Merge remote-tracking branch 'sektioneins/master'

author: jvoisin 2022-03-20 18:20:45 +0100
committer: jvoisin 2022-03-20 18:20:45 +0100
commit: 81dd7f2ef07af306fe83d7755cbac4529aa9fc8d (patch)
tree: 32cc44c6231b30db5ac7b15699297863460784aa /src/tests/xxe
parent: 83b01942dfc80474cc05e09aeef4b44307a7120b (diff)
parent: c38df1077a6c1dfbca1baca049214d053e2e7684 (diff)
8 files changed, 128 insertions, 7 deletions
diff --git a/src/tests/xxe/config/disable_xxe.ini b/src/tests/xxe/config/disable_xxe.ini
index bc9d1f2..a50a3b9 100644
--- a/src/tests/xxe/config/disable_xxe.ini
+++ b/src/tests/xxe/config/disable_xxe.ini
@@ -1 +1 @@
-sp.disable_xxe.enable();
+sp.xxe_protection.enable();
diff --git a/src/tests/xxe/config/disable_xxe_disable.ini b/src/tests/xxe/config/disable_xxe_disable.ini
index bb1e432..eaf5755 100644
--- a/src/tests/xxe/config/disable_xxe_disable.ini
+++ b/src/tests/xxe/config/disable_xxe_disable.ini
@@ -1 +1 @@
-sp.disable_xxe.disable();
+sp.xxe_protection.disable();
diff --git a/src/tests/xxe/disable_xxe_dom_disabled.phpt b/src/tests/xxe/disable_xxe_dom_disabled.phpt
index a49e094..107171c 100644
--- a/src/tests/xxe/disable_xxe_dom_disabled.phpt
+++ b/src/tests/xxe/disable_xxe_dom_disabled.phpt
@@ -1,10 +1,10 @@
 --TEST--
-Disable XXE
+Disable XXE (feature enabled)
 --SKIPIF--
 <?php if (!extension_loaded("snuffleupagus") || !extension_loaded("dom")) print("skip"); ?>
 <?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
 --INI--
-sp.configuration_file={PWD}/config/disable_xxe_disable.ini
+sp.configuration_file={PWD}/config/disable_xxe.ini
 --EXTENSIONS--
 dom
 --FILE--
diff --git a/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt
new file mode 100644
index 0000000..01e3349
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt
@@ -0,0 +1,57 @@
+--TEST--
+Disable XXE (feature disabled)
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus") || !extension_loaded("dom")) print("skip"); ?>
+<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe_disable.ini
+--EXTENSIONS--
+dom
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = '<content>WARNING, external entity loaded!</content>';
+file_put_contents($dir . '/content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents($dir . '/content.xml', $xml);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+libxml_set_external_entity_loader(null);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+?>
+--EXPECTF-- 
+default setting with LIBXML_NOENT: WARNING, external entity loaded!
+default setting without LIBXML_NOENT: 
+disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
+disabled entity loader without LIBXML_NOENT:
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/xxe/disable_xxe_dom_php8.phpt b/src/tests/xxe/disable_xxe_dom_php8.phpt
new file mode 100644
index 0000000..485828f
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_dom_php8.phpt
@@ -0,0 +1,59 @@
+--TEST--
+Disable XXE (feature enabled)
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus") || !extension_loaded("dom")) print("skip"); ?>
