From 9111fdf5e6332923a5faf9f8a7e6b428eb91795a Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Thu, 11 Nov 2021 12:02:07 +0100
Subject: detect dummy or short encryption key

---
 .../config/broken_conf_cookie_name_and_regexp.ini  |  2 +-
 .../config/config_encrypted_cookies_noname.ini     |  2 +-
 .../config_encrypted_regexp_cookies_bad_regexp.ini |  2 +-
 .../config/config_encryption_key_short.ini         |  1 +
 .../encrypt_key_too_short.phpt                     | 23 ++++++++++++++++++++++
 .../encrypt_regexp_cookies_bad_regexp.phpt         |  3 ++-
 6 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 src/tests/broken_configuration/config/config_encryption_key_short.ini
 create mode 100644 src/tests/broken_configuration/encrypt_key_too_short.phpt

(limited to 'src/tests/broken_configuration')

diff --git a/src/tests/broken_configuration/config/broken_conf_cookie_name_and_regexp.ini b/src/tests/broken_configuration/config/broken_conf_cookie_name_and_regexp.ini
index 503889b..6b43b71 100644
--- a/src/tests/broken_configuration/config/broken_conf_cookie_name_and_regexp.ini
+++ b/src/tests/broken_configuration/config/broken_conf_cookie_name_and_regexp.ini
@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("my_cookie_name").name_r("my_cookie_regexp").encrypt();
diff --git a/src/tests/broken_configuration/config/config_encrypted_cookies_noname.ini b/src/tests/broken_configuration/config/config_encrypted_cookies_noname.ini
index 048e404..43a4284 100644
--- a/src/tests/broken_configuration/config/config_encrypted_cookies_noname.ini
+++ b/src/tests/broken_configuration/config/config_encrypted_cookies_noname.ini
@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("").encrypt();
 sp.auto_cookie_secure.enable();
diff --git a/src/tests/broken_configuration/config/config_encrypted_regexp_cookies_bad_regexp.ini b/src/tests/broken_configuration/config/config_encrypted_regexp_cookies_bad_regexp.ini
index 4fe92fd..817de14 100644
--- a/src/tests/broken_configuration/config/config_encrypted_regexp_cookies_bad_regexp.ini
+++ b/src/tests/broken_configuration/config/config_encrypted_regexp_cookies_bad_regexp.ini
@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name_r("^super_co[a-z+$").encrypt();
 sp.auto_cookie_secure.enable();
diff --git a/src/tests/broken_configuration/config/config_encryption_key_short.ini b/src/tests/broken_configuration/config/config_encryption_key_short.ini
new file mode 100644
index 0000000..7de4438
--- /dev/null
+++ b/src/tests/broken_configuration/config/config_encryption_key_short.ini
@@ -0,0 +1 @@
+sp.global.secret_key("abcdef");
diff --git a/src/tests/broken_configuration/encrypt_key_too_short.phpt b/src/tests/broken_configuration/encrypt_key_too_short.phpt
new file mode 100644
index 0000000..fe80be1
--- /dev/null
+++ b/src/tests/broken_configuration/encrypt_key_too_short.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption key too short
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encryption_key_short.ini
+--COOKIE--
+--ENV--
+return <<<EOF
+REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php
+?>
+--EXPECT--
+PHP Fatal error:  [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] The encryption key set on line 1 is too short. please use at least 10 bytes in Unknown on line 0
+
+Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] The encryption key set on line 1 is too short. please use at least 10 bytes in Unknown on line 0
+
+Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] Invalid configuration file in Unknown on line 0
+Could not startup.
\ No newline at end of file
diff --git a/src/tests/broken_configuration/encrypt_regexp_cookies_bad_regexp.phpt b/src/tests/broken_configuration/encrypt_regexp_cookies_bad_regexp.phpt
index 5383df6..ef83154 100644
--- a/src/tests/broken_configuration/encrypt_regexp_cookies_bad_regexp.phpt
+++ b/src/tests/broken_configuration/encrypt_regexp_cookies_bad_regexp.phpt
@@ -2,11 +2,12 @@
 Cookie decryption in ipv4
 --SKIPIF--
 <?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
 --INI--
 sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies_bad_regexp.ini
 error_reporting=1
 --COOKIE--
-super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM=;awful_cookie=awful_cookie_value;
+super_cookie=IpRZV4rivSjANrEOSxINd%2FdFe17giJgaAAAAAAAAAAAAAAAAAAAAALnmBVs%2BTILKxauHeGcUyJpR%2BX2UiZ6OamUTaWc=;awful_cookie=awful_cookie_value;
 --ENV--
 return <<<EOF
 REMOTE_ADDR=127.0.0.1
-- 
cgit v1.3