| author | xXx-caillou-xXx | 2018-08-29 18:09:51 +0200 |
|---|---|---|
| committer | jvoisin | 2018-08-29 16:09:51 +0000 |
| commit | 89e859d09248de6b1b9b9cdd652cb72c9f7ff098 (patch) | |
| tree | f24c9e82da5bede181607903fb4e98f59210a057 /src | |
| parent | 10552296658a87e59b60a20214fef1902320d390 (diff) | |
Change how we're validating certificates
Diffstat (limited to 'src')
| -rw-r--r-- | src/config.m4 | 1 | ||||
| -rw-r--r-- | src/php_snuffleupagus.h | 1 | ||||
| -rw-r--r-- | src/snuffleupagus.c | 6 | ||||
| -rw-r--r-- | src/sp_config.c | 1 | ||||
| -rw-r--r-- | src/sp_config.h | 8 | ||||
| -rw-r--r-- | src/sp_config_keywords.c | 5 | ||||
| -rw-r--r-- | src/sp_config_keywords.h | 1 | ||||
| -rw-r--r-- | src/sp_curl_verify_certificates.c | 33 | ||||
| -rw-r--r-- | src/sp_curl_verify_certificates.h | 15 | ||||
| -rw-r--r-- | src/tests/config/disabled_function_curl_verify_certs.ini | 19 | ||||
| -rw-r--r-- | src/tests/disabled_function_ensure_client_valid_certs.phpt | 18 | ||||
| -rw-r--r-- | src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt | 19 | ||||
| -rw-r--r-- | src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt | 21 | ||||
| -rw-r--r-- | src/tests/disabled_function_ensure_server_valid_certs.phpt | 18 | ||||
| -rw-r--r-- | src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt | 19 | ||||
| -rw-r--r-- | src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt | 21 | ||||
| -rw-r--r-- | src/tests/ensure_client_valid_certs.phpt | 18 | ||||
| -rw-r--r-- | src/tests/ensure_server_valid_certs.phpt | 18 |
18 files changed, 134 insertions, 108 deletions
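--- a/src/config.m4
+++ b/src/config.m4
@@ -7,7 +7,6 @@ sources="$sources sp_disabled_functions.c sp_execute.c sp_upload_validation.c"
 sources="$sources sp_cookie_encryption.c sp_network_utils.c tweetnacl.c"
 sources="$sources sp_config_keywords.c sp_var_parser.c sp_var_value.c sp_tree.c"
 sources="$sources sp_pcre_compat.c sp_crypt.c sp_session.c sp_sloppy.c sp_wrapper.c"
-sources="$sources sp_curl_verify_certificates.c"
 
 PHP_ARG_ENABLE(snuffleupagus, whether to enable snuffleupagus support,
 [ --enable-snuffleupagus Enable snuffleupagus support])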
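--- a/src/php_snuffleupagus.h
+++ b/src/php_snuffleupagus.h
@@ -32,7 +32,6 @@
 #include "sp_config.h"
 #include "sp_config_utils.h"
 #include "sp_config_keywords.h"
-#include "sp_curl_verify_certificates.h"
 #include "sp_cookie_encryption.h"
 #include "sp_disable_xxe.h"
 #include "sp_disabled_functions.h"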
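--- a/src/snuffleupagus.c
+++ b/src/snuffleupagus.c
@@ -96,7 +96,6 @@ PHP_GINIT_FUNCTION(snuffleupagus) {
 SP_INIT(snuffleupagus_globals->config.config_session);
 SP_INIT(snuffleupagus_globals->config.config_eval);
 SP_INIT(snuffleupagus_globals->config.config_wrapper);
-SP_INIT(snuffleupagus_globals->config.config_curl_verify_certificates);
 
 snuffleupagus_globals->config.config_disabled_functions_reg
 ->disabled_functions = NULL;
@@ -144,7 +143,6 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
 pefree(SNUFFLEUPAGUS_G(config.config_random), 1);
 pefree(SNUFFLEUPAGUS_G(config.config_readonly_exec), 1);
 pefree(SNUFFLEUPAGUS_G(config.config_global_strict), 1);
-pefree(SNUFFLEUPAGUS_G(config.config_curl_verify_certificates), 1);
 pefree(SNUFFLEUPAGUS_G(config.config_auto_cookie_secure), 1);
 pefree(SNUFFLEUPAGUS_G(config.config_snuffleupagus), 1);
 pefree(SNUFFLEUPAGUS_G(config.config_disable_xxe), 1);
@@ -274,10 +272,6 @@ static PHP_INI_MH(OnUpdateConfiguration) {
 hook_session();
 }
 
-if (SNUFFLEUPAGUS_G(config).config_curl_verify_certificates->enable) {
-hook_curl_verify_certificates();
-}
-
 if (true == SNUFFLEUPAGUS_G(config).config_global_strict->enable) {
 if (!zend_get_extension(PHP_SNUFFLEUPAGUS_EXTNAME)) {
 zend_extension_entry.startup = NULL;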
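--- a/src/sp_config.c
+++ b/src/sp_config.c
@@ -24,7 +24,6 @@ sp_config_tokens const sp_func[] = {
 {.func = parse_session, .token = SP_TOKEN_SESSION_ENCRYPTION},
 {.func = parse_sloppy_comparison, .token = SP_TOKEN_SLOPPY_COMPARISON},
 {.func = parse_wrapper_whitelist, .token = SP_TOKEN_ALLOW_WRAPPERS},
-{.func = parse_curl_verify_certificates, .token = SP_TOKEN_CURL_VERIFY_CERTIFICATES},
 {NULL, NULL}};
 
 /* Top level keyword parsing */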
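--- a/src/sp_config.h
+++ b/src/sp_config.h
@@ -55,10 +55,6 @@ typedef struct {
 
 typedef struct {
 bool enable;
-} sp_config_curl_verify_certificates;
-
-typedef struct {
-bool enable;
 } sp_config_random;
 
 typedef struct {
@@ -166,7 +162,6 @@ typedef struct {
 
 typedef struct {
 sp_config_random *config_random;
-sp_config_curl_verify_certificates *config_curl_verify_certificates;
 sp_config_sloppy *config_sloppy;
 sp_config_unserialize *config_unserialize;
 sp_config_readonly_exec *config_readonly_exec;
@@ -269,9 +264,6 @@ typedef struct {
 // upload_validator
 #define SP_TOKEN_UPLOAD_SCRIPT ".script("
 
-// cURL certificate verify
-# define SP_TOKEN_CURL_VERIFY_CERTIFICATES ".curl_verify_certificates"
-
 #define SP_TOKEN_LIST ".list("
 
 int sp_parse_config(const char *);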
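--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -94,11 +94,6 @@ int parse_global_strict(char *line) {
 line, &(SNUFFLEUPAGUS_G(config).config_global_strict->enable), NULL);
 }
 
-int parse_curl_verify_certificates(char *line) {
-return parse_enable(
-line, &(SNUFFLEUPAGUS_G(config).config_curl_verify_certificates->enable), NULL);
-}
-
 int parse_unserialize(char *line) {
 bool enable = false, disable = false;
 sp_config_unserialize *unserialize =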
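--- a/src/sp_config_keywords.h
+++ b/src/sp_config_keywords.h
@@ -17,6 +17,5 @@ int parse_eval_whitelist(char *line);
 int parse_session(char *line);
 int parse_sloppy_comparison(char *line);
 int parse_wrapper_whitelist(char *line);
-int parse_curl_verify_certificates(char *line);
 
 #endif // __SP_CONFIG_KEYWORDS_H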
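--- a/src/sp_curl_verify_certificates.c
+++ /dev/null
@@ -1,33 +0,0 @@
-#include "php_snuffleupagus.h"
-#include "sp_config.h"
-
-ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus)
-
-PHP_FUNCTION(sp_curl_setopt) {
-void (*orig_handler)(INTERNAL_FUNCTION_PARAMETERS);
-zend_string *protocol_name = NULL;
-zval *zid, *zvalue;
-zend_long options;
-
-ZEND_PARSE_PARAMETERS_START(3, 3)
-Z_PARAM_RESOURCE(zid)
-Z_PARAM_LONG(options)
-Z_PARAM_ZVAL(zvalue)
-ZEND_PARSE_PARAMETERS_END();
-
-if (options & CURLOPT_SSL_VERIFYPEER && zval_get_long(zvalue) != 1) {
-sp_log_err("verify_vertificates", "Please don't deactivate server certificate validation");
-} else if (options & CURLOPT_SSL_VERIFYHOST && zval_get_long(zvalue) != 2) {
-sp_log_err("verify_vertificates", "Please don't deactivate client certificate validation");
-}
-
-orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU);
-}
-
-int hook_curl_verify_certificates() {
-TSRMLS_FETCH();
-
-HOOK_FUNCTION("curl_setopt", sp_internal_functions_hook, PHP_FN(sp_curl_setopt));
-
-return SUCCESS;
-}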
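--- a/src/sp_curl_verify_certificates.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef SP_CURL_VERIFY_CERTIFICATES_H
-#define SP_CURL_VERIFY_CERTIFICATES_H
-#include "php_snuffleupagus.h"
-
-#ifndef CURLOPT_SSL_VERIFYPEER
-#define CURLOPT_SSL_VERIFYPEER 64
-#endif
-
-#ifndef CURLOPT_SSL_VERIFYHOST
-#define CURLOPT_SSL_VERIFYHOST 81
-#endif
-
-int hook_curl_verify_certificates();
-
-#endif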
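--- a/src/tests/config/disabled_function_curl_verify_certs.ini
+++ b/src/tests/config/disabled_function_curl_verify_certs.ini
@@ -1 +1,18 @@
-sp.curl_verify_certificates.enable();
+# `81` being SSL_VERIFYHOST, and `64` SSL_VERIFYPEER
+
+sp.disable_function.function("curl_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_setopt").param("value").value("2").allow();
+sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.");
+
+# ---
+
+sp.disable_function.function("curl_setopt_array").param("options[CURLOPT_SSL_VERIFYHOST]").value("0").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+sp.disable_function.function("curl_setopt_array").param("options[CURLOPT_SSL_VERIFYPEER]").value("0").drop().alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.");
+
+# ---
+
+sp.disable_function.function("curl_multi_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_multi_setopt").param("value").value("2").allow();
+sp.disable_function.function("curl_multi_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+sp.disable_function.function("curl_multi_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.");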
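Review bot: The two `allow()` rules for `curl_setopt` (and the matching pair for `curl_multi_setopt`) match on the value alone, so a call that sets option 81 to `1` is accepted even though `2` is the full hostname check for CURLOPT_SSL_VERIFYHOST; what `1` does depends on the libcurl version, so this is worth confirming. The `curl_setopt_array` rules follow the opposite policy and drop only the literal value `"0"`, so whether `false` or an empty string is caught depends on how the rule engine stringifies the argument, which this page does not show. The outcome also presumably relies on the allow rules being evaluated before the drop rules, and I would state that in the file, for example `# Order matters: the allow() rules must precede the drop() rules; they match any curl_setopt option whose value is 1 or 2.`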
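--- /dev/null
+++ b/src/tests/disabled_function_ensure_client_valid_certs.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Disable functions - Ensure that client certificates validation can't be disabled
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) { die("skip"); }
+if (!extension_loaded("curl")) { die("skip"); }
+?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+<?php
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_VERBOSE, '1');
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, '0');
+echo "1337";
+?>
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt', because its argument '$option' content (64) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYPEER off.' in %s/tests/disabled_function_ensure_client_valid_certs.php on line %d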
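Review bot: Only the rejected path is tested: neither this file nor the five sibling tests checks that a legitimate `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1)`, or the common boolean `true`, still goes through, so a rule set that blocked every call touching these options would pass the suite as well. The title says "client certificates" for CURLOPT_SSL_VERIFYPEER, which verifies the server's certificate chain; `Ensure that peer certificate verification can't be disabled` would be clearer, with `hostname verification` for the VERIFYHOST tests. This file and `disabled_function_ensure_server_valid_certs.phpt` also lack the `--EXTENSIONS--` section that the `curl_multi_setopt` and `curl_setopt_array` variants declare.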
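--- /dev/null
+++ b/src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Disable functions - Ensure that client certificates validation can't be disabled via `curl_multi_setopt`
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) { die("skip"); }
+if (!extension_loaded("curl")) { die("skip"); }
+?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+<?php
+$mch = curl_multi_init();
+curl_multi_setopt($mch, CURLOPT_SSL_VERIFYPEER, 0);
+echo "1337";
+?>
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_multi_setopt', because its argument '$option' content (64) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYPEER off.' in %s/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.php on line %d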
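Review bot: `curl_multi_setopt()` takes `CURLMOPT_*` options, so passing `CURLOPT_SSL_VERIFYPEER` to a multi handle does not change certificate verification for any transfer; the TLS settings of handles added to a multi handle are set with `curl_setopt()` on each easy handle. The test therefore shows that the rule fires on the numeric value 64, not that a real way of disabling verification is closed. A comment in the `--FILE--` block such as `// 64 is not a multi-handle option; this only checks that the rule matches` would keep readers from over-trusting it, and the same applies to the VERIFYHOST variant of this test.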
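--- /dev/null
+++ b/src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Disable functions - Ensure that client certificates validation can't be disabled via `curl_setopt_array`
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) { die("skip"); }
+if (!extension_loaded("curl")) { die("skip"); }
+?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+<?php
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_VERBOSE, '1');
+$options = array(CURLOPT_SSL_VERIFYPEER => 0);
+curl_setopt_array($ch, $options);
+echo "1337";
+?>
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt_array', because its argument '$options' content (0) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYPEER off.' in %s/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.php on line 5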
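Review bot: The array tests exercise only the integer `0`, while the rule they cover matches the literal `value("0")`; adding cases for `false` and `'0'` as the array value would show whether those spellings are rejected too. The expected output also hard-codes `on line 5` where the `curl_setopt` and `curl_multi_setopt` tests use `on line %d`, so any edit to the `--FILE--` block breaks the test for an unrelated reason; `on line %d` would be consistent. Both remarks apply to the VERIFYHOST variant of this test as well.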
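--- /dev/null
+++ b/src/tests/disabled_function_ensure_server_valid_certs.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Disable functions - Ensure that server certificates validation can't be disabled
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) { die("skip"); }
+if (!extension_loaded("curl")) { die("skip"); }
+?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+<?php
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_VERBOSE, '1');
+curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, '0');
+echo "1337";
+?>
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt', because its argument '$option' content (81) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYHOST off.' in %s/tests/disabled_function_ensure_server_valid_certs.php on line %d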
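--- /dev/null
+++ b/src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Disable functions - Ensure that server certificates validation can't be disabled via `curl_multi_setopt`
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) { die("skip"); }
+if (!extension_loaded("curl")) { die("skip"); }
+?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+<?php
+$mch = curl_multi_init();
+curl_multi_setopt($mch, CURLOPT_SSL_VERIFYHOST, 0);
+echo "1337";
+?>
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_multi_setopt', because its argument '$option' content (81) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYHOST off.' in %s/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.php on line %d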
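--- /dev/null
+++ b/src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Disable functions - Ensure that server certificates validation can't be disabled via `curl_setopt_array`
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+if (!extension_loaded("snuffleupagus")) { die("skip"); }
+if (!extension_loaded("curl")) { die("skip"); }
+?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+<?php
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_VERBOSE, '1');
+$options = array(CURLOPT_SSL_VERIFYHOST => 0);
+curl_setopt_array($ch, $options);
+echo "1337";
+?>
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt_array', because its argument '$options' content (0) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYHOST off.' in %s/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.php on line 5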
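--- a/src/tests/ensure_client_valid_certs.phpt
+++ /dev/null
@@ -1,18 +0,0 @@
---TEST--
-Disable functions - Ensure that client certificates validation can't be disabled
---SKIPIF--
-<?php
-if (!extension_loaded("snuffleupagus")) die "skip";
-if (!extension_loaded("curl")) die "skip";
-?>
---INI--
-sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
---FILE--
-<?php
-$ch = curl_init();
-curl_setopt($ch, CURLOPT_VERBOSE, '1');
-curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, '0');
-echo "1337";
-?>
---EXPECTF--
-Fatal error: [snuffleupagus][verify_vertificates] Please don't deactivate client certificate validation in %s/tests/ensure_client_valid_certs.php on line %d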
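--- a/src/tests/ensure_server_valid_certs.phpt
+++ /dev/null
@@ -1,18 +0,0 @@
---TEST--
-Disable functions - Ensure that server certificates validation can't be disabled
---SKIPIF--
-<?php
-if (!extension_loaded("snuffleupagus")) die "skip";
-if (!extension_loaded("curl")) die "skip";
-?>
---INI--
-sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
---FILE--
-<?php
-$ch = curl_init();
-curl_setopt($ch, CURLOPT_VERBOSE, '1');
-curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, '0');
-echo "1337";
-?>
---EXPECTF--
-Fatal error: [snuffleupagus][verify_vertificates] Please don't deactivate client certificate validation in %s/tests/ensure_server_valid_certs.php on line 3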
