28 string(1) "1"
29 ["var2"]=>
30 array(1) {
31 [0]=>
32 string(1) "2"
33 }
34 ["var3"]=>
35 array(1) {
36 ["xxx"]=>
37 string(1) "3"
38 }
39}
40ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
41ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
42ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
43ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/cookie_max_totalname_length.phpt b/tests/filter/cookie_max_totalname_length.phpt
new file mode 100644
index 0000000..6b9bb76
--- /dev/null
+++ b/tests/filter/cookie_max_totalname_length.phpt
@@ -0,0 +1,44 @@
1--TEST--
2input filter: suhosin.cookie.max_totalname_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_totalname_length=0
12suhosin.cookie.max_totalname_length=7
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
17--GET--
18--POST--
19--FILE--
20<?php
21var_dump($_COOKIE);
22?>
23--EXPECTF--
24array(5) {
25 ["var"]=>
26 string(1) "0"
27 ["var1"]=>
28 string(1) "1"
29 ["var2"]=>
30 array(1) {
31 [0]=>
32 string(1) "2"
33 }
34 ["var04"]=>
35 string(1) "4"
36 ["var05"]=>
37 array(1) {
38 [0]=>
39 string(1) "5"
40 }
41}
42ALERT - configured COOKIE variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
43ALERT - configured COOKIE variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
44ALERT - dropped 2 request variables - (0 in GET, 0 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/cookie_max_value_length.phpt b/tests/filter/cookie_max_value_length.phpt
new file mode 100644
index 0000000..f3d3ba8
--- /dev/null
+++ b/tests/filter/cookie_max_value_length.phpt
@@ -0,0 +1,35 @@
1--TEST--
2input filter: suhosin.cookie.max_value_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_value_length=0
12suhosin.cookie.max_value_length=3
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
17--GET--
18--POST--
19--FILE--
20<?php
21var_dump($_COOKIE);
22?>
23--EXPECTF--
24array(3) {
25 ["var1"]=>
26 string(1) "1"
27 ["var2"]=>
28 string(2) "22"
29 ["var3"]=>
30 string(3) "333"
31}
32ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
33ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
34ALERT - configured COOKIE variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
35ALERT - dropped 3 request variables - (0 in GET, 0 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/cookie_max_vars.phpt b/tests/filter/cookie_max_vars.phpt
new file mode 100644
index 0000000..7389adb
--- /dev/null
+++ b/tests/filter/cookie_max_vars.phpt
@@ -0,0 +1,30 @@
1--TEST--
2input filter: suhosin.cookie.max_vars
3--SKIPIF--
4<?php include "../skipif.inc"; ?>
5--INI--
6suhosin.log.syslog=0
7suhosin.log.sapi=0
8suhosin.log.script=0
9suhosin.log.file=255
10suhosin.log.file.time=0
11suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
12auto_append_file={PWD}/suhosintest.$$.log.tmp
13suhosin.cookie.max_vars=3
14--COOKIE--
15a=1; b=2; c=3; d=4
16--FILE--
17<?php
18var_dump($_COOKIE);
19?>
20--EXPECTF--
21array(3) {
22 ["a"]=>
23 string(1) "1"
24 ["b"]=>
25 string(1) "2"
26 ["c"]=>
27 string(1) "3"
28}
29ALERT - configured COOKIE variable limit exceeded - dropped variable 'd' - all further COOKIE variables are dropped (attacker '%s', file '%s')
30ALERT - dropped 1 request variables - (0 in GET, 0 in POST, 1 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/filter_logging_statistics.phpt b/tests/filter/filter_logging_statistics.phpt
new file mode 100644
index 0000000..a4119b3
--- /dev/null
+++ b/tests/filter/filter_logging_statistics.phpt
@@ -0,0 +1,43 @@
1--TEST--
2suhosin variable filter logging statistics
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.get.max_vars=5
12error_reporting=E_ALL
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17A=A&B=B&C=C&D=D&E=E&F=F&G=G&
18--POST--
19--FILE--
20<?php
21$counter++;
22if ($counter < 5) {
23 include __FILE__;
24} else {
25 var_dump($_GET);
26}
27?>
28--EXPECTF--
29Notice: Undefined variable: counter in %s on line 2
30array(5) {
31 ["A"]=>
32 string(1) "A"
33 ["B"]=>
34 string(1) "B"
35 ["C"]=>
36 string(1) "C"
37 ["D"]=>
38 string(1) "D"
39 ["E"]=>
40 string(1) "E"
41}
42ALERT - configured GET variable limit exceeded - dropped variable 'F' - all further GET variables are dropped (attacker 'REMOTE_ADDR not set', file '%s')
43ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) %s
diff --git a/tests/filter/get_allow_ws.phpt b/tests/filter/get_allow_ws.phpt
new file mode 100644
index 0000000..190e44c
--- /dev/null
+++ b/tests/filter/get_allow_ws.phpt
@@ -0,0 +1,56 @@
1--TEST--
2input filter: allow whitespace
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.stdout=255
7suhosin.log.script=0
8suhosin.request.disallow_ws=0
9suhosin.get.disallow_ws=0
10suhosin.post.disallow_ws=0
11suhosin.cookie.disallow_ws=0
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15+var1=1;var2=2;%20var3=3; var4=4;
16--GET--
17+var1=1&var2=2&%20var3=3& var4=4&
18--POST--
19+var1=1&var2=2&%20var3=3& var4=4&
20--FILE--
21<?php
22var_dump($_GET);
23var_dump($_POST);
24var_dump($_COOKIE);
25?>
26--EXPECTF--
27array(4) {
28 ["var1"]=>
29 string(1) "1"
30 ["var2"]=>
31 string(1) "2"
32 ["var3"]=>
33 string(1) "3"
34 ["var4"]=>
35 string(1) "4"
36}
37array(4) {
38 ["var1"]=>
39 string(1) "1"
40 ["var2"]=>
41 string(1) "2"
42 ["var3"]=>
43 string(1) "3"
44 ["var4"]=>
45 string(1) "4"
46}
47array(4) {
48 ["var1"]=>
49 string(1) "1"
50 ["var2"]=>
51 string(1) "2"
52 ["var3"]=>
53 string(1) "3"
54 ["var4"]=>
55 string(1) "4"
56} \ No newline at end of file
diff --git a/tests/filter/get_disallow_nul.phpt b/tests/filter/get_disallow_nul.phpt
new file mode 100644
index 0000000..6432a4e
--- /dev/null
+++ b/tests/filter/get_disallow_nul.phpt
@@ -0,0 +1,32 @@
1--TEST--
2input filter: suhosin.get.disallow_nul
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.disallow_nul=0
12suhosin.get.disallow_nul=1
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17var1=xx%001&var2=2&var3=xx%003&var4=4&
18--POST--
19--FILE--
20<?php
21var_dump($_GET);
22?>
23--EXPECTF--
24array(2) {
25 ["var2"]=>
26 string(1) "2"
27 ["var4"]=>
28 string(1) "4"
29}
30ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
31ALERT - ASCII-NUL chars not allowed within GET variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
32ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/get_disallow_ws.phpt b/tests/filter/get_disallow_ws.phpt
new file mode 100644
index 0000000..c7b57de
--- /dev/null
+++ b/tests/filter/get_disallow_ws.phpt
@@ -0,0 +1,30 @@
1--TEST--
2input filter: suhosin.get.disallow_ws
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.get.disallow_ws=1
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15--GET--
16+var1=1&var2=2&%20var3=3& var4=4&
17--POST--
18--FILE--
19<?php
20var_dump($_GET);
21?>
22--EXPECTF--
23array(1) {
24 ["var2"]=>
25 string(1) "2"
26}
27ALERT - GET variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
28ALERT - GET variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
29ALERT - GET variable name begins with disallowed whitespace - dropped variable ' var4' (attacker 'REMOTE_ADDR not set', file '%s')
30ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/get_filter_1.phpt b/tests/filter/get_filter_1.phpt
new file mode 100644
index 0000000..7bd9cc3
--- /dev/null
+++ b/tests/filter/get_filter_1.phpt
@@ -0,0 +1,45 @@
1--TEST--
2suhosin GET filter (disallowed variable names)
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11--SKIPIF--
12<?php include('../skipif.inc'); ?>
13--COOKIE--
14--GET--
15HTTP_RAW_POST_DATA=HTTP_RAW_POST_DATA&HTTP_SESSION_VARS=HTTP_SESSION_VARS&harmless1=harmless1&HTTP_SERVER_VARS=HTTP_SERVER_VARS&HTTP_COOKIE_VARS=HTTP_COOKIE_VARS&HTTP_POST_FILES=HTTP_POST_FILES&HTTP_POST_VARS=HTTP_POST_VARS&HTTP_GET_VARS=HTTP_GET_VARS&HTTP_ENV_VARS=HTTP_ENV_VARS&_SESSION=_SESSION&_REQUEST=_REQUEST&GLOBALS=GLOBALS&_COOKIE=_COOKIE&_SERVER=_SERVER&_FILES=_FILES&_POST=_POST&_ENV=_ENV&_GET=_GET&harmless2=harmless2&
16--POST--
17--FILE--
18<?php
19var_dump($_GET);
20?>
21--EXPECTF--
22array(2) {
23 ["harmless1"]=>
24 string(9) "harmless1"
25 ["harmless2"]=>
26 string(9) "harmless2"
27}
28ALERT - tried to register forbidden variable 'HTTP_RAW_POST_DATA' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
29ALERT - tried to register forbidden variable 'HTTP_SESSION_VARS' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
30ALERT - tried to register forbidden variable 'HTTP_SERVER_VARS' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
31ALERT - tried to register forbidden variable 'HTTP_COOKIE_VARS' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
32ALERT - tried to register forbidden variable 'HTTP_POST_FILES' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
33ALERT - tried to register forbidden variable 'HTTP_POST_VARS' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
34ALERT - tried to register forbidden variable 'HTTP_GET_VARS' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
35ALERT - tried to register forbidden variable 'HTTP_ENV_VARS' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
36ALERT - tried to register forbidden variable '_SESSION' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
37ALERT - tried to register forbidden variable '_REQUEST' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
38ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
39ALERT - tried to register forbidden variable '_COOKIE' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
40ALERT - tried to register forbidden variable '_SERVER' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
41ALERT - tried to register forbidden variable '_FILES' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
42ALERT - tried to register forbidden variable '_POST' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
43ALERT - tried to register forbidden variable '_ENV' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
44ALERT - tried to register forbidden variable '_GET' through GET variables (attacker 'REMOTE_ADDR not set', file '%s')
45ALERT - dropped 17 request variables - (17 in GET, 0 in POST, 0 in COOKIE) %s
diff --git a/tests/filter/get_filter_2.phpt b/tests/filter/get_filter_2.phpt
new file mode 100644
index 0000000..1e5d04c
--- /dev/null
+++ b/tests/filter/get_filter_2.phpt
@@ -0,0 +1,36 @@
1--TEST--
2suhosin GET filter (suhosin.get.max_vars)
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.get.max_vars=5
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15--GET--
16A=A&B=B&C=C&D=D&E=E&F=F&G=G&
17--POST--
18--FILE--
19<?php
20var_dump($_GET);
21?>
22--EXPECTF--
23array(5) {
24 ["A"]=>
25 string(1) "A"
26 ["B"]=>
27 string(1) "B"
28 ["C"]=>
29 string(1) "C"
30 ["D"]=>
31 string(1) "D"
32 ["E"]=>
33 string(1) "E"
34}
35ALERT - configured GET variable limit exceeded - dropped variable 'F' - all further GET variables are dropped (attacker 'REMOTE_ADDR not set', file '%s')
36ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) %s
diff --git a/tests/filter/get_globals.phpt b/tests/filter/get_globals.phpt
new file mode 100644
index 0000000..f16991b
--- /dev/null
+++ b/tests/filter/get_globals.phpt
@@ -0,0 +1,24 @@
1--TEST--
2Testing: GLOBALS in GET
3--SKIPIF--
4<?php include "../skipifcli.inc"; ?>
5--INI--
6suhosin.log.syslog=0
7suhosin.log.sapi=255
8suhosin.log.script=255
9suhosin.log.script.name=/tmp/xx
10--GET--
11a=1&b=2&GLOBALS=123&c=3
12--FILE--
13<?php
14 var_dump($_GET['a']);
15 var_dump($_GET['b']);
16 var_dump($_GET['c']);
17 if (!isset($_GET['GLOBALS'])) var_dump(5);
18 else var_dump(0);
19?>
20--EXPECT--
21string(1) "1"
22string(1) "2"
23string(1) "3"
24int(5)
diff --git a/tests/filter/get_max_array_depth.phpt b/tests/filter/get_max_array_depth.phpt
new file mode 100644
index 0000000..2be4af1
--- /dev/null
+++ b/tests/filter/get_max_array_depth.phpt
@@ -0,0 +1,66 @@
1--TEST--
2input filter: suhosin.get.max_array_depth
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_depth=0
12suhosin.get.max_array_depth=4
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6&
18--POST--
19--FILE--
20<?php
21var_dump($_GET);
22?>
23--EXPECTF--
24array(4) {
25 ["var1"]=>
26 array(1) {
27 [0]=>
28 string(1) "1"
29 }
30 ["var2"]=>
31 array(1) {
32 [0]=>
33 array(1) {
34 [0]=>
35 string(1) "2"
36 }
37 }
38 ["var3"]=>
39 array(1) {
40 [0]=>
41 array(1) {
42 [0]=>
43 array(1) {
44 [0]=>
45 string(1) "3"
46 }
47 }
48 }
49 ["var4"]=>
50 array(1) {
51 [0]=>
52 array(1) {
53 [0]=>
54 array(1) {
55 [0]=>
56 array(1) {
57 [0]=>
58 string(1) "4"
59 }
60 }
61 }
62 }
63}
64ALERT - configured GET variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
65ALERT - configured GET variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
66ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/get_max_array_index_length.phpt b/tests/filter/get_max_array_index_length.phpt
new file mode 100644
index 0000000..65c8d18
--- /dev/null
+++ b/tests/filter/get_max_array_index_length.phpt
@@ -0,0 +1,53 @@
1--TEST--
2input filter: suhosin.get.max_array_index_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_index_length=0
12suhosin.get.max_array_index_length=3
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
18--POST--
19--FILE--
20<?php
21var_dump($_GET);
22?>
23--EXPECTF--
24array(3) {
25 ["var1"]=>
26 array(1) {
27 ["AAA"]=>
28 string(1) "1"
29 }
30 ["var3"]=>
31 array(1) {
32 ["AAA"]=>
33 array(1) {
34 ["BBB"]=>
35 string(1) "1"
36 }
37 }
38 ["var5"]=>
39 array(1) {
40 ["AAA"]=>
41 array(1) {
42 ["BBB"]=>
43 array(1) {
44 ["CCC"]=>
45 string(1) "1"
46 }
47 }
48 }
49}
50ALERT - configured GET variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
51ALERT - configured GET variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
52ALERT - configured GET variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
53ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/get_max_name_length.phpt b/tests/filter/get_max_name_length.phpt
new file mode 100644
index 0000000..ef2f4a2
--- /dev/null
+++ b/tests/filter/get_max_name_length.phpt
@@ -0,0 +1,43 @@
1--TEST--
2input filter: suhosin.get.max_name_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_varname_length=0
12suhosin.get.max_name_length=4
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
18--POST--
19--FILE--
20<?php
21var_dump($_GET);
22?>
23--EXPECTF--
24array(4) {
25 ["var"]=>
26 string(1) "0"
27 ["var1"]=>
28 string(1) "1"
29 ["var2"]=>
30 array(1) {
31 [0]=>
32 string(1) "2"
33 }
34 ["var3"]=>
35 array(1) {
36 ["xxx"]=>
37 string(1) "3"
38 }
39}
40ALERT - configured GET variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
41ALERT - configured GET variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
42ALERT - configured GET variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
43ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/get_max_totalname_length.phpt b/tests/filter/get_max_totalname_length.phpt
new file mode 100644
index 0000000..83c7ffe
--- /dev/null
+++ b/tests/filter/get_max_totalname_length.phpt
@@ -0,0 +1,44 @@
1--TEST--
2input filter: suhosin.get.max_totalname_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_totalname_length=0
12suhosin.get.max_totalname_length=7
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
18--POST--
19--FILE--
20<?php
21var_dump($_GET);
22?>
23--EXPECTF--
24array(5) {
25 ["var"]=>
26 string(1) "0"
27 ["var1"]=>
28 string(1) "1"
29 ["var2"]=>
30 array(1) {
31 [0]=>
32 string(1) "2"
33 }
34 ["var04"]=>
35 string(1) "4"
36 ["var05"]=>
37 array(1) {
38 [0]=>
39 string(1) "5"
40 }
41}
42ALERT - configured GET variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
43ALERT - configured GET variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
44ALERT - dropped 2 request variables - (2 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/get_max_value_length.phpt b/tests/filter/get_max_value_length.phpt
new file mode 100644
index 0000000..a3c4435
--- /dev/null
+++ b/tests/filter/get_max_value_length.phpt
@@ -0,0 +1,35 @@
1--TEST--
2input filter: suhosin.get.max_value_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_value_length=0
12suhosin.get.max_value_length=3
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
18--POST--
19--FILE--
20<?php
21var_dump($_GET);
22?>
23--EXPECTF--
24array(3) {
25 ["var1"]=>
26 string(1) "1"
27 ["var2"]=>
28 string(2) "22"
29 ["var3"]=>
30 string(3) "333"
31}
32ALERT - configured GET variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
33ALERT - configured GET variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
34ALERT - configured GET variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
35ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/input_filter_allow_nul.phpt b/tests/filter/input_filter_allow_nul.phpt
new file mode 100644
index 0000000..e33ef67
--- /dev/null
+++ b/tests/filter/input_filter_allow_nul.phpt
Binary files differ
diff --git a/tests/filter/input_filter_request_max_value_length.phpt b/tests/filter/input_filter_request_max_value_length.phpt
new file mode 100644
index 0000000..27b399e
--- /dev/null
+++ b/tests/filter/input_filter_request_max_value_length.phpt
@@ -0,0 +1,61 @@
1--TEST--
2input filter: suhosin.request.max_value_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_value_length=3
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15var1=1;var2=22;var3=333;var4=4444;var5=55%00555;var6=666666;
16--GET--
17var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
18--POST--
19var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
20--FILE--
21<?php
22var_dump($_GET);
23var_dump($_POST);
24var_dump($_COOKIE);
25?>
26--EXPECTF--
27array(3) {
28 ["var1"]=>
29 string(1) "1"
30 ["var2"]=>
31 string(2) "22"
32 ["var3"]=>
33 string(3) "333"
34}
35array(3) {
36 ["var1"]=>
37 string(1) "1"
38 ["var2"]=>
39 string(2) "22"
40 ["var3"]=>
41 string(3) "333"
42}
43array(3) {
44 ["var1"]=>
45 string(1) "1"
46 ["var2"]=>
47 string(2) "22"
48 ["var3"]=>
49 string(3) "333"
50}
51ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
52ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
53ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
54ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
55ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
56ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
57ALERT - configured request variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
58ALERT - configured request variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
59ALERT - configured request variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
60ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
61
diff --git a/tests/filter/post_disallow_nul.phpt b/tests/filter/post_disallow_nul.phpt
new file mode 100644
index 0000000..395d096
--- /dev/null
+++ b/tests/filter/post_disallow_nul.phpt
@@ -0,0 +1,32 @@
1--TEST--
2input filter: suhosin.post.disallow_nul
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.disallow_nul=0
12suhosin.post.disallow_nul=1
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST--
18var1=xx%001&var2=2&var3=xx%003&var4=4&
19--FILE--
20<?php
21var_dump($_POST);
22?>
23--EXPECTF--
24array(2) {
25 ["var2"]=>
26 string(1) "2"
27 ["var4"]=>
28 string(1) "4"
29}
30ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
31ALERT - ASCII-NUL chars not allowed within POST variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
32ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_disallow_nul_rfc1867.phpt b/tests/filter/post_disallow_nul_rfc1867.phpt
new file mode 100644
index 0000000..887873a
--- /dev/null
+++ b/tests/filter/post_disallow_nul_rfc1867.phpt
Binary files differ
diff --git a/tests/filter/post_disallow_ws.phpt b/tests/filter/post_disallow_ws.phpt
new file mode 100644
index 0000000..f8abbfd
--- /dev/null
+++ b/tests/filter/post_disallow_ws.phpt
@@ -0,0 +1,31 @@
1--TEST--
2input filter: suhosin.post.disallow_ws
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.post.disallow_ws=1
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15--GET--
16--POST--
17+var1=1&var2=2&%20var3=3& var4=4& var5=5&
18--FILE--
19<?php
20var_dump($_POST);
21?>
22--EXPECTF--
23array(1) {
24 ["var2"]=>
25 string(1) "2"
26}
27ALERT - POST variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
28ALERT - POST variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
29ALERT - POST variable name begins with disallowed whitespace - dropped variable ' var4' (attacker 'REMOTE_ADDR not set', file '%s')
30ALERT - POST variable name begins with disallowed whitespace - dropped variable '.var5' (attacker 'REMOTE_ADDR not set', file '%s')
31ALERT - dropped 4 request variables - (0 in GET, 4 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt
new file mode 100644
index 0000000..6406687
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,44 @@
1--TEST--
2suhosin file upload filter (array index character whitelist)
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11file_uploads=1
12suhosin.request.array_index_char_blacklist=ABC
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST_RAW--
18Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
19-----------------------------20896060251896012921717172737
20Content-Disposition: form-data; name="fn[foo][bar]"
21
22ok
23-----------------------------20896060251896012921717172737
24Content-Disposition: form-data; name="fn[foo][BAR]"
25
26bad
27-----------------------------20896060251896012921717172737--
28--FILE--
29<?php
30var_dump($_POST);
31?>
32--EXPECTF--
33array(1) {
34 ["fn"]=>
35 array(1) {
36 ["foo"]=>
37 array(1) {
38 ["bar"]=>
39 string(2) "ok"
40 }
41 }
42}
43ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
44ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt
new file mode 100644
index 0000000..80052d6
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,44 @@
1--TEST--
2suhosin file upload filter (array index character whitelist)
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11file_uploads=1
12suhosin.request.array_index_char_whitelist=abcdefghijklmnopqrstuvwxyz
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST_RAW--
18Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
19-----------------------------20896060251896012921717172737
20Content-Disposition: form-data; name="fn[foo][bar]"
21
22ok
23-----------------------------20896060251896012921717172737
24Content-Disposition: form-data; name="fn[foo][BAR]"
25
26bad
27-----------------------------20896060251896012921717172737--
28--FILE--
29<?php
30var_dump($_POST);
31?>
32--EXPECTF--
33array(1) {
34 ["fn"]=>
35 array(1) {
36 ["foo"]=>
37 array(1) {
38 ["bar"]=>
39 string(2) "ok"
40 }
41 }
42}
43ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
44ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_fileupload_filter_1.phpt b/tests/filter/post_fileupload_filter_1.phpt
new file mode 100644
index 0000000..401b4be
--- /dev/null
+++ b/tests/filter/post_fileupload_filter_1.phpt
@@ -0,0 +1,118 @@
1--TEST--
2suhosin rfc1867 file upload filter (disallowed variable names)
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11file_uploads=1
12upload_max_filesize=1024
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST_RAW--
18Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
19-----------------------------20896060251896012921717172737
20Content-Disposition: form-data; name="HTTP_RAW_POST_DATA"
21
22HTTP_RAW_POST_DATA
23-----------------------------20896060251896012921717172737
24Content-Disposition: form-data; name="HTTP_SESSION_VARS"
25
26HTTP_SESSION_VARS
27-----------------------------20896060251896012921717172737
28Content-Disposition: form-data; name="HTTP_SERVER_VARS"
29
30HTTP_SERVER_VARS
31-----------------------------20896060251896012921717172737
32Content-Disposition: form-data; name="HTTP_COOKIE_VARS"
33
34HTTP_COOKIE_VARS
35-----------------------------20896060251896012921717172737
36Content-Disposition: form-data; name="HTTP_POST_FILES"
37
38HTTP_POST_FILES
39-----------------------------20896060251896012921717172737
40Content-Disposition: form-data; name="HTTP_POST_VARS"
41
42HTTP_POST_VARS
43-----------------------------20896060251896012921717172737
44Content-Disposition: form-data; name="HTTP_GET_VARS"
45
46HTTP_GET_VARS
47-----------------------------20896060251896012921717172737
48Content-Disposition: form-data; name="HTTP_ENV_VARS"
49
50HTTP_ENV_VARS
51-----------------------------20896060251896012921717172737
52Content-Disposition: form-data; name="_SESSION"
53
54_SESSION
55-----------------------------20896060251896012921717172737
56Content-Disposition: form-data; name="_REQUEST"
57
58_REQUEST
59-----------------------------20896060251896012921717172737
60Content-Disposition: form-data; name="GLOBALS"
61
62GLOBALS
63-----------------------------20896060251896012921717172737
64Content-Disposition: form-data; name="_COOKIE"
65
66_COOKIE
67-----------------------------20896060251896012921717172737
68Content-Disposition: form-data; name="_SERVER"
69
70_SERVER
71-----------------------------20896060251896012921717172737
72Content-Disposition: form-data; name="_FILES"
73
74_FILES
75-----------------------------20896060251896012921717172737
76Content-Disposition: form-data; name="_POST"
77
78_POST
79-----------------------------20896060251896012921717172737
80Content-Disposition: form-data; name="_ENV"
81
82_ENV
83-----------------------------20896060251896012921717172737
84Content-Disposition: form-data; name="_GET"