+<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--EXTENSIONS--
+dom
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = '<content>WARNING, external entity loaded!</content>';
+file_put_contents($dir . '/content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents($dir . '/content.xml', $xml);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+libxml_set_external_entity_loader(null);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+?>
+--EXPECTF-- 
+default setting with LIBXML_NOENT: WARNING, external entity loaded!
+default setting without LIBXML_NOENT: 
+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_set_external_entity_loader was tried and nopped in %a.php on line 26
+disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
+disabled entity loader without LIBXML_NOENT:
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/xxe/disable_xxe_simplexml.phpt b/src/tests/xxe/disable_xxe_simplexml.phpt
index 1d3ef4c..9560156 100644
--- a/src/tests/xxe/disable_xxe_simplexml.phpt
+++ b/src/tests/xxe/disable_xxe_simplexml.phpt
@@ -2,8 +2,9 @@
 Disable XXE
 --SKIPIF--
 <?php if (!extension_loaded("snuffleupagus") || !extension_loaded("simplexml") || getenv('TRAVIS')) print("skip"); ?>
+<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
 --INI--
-sp.configuration_file={PWD}/config/disable_xxe.ini
+sp.configuration_file={PWD}/config/disable_xxe_disable.ini
 --EXTENSIONS--
 simplexml
 --XFAIL--
diff --git a/src/tests/xxe/disable_xxe_simplexml_oop.phpt b/src/tests/xxe/disable_xxe_simplexml_oop.phpt
index e101337..1b2c4ca 100644
--- a/src/tests/xxe/disable_xxe_simplexml_oop.phpt
+++ b/src/tests/xxe/disable_xxe_simplexml_oop.phpt
@@ -2,8 +2,9 @@
 Disable XXE
 --SKIPIF--
 <?php if (!extension_loaded("snuffleupagus") || !extension_loaded("simplexml") || getenv('TRAVIS')) print("skip"); ?>
+<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
 --INI--
-sp.configuration_file={PWD}/config/disable_xxe.ini
+sp.configuration_file={PWD}/config/disable_xxe_disable.ini
 --EXTENSIONS--
 simplexml
 --XFAIL--
diff --git a/src/tests/xxe/disable_xxe_xml_parse.phpt b/src/tests/xxe/disable_xxe_xml_parse.phpt
index 6b48bea..bc7e338 100644
--- a/src/tests/xxe/disable_xxe_xml_parse.phpt
+++ b/src/tests/xxe/disable_xxe_xml_parse.phpt
@@ -70,7 +70,8 @@ $parser = create_parser();
 $doc = xml_parse($parser, $xml, true);
 xml_parser_free($parser);
--EXPECT--
+--EXPECTF--
+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %a.php on line 41
 string(4) "TEST"
 array(0) {
@@ -81,6 +82,8 @@ array(0) {
 }
 string(7) "TESTING"
 string(4) "TEST"
+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %a.php on line 46
 string(4) "TEST"
 array(0) {
author	jvoisin	2022-03-20 18:20:45 +0100
committer	jvoisin	2022-03-20 18:20:45 +0100
commit	81dd7f2ef07af306fe83d7755cbac4529aa9fc8d (patch)
tree	32cc44c6231b30db5ac7b15699297863460784aa /src/tests/xxe
parent	83b01942dfc80474cc05e09aeef4b44307a7120b (diff)
parent	c38df1077a6c1dfbca1baca049214d053e2e7684 (diff)

