From f15b5aa308a46d555ecc09c075db8728a0895c23 Mon Sep 17 00:00:00 2001 
From: Ben Fuhrmannek Date: Fri, 4 Mar 2016 14:50:51 +0100 Subject: test cases for eval+func black/whitelist --- tests/executor/eval_blacklist.phpt | 18 +++++++++++++++++ tests/executor/eval_blacklist_printf.phpt | 16 +++++++++++++++ .../eval_blacklist_printf_function_exists.phpt | 23 ++++++++++++++++++++++ tests/executor/eval_whitelist_absmax.phpt | 16 +++++++++++++++ tests/executor/eval_whitelist_call_user_func.phpt | 15 ++++++++++++++ tests/executor/function_blacklist.phpt | 21 ++++++++++++++++++++ tests/executor/function_blacklist_printf.phpt | 15 ++++++++++++++ .../function_blacklist_printf_function_exists.phpt | 22 +++++++++++++++++++++ tests/executor/function_call_user_func.phpt | 12 +++++++++++ tests/executor/function_whitelist.phpt | 17 ++++++++++++++++ tests/executor/function_whitelist_absmax.phpt | 15 ++++++++++++++ .../function_whitelist_call_user_func.phpt | 15 ++++++++++++++ .../function_whitelist_function_exists.phpt | 22 +++++++++++++++++++++ tests/executor/function_whitelist_maxabs.phpt | 15 ++++++++++++++ ...function_whitelist_without_function_exists.phpt | 19 ++++++++++++++++++ 15 files changed, 261 insertions(+) create mode 100644 tests/executor/eval_blacklist.phpt create mode 100644 tests/executor/eval_blacklist_printf.phpt create mode 100644 tests/executor/eval_blacklist_printf_function_exists.phpt create mode 100644 tests/executor/eval_whitelist_absmax.phpt create mode 100644 tests/executor/eval_whitelist_call_user_func.phpt create mode 100644 tests/executor/function_blacklist.phpt create mode 100644 tests/executor/function_blacklist_printf.phpt create mode 100644 tests/executor/function_blacklist_printf_function_exists.phpt create mode 100644 tests/executor/function_call_user_func.phpt create mode 100644 tests/executor/function_whitelist.phpt create mode 100644 tests/executor/function_whitelist_absmax.phpt create mode 100644 tests/executor/function_whitelist_call_user_func.phpt create mode 100644 
tests/executor/function_whitelist_function_exists.phpt create mode 100644 tests/executor/function_whitelist_maxabs.phpt create mode 100644 tests/executor/function_whitelist_without_function_exists.phpt
diff --git a/tests/executor/eval_blacklist.phpt b/tests/executor/eval_blacklist.phpt
new file mode 100644
index 0000000..8d47564
--- /dev/null
+++ b/tests/executor/eval_blacklist.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Testing: suhosin.executor.eval.blacklist=max
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.blacklist=max
+--FILE--
+
+--EXPECTF--
+ALERT - eval'd function blacklisted: max() (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+
+Warning: max() has been disabled for security reasons in %s : eval()'d code on line 2
diff --git a/tests/executor/eval_blacklist_printf.phpt b/tests/executor/eval_blacklist_printf.phpt
new file mode 100644
index 0000000..b66d457
--- /dev/null
+++ b/tests/executor/eval_blacklist_printf.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Testing: suhosin.executor.eval.blacklist=printf via call_user_func
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.blacklist=printf
+--FILE--
+
+--EXPECTF--
+ALERT - eval'd function blacklisted: printf() (attacker 'REMOTE_ADDR not set', file '%s : eval()'d code', line 1)
+
+Warning: printf() has been disabled for security reasons in %s : eval()'d code on line 1
diff --git a/tests/executor/eval_blacklist_printf_function_exists.phpt b/tests/executor/eval_blacklist_printf_function_exists.phpt
new file mode 100644
index 0000000..d9b842c
--- /dev/null
+++ b/tests/executor/eval_blacklist_printf_function_exists.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Testing: suhosin.executor.eval.blacklist=printf with function_exists()
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.blacklist=printf,max
+--FILE--
+
+--EXPECTF--
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+
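Review bot: In tests/executor/eval_blacklist.phpt the expected ALERT line uses a bare `file '%s'`, which is looser than the sibling eval_blacklist_printf.phpt, where the alert is pinned to `file '%s : eval()'d code'`. Because `%s` in EXPECTF matches any run of characters up to the end of the line, the test passes whether the log attributes the blocked call to the eval'd code or to the including script, so a regression in that attribution would go unnoticed. If the alert is meant to name the eval'd pseudo-file here too (the Warning line below it suggests so, but the --FILE-- body is not visible in this view), tighten the pattern to `file '%s : eval()'d code', line 2`.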
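Review bot: The --TEST-- title of tests/executor/eval_blacklist_printf_function_exists.phpt names `suhosin.executor.eval.blacklist=printf`, but the --INI-- section sets `suhosin.executor.eval.blacklist=printf,max`; function_blacklist_printf_function_exists.phpt has the same mismatch for `suhosin.executor.func.blacklist`. A failing run is reported by its title, so the title should state the configuration under test, for example `Testing: suhosin.executor.eval.blacklist=printf,max with function_exists()`. A short comment in the --FILE-- body saying which function_exists() probe yields each of the five expected bool lines would also make the expectation checkable by a reader; that body is not visible in this view.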
diff --git a/tests/executor/eval_whitelist_absmax.phpt b/tests/executor/eval_whitelist_absmax.phpt
new file mode 100644
index 0000000..fff7345
--- /dev/null
+++ b/tests/executor/eval_whitelist_absmax.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Testing: suhosin.executor.eval.whitelist=abs,max
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.disable_eval=0
+suhosin.executor.eval.whitelist=abs,max
+--FILE--
+
+--EXPECTF--
+
diff --git a/tests/executor/eval_whitelist_call_user_func.phpt b/tests/executor/eval_whitelist_call_user_func.phpt
new file mode 100644
index 0000000..9ad1912
--- /dev/null
+++ b/tests/executor/eval_whitelist_call_user_func.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.eval.whitelist=printf via call_user_func
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.eval.whitelist=call_user_func
+--FILE--
+
+--EXPECTF--
+ALERT - eval'd function not whitelisted: printf() (attacker 'REMOTE_ADDR not set', file '%s : eval()'d code', line 1)
+
+Warning: printf() has been disabled for security reasons in %s : eval()'d code on line 1
diff --git a/tests/executor/function_blacklist.phpt b/tests/executor/function_blacklist.phpt
new file mode 100644
index 0000000..52ebc8b
--- /dev/null
+++ b/tests/executor/function_blacklist.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Testing: suhosin.executor.func.blacklist=max
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.blacklist=max
+--FILE--
+
+--EXPECTF--
+abALERT - function blacklisted: max() (attacker 'REMOTE_ADDR not set', file '%s', line 5)
+
+Warning: max() has been disabled for security reasons in %s on line 5
diff --git a/tests/executor/function_blacklist_printf.phpt b/tests/executor/function_blacklist_printf.phpt
new file mode 100644
index 0000000..f60f938
--- /dev/null
+++ b/tests/executor/function_blacklist_printf.phpt
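Review bot: tests/executor/eval_whitelist_call_user_func.phpt is the only one of the five eval_* tests in this commit whose --INI-- section does not set `suhosin.executor.disable_eval=0`, so it relies on that directive's default instead of stating it; adding the line keeps the test self-contained and consistent with its siblings. The --TEST-- title is also misleading: it reads `suhosin.executor.eval.whitelist=printf via call_user_func`, while the directive is `suhosin.executor.eval.whitelist=call_user_func` and the expectation is that printf() is rejected. A title such as `Testing: suhosin.executor.eval.whitelist=call_user_func blocks printf via call_user_func` says what is actually asserted.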
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.func.blacklist=printf
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.blacklist=printf
+--FILE--
+
+--EXPECTF--
+ALERT - function blacklisted: printf() (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+
+Warning: printf() has been disabled for security reasons in %s on line 2
diff --git a/tests/executor/function_blacklist_printf_function_exists.phpt b/tests/executor/function_blacklist_printf_function_exists.phpt
new file mode 100644
index 0000000..2fe9d33
--- /dev/null
+++ b/tests/executor/function_blacklist_printf_function_exists.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Testing: suhosin.executor.func.blacklist=printf with function_exists()
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.blacklist=printf,max
+--FILE--
+
+--EXPECTF--
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+
diff --git a/tests/executor/function_call_user_func.phpt b/tests/executor/function_call_user_func.phpt
new file mode 100644
index 0000000..8a229d4
--- /dev/null
+++ b/tests/executor/function_call_user_func.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Testing if call_user_func() actually works
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+--FILE--
+
+--EXPECTF--
+hello
\ No newline at end of file
diff --git a/tests/executor/function_whitelist.phpt b/tests/executor/function_whitelist.phpt
new file mode 100644
index 0000000..2e9fee4
--- /dev/null
+++ b/tests/executor/function_whitelist.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Testing: suhosin.executor.func.whitelist=abs
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.whitelist=abs
+--FILE--
+
+--EXPECTF--
+ALERT - function not whitelisted: max() (attacker 'REMOTE_ADDR not set', file '%s', line 3)
+
+Warning: max() has been disabled for security reasons in %s on line 3
diff --git a/tests/executor/function_whitelist_absmax.phpt b/tests/executor/function_whitelist_absmax.phpt
new file mode 100644
index 0000000..f240e69
--- /dev/null
+++ b/tests/executor/function_whitelist_absmax.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.func.whitelist=abs,max
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.whitelist=abs,max
+--FILE--
+
+--EXPECTF--
+
diff --git a/tests/executor/function_whitelist_call_user_func.phpt b/tests/executor/function_whitelist_call_user_func.phpt
new file mode 100644
index 0000000..e86380c
--- /dev/null
+++ b/tests/executor/function_whitelist_call_user_func.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.func.whitelist=call_user_func
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.whitelist=call_user_func
+--FILE--
+
+--EXPECTF--
+ALERT - function not whitelisted: printf() (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+
+Warning: printf() has been disabled for security reasons in %s on line 2
diff --git a/tests/executor/function_whitelist_function_exists.phpt b/tests/executor/function_whitelist_function_exists.phpt
new file mode 100644
index 0000000..bc515ab
--- /dev/null
+++ b/tests/executor/function_whitelist_function_exists.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Testing: suhosin.executor.func.whitelist with function_exists()
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.whitelist=printf,max,function_exists,var_dump
+--FILE--
+
+--EXPECTF--
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+
diff --git a/tests/executor/function_whitelist_maxabs.phpt b/tests/executor/function_whitelist_maxabs.phpt
new file mode 100644
index 0000000..88a356e
--- /dev/null
+++ b/tests/executor/function_whitelist_maxabs.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Testing: suhosin.executor.func.whitelist=max,abs
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.whitelist=max,abs
+--FILE--
+
+--EXPECTF--
+
diff --git a/tests/executor/function_whitelist_without_function_exists.phpt b/tests/executor/function_whitelist_without_function_exists.phpt
new file mode 100644
index 0000000..383a7c6
--- /dev/null
+++ b/tests/executor/function_whitelist_without_function_exists.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Testing: suhosin.executor.func.whitelist without function_exists()
+--SKIPIF--
+
+--INI--
+suhosin.log.sapi=64
+suhosin.executor.func.whitelist=printf,max,var_dump
+--FILE--
+
+--EXPECTF--
+ALERT - function not whitelisted: function_exists() (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+
+Warning: function_exists() has been disabled for security reasons in %s on line 2
-- 
cgit v1.3