85
86_GET
87-----------------------------20896060251896012921717172737
88Content-Disposition: form-data; name="harmless"
89
90harmless
91-----------------------------20896060251896012921717172737--
92--FILE--
93<?php
94var_dump($_POST);
95?>
96--EXPECTF--
97array(1) {
98 ["harmless"]=>
99 string(8) "harmless"
100}
101ALERT - tried to register forbidden variable 'HTTP_RAW_POST_DATA' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
102ALERT - tried to register forbidden variable 'HTTP_SESSION_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
103ALERT - tried to register forbidden variable 'HTTP_SERVER_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
104ALERT - tried to register forbidden variable 'HTTP_COOKIE_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
105ALERT - tried to register forbidden variable 'HTTP_POST_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
106ALERT - tried to register forbidden variable 'HTTP_POST_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
107ALERT - tried to register forbidden variable 'HTTP_GET_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
108ALERT - tried to register forbidden variable 'HTTP_ENV_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
109ALERT - tried to register forbidden variable '_SESSION' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
110ALERT - tried to register forbidden variable '_REQUEST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
111ALERT - tried to register forbidden variable 'GLOBALS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
112ALERT - tried to register forbidden variable '_COOKIE' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
113ALERT - tried to register forbidden variable '_SERVER' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
114ALERT - tried to register forbidden variable '_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
115ALERT - tried to register forbidden variable '_POST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
116ALERT - tried to register forbidden variable '_ENV' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
117ALERT - tried to register forbidden variable '_GET' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
118ALERT - dropped 17 request variables - (0 in GET, 17 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s) \ No newline at end of file
diff --git a/tests/filter/post_fileupload_filter_2.phpt b/tests/filter/post_fileupload_filter_2.phpt
new file mode 100644
index 0000000..939b7fc
--- /dev/null
+++ b/tests/filter/post_fileupload_filter_2.phpt
@@ -0,0 +1,67 @@
1--TEST--
2suhosin rfc1867 file upload filter (suhosin.post.max_vars)
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.post.max_vars=5
12file_uploads=1
13upload_max_filesize=1024
14--SKIPIF--
15<?php include('../skipif.inc'); ?>
16--COOKIE--
17--GET--
18--POST_RAW--
19Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
20-----------------------------20896060251896012921717172737
21Content-Disposition: form-data; name="A"
22
23A
24-----------------------------20896060251896012921717172737
25Content-Disposition: form-data; name="B"
26
27B
28-----------------------------20896060251896012921717172737
29Content-Disposition: form-data; name="C"
30
31C
32-----------------------------20896060251896012921717172737
33Content-Disposition: form-data; name="D"
34
35D
36-----------------------------20896060251896012921717172737
37Content-Disposition: form-data; name="E"
38
39E
40-----------------------------20896060251896012921717172737
41Content-Disposition: form-data; name="F"
42
43F
44-----------------------------20896060251896012921717172737
45Content-Disposition: form-data; name="G"
46
47G
48-----------------------------20896060251896012921717172737--
49--FILE--
50<?php
51var_dump($_POST);
52?>
53--EXPECTF--
54array(5) {
55 ["A"]=>
56 string(1) "A"
57 ["B"]=>
58 string(1) "B"
59 ["C"]=>
60 string(1) "C"
61 ["D"]=>
62 string(1) "D"
63 ["E"]=>
64 string(1) "E"
65}
66ALERT - configured POST variable limit exceeded - dropped variable 'F' - all further POST variables are dropped (attacker 'REMOTE_ADDR not set', file '%s')
67ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_filter_1.phpt b/tests/filter/post_filter_1.phpt
new file mode 100644
index 0000000..16ee164
--- /dev/null
+++ b/tests/filter/post_filter_1.phpt
@@ -0,0 +1,45 @@
1--TEST--
2suhosin POST filter (disallowed variable names)
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11--SKIPIF--
12<?php include('../skipif.inc'); ?>
13--COOKIE--
14--GET--
15--POST--
16HTTP_RAW_POST_DATA=HTTP_RAW_POST_DATA&HTTP_SESSION_VARS=HTTP_SESSION_VARS&harmless1=harmless1&HTTP_SERVER_VARS=HTTP_SERVER_VARS&HTTP_COOKIE_VARS=HTTP_COOKIE_VARS&HTTP_POST_FILES=HTTP_POST_FILES&HTTP_POST_VARS=HTTP_POST_VARS&HTTP_GET_VARS=HTTP_GET_VARS&HTTP_ENV_VARS=HTTP_ENV_VARS&_SESSION=_SESSION&_REQUEST=_REQUEST&GLOBALS=GLOBALS&_COOKIE=_COOKIE&_SERVER=_SERVER&_FILES=_FILES&_POST=_POST&_ENV=_ENV&_GET=_GET&harmless2=harmless2&
17--FILE--
18<?php
19var_dump($_POST);
20?>
21--EXPECTF--
22array(2) {
23 ["harmless1"]=>
24 string(9) "harmless1"
25 ["harmless2"]=>
26 string(9) "harmless2"
27}
28ALERT - tried to register forbidden variable 'HTTP_RAW_POST_DATA' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
29ALERT - tried to register forbidden variable 'HTTP_SESSION_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
30ALERT - tried to register forbidden variable 'HTTP_SERVER_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
31ALERT - tried to register forbidden variable 'HTTP_COOKIE_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
32ALERT - tried to register forbidden variable 'HTTP_POST_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
33ALERT - tried to register forbidden variable 'HTTP_POST_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
34ALERT - tried to register forbidden variable 'HTTP_GET_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
35ALERT - tried to register forbidden variable 'HTTP_ENV_VARS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
36ALERT - tried to register forbidden variable '_SESSION' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
37ALERT - tried to register forbidden variable '_REQUEST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
38ALERT - tried to register forbidden variable 'GLOBALS' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
39ALERT - tried to register forbidden variable '_COOKIE' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
40ALERT - tried to register forbidden variable '_SERVER' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
41ALERT - tried to register forbidden variable '_FILES' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
42ALERT - tried to register forbidden variable '_POST' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
43ALERT - tried to register forbidden variable '_ENV' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
44ALERT - tried to register forbidden variable '_GET' through POST variables (attacker 'REMOTE_ADDR not set', file '%s')
45ALERT - dropped 17 request variables - (0 in GET, 17 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_filter_2.phpt b/tests/filter/post_filter_2.phpt
new file mode 100644
index 0000000..b70b120
--- /dev/null
+++ b/tests/filter/post_filter_2.phpt
@@ -0,0 +1,36 @@
1--TEST--
2suhosin POST filter (suhosin.post.max_vars)
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.post.max_vars=5
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15--GET--
16--POST--
17A=A&B=B&C=C&D=D&E=E&F=F&G=G&
18--FILE--
19<?php
20var_dump($_POST);
21?>
22--EXPECTF--
23array(5) {
24 ["A"]=>
25 string(1) "A"
26 ["B"]=>
27 string(1) "B"
28 ["C"]=>
29 string(1) "C"
30 ["D"]=>
31 string(1) "D"
32 ["E"]=>
33 string(1) "E"
34}
35ALERT - configured POST variable limit exceeded - dropped variable 'F' - all further POST variables are dropped (attacker 'REMOTE_ADDR not set', file '%s')
36ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_filter_empty_avar.phpt b/tests/filter/post_filter_empty_avar.phpt
new file mode 100644
index 0000000..d09990c
--- /dev/null
+++ b/tests/filter/post_filter_empty_avar.phpt
@@ -0,0 +1,27 @@
1--TEST--
2suhosin POST filter with empty array variable
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.stdout=255
7suhosin.log.script=0
8--SKIPIF--
9<?php include('../skipif.inc'); ?>
10--COOKIE--
11--GET--
12--POST--
13a[]=&a[]=test
14--FILE--
15<?php
16var_dump($_POST);
17?>
18--EXPECTF--
19array(1) {
20 ["a"]=>
21 array(2) {
22 [0]=>
23 string(0) ""
24 [1]=>
25 string(4) "test"
26 }
27}
diff --git a/tests/filter/post_filter_empty_var.phpt b/tests/filter/post_filter_empty_var.phpt
new file mode 100644
index 0000000..87866e2
--- /dev/null
+++ b/tests/filter/post_filter_empty_var.phpt
@@ -0,0 +1,24 @@
1--TEST--
2suhosin POST filter with empty variable
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.stdout=255
7suhosin.log.script=0
8--SKIPIF--
9<?php include('../skipif.inc'); ?>
10--COOKIE--
11--GET--
12--POST--
13A=&B=test
14--FILE--
15<?php
16var_dump($_POST);
17?>
18--EXPECTF--
19array(2) {
20 ["A"]=>
21 string(0) ""
22 ["B"]=>
23 string(4) "test"
24}
diff --git a/tests/filter/post_max_array_depth.phpt b/tests/filter/post_max_array_depth.phpt
new file mode 100644
index 0000000..70a5ad6
--- /dev/null
+++ b/tests/filter/post_max_array_depth.phpt
@@ -0,0 +1,66 @@
1--TEST--
2input filter: suhosin.post.max_array_depth
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_depth=0
12suhosin.post.max_array_depth=4
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST--
18var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6&
19--FILE--
20<?php
21var_dump($_POST);
22?>
23--EXPECTF--
24array(4) {
25 ["var1"]=>
26 array(1) {
27 [0]=>
28 string(1) "1"
29 }
30 ["var2"]=>
31 array(1) {
32 [0]=>
33 array(1) {
34 [0]=>
35 string(1) "2"
36 }
37 }
38 ["var3"]=>
39 array(1) {
40 [0]=>
41 array(1) {
42 [0]=>
43 array(1) {
44 [0]=>
45 string(1) "3"
46 }
47 }
48 }
49 ["var4"]=>
50 array(1) {
51 [0]=>
52 array(1) {
53 [0]=>
54 array(1) {
55 [0]=>
56 array(1) {
57 [0]=>
58 string(1) "4"
59 }
60 }
61 }
62 }
63}
64ALERT - configured POST variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
65ALERT - configured POST variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
66ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_max_array_depth_rfc1867.phpt b/tests/filter/post_max_array_depth_rfc1867.phpt
new file mode 100644
index 0000000..925878b
--- /dev/null
+++ b/tests/filter/post_max_array_depth_rfc1867.phpt
@@ -0,0 +1,91 @@
1--TEST--
2input filter: suhosin.post.max_array_depth - RFC1867 version
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_depth=0
12suhosin.post.max_array_depth=4
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST_RAW--
18Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
19-----------------------------20896060251896012921717172737
20Content-Disposition: form-data; name="var1[]"
21
221
23-----------------------------20896060251896012921717172737
24Content-Disposition: form-data; name="var2[][]"
25
262
27-----------------------------20896060251896012921717172737
28Content-Disposition: form-data; name="var3[][][]"
29
303
31-----------------------------20896060251896012921717172737
32Content-Disposition: form-data; name="var4[][][][]"
33
344
35-----------------------------20896060251896012921717172737
36Content-Disposition: form-data; name="var5[][][][][]"
37
385
39-----------------------------20896060251896012921717172737
40Content-Disposition: form-data; name="var6[][][][][][]"
41
426
43-----------------------------20896060251896012921717172737--
44--FILE--
45<?php
46var_dump($_POST);
47?>
48--EXPECTF--
49array(4) {
50 ["var1"]=>
51 array(1) {
52 [0]=>
53 string(1) "1"
54 }
55 ["var2"]=>
56 array(1) {
57 [0]=>
58 array(1) {
59 [0]=>
60 string(1) "2"
61 }
62 }
63 ["var3"]=>
64 array(1) {
65 [0]=>
66 array(1) {
67 [0]=>
68 array(1) {
69 [0]=>
70 string(1) "3"
71 }
72 }
73 }
74 ["var4"]=>
75 array(1) {
76 [0]=>
77 array(1) {
78 [0]=>
79 array(1) {
80 [0]=>
81 array(1) {
82 [0]=>
83 string(1) "4"
84 }
85 }
86 }
87 }
88}
89ALERT - configured POST variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
90ALERT - configured POST variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
91ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_max_array_index_length.phpt b/tests/filter/post_max_array_index_length.phpt
new file mode 100644
index 0000000..9f8404c
--- /dev/null
+++ b/tests/filter/post_max_array_index_length.phpt
@@ -0,0 +1,53 @@
1--TEST--
2input filter: suhosin.post.max_array_index_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_index_length=0