diff --git a/src/tests/xxe/config/disable_xxe.ini b/src/tests/xxe/config/disable_xxe.ini index bc9d1f2..a50a3b9 100644 --- a/src/tests/xxe/config/disable_xxe.ini +++ b/src/tests/xxe/config/disable_xxe.ini
@@ -1 +1 @@
	sp.disable_xxe.enable();		sp.xxe_protection.enable();


diff --git a/src/tests/xxe/config/disable_xxe_disable.ini b/src/tests/xxe/config/disable_xxe_disable.ini index bb1e432..eaf5755 100644 --- a/src/tests/xxe/config/disable_xxe_disable.ini +++ b/src/tests/xxe/config/disable_xxe_disable.ini
@@ -1 +1 @@
	sp.disable_xxe.disable();		sp.xxe_protection.disable();


diff --git a/src/tests/xxe/disable_xxe_dom_disabled.phpt b/src/tests/xxe/disable_xxe_dom_disabled.phpt index a49e094..107171c 100644 --- a/src/tests/xxe/disable_xxe_dom_disabled.phpt +++ b/src/tests/xxe/disable_xxe_dom_disabled.phpt
@@ -1,10 +1,10 @@
1	--TEST--	1	--TEST--
2	Disable XXE	2	Disable XXE (feature enabled)
3	--SKIPIF--	3	--SKIPIF--
4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("dom")) print("skip"); ?>	4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("dom")) print("skip"); ?>
5	<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>	5	<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
6	--INI--	6	--INI--
7	sp.configuration_file={PWD}/config/disable_xxe_disable.ini	7	sp.configuration_file={PWD}/config/disable_xxe.ini
8	--EXTENSIONS--	8	--EXTENSIONS--
9	dom	9	dom
10	--FILE--	10	--FILE--


diff --git a/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt new file mode 100644 index 0000000..01e3349 --- /dev/null +++ b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt
@@ -0,0 +1,57 @@
		1	--TEST--
		2	Disable XXE (feature disabled)
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("dom")) print("skip"); ?>
		5	<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
		6	--INI--
		7	sp.configuration_file={PWD}/config/disable_xxe_disable.ini
		8	--EXTENSIONS--
		9	dom
		10	--FILE--
		11	<?php
		12	$dir = __DIR__;
		13	$content = '<content>WARNING, external entity loaded!</content>';
		14	file_put_contents($dir . '/content.txt', $content);
		15
		16	$xml = <<<EOD
		17	<?xml version="1.0"?>
		18	<!DOCTYPE root
		19	[
		20	<!ENTITY foo SYSTEM "file://$dir/content.txt">
		21	]>
		22	<test><testing>&foo;</testing></test>
		23	EOD;
		24
		25	file_put_contents($dir . '/content.xml', $xml);
		26
		27
		28	$dom = new DOMDocument('1.0');
		29	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
		30	printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		31
		32	$dom = new DOMDocument('1.0');
		33	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD);
		34	printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		35
		36	libxml_set_external_entity_loader(null);
		37
		38	$dom = new DOMDocument('1.0');
		39	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
		40	printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		41
		42	$dom = new DOMDocument('1.0');
		43	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD);
		44	printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		45
		46	?>
		47	--EXPECTF--
		48	default setting with LIBXML_NOENT: WARNING, external entity loaded!
		49	default setting without LIBXML_NOENT:
		50	disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
		51	disabled entity loader without LIBXML_NOENT:
		52	--CLEAN--
		53	<?php
		54	$dir = __DIR__;
		55	unlink($dir . "/content.xml");
		56	unlink($dir . "/content.txt");
		57	?>


diff --git a/src/tests/xxe/disable_xxe_dom_php8.phpt b/src/tests/xxe/disable_xxe_dom_php8.phpt new file mode 100644 index 0000000..485828f --- /dev/null +++ b/src/tests/xxe/disable_xxe_dom_php8.phpt
@@ -0,0 +1,59 @@
		1	--TEST--
		2	Disable XXE (feature enabled)
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("dom")) print("skip"); ?>
		5	<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
		6	--INI--
		7	sp.configuration_file={PWD}/config/disable_xxe.ini
		8	--EXTENSIONS--
		9	dom
		10	--FILE--
		11	<?php
		12	$dir = __DIR__;
		13	$content = '<content>WARNING, external entity loaded!</content>';
		14	file_put_contents($dir . '/content.txt', $content);
		15
		16	$xml = <<<EOD
		17	<?xml version="1.0"?>
		18	<!DOCTYPE root
		19	[
		20	<!ENTITY foo SYSTEM "file://$dir/content.txt">
		21	]>
		22	<test><testing>&foo;</testing></test>
		23	EOD;
		24
		25	file_put_contents($dir . '/content.xml', $xml);
		26
		27
		28	$dom = new DOMDocument('1.0');
		29	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
		30	printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		31
		32	$dom = new DOMDocument('1.0');
		33	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD);
		34	printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		35
		36	libxml_set_external_entity_loader(null);
		37
		38	$dom = new DOMDocument('1.0');
		39	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
		40	printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		41
		42	$dom = new DOMDocument('1.0');
		43	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD);
		44	printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		45
		46	?>
		47	--EXPECTF--
		48	default setting with LIBXML_NOENT: WARNING, external entity loaded!
		49	default setting without LIBXML_NOENT:
		50
		51	Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_set_external_entity_loader was tried and nopped in %a.php on line 26
		52	disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
		53	disabled entity loader without LIBXML_NOENT:
		54	--CLEAN--
		55	<?php
		56	$dir = __DIR__;
		57	unlink($dir . "/content.xml");
		58	unlink($dir . "/content.txt");
		59	?>


