Provide a script for upload validation

The Python script is using vld (https://derickrethans.nl/projects.html#vld) to check for malicious opcodes.
author: jvoisin 2018-02-12 13:55:33 +0100
committer: GitHub 2018-02-12 13:55:33 +0100
commit: 696ebc4ae68f4c7c2b803c917de365b98621b3a8 (patch)
tree: 5c6cef740fa19926a1f824e3c71bbec1ee5c1eda /src
parent: 0c65426b8a5c369a43a34b92aec84834e3ab246b (diff)
2 files changed, 27 insertions, 0 deletions
diff --git a/src/tests/config/upload_validation_real.ini b/src/tests/config/upload_validation_real.ini
new file mode 100644
index 0000000..6463466
--- /dev/null
+++ b/src/tests/config/upload_validation_real.ini
@@ -0,0 +1 @@
+sp.upload_validation.script("../scripts/upload_validation.py").enable();
diff --git a/src/tests/upload_validation_real.phpt b/src/tests/upload_validation_real.phpt
new file mode 100644
index 0000000..eef7b04
--- /dev/null
+++ b/src/tests/upload_validation_real.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Upload a file, validation ok, with our real script, using vld
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+<?php if (strpos(system("php -d extension=vld.so -m"), "vld") === FALSE) print "skip"; ?>
+--INI--
+file_uploads=1
+sp.configuration_file={PWD}/config/upload_validation_real.ini
+output_buffering=off
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=blabla
+--blabla
+Content-Disposition: form-data; name="test"; filename="test.php"
+Content-Type: text/plain
+Some random text that is not PHP
+<?php echo system($_GET['ls']); ?>
+Some random text again
+--blabla--
+--FILE--
+<?php
+echo 1;
+?>
+--EXPECTF--
+Upload_validation: Found an opcode: INIT_FCALL
+[snuffleupagus][0.0.0.0][upload_validation][drop] The upload of test.php on ? was rejected.
author	jvoisin	2018-02-12 13:55:33 +0100
committer	GitHub	2018-02-12 13:55:33 +0100
commit	696ebc4ae68f4c7c2b803c917de365b98621b3a8 (patch)
tree	5c6cef740fa19926a1f824e3c71bbec1ee5c1eda /src
parent	0c65426b8a5c369a43a34b92aec84834e3ab246b (diff)

diff --git a/src/tests/config/upload_validation_real.ini b/src/tests/config/upload_validation_real.ini new file mode 100644 index 0000000..6463466 --- /dev/null +++ b/src/tests/config/upload_validation_real.ini
@@ -0,0 +1 @@
		sp.upload_validation.script("../scripts/upload_validation.py").enable();


diff --git a/src/tests/upload_validation_real.phpt b/src/tests/upload_validation_real.phpt new file mode 100644 index 0000000..eef7b04 --- /dev/null +++ b/src/tests/upload_validation_real.phpt
@@ -0,0 +1,26 @@
	1	--TEST--
	2	Upload a file, validation ok, with our real script, using vld
	3	--SKIPIF--
	4	<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
	5	<?php if (strpos(system("php -d extension=vld.so -m"), "vld") === FALSE) print "skip"; ?>
	6	--INI--
	7	file_uploads=1
	8	sp.configuration_file={PWD}/config/upload_validation_real.ini
	9	output_buffering=off
	10	--POST_RAW--
	11	Content-Type: multipart/form-data; boundary=blabla
	12	--blabla
	13	Content-Disposition: form-data; name="test"; filename="test.php"
	14	Content-Type: text/plain
	15
	16	Some random text that is not PHP
	17	<?php echo system($_GET['ls']); ?>
	18	Some random text again
	19	--blabla--
	20	--FILE--
	21	<?php
	22	echo 1;
	23	?>
	24	--EXPECTF--
	25	Upload_validation: Found an opcode: INIT_FCALL
	26	[snuffleupagus][0.0.0.0][upload_validation][drop] The upload of test.php on ? was rejected.