12suhosin.post.max_array_index_length=3
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST--
18var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
19--FILE--
20<?php
21var_dump($_POST);
22?>
23--EXPECTF--
24array(3) {
25 ["var1"]=>
26 array(1) {
27 ["AAA"]=>
28 string(1) "1"
29 }
30 ["var3"]=>
31 array(1) {
32 ["AAA"]=>
33 array(1) {
34 ["BBB"]=>
35 string(1) "1"
36 }
37 }
38 ["var5"]=>
39 array(1) {
40 ["AAA"]=>
41 array(1) {
42 ["BBB"]=>
43 array(1) {
44 ["CCC"]=>
45 string(1) "1"
46 }
47 }
48 }
49}
50ALERT - configured POST variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
51ALERT - configured POST variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
52ALERT - configured POST variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
53ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_max_array_index_length_rfc1867.phpt b/tests/filter/post_max_array_index_length_rfc1867.phpt
new file mode 100644
index 0000000..22591f2
--- /dev/null
+++ b/tests/filter/post_max_array_index_length_rfc1867.phpt
@@ -0,0 +1,80 @@
1--TEST--
2input filter: suhosin.post.max_array_index_length - RFC1867 version
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_index_length=0
12suhosin.post.max_array_index_length=3
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST--
18var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
19--POST_RAW--
20Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
21-----------------------------20896060251896012921717172737
22Content-Disposition: form-data; name="var1[AAA]"
23
241
25-----------------------------20896060251896012921717172737
26Content-Disposition: form-data; name="var2[BBBB]"
27
281
29-----------------------------20896060251896012921717172737
30Content-Disposition: form-data; name="var3[AAA][BBB]"
31
321
33-----------------------------20896060251896012921717172737
34Content-Disposition: form-data; name="var4[AAA][BBBB]"
35
361
37-----------------------------20896060251896012921717172737
38Content-Disposition: form-data; name="var5[AAA][BBB][CCC]"
39
401
41-----------------------------20896060251896012921717172737
42Content-Disposition: form-data; name="var6[AAA][BBBB][CCC]"
43
441
45-----------------------------20896060251896012921717172737--
46--FILE--
47<?php
48var_dump($_POST);
49?>
50--EXPECTF--
51array(3) {
52 ["var1"]=>
53 array(1) {
54 ["AAA"]=>
55 string(1) "1"
56 }
57 ["var3"]=>
58 array(1) {
59 ["AAA"]=>
60 array(1) {
61 ["BBB"]=>
62 string(1) "1"
63 }
64 }
65 ["var5"]=>
66 array(1) {
67 ["AAA"]=>
68 array(1) {
69 ["BBB"]=>
70 array(1) {
71 ["CCC"]=>
72 string(1) "1"
73 }
74 }
75 }
76}
77ALERT - configured POST variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
78ALERT - configured POST variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
79ALERT - configured POST variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
80ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s) \ No newline at end of file
diff --git a/tests/filter/post_max_name_length.phpt b/tests/filter/post_max_name_length.phpt
new file mode 100644
index 0000000..701356e
--- /dev/null
+++ b/tests/filter/post_max_name_length.phpt
@@ -0,0 +1,43 @@
1--TEST--
2input filter: suhosin.post.max_name_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_varname_length=0
12suhosin.post.max_name_length=4
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST--
18var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
19--FILE--
20<?php
21var_dump($_POST);
22?>
23--EXPECTF--
24array(4) {
25 ["var"]=>
26 string(1) "0"
27 ["var1"]=>
28 string(1) "1"
29 ["var2"]=>
30 array(1) {
31 [0]=>
32 string(1) "2"
33 }
34 ["var3"]=>
35 array(1) {
36 ["xxx"]=>
37 string(1) "3"
38 }
39}
40ALERT - configured POST variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
41ALERT - configured POST variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
42ALERT - configured POST variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
43ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_max_name_length_rfc1867.phpt b/tests/filter/post_max_name_length_rfc1867.phpt
new file mode 100644
index 0000000..0316f17
--- /dev/null
+++ b/tests/filter/post_max_name_length_rfc1867.phpt
@@ -0,0 +1,72 @@
1--TEST--
2input filter: suhosin.post.max_name_length - RFC1867 version
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_varname_length=0
12suhosin.post.max_name_length=4
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST_RAW--
18Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
19-----------------------------20896060251896012921717172737
20Content-Disposition: form-data; name="var"
21
220
23-----------------------------20896060251896012921717172737
24Content-Disposition: form-data; name="var1"
25
261
27-----------------------------20896060251896012921717172737
28Content-Disposition: form-data; name="var2[]"
29
302
31-----------------------------20896060251896012921717172737
32Content-Disposition: form-data; name="var3[xxx]"
33
343
35-----------------------------20896060251896012921717172737
36Content-Disposition: form-data; name="var04"
37
384
39-----------------------------20896060251896012921717172737
40Content-Disposition: form-data; name="var05[]"
41
425
43-----------------------------20896060251896012921717172737
44Content-Disposition: form-data; name="var06[xxx]"
45
466
47-----------------------------20896060251896012921717172737--
48--FILE--
49<?php
50var_dump($_POST);
51?>
52--EXPECTF--
53array(4) {
54 ["var"]=>
55 string(1) "0"
56 ["var1"]=>
57 string(1) "1"
58 ["var2"]=>
59 array(1) {
60 [0]=>
61 string(1) "2"
62 }
63 ["var3"]=>
64 array(1) {
65 ["xxx"]=>
66 string(1) "3"
67 }
68}
69ALERT - configured POST variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
70ALERT - configured POST variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
71ALERT - configured POST variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
72ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_max_totalname_length.phpt b/tests/filter/post_max_totalname_length.phpt
new file mode 100644
index 0000000..eb6cfb5
--- /dev/null
+++ b/tests/filter/post_max_totalname_length.phpt
@@ -0,0 +1,44 @@
1--TEST--
2input filter: suhosin.post.max_totalname_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_totalname_length=0
12suhosin.post.max_totalname_length=7
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST--
18var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
19--FILE--
20<?php
21var_dump($_POST);
22?>
23--EXPECTF--
24array(5) {
25 ["var"]=>
26 string(1) "0"
27 ["var1"]=>
28 string(1) "1"
29 ["var2"]=>
30 array(1) {
31 [0]=>
32 string(1) "2"
33 }
34 ["var04"]=>
35 string(1) "4"
36 ["var05"]=>
37 array(1) {
38 [0]=>
39 string(1) "5"
40 }
41}
42ALERT - configured POST variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
43ALERT - configured POST variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
44ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_max_totalname_length_rfc1867.phpt b/tests/filter/post_max_totalname_length_rfc1867.phpt
new file mode 100644
index 0000000..efcface
--- /dev/null
+++ b/tests/filter/post_max_totalname_length_rfc1867.phpt
@@ -0,0 +1,73 @@
1--TEST--
2input filter: suhosin.post.max_totalname_length - RFC1867 version
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_totalname_length=0
12suhosin.post.max_totalname_length=7
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST_RAW--
18Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
19-----------------------------20896060251896012921717172737
20Content-Disposition: form-data; name="var"
21
220
23-----------------------------20896060251896012921717172737
24Content-Disposition: form-data; name="var1"
25
261
27-----------------------------20896060251896012921717172737
28Content-Disposition: form-data; name="var2[]"
29
302
31-----------------------------20896060251896012921717172737
32Content-Disposition: form-data; name="var3[xxx]"
33
343
35-----------------------------20896060251896012921717172737
36Content-Disposition: form-data; name="var04"
37
384
39-----------------------------20896060251896012921717172737
40Content-Disposition: form-data; name="var05[]"
41
425
43-----------------------------20896060251896012921717172737
44Content-Disposition: form-data; name="var06[xxx]"
45
466
47-----------------------------20896060251896012921717172737--
48--FILE--
49<?php
50var_dump($_POST);
51?>
52--EXPECTF--
53array(5) {
54 ["var"]=>
55 string(1) "0"
56 ["var1"]=>
57 string(1) "1"
58 ["var2"]=>
59 array(1) {
60 [0]=>
61 string(1) "2"
62 }
63 ["var04"]=>
64 string(1) "4"
65 ["var05"]=>
66 array(1) {
67 [0]=>
68 string(1) "5"
69 }
70}
71ALERT - configured POST variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
72ALERT - configured POST variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
73ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/post_max_value_length.phpt b/tests/filter/post_max_value_length.phpt
new file mode 100644
index 0000000..cd5da3b
--- /dev/null
+++ b/tests/filter/post_max_value_length.phpt
@@ -0,0 +1,36 @@
1--TEST--
2input filter: suhosin.post.max_value_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_value_length=0
12suhosin.post.max_value_length=3
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST--
18var1=1&var2=22&var3=333&var4=4444&var5=55%00555&var6=666666&
19--FILE--
20<?php
21var_dump($_POST);
22?>
23--EXPECTF--
24array(3) {
25 ["var1"]=>
26 string(1) "1"
27 ["var2"]=>
28 string(2) "22"
29 ["var3"]=>
30 string(3) "333"
31}
32ALERT - configured POST variable value length limit exceeded - dropped variable 'var4' (attacker 'REMOTE_ADDR not set', file '%s')
33ALERT - configured POST variable value length limit exceeded - dropped variable 'var5' (attacker 'REMOTE_ADDR not set', file '%s')
34ALERT - configured POST variable value length limit exceeded - dropped variable 'var6' (attacker 'REMOTE_ADDR not set', file '%s')
35ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
36
diff --git a/tests/filter/post_max_value_length_rfc1867.phpt b/tests/filter/post_max_value_length_rfc1867.phpt
new file mode 100644
index 0000000..6d807f4
--- /dev/null
+++ b/tests/filter/post_max_value_length_rfc1867.phpt
Binary files differ
diff --git a/tests/filter/request_array_index_blacklist.phpt b/tests/filter/request_array_index_blacklist.phpt
new file mode 100644
index 0000000..c24316e
--- /dev/null
+++ b/tests/filter/request_array_index_blacklist.phpt
@@ -0,0 +1,56 @@
1--TEST--
2input filter: suhosin.request.array_index_blacklist
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.array_index_char_blacklist="=ABC%{}\\$;"
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
16--GET--
17var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
18--POST--
19var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
20--FILE--
21<?php
22var_dump(ini_get("suhosin.request.array_index_char_blacklist"));
23var_dump($_GET);
24var_dump($_POST);
25var_dump($_COOKIE);
26?>
27--EXPECTF--
28string(10) "=ABC%{}\$;"
29array(1) {
30 ["var1"]=>
31 array(1) {
32 ["aaa"]=>
33 string(1) "1"
34 }
35}
36array(1) {
37 ["var1"]=>
38 array(1) {
39 ["aaa"]=>
40 string(1) "1"
41 }
42}
43array(1) {
44 ["var1"]=>
45 array(1) {
46 ["aaa"]=>
47 string(1) "1"
48 }
49}
50ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
51ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
52ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
53ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
54ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
55ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
56ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/request_array_index_whitelist.phpt b/tests/filter/request_array_index_whitelist.phpt
new file mode 100644
index 0000000..31d8efc
--- /dev/null
+++ b/tests/filter/request_array_index_whitelist.phpt
@@ -0,0 +1,54 @@
1--TEST--
2input filter: suhosin.request.array_index_whitelist
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.array_index_char_whitelist=abcdefghijklmnopqrstuvwxyz
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
16--GET--
17var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
18--POST--
19var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
20--FILE--
21<?php
22var_dump($_GET);
23var_dump($_POST);
24var_dump($_COOKIE);
25?>
26--EXPECTF--
27array(1) {
28 ["var1"]=>
29 array(1) {
30 ["aaa"]=>
31 string(1) "1"
32 }
33}
34array(1) {
35 ["var1"]=>
36 array(1) {
37 ["aaa"]=>
38 string(1) "1"
39 }
40}
41array(1) {
42 ["var1"]=>
43 array(1) {
44 ["aaa"]=>
45 string(1) "1"
46 }
47}
48ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
49ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
50ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
51ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
52ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
53ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
54ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/request_disallow_nul.phpt b/tests/filter/request_disallow_nul.phpt
new file mode 100644
index 0000000..621eda7
--- /dev/null
+++ b/tests/filter/request_disallow_nul.phpt
@@ -0,0 +1,51 @@
1--TEST--
2input filter: suhosin.request.disallow_nul
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.disallow_nul=1
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15var1=xx%001;var2=2;var3=xx%003;var4=4;
16--GET--
17var1=xx%001&var2=2&var3=xx%003&var4=4&
18--POST--
19var1=xx%001&var2=2&var3=xx%003&var4=4&
20--FILE--
21<?php
22var_dump($_GET);
23var_dump($_POST);
24var_dump($_COOKIE);
25?>
26--EXPECTF--
27array(2) {
28 ["var2"]=>
29 string(1) "2"
30 ["var4"]=>
31 string(1) "4"
32}
33array(2) {
34 ["var2"]=>
35 string(1) "2"
36 ["var4"]=>
37 string(1) "4"
38}
39array(2) {
40 ["var2"]=>
41 string(1) "2"
42 ["var4"]=>
43 string(1) "4"
44}
45ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
46ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
47ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
48ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
49ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var1' (attacker 'REMOTE_ADDR not set', file '%s')
50ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'var3' (attacker 'REMOTE_ADDR not set', file '%s')
51ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file %s)
diff --git a/tests/filter/request_disallow_ws.phpt b/tests/filter/request_disallow_ws.phpt
new file mode 100644
index 0000000..99041b8
--- /dev/null
+++ b/tests/filter/request_disallow_ws.phpt
@@ -0,0 +1,30 @@
1--TEST--
2input filter: suhosin.request.disallow_ws
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.disallow_ws=1
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15--GET--
16+var1=1&var2=2&%20var3=3& var4=4&
17--POST--
18--FILE--
19<?php
20var_dump($_GET);
21?>
22--EXPECTF--
23array(1) {
24 ["var2"]=>
25 string(1) "2"
26}
27ALERT - request variable name begins with disallowed whitespace - dropped variable ' var1' (attacker 'REMOTE_ADDR not set', file '%s')
28ALERT - request variable name begins with disallowed whitespace - dropped variable ' var3' (attacker 'REMOTE_ADDR not set', file '%s')
29ALERT - request variable name begins with disallowed whitespace - dropped variable ' var4' (attacker 'REMOTE_ADDR not set', file '%s')
30ALERT - dropped 3 request variables - (3 in GET, 0 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file %s)
diff --git a/tests/filter/request_max_array_depth.phpt b/tests/filter/request_max_array_depth.phpt
new file mode 100644
index 0000000..7782a4c
--- /dev/null
+++ b/tests/filter/request_max_array_depth.phpt
@@ -0,0 +1,153 @@
1--TEST--
2input filter: suhosin.request.max_array_depth
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_depth=4
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15var1[]=1;var2[][]=2;var3[][][]=3;var4[][][][]=4;var5[][][][][]=5;var6[][][][][][]=6;
16--GET--
17var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6&
18--POST--
19var1[]=1&var2[][]=2&var3[][][]=3&var4[][][][]=4&var5[][][][][]=5&var6[][][][][][]=6&
20--FILE--
21<?php
22var_dump($_GET);
23var_dump($_POST);
24var_dump($_COOKIE);
25?>
26--EXPECTF--
27array(4) {
28 ["var1"]=>
29 array(1) {
30 [0]=>
31 string(1) "1"
32 }
33 ["var2"]=>
34 array(1) {
35 [0]=>
36 array(1) {
37 [0]=>
38 string(1) "2"
39 }
40 }
41 ["var3"]=>
42 array(1) {
43 [0]=>
44 array(1) {
45 [0]=>
46 array(1) {
47 [0]=>
48 string(1) "3"
49 }
50 }
51 }
52 ["var4"]=>
53 array(1) {
54 [0]=>
55 array(1) {
56 [0]=>
57 array(1) {
58 [0]=>
59 array(1) {
60 [0]=>
61 string(1) "4"
62 }
63 }
64 }
65 }
66}
67array(4) {
68 ["var1"]=>
69 array(1) {
70 [0]=>
71 string(1) "1"
72 }
73 ["var2"]=>
74 array(1) {
75 [0]=>
76 array(1) {
77 [0]=>
78 string(1) "2"
79 }
80 }
81 ["var3"]=>
82 array(1) {
83 [0]=>
84 array(1) {
85 [0]=>
86 array(1) {
87 [0]=>
88 string(1) "3"
89 }
90 }
91 }
92 ["var4"]=>
93 array(1) {
94 [0]=>
95 array(1) {
96 [0]=>
97 array(1) {
98 [0]=>
99 array(1) {
100 [0]=>
101 string(1) "4"
102 }
103 }
104 }
105 }
106}
107array(4) {
108 ["var1"]=>
109 array(1) {
110 [0]=>
111 string(1) "1"
112 }
113 ["var2"]=>
114 array(1) {
115 [0]=>
116 array(1) {
117 [0]=>
118 string(1) "2"
119 }
120 }
121 ["var3"]=>
122 array(1) {
123 [0]=>
124 array(1) {
125 [0]=>
126 array(1) {
127 [0]=>
128 string(1) "3"
129 }
130 }
131 }
132 ["var4"]=>
133 array(1) {
134 [0]=>
135 array(1) {
136 [0]=>
137 array(1) {
138 [0]=>
139 array(1) {
140 [0]=>
141 string(1) "4"
142 }
143 }
144 }
145 }
146}
147ALERT - configured request variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
148ALERT - configured request variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
149ALERT - configured request variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
150ALERT - configured request variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
151ALERT - configured request variable array depth limit exceeded - dropped variable 'var5[][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
152ALERT - configured request variable array depth limit exceeded - dropped variable 'var6[][][][][][]' (attacker 'REMOTE_ADDR not set', file '%s')
153ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/request_max_array_index_length.phpt b/tests/filter/request_max_array_index_length.phpt
new file mode 100644
index 0000000..eefa501
--- /dev/null
+++ b/tests/filter/request_max_array_index_length.phpt
@@ -0,0 +1,114 @@
1--TEST--
2input filter: suhosin.request.max_array_index_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_array_index_length=3
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15var1[AAA]=1;var2[BBBB]=1;var3[AAA][BBB]=1;var4[AAA][BBBB]=4;var5[AAA][BBB][CCC]=1;var6[AAA][BBBB][CCC]=1;
16--GET--
17var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
18--POST--
19var1[AAA]=1&var2[BBBB]=1&var3[AAA][BBB]=1&var4[AAA][BBBB]=4&var5[AAA][BBB][CCC]=1&var6[AAA][BBBB][CCC]=1
20--FILE--
21<?php
22var_dump($_GET);
23var_dump($_POST);
24var_dump($_COOKIE);
25?>
26--EXPECTF--
27array(3) {
28 ["var1"]=>
29 array(1) {
30 ["AAA"]=>
31 string(1) "1"
32 }
33 ["var3"]=>
34 array(1) {
35 ["AAA"]=>
36 array(1) {
37 ["BBB"]=>
38 string(1) "1"
39 }
40 }
41 ["var5"]=>
42 array(1) {
43 ["AAA"]=>
44 array(1) {
45 ["BBB"]=>
46 array(1) {
47 ["CCC"]=>
48 string(1) "1"
49 }
50 }
51 }
52}
53array(3) {
54 ["var1"]=>
55 array(1) {
56 ["AAA"]=>
57 string(1) "1"
58 }
59 ["var3"]=>
60 array(1) {
61 ["AAA"]=>
62 array(1) {
63 ["BBB"]=>
64 string(1) "1"
65 }
66 }
67 ["var5"]=>
68 array(1) {
69 ["AAA"]=>
70 array(1) {
71 ["BBB"]=>
72 array(1) {
73 ["CCC"]=>
74 string(1) "1"
75 }
76 }
77 }
78}
79array(3) {
80 ["var1"]=>
81 array(1) {
82 ["AAA"]=>
83 string(1) "1"
84 }
85 ["var3"]=>
86 array(1) {
87 ["AAA"]=>
88 array(1) {
89 ["BBB"]=>
90 string(1) "1"
91 }
92 }
93 ["var5"]=>
94 array(1) {
95 ["AAA"]=>
96 array(1) {
97 ["BBB"]=>
98 array(1) {
99 ["CCC"]=>
100 string(1) "1"
101 }
102 }
103 }
104}
105ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
106ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
107ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
108ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
109ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
110ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
111ALERT - configured request variable array index length limit exceeded - dropped variable 'var2[BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
112ALERT - configured request variable array index length limit exceeded - dropped variable 'var4[AAA][BBBB]' (attacker 'REMOTE_ADDR not set', file '%s')
113ALERT - configured request variable array index length limit exceeded - dropped variable 'var6[AAA][BBBB][CCC]' (attacker 'REMOTE_ADDR not set', file '%s')
114ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', %s) \ No newline at end of file
diff --git a/tests/filter/request_max_name_length.phpt b/tests/filter/request_max_name_length.phpt
new file mode 100644
index 0000000..34f7915
--- /dev/null
+++ b/tests/filter/request_max_name_length.phpt
@@ -0,0 +1,85 @@
1--TEST--
2input filter: suhosin.request.max_varname_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_varname_length=4
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
16--GET--
17var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
18--POST--
19var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
20--FILE--
21<?php
22var_dump($_GET);
23var_dump($_POST);
24var_dump($_COOKIE);
25?>
26--EXPECTF--
27array(4) {
28 ["var"]=>
29 string(1) "0"
30 ["var1"]=>
31 string(1) "1"
32 ["var2"]=>
33 array(1) {
34 [0]=>
35 string(1) "2"
36 }
37 ["var3"]=>
38 array(1) {
39 ["xxx"]=>
40 string(1) "3"
41 }
42}
43array(4) {
44 ["var"]=>
45 string(1) "0"
46 ["var1"]=>
47 string(1) "1"
48 ["var2"]=>
49 array(1) {
50 [0]=>
51 string(1) "2"
52 }
53 ["var3"]=>
54 array(1) {
55 ["xxx"]=>
56 string(1) "3"
57 }
58}
59array(4) {
60 ["var"]=>
61 string(1) "0"
62 ["var1"]=>
63 string(1) "1"
64 ["var2"]=>
65 array(1) {
66 [0]=>
67 string(1) "2"
68 }
69 ["var3"]=>
70 array(1) {
71 ["xxx"]=>
72 string(1) "3"
73 }
74}
75ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
76ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
77ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
78ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
79ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
80ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
81ALERT - configured request variable name length limit exceeded - dropped variable 'var04' (attacker 'REMOTE_ADDR not set', file '%s')
82ALERT - configured request variable name length limit exceeded - dropped variable 'var05[]' (attacker 'REMOTE_ADDR not set', file '%s')
83ALERT - configured request variable name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
84ALERT - dropped 9 request variables - (3 in GET, 3 in POST, 3 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
85
diff --git a/tests/filter/request_max_totalname_length.phpt b/tests/filter/request_max_totalname_length.phpt
new file mode 100644
index 0000000..c4a415f
--- /dev/null
+++ b/tests/filter/request_max_totalname_length.phpt
@@ -0,0 +1,87 @@
1--TEST--
2input filter: suhosin.request.max_totalname_length
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.request.max_totalname_length=7
12--SKIPIF--
13<?php include('../skipif.inc'); ?>
14--COOKIE--
15var=0;var1=1;var2[]=2;var3[xxx]=3;var04=4;var05[]=5;var06[xxx]=6;
16--GET--
17var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
18--POST--
19var=0&var1=1&var2[]=2&var3[xxx]=3&var04=4&var05[]=5&var06[xxx]=6&
20--FILE--
21<?php
22var_dump($_GET);
23var_dump($_POST);
24var_dump($_COOKIE);
25?>
26--EXPECTF--
27array(5) {
28 ["var"]=>
29 string(1) "0"
30 ["var1"]=>
31 string(1) "1"
32 ["var2"]=>
33 array(1) {
34 [0]=>
35 string(1) "2"
36 }
37 ["var04"]=>
38 string(1) "4"
39 ["var05"]=>
40 array(1) {
41 [0]=>
42 string(1) "5"
43 }
44}
45array(5) {
46 ["var"]=>
47 string(1) "0"
48 ["var1"]=>
49 string(1) "1"
50 ["var2"]=>
51 array(1) {
52 [0]=>
53 string(1) "2"
54 }
55 ["var04"]=>
56 string(1) "4"
57 ["var05"]=>
58 array(1) {
59 [0]=>
60 string(1) "5"
61 }
62}
63array(5) {
64 ["var"]=>
65 string(1) "0"
66 ["var1"]=>
67 string(1) "1"
68 ["var2"]=>
69 array(1) {
70 [0]=>
71 string(1) "2"
72 }
73 ["var04"]=>
74 string(1) "4"
75 ["var05"]=>
76 array(1) {
77 [0]=>
78 string(1) "5"
79 }
80}
81ALERT - configured request variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
82ALERT - configured request variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
83ALERT - configured request variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
84ALERT - configured request variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
85ALERT - configured request variable total name length limit exceeded - dropped variable 'var3[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
86ALERT - configured request variable total name length limit exceeded - dropped variable 'var06[xxx]' (attacker 'REMOTE_ADDR not set', file '%s')
87ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', %s)
diff --git a/tests/filter/server_encode_off.phpt b/tests/filter/server_encode_off.phpt
new file mode 100644
index 0000000..69793fd
--- /dev/null
+++ b/tests/filter/server_encode_off.phpt
@@ -0,0 +1,31 @@
1--TEST--
2Testing: suhosin.server.encode=Off
3--DESCRIPTION--
4This test is incomplete but at the moment we cannot do better with the standard test framework.