diff --git a/src/tests/xxe/disable_xxe_simplexml.phpt b/src/tests/xxe/disable_xxe_simplexml.phpt index 1d3ef4c..9560156 100644 --- a/src/tests/xxe/disable_xxe_simplexml.phpt +++ b/src/tests/xxe/disable_xxe_simplexml.phpt
@@ -2,8 +2,9 @@
2	Disable XXE	2	Disable XXE
3	--SKIPIF--	3	--SKIPIF--
4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("simplexml") \|\| getenv('TRAVIS')) print("skip"); ?>	4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("simplexml") \|\| getenv('TRAVIS')) print("skip"); ?>
		5	<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
5	--INI--	6	--INI--
6	sp.configuration_file={PWD}/config/disable_xxe.ini	7	sp.configuration_file={PWD}/config/disable_xxe_disable.ini
7	--EXTENSIONS--	8	--EXTENSIONS--
8	simplexml	9	simplexml
9	--XFAIL--	10	--XFAIL--


diff --git a/src/tests/xxe/disable_xxe_simplexml_oop.phpt b/src/tests/xxe/disable_xxe_simplexml_oop.phpt index e101337..1b2c4ca 100644 --- a/src/tests/xxe/disable_xxe_simplexml_oop.phpt +++ b/src/tests/xxe/disable_xxe_simplexml_oop.phpt
@@ -2,8 +2,9 @@
2	Disable XXE	2	Disable XXE
3	--SKIPIF--	3	--SKIPIF--
4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("simplexml") \|\| getenv('TRAVIS')) print("skip"); ?>	4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("simplexml") \|\| getenv('TRAVIS')) print("skip"); ?>
		5	<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
5	--INI--	6	--INI--
6	sp.configuration_file={PWD}/config/disable_xxe.ini	7	sp.configuration_file={PWD}/config/disable_xxe_disable.ini
7	--EXTENSIONS--	8	--EXTENSIONS--
8	simplexml	9	simplexml
9	--XFAIL--	10	--XFAIL--


diff --git a/src/tests/xxe/disable_xxe_xml_parse.phpt b/src/tests/xxe/disable_xxe_xml_parse.phpt index 6b48bea..bc7e338 100644 --- a/src/tests/xxe/disable_xxe_xml_parse.phpt +++ b/src/tests/xxe/disable_xxe_xml_parse.phpt
@@ -70,7 +70,8 @@ $parser = create_parser();
70	$doc = xml_parse($parser, $xml, true);	70	$doc = xml_parse($parser, $xml, true);
71	xml_parser_free($parser);	71	xml_parser_free($parser);
72		72
73	--EXPECT--	73	--EXPECTF--
		74	Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %a.php on line 41
74	string(4) "TEST"	75	string(4) "TEST"
75		76
76	array(0) {	77	array(0) {
@@ -81,6 +82,8 @@ array(0) {
81	}	82	}
82	string(7) "TESTING"	83	string(7) "TESTING"
83	string(4) "TEST"	84	string(4) "TEST"
		85
		86	Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %a.php on line 46
84	string(4) "TEST"	87	string(4) "TEST"
85		88
86	array(0) {	89	array(0) {