From 89e859d09248de6b1b9b9cdd652cb72c9f7ff098 Mon Sep 17 00:00:00 2001
From: xXx-caillou-xXx
Date: Wed, 29 Aug 2018 18:09:51 +0200
Subject: Change how we're validating certificates
---
.../config/disabled_function_curl_verify_certs.ini | 19 ++++++++++++++++++-
...disabled_function_ensure_client_valid_certs.phpt | 18 ++++++++++++++++++
...ensure_client_valid_certs_curl_multi_setopt.phpt | 19 +++++++++++++++++++
...ensure_client_valid_certs_curl_setopt_array.phpt | 21 +++++++++++++++++++++
...disabled_function_ensure_server_valid_certs.phpt | 18 ++++++++++++++++++
...ensure_server_valid_certs_curl_multi_setopt.phpt | 19 +++++++++++++++++++
...ensure_server_valid_certs_curl_setopt_array.phpt | 21 +++++++++++++++++++++
src/tests/ensure_client_valid_certs.phpt | 18 ------------------
src/tests/ensure_server_valid_certs.phpt | 18 ------------------
9 files changed, 134 insertions(+), 37 deletions(-)
create mode 100644 src/tests/disabled_function_ensure_client_valid_certs.phpt
create mode 100644 src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt
create mode 100644 src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt
create mode 100644 src/tests/disabled_function_ensure_server_valid_certs.phpt
create mode 100644 src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt
create mode 100644 src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt
delete mode 100644 src/tests/ensure_client_valid_certs.phpt
delete mode 100644 src/tests/ensure_server_valid_certs.phpt
(limited to 'src/tests')
diff --git a/src/tests/config/disabled_function_curl_verify_certs.ini b/src/tests/config/disabled_function_curl_verify_certs.ini
index 64d54a7..133e024 100644
--- a/src/tests/config/disabled_function_curl_verify_certs.ini
+++ b/src/tests/config/disabled_function_curl_verify_certs.ini
@@ -1 +1,18 @@
-sp.curl_verify_certificates.enable();
+# `81` being SSL_VERIFYHOST, and `64` SSL_VERIFYPEER
+
+sp.disable_function.function("curl_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_setopt").param("value").value("2").allow();
+sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.");
+
+# ---
+
+sp.disable_function.function("curl_setopt_array").param("options[CURLOPT_SSL_VERIFYHOST]").value("0").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+sp.disable_function.function("curl_setopt_array").param("options[CURLOPT_SSL_VERIFYPEER]").value("0").drop().alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.");
+
+# ---
+
+sp.disable_function.function("curl_multi_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_multi_setopt").param("value").value("2").allow();
+sp.disable_function.function("curl_multi_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+sp.disable_function.function("curl_multi_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.");
diff --git a/src/tests/disabled_function_ensure_client_valid_certs.phpt b/src/tests/disabled_function_ensure_client_valid_certs.phpt
new file mode 100644
index 0000000..374ee42
--- /dev/null
+++ b/src/tests/disabled_function_ensure_client_valid_certs.phpt
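Review bot: The `curl_setopt_array` rules drop only the literal value `"0"`, whereas the `curl_setopt` and `curl_multi_setopt` rules allow `"1"`/`"2"` and drop every other call that names option 81 or 64, so the array form is a deny-list sitting next to two allow-lists. Whether `false` or `null` in the options array matches `"0"` depends on how the engine stringifies arguments, which is not visible in this hunk; a test with `CURLOPT_SSL_VERIFYPEER => false` would settle it. The allow rules also match on the value alone, so `CURLOPT_SSL_VERIFYHOST` set to 1 passes, and older libcurl releases did not treat 1 as full host-name verification. I would record both limits in the file, e.g. `# allow rules match on value only: VERIFYHOST=1 is accepted; the array rules match the literal "0" only`.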
@@ -0,0 +1,18 @@
+--TEST--
+Disable functions - Ensure that client certificates validation can't be disabled
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt', because its argument '$option' content (64) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYPEER off.' in %s/tests/disabled_function_ensure_client_valid_certs.php on line %d
diff --git a/src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt b/src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt
new file mode 100644
index 0000000..fd4d176
--- /dev/null
+++ b/src/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Disable functions - Ensure that client certificates validation can't be disabled via `curl_multi_setopt`
+--EXTENSIONS--
+curl
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_multi_setopt', because its argument '$option' content (64) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYPEER off.' in %s/tests/disabled_function_ensure_client_valid_certs_curl_multi_setopt.php on line %d
diff --git a/src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt b/src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt
new file mode 100644
index 0000000..ce6a585
--- /dev/null
+++ b/src/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.phpt
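Review bot: The title of the first test here says "client certificates validation", but the rule it expects to fire is the one for `CURLOPT_SSL_VERIFYPEER` (option 64), which governs verification of the peer's, i.e. the server's, certificate chain; no client certificate is involved. The same wording is carried by the `curl_multi_setopt` and `curl_setopt_array` variants, and the "server" tests are really about host-name matching (`CURLOPT_SSL_VERIFYHOST`, option 81). Naming the option in the title would remove the ambiguity, e.g. `Disable functions - Ensure that CURLOPT_SSL_VERIFYPEER (peer certificate verification) can't be disabled`. The SKIPIF and FILE bodies are not visible in this view, so this concerns the title only.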
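Review bot: In the `curl_multi_setopt` test, 64 is an option number from the easy-handle `CURLOPT_*` family, while `curl_multi_setopt` takes `CURLMOPT_*` options, none of which controls certificate verification as far as I know; the test therefore shows that the rule fires on the number, not that a real way of weakening TLS is closed. The FILE body is not visible here, so I cannot tell which constant the script passes. If the multi rules are kept as a belt-and-braces measure, the title should say so, e.g. `Disable functions - curl_multi_setopt rule fires on option 64 (defence in depth)`; the same applies to the server variant for option 81.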
@@ -0,0 +1,21 @@
+--TEST--
+Disable functions - Ensure that client certificates validation can't be disabled via `curl_setopt_array`
+--EXTENSIONS--
+curl
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+ 0);
+curl_setopt_array($ch, $options);
+echo "1337";
+?>
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt_array', because its argument '$options' content (0) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYPEER off.' in %s/tests/disabled_function_ensure_client_valid_certs_curl_setopt_array.php on line 5
diff --git a/src/tests/disabled_function_ensure_server_valid_certs.phpt b/src/tests/disabled_function_ensure_server_valid_certs.phpt
new file mode 100644
index 0000000..01a4406
--- /dev/null
+++ b/src/tests/disabled_function_ensure_server_valid_certs.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Disable functions - Ensure that server certificates validation can't be disabled
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt', because its argument '$option' content (81) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYHOST off.' in %s/tests/disabled_function_ensure_server_valid_certs.php on line %d
diff --git a/src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt b/src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt
new file mode 100644
index 0000000..add2a18
--- /dev/null
+++ b/src/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.phpt
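Review bot: The EXPECTF line of the `curl_setopt_array` test pins `on line 5`, while the `curl_setopt` and `curl_multi_setopt` tests in this commit use `on line %d`; the hard-coded number makes the test fail on any edit that shifts the script by a line. Using `... curl_setopt_array.php on line %d` keeps the three variants consistent, and the same applies to the server `curl_setopt_array` test. The opening of the FILE section is cut off in this view, so only `curl_setopt_array($ch, $options);` and the `echo` are visible.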
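Review bot: Every EXPECTF added by this commit, including the one in the server `curl_setopt` test here, is a fatal error, so only the `drop()` rules are exercised; nothing checks that a call with a verifying value still passes through the `allow()` rules. A companion test whose FILE section calls `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);` and expects the script's normal output would catch a rule change that starts blocking legitimate calls or an allow rule that stops matching. This test, like the client one, also has no `--EXTENSIONS--` section naming curl, unlike the four `curl_multi_setopt`/`curl_setopt_array` tests; the SKIPIF body is not visible here, so it may already cover that.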
@@ -0,0 +1,19 @@
+--TEST--
+Disable functions - Ensure that server certificates validation can't be disabled via `curl_multi_setopt`
+--EXTENSIONS--
+curl
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_multi_setopt', because its argument '$option' content (81) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYHOST off.' in %s/tests/disabled_function_ensure_server_valid_certs_curl_multi_setopt.php on line %d
diff --git a/src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt b/src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt
new file mode 100644
index 0000000..3345797
--- /dev/null
+++ b/src/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Disable functions - Ensure that server certificates validation can't be disabled via `curl_setopt_array`
+--EXTENSIONS--
+curl
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini
+--FILE--
+ 0);
+curl_setopt_array($ch, $options);
+echo "1337";
+?>
+--EXPECTF--
+Fatal error: [snuffleupagus][disabled_function] Aborted execution on call of the function 'curl_setopt_array', because its argument '$options' content (0) matched the rule 'Please don't turn CURLOPT_SSL_VERIFYHOST off.' in %s/tests/disabled_function_ensure_server_valid_certs_curl_setopt_array.php on line 5
diff --git a/src/tests/ensure_client_valid_certs.phpt b/src/tests/ensure_client_valid_certs.phpt
deleted file mode 100644
index 64c523c..0000000
--- a/src/tests/ensure_client_valid_certs.phpt
+++ /dev/null
@@ -1,18 +0,0 @@ ---TEST-- -Disable functions - Ensure that client certificates validation can't be disabled ---SKIPIF-- - ---INI-- -sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini ---FILE-- - ---EXPECTF-- -Fatal error: [snuffleupagus][verify_vertificates] Please don't deactivate client certificate validation in %s/tests/ensure_client