5--INI--
6suhosin.log.syslog=0
7suhosin.log.sapi=0
8suhosin.log.stdout=255
9suhosin.log.script=0
10suhosin.server.encode=Off
11--SKIPIF--
12<?php include('../skipif.inc'); ?>
13--ENV--
14return <<<END
15REQUEST_URI=AAA<>"'`!AAA
16END;
17--COOKIE--
18--GET--
19BBB<>"'`!BBB
20--POST--
21--FILE--
22<?php
23// THIS TEST IS INCOMPLETE!!! SEE DESCRIPTION
24var_dump($_SERVER['REQUEST_URI']);
25var_dump($_SERVER['QUERY_STRING']);
26?>
27--EXPECTF--
28string(12) "AAA<>"'`!AAA"
29string(12) "BBB<>"'`!BBB"
30
31
diff --git a/tests/filter/server_encode_on.phpt b/tests/filter/server_encode_on.phpt
new file mode 100644
index 0000000..3b02ce4
--- /dev/null
+++ b/tests/filter/server_encode_on.phpt
@@ -0,0 +1,30 @@
1--TEST--
2Testing: suhosin.server.encode=On
3--DESCRIPTION--
4This test is incomplete but at the moment we cannot do better with the standard test framework.
5--INI--
6suhosin.log.syslog=0
7suhosin.log.sapi=0
8suhosin.log.stdout=255
9suhosin.log.script=0
10suhosin.server.encode=On
11--SKIPIF--
12<?php include('../skipif.inc'); ?>
13--ENV--
14return <<<END
15REQUEST_URI=AAA<>"'`!AAA
16END;
17--COOKIE--
18--GET--
19BBB<>"'`!BBB
20--POST--
21--FILE--
22<?php
23// THIS TEST IS INCOMPLETE!!! SEE DESCRIPTION
24var_dump($_SERVER['REQUEST_URI']);
25var_dump($_SERVER['QUERY_STRING']);
26?>
27--EXPECTF--
28string(22) "AAA%3C%3E%22%27%60!AAA"
29string(22) "BBB%3C%3E%22%27%60!BBB"
30
diff --git a/tests/filter/server_filter.phpt b/tests/filter/server_filter.phpt
new file mode 100644
index 0000000..f2afdf7
--- /dev/null
+++ b/tests/filter/server_filter.phpt
@@ -0,0 +1,36 @@
1--TEST--
2suhosin SERVER filter
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11--SKIPIF--
12<?php include('../skipif.inc'); ?>
13--ENV--
14return <<<END
15HTTP_POST_VARS=HTTP_POST_VARS
16HTTP_MY_VARS=HTTP_MY_VARS
17HTTP_GET_VARS=HTTP_GET_VARS
18HTTP_ENV_VARS=HTTP_ENV_VARS
19HTTP_SERVER_VARS=HTTP_SERVER_VARS
20HTTP_SESSION_VARS=HTTP_SESSION_VARS
21HTTP_COOKIE_VARS=HTTP_COOKIE_VARS
22HTTP_RAW_POST_DATA=HTTP_RAW_POST_DATA
23HTTP_POST_FILES=HTTP_POST_FILES
24END;
25--COOKIE--
26--GET--
27--POST--
28--FILE--
29<?php
30foreach ($_SERVER as $k => $v) {
31 if (!strncmp($k, "HTTP_", 5)) echo "$k => $v\n";
32}
33?>
34--EXPECTF--
35HTTP_MY_VARS => HTTP_MY_VARS
36ALERT - Attacker tried to overwrite a superglobal through a HTTP header (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file
diff --git a/tests/filter/server_strip_off.phpt b/tests/filter/server_strip_off.phpt
new file mode 100644
index 0000000..57b2e97
--- /dev/null
+++ b/tests/filter/server_strip_off.phpt
@@ -0,0 +1,27 @@
1--TEST--
2Testing: suhosin.server.strip=Off
3--DESCRIPTION--
4This test is incomplete but at the moment we cannot do better with the standard test framework.
5--INI--
6suhosin.log.syslog=0
7suhosin.log.sapi=0
8suhosin.log.stdout=255
9suhosin.log.script=0
10suhosin.server.strip=Off
11--SKIPIF--
12<?php include('../skipif.inc'); ?>
13--ENV--
14return <<<END
15SCRIPT_NAME=X/index.php/THIS_IS_A_FAKE_NAME<>"'`!AAA
16END;
17--COOKIE--
18--GET--
19A=B
20--POST--
21--FILE--
22<?php
23// THIS TEST IS INCOMPLETE!!! SEE DESCRIPTION
24var_dump($_SERVER['PHP_SELF']);
25?>
26--EXPECTF--
27string(40) "X/index.php/THIS_IS_A_FAKE_NAME<>"'`!AAA"
diff --git a/tests/filter/server_strip_on.phpt b/tests/filter/server_strip_on.phpt
new file mode 100644
index 0000000..9e9d991
--- /dev/null
+++ b/tests/filter/server_strip_on.phpt
@@ -0,0 +1,27 @@
1--TEST--
2Testing: suhosin.server.strip=On
3--DESCRIPTION--
4This test is incomplete but at the moment we cannot do better with the standard test framework.
5--INI--
6suhosin.log.syslog=0
7suhosin.log.sapi=0
8suhosin.log.stdout=255
9suhosin.log.script=0
10suhosin.server.strip=On
11--SKIPIF--
12<?php include('../skipif.inc'); ?>
13--ENV--
14return <<<END
15SCRIPT_NAME=X/index.php/THIS_IS_A_FAKE_NAME<>"'`!AAA
16END;
17--COOKIE--
18--GET--
19A=B
20--POST--
21--FILE--
22<?php
23// THIS TEST IS INCOMPLETE!!! SEE DESCRIPTION
24var_dump($_SERVER['PHP_SELF']);
25?>
26--EXPECTF--
27string(40) "X/index.php/THIS_IS_A_FAKE_NAME?????!AAA"
diff --git a/tests/filter/server_user_agent_strip_off.phpt b/tests/filter/server_user_agent_strip_off.phpt
new file mode 100644
index 0000000..1f58007
--- /dev/null
+++ b/tests/filter/server_user_agent_strip_off.phpt
@@ -0,0 +1,27 @@
1--TEST--
2Testing: suhosin.server.strip=On
3--DESCRIPTION--
4This test is not exactly what we want, but good enough due to limitations of the test framework.
5--INI--
6suhosin.log.syslog=0
7suhosin.log.sapi=0
8suhosin.log.stdout=255
9suhosin.log.script=0
10suhosin.server.strip=Off
11--SKIPIF--
12<?php include('../skipif.inc'); ?>
13--ENV--
14return <<<END
15HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0
16END;
17--COOKIE--
18--GET--
19A=B
20--POST--
21--FILE--
22<?php
23var_dump($_SERVER['HTTP_USER_AGENT']);
24?>
25--EXPECTF--
26string(95) "Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0"
27
diff --git a/tests/filter/server_user_agent_strip_on.phpt b/tests/filter/server_user_agent_strip_on.phpt
new file mode 100644
index 0000000..df1d040
--- /dev/null
+++ b/tests/filter/server_user_agent_strip_on.phpt
@@ -0,0 +1,27 @@
1--TEST--
2Testing: suhosin.server.strip=On
3--DESCRIPTION--
4This test is not exactly what we want, but good enough due to limitations of the test framework.
5--INI--
6suhosin.log.syslog=0
7suhosin.log.sapi=0
8suhosin.log.stdout=255
9suhosin.log.script=0
10suhosin.server.strip=On
11--SKIPIF--
12<?php include('../skipif.inc'); ?>
13--ENV--
14return <<<END
15HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0
16END;
17--COOKIE--
18--GET--
19A=B
20--POST--
21--FILE--
22<?php
23var_dump($_SERVER['HTTP_USER_AGENT']);
24?>
25--EXPECTF--
26string(95) "Mozilla/5.0 (Windows NT 6.0; rv:29.0) ?script?alert(?123?);?/script?Gecko/20100101 Firefox/29.0"
27
diff --git a/tests/filter/suhosin_upload_disallow_binary_off.phpt b/tests/filter/suhosin_upload_disallow_binary_off.phpt
new file mode 100644
index 0000000..bcb76be
--- /dev/null
+++ b/tests/filter/suhosin_upload_disallow_binary_off.phpt
Binary files differ
diff --git a/tests/filter/suhosin_upload_disallow_binary_on.phpt b/tests/filter/suhosin_upload_disallow_binary_on.phpt
new file mode 100644
index 0000000..bc2c7ea
--- /dev/null
+++ b/tests/filter/suhosin_upload_disallow_binary_on.phpt
Binary files differ
diff --git a/tests/filter/suhosin_upload_disallow_binary_utf8.phpt b/tests/filter/suhosin_upload_disallow_binary_utf8.phpt
new file mode 100644
index 0000000..d14f041
--- /dev/null
+++ b/tests/filter/suhosin_upload_disallow_binary_utf8.phpt
@@ -0,0 +1,46 @@
1--TEST--
2Testing: suhosin.upload.disallow_binary=On with UTF-8
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.stdout=255
7suhosin.log.script=0
8file_uploads=1
9suhosin.upload.disallow_binary=On
10suhosin.upload.allow_utf8=On
11max_file_uploads=40
12suhosin.upload.max_uploads=40
13--SKIPIF--
14<?php include('../skipif.inc');
15if (ini_get('suhosin.upload.allow_utf8') === FALSE) { die("skip feature not compiled in"); }
16?>
17--COOKIE--
18--GET--
19--POST_RAW--
20Content-Type: multipart/form-data; boundary=bound
21--bound
22Content-Disposition: form-data; name="test"; filename="test"
23
24Spaß am Gerät!
25
26--bound--
27--FILE--
28<?php
29var_dump($_FILES);
30?>
31--EXPECTF--
32array(1) {
33 ["test"]=>
34 array(5) {
35 ["name"]=>
36 string(4) "test"
37 ["type"]=>
38 string(0) ""
39 ["tmp_name"]=>
40 string(%d) "%s"
41 ["error"]=>
42 int(0)
43 ["size"]=>
44 int(17)
45 }
46}
diff --git a/tests/filter/suhosin_upload_disallow_binary_utf8fail.phpt b/tests/filter/suhosin_upload_disallow_binary_utf8fail.phpt
new file mode 100644
index 0000000..95e4864
--- /dev/null
+++ b/tests/filter/suhosin_upload_disallow_binary_utf8fail.phpt
@@ -0,0 +1,50 @@
1--TEST--
2Testing: suhosin.upload.disallow_binary=On with UTF-8 and allow_utf8=Off
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11file_uploads=1
12suhosin.upload.disallow_binary=On
13suhosin.upload.allow_utf8=Off
14max_file_uploads=40
15suhosin.upload.max_uploads=40
16--SKIPIF--
17<?php include('../skipif.inc');
18if (ini_get('suhosin.upload.allow_utf8') === FALSE) { die("skip feature not compiled in"); }
19?>
20--COOKIE--
21--GET--
22--POST_RAW--
23Content-Type: multipart/form-data; boundary=bound
24--bound
25Content-Disposition: form-data; name="test"; filename="test"
26
27Spaß am Gerät!
28
29--bound--
30--FILE--
31<?php
32var_dump($_FILES);
33?>
34--EXPECTF--
35array(1) {
36 ["test"]=>
37 array(5) {
38 ["name"]=>
39 string(4) "test"
40 ["type"]=>
41 string(0) ""
42 ["tmp_name"]=>
43 string(0) ""
44 ["error"]=>
45 int(8)
46 ["size"]=>
47 int(0)
48 }
49}
50ALERT - uploaded file contains binary data - file dropped (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/suhosin_upload_disallow_elf.phpt b/tests/filter/suhosin_upload_disallow_elf.phpt
new file mode 100644
index 0000000..7b074f7
--- /dev/null
+++ b/tests/filter/suhosin_upload_disallow_elf.phpt
@@ -0,0 +1,61 @@
1--TEST--
2Testing: suhosin.upload.disallow_elf=On
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11file_uploads=1
12suhosin.upload.disallow_elf=On
13--SKIPIF--
14<?php include('../skipif.inc'); ?>
15--COOKIE--
16--GET--
17--POST_RAW--
18Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
19-----------------------------20896060251896012921717172737
20Content-Disposition: form-data; name="A"; filename="A"
21
22ELFABCDEFGHIJKLMN
23-----------------------------20896060251896012921717172737
24Content-Disposition: form-data; name="B"; filename="B"
25
26XELFABCDEFGHIJKLMN
27-----------------------------20896060251896012921717172737--
28--FILE--
29<?php
30var_dump($_FILES);
31?>
32--EXPECTF--
33array(2) {
34 ["A"]=>
35 array(5) {
36 ["name"]=>
37 string(1) "A"
38 ["type"]=>
39 string(0) ""
40 ["tmp_name"]=>
41 string(0) ""
42 ["error"]=>
43 int(8)
44 ["size"]=>
45 int(0)
46 }
47 ["B"]=>
48 array(5) {
49 ["name"]=>
50 string(1) "B"
51 ["type"]=>
52 string(0) ""
53 ["tmp_name"]=>
54 string(%d) "%s"
55 ["error"]=>
56 int(0)
57 ["size"]=>
58 int(18)
59 }
60}
61ALERT - uploaded file is an ELF executable - file dropped (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file
diff --git a/tests/filter/suhosin_upload_disallow_elf_off.phpt b/tests/filter/suhosin_upload_disallow_elf_off.phpt
new file mode 100644
index 0000000..832692c
--- /dev/null
+++ b/tests/filter/suhosin_upload_disallow_elf_off.phpt
@@ -0,0 +1,57 @@
1--TEST--
2Testing: suhosin.upload.disallow_elf=Off
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.stdout=255
7suhosin.log.script=0
8file_uploads=1
9suhosin.upload.disallow_elf=Off
10--SKIPIF--
11<?php include('../skipif.inc'); ?>
12--COOKIE--
13--GET--
14--POST_RAW--
15Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
16-----------------------------20896060251896012921717172737
17Content-Disposition: form-data; name="A"; filename="A"
18
19ELFABCDEFGHIJKLMN
20-----------------------------20896060251896012921717172737
21Content-Disposition: form-data; name="B"; filename="B"
22
23XELFABCDEFGHIJKLMN
24-----------------------------20896060251896012921717172737--
25--FILE--
26<?php
27var_dump($_FILES);
28?>
29--EXPECTF--
30array(2) {
31 ["A"]=>
32 array(5) {
33 ["name"]=>
34 string(1) "A"
35 ["type"]=>
36 string(0) ""
37 ["tmp_name"]=>
38 string(%d) "%s"
39 ["error"]=>
40 int(0)
41 ["size"]=>
42 int(18)
43 }
44 ["B"]=>
45 array(5) {
46 ["name"]=>
47 string(1) "B"
48 ["type"]=>
49 string(0) ""
50 ["tmp_name"]=>
51 string(%d) "%s"
52 ["error"]=>
53 int(0)
54 ["size"]=>
55 int(18)
56 }
57} \ No newline at end of file
diff --git a/tests/filter/suhosin_upload_max_uploads.phpt b/tests/filter/suhosin_upload_max_uploads.phpt
new file mode 100644
index 0000000..fb6f249
--- /dev/null
+++ b/tests/filter/suhosin_upload_max_uploads.phpt
@@ -0,0 +1,87 @@
1--TEST--
2suhosin.upload.max_uploads
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.script=0
7suhosin.log.file=255
8suhosin.log.file.time=0
9suhosin.log.file.name={PWD}/suhosintest.$$.log.tmp
10auto_append_file={PWD}/suhosintest.$$.log.tmp
11suhosin.post.max_vars=5
12file_uploads=1
13suhosin.upload.max_uploads=3
14--SKIPIF--
15<?php include('../skipif.inc'); ?>
16--COOKIE--
17--GET--
18--POST_RAW--
19Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
20-----------------------------20896060251896012921717172737
21Content-Disposition: form-data; name="A"; filename="A"
22
23A
24-----------------------------20896060251896012921717172737
25Content-Disposition: form-data; name="B"; filename="B"
26
27B
28-----------------------------20896060251896012921717172737
29Content-Disposition: form-data; name="C"; filename="C"
30
31C
32-----------------------------20896060251896012921717172737
33Content-Disposition: form-data; name="D"; filename="D"
34
35D
36-----------------------------20896060251896012921717172737
37Content-Disposition: form-data; name="E"; filename="E"
38
39E
40-----------------------------20896060251896012921717172737--
41--FILE--
42<?php
43var_dump($_FILES);
44?>
45--EXPECTF--
46array(3) {
47 ["A"]=>
48 array(5) {
49 ["name"]=>
50 string(1) "A"
51 ["type"]=>
52 string(0) ""
53 ["tmp_name"]=>
54 string(%d) "%s"
55 ["error"]=>
56 int(0)
57 ["size"]=>
58 int(1)
59 }
60 ["B"]=>
61 array(5) {
62 ["name"]=>
63 string(1) "B"
64 ["type"]=>
65 string(0) ""
66 ["tmp_name"]=>
67 string(%d) "%s"
68 ["error"]=>
69 int(0)
70 ["size"]=>
71 int(1)
72 }
73 ["C"]=>
74 array(5) {
75 ["name"]=>
76 string(1) "C"
77 ["type"]=>
78 string(0) ""
79 ["tmp_name"]=>
80 string(%d) "%s"
81 ["error"]=>
82 int(0)
83 ["size"]=>
84 int(1)
85 }
86}
87ALERT - configured fileupload limit exceeded - file dropped (attacker 'REMOTE_ADDR not set', file '%s') \ No newline at end of file
diff --git a/tests/filter/suhosin_upload_remove_binary.phpt b/tests/filter/suhosin_upload_remove_binary.phpt
new file mode 100644
index 0000000..8d158c3
--- /dev/null
+++ b/tests/filter/suhosin_upload_remove_binary.phpt
Binary files differ
diff --git a/tests/filter/suhosin_upload_remove_binary_utf8.phpt b/tests/filter/suhosin_upload_remove_binary_utf8.phpt
new file mode 100644
index 0000000..564c095
--- /dev/null
+++ b/tests/filter/suhosin_upload_remove_binary_utf8.phpt
@@ -0,0 +1,34 @@
1--TEST--
2Testing: suhosin.upload.remove_binary=On with UTF-8
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.stdout=255
7suhosin.log.script=0
8file_uploads=1
9suhosin.upload.disallow_binary=Off
10suhosin.upload.remove_binary=On
11suhosin.upload.allow_utf8=On
12max_file_uploads=40
13suhosin.upload.max_uploads=40
14--SKIPIF--
15<?php include('../skipif.inc');
16if (ini_get('suhosin.upload.allow_utf8') === FALSE) { die("skip feature not compiled in"); }
17?>
18--COOKIE--
19--GET--
20--POST_RAW--
21Content-Type: multipart/form-data; boundary=bound
22--bound
23Content-Disposition: form-data; name="test"; filename="test"
24
25Spaß am Gerät!
26
27--bound--
28--FILE--
29<?php
30var_dump(file_get_contents($_FILES['test']['tmp_name']));
31?>
32--EXPECTF--
33string(17) "Spaß am Gerät!
34" \ No newline at end of file
diff --git a/tests/filter/suhosin_upload_remove_binary_utf8fail.phpt b/tests/filter/suhosin_upload_remove_binary_utf8fail.phpt
new file mode 100644
index 0000000..4787a3a
--- /dev/null
+++ b/tests/filter/suhosin_upload_remove_binary_utf8fail.phpt
@@ -0,0 +1,34 @@
1--TEST--
2Testing: suhosin.upload.remove_binary=On with UTF-8 and allow_utf8=Off
3--INI--
4suhosin.log.syslog=0
5suhosin.log.sapi=0
6suhosin.log.stdout=255
7suhosin.log.script=0
8file_uploads=1
9suhosin.upload.disallow_binary=Off
10suhosin.upload.remove_binary=On
11suhosin.upload.allow_utf8=Off
12max_file_uploads=40
13suhosin.upload.max_uploads=40
14--SKIPIF--
15<?php include('../skipif.inc');
16if (ini_get('suhosin.upload.allow_utf8') === FALSE) { die("skip feature not compiled in"); }
17?>
18--COOKIE--
19--GET--
20--POST_RAW--
21Content-Type: multipart/form-data; boundary=bound
22--bound
23Content-Disposition: form-data; name="test"; filename="test"
24
25Spaß am Gerät!
26
27--bound--
28--FILE--
29<?php
30var_dump(file_get_contents($_FILES['test']['tmp_name']));
31?>
32--EXPECTF--
33string(13) "Spa am Gert!
34" \ No newline at end of file
diff --git a/ufilter.c b/ufilter.c
new file mode 100644
index 0000000..cb36a67
--- /dev/null
+++ b/ufilter.c
@@ -0,0 +1,425 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2016 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Authors: Stefan Esser <sesser@sektioneins.de> |
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
18 +----------------------------------------------------------------------+
19*/
20/*
21 $Id: ufilter.c,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $
22*/
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "php.h"
29#include "php_ini.h"
30#include "ext/standard/info.h"
31#include "php_suhosin7.h"
32#include "php_variables.h"
33#include "suhosin_rfc1867.h"
34#include "ext/standard/php_var.h"
35
36// #if !HAVE_RFC1867_CALLBACK
37// PHP_SUHOSIN_API int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL;
38// #endif
39//
40
41/* {{{ SAPI_UPLOAD_VARNAME_FILTER_FUNC
42 */
43static int check_fileupload_varname(char *varname)
44{
45 char *index, *prev_index = NULL, *var;
46 unsigned int var_len, total_len, depth = 0;
47
48 var = estrdup(varname);
49
50 /* Normalize the variable name */
51 suhosin_normalize_varname(var);
52
53 /* Find length of variable name */
54 index = strchr(var, '[');
55 total_len = strlen(var);
56 var_len = index ? index-var : total_len;
57
58 /* Drop this variable if it exceeds the varname/total length limit */
59 if (SUHOSIN7_G(max_varname_length) && SUHOSIN7_G(max_varname_length) < var_len) {
60 suhosin_log(S_FILES, "configured request variable name length limit exceeded - dropped variable '%s'", var);
61 if (!SUHOSIN7_G(simulation)) {
62 goto return_failure;
63 }
64 }
65 if (SUHOSIN7_G(max_totalname_length) && SUHOSIN7_G(max_totalname_length) < total_len) {
66 suhosin_log(S_FILES, "configured request variable total name length limit exceeded - dropped variable '%s'", var);
67 if (!SUHOSIN7_G(simulation)) {
68 goto return_failure;
69 }
70 }
71 if (SUHOSIN7_G(max_post_name_length) && SUHOSIN7_G(max_post_name_length) < var_len) {
72 suhosin_log(S_FILES, "configured POST variable name length limit exceeded - dropped variable '%s'", var);
73 if (!SUHOSIN7_G(simulation)) {
74 goto return_failure;
75 }
76 }
77 if (SUHOSIN7_G(max_post_totalname_length) && SUHOSIN7_G(max_post_totalname_length) < var_len) {
78 suhosin_log(S_FILES, "configured POST variable total name length limit exceeded - dropped variable '%s'", var);
79 if (!SUHOSIN7_G(simulation)) {
80 goto return_failure;
81 }
82 }
83
84 /* Find out array depth */
85 while (index) {
86 char *index_end;
87 unsigned int index_length;
88
89 /* overjump '[' */
90 index++;
91
92 /* increase array depth */
93 depth++;
94
95 index_end = strchr(index, ']');
96 if (index_end == NULL) {
97 index_end = index+strlen(index);
98 }
99
100 index_length = index_end - index;
101
102 if (SUHOSIN7_G(max_array_index_length) && SUHOSIN7_G(max_array_index_length) < index_length) {
103 suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
104 if (!SUHOSIN7_G(simulation)) {
105 goto return_failure;
106 }
107 }
108 if (SUHOSIN7_G(max_post_array_index_length) && SUHOSIN7_G(max_post_array_index_length) < index_length) {
109 suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
110 if (!SUHOSIN7_G(simulation)) {
111 goto return_failure;
112 }
113 }
114
115 /* index whitelist/blacklist */
116 if (SUHOSIN7_G(array_index_whitelist) && *(SUHOSIN7_G(array_index_whitelist))) {
117 if (suhosin_strnspn(index, index_length, SUHOSIN7_G(array_index_whitelist)) != index_length) {
118 suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
119 if (!SUHOSIN7_G(simulation)) {
120 goto return_failure;
121 }
122 }
123 } else if (SUHOSIN7_G(array_index_blacklist) && *(SUHOSIN7_G(array_index_blacklist))) {
124 if (suhosin_strncspn(index, index_length, SUHOSIN7_G(array_index_blacklist)) != index_length) {
125 suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
126 if (!SUHOSIN7_G(simulation)) {
127 goto return_failure;
128 }
129 }
130 }
131
132
133 index = strchr(index, '[');
134 }
135
136 /* Drop this variable if it exceeds the array depth limit */
137 if (SUHOSIN7_G(max_array_depth) && SUHOSIN7_G(max_array_depth) < depth) {
138 suhosin_log(S_FILES, "configured request variable array depth limit exceeded - dropped variable '%s'", var);
139 if (!SUHOSIN7_G(simulation)) {
140 goto return_failure;
141 }
142 }
143 if (SUHOSIN7_G(max_post_array_depth) && SUHOSIN7_G(max_post_array_depth) < depth) {
144 suhosin_log(S_FILES, "configured POST variable array depth limit exceeded - dropped variable '%s'", var);
145 if (!SUHOSIN7_G(simulation)) {
146 goto return_failure;
147 }
148 }
149
150
151 /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
152 /* This is to protect several silly scripts that do globalizing themself */
153 if (suhosin_is_protected_varname(var, var_len)) {
154 suhosin_log(S_FILES, "tried to register forbidden variable '%s' through FILE variables", var);
155 if (!SUHOSIN7_G(simulation)) {
156 goto return_failure;
157 }
158 }
159
160 efree(var);
161 return SUCCESS;
162
163return_failure:
164 efree(var);
165 return FAILURE;
166}
167/* }}} */
168
169#ifdef SUHOSIN7_EXPERIMENTAL
170static inline int suhosin_validate_utf8_multibyte(const char* cp, size_t maxlen)
171{
172 if (maxlen < 2 || !(*cp & 0x80)) { return 0; }
173 if ((*cp & 0xe0) == 0xc0 && // 1st byte is 110xxxxx
174 (*(cp+1) & 0xc0) == 0x80 && // 2nd byte is 10xxxxxx
175 (*cp & 0x1e)) { // overlong check 110[xxxx]x 10xxxxxx
176 return 2;
177 }
178 if (maxlen < 3) { return 0; }
179 if ((*cp & 0xf0) == 0xe0 && // 1st byte is 1110xxxx
180 (*(cp+1) & 0xc0) == 0x80 && // 2nd byte is 10xxxxxx
181 (*(cp+2) & 0xc0) == 0x80 && // 3rd byte is 10xxxxxx
182 ((*cp & 0x0f) | (*(cp+1) & 0x20))) { // 1110[xxxx] 10[x]xxxxx 10xxxxxx
183 return 3;
184 }
185 if (maxlen < 4) { return 0; }
186 if ((*cp & 0xf8) == 0xf0 && // 1st byte is 11110xxx
187 (*(cp+1) & 0xc0) == 0x80 && // 2nd byte is 10xxxxxx
188 (*(cp+2) & 0xc0) == 0x80 && // 3rd byte is 10xxxxxx
189 (*(cp+3) & 0xc0) == 0x80 && // 4th byte is 10xxxxxx
190 ((*cp & 0x07) | (*(cp+1) & 0x30))) { // 11110[xxx] 10[xx]xxxx 10xxxxxx 10xxxxxx
191 return 4;
192 }
193 return 0;
194}
195#endif
196
197int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra)
198{
199 int retval = SUCCESS;
200
201 SDEBUG("rfc1867_filter %u", event);
202
203 switch (event) {
204 case MULTIPART_EVENT_START:
205 case MULTIPART_EVENT_FORMDATA:
206 /* nothing todo */
207 break;
208
209 case MULTIPART_EVENT_FILE_START:
210 {
211 multipart_event_file_start *mefs = (multipart_event_file_start *) event_data;
212
213 /* Drop if no more variables flag is set */
214 if (SUHOSIN7_G(no_more_uploads)) {
215 goto continue_with_failure;
216 }
217
218 /* Drop this fileupload if the limit is reached */
219 if (SUHOSIN7_G(upload_limit) && SUHOSIN7_G(upload_limit) <= SUHOSIN7_G(num_uploads)) {
220 suhosin_log(S_FILES, "configured fileupload limit exceeded - file dropped");
221 if (!SUHOSIN7_G(simulation)) {
222 SUHOSIN7_G(no_more_uploads) = 1;
223 goto continue_with_failure;
224 }
225 }
226
227 if (check_fileupload_varname(mefs->name) == FAILURE) {
228 goto continue_with_failure;
229 }
230 }
231
232 break;
233
234 case MULTIPART_EVENT_FILE_DATA:
235
236 if (SUHOSIN7_G(upload_disallow_elf)) {
237 multipart_event_file_data *mefd = (multipart_event_file_data *) event_data;
238
239 if (mefd->offset == 0 && mefd->length > 10) {
240 if (mefd->data[0] == 0x7F && mefd->data[1] == 'E' && mefd->data[2] == 'L' && mefd->data[3] == 'F') {
241 suhosin_log(S_FILES, "uploaded file is an ELF executable - file dropped");
242 if (!SUHOSIN7_G(simulation)) {
243 goto continue_with_failure;
244 }
245 }
246 }
247 }
248
249 if (SUHOSIN7_G(upload_disallow_binary)) {
250
251 multipart_event_file_data *mefd = (multipart_event_file_data *) event_data;
252
253 char *cp, *cpend;
254 int n;
255 cpend = mefd->data + mefd->length;
256 for (cp = mefd->data; cp < cpend; cp++) {
257 if (*cp >= 32 || isspace(*cp)) {
258 continue;
259 }
260#ifdef SUHOSIN7_EXPERIMENTAL
261 if ((*cp & 0x80) && SUHOSIN7_G(upload_allow_utf8)) {
262 SDEBUG("checking char %x", *cp);
263 if ((n = suhosin_validate_utf8_multibyte(cp, cpend-cp))) { // valid UTF8 multibyte character
264 cp += n - 1;
265 continue;
266 }
267 }
268#endif
269 suhosin_log(S_FILES, "uploaded file contains binary data - file dropped");
270 if (!SUHOSIN7_G(simulation)) {
271 goto continue_with_failure;
272 }
273 break;
274 }
275 }
276
277 if (SUHOSIN7_G(upload_remove_binary)) {
278
279 multipart_event_file_data *mefd = (multipart_event_file_data *) event_data;
280 size_t i, j;
281 int n;
282
283 for (i=0, j=0; i<mefd->length; i++) {
284 if (mefd->data[i] >= 32 || isspace(mefd->data[i])) {
285 mefd->data[j++] = mefd->data[i];
286 }
287#ifdef SUHOSIN7_EXPERIMENTAL
288 else if (SUHOSIN7_G(upload_allow_utf8) && mefd->data[i] & 0x80) {
289 n = suhosin_validate_utf8_multibyte(mefd->data + i, mefd->length - i);
290 if (!n) { continue; }
291 while (n--) {
292 mefd->data[j++] = mefd->data[i++];
293 }
294 i--;
295 }
296#endif
297 }
298 mefd->data[j] = '\0';
299
300 SDEBUG("removing binary %zu %zu",i,j);
301 /* IMPORTANT FOR DAISY CHAINING */
302 mefd->length = j;
303 if (mefd->newlength) {
304 *mefd->newlength = j;
305 }
306 }
307
308 break;
309
310 case MULTIPART_EVENT_FILE_END:
311
312 if (SUHOSIN7_G(upload_verification_script)) {
313 multipart_event_file_end *mefe = (multipart_event_file_end *) event_data;
314 char cmd[8192];
315 FILE *in;
316 int first=1;
317 struct stat st;
318 char *sname = SUHOSIN7_G(upload_verification_script);
319
320 /* ignore files that will get deleted anyway */
321 if (mefe->cancel_upload) {
322 break;
323 }
324
325 /* ignore empty scriptnames */
326 while (isspace(*sname)) ++sname;
327 if (*sname == 0) {
328 SUHOSIN7_G(num_uploads)++;
329 break;
330 }
331
332 if (VCWD_STAT(sname, &st) < 0) {
333 suhosin_log(S_FILES, "unable to find fileupload verification script %s - file dropped", sname);
334 if (!SUHOSIN7_G(simulation)) {
335 goto continue_with_failure;
336 } else {
337 goto continue_with_next;
338 }
339 }
340 if (access(sname, X_OK|R_OK) < 0) {
341 suhosin_log(S_FILES, "fileupload verification script %s is not executable - file dropped", sname);
342 if (!SUHOSIN7_G(simulation)) {
343 goto continue_with_failure;
344 } else {
345 goto continue_with_next;
346 }
347 }
348
349 ap_php_snprintf(cmd, sizeof(cmd), "%s %s 2>&1", sname, mefe->temp_filename);
350
351 if ((in = VCWD_POPEN(cmd, "r")) == NULL) {
352 suhosin_log(S_FILES, "unable to execute fileupload verification script %s - file dropped", sname);
353 if (!SUHOSIN7_G(simulation)) {
354 goto continue_with_failure;
355 } else {
356 goto continue_with_next;
357 }
358 }
359
360 retval = FAILURE;
361
362 /* read and forget the result */
363 while (1) {
364 int readbytes = fread(cmd, 1, sizeof(cmd), in);
365 if (readbytes<=0) {
366 break;
367 }
368 if (first) {
369 if (strncmp(cmd, "sh: ", 4) == 0) {
370 /* assume this is an error */
371 suhosin_log(S_FILES, "error while executing fileupload verification script %s - file dropped", sname);
372 if (!SUHOSIN7_G(simulation)) {
373 goto continue_with_failure;
374 } else {
375 goto continue_with_next;
376 }
377 } else {
378 retval = atoi(cmd) == 1 ? SUCCESS : FAILURE;
379 first = 0;
380 }
381 }
382 }
383 pclose(in);
384 }
385
386 if (retval != SUCCESS) {
387 suhosin_log(S_FILES, "fileupload verification script disallows file - file dropped");
388 if (!SUHOSIN7_G(simulation)) {
389 goto continue_with_failure;
390 }
391 }
392
393 SUHOSIN7_G(num_uploads)++;
394 break;
395
396 case MULTIPART_EVENT_END:
397 /* nothing todo */
398 break;
399
400 default:
401 /* unknown: return failure */
402 goto continue_with_failure;
403 }
404continue_with_next:
405// #if HAVE_RFC1867_CALLBACK
406 if (php_rfc1867_callback != NULL) {
407 return php_rfc1867_callback(event, event_data, extra);
408 }
409// #endif
410 return SUCCESS;
411continue_with_failure:
412 SUHOSIN7_G(abort_request) = 1;
413 return FAILURE;
414}
415
416
417
418/*
419 * Local variables:
420 * tab-width: 4
421 * c-basic-offset: 4
422 * End:
423 * vim600: sw=4 ts=4 fdm=marker
424 * vim<600: sw=4 ts=4
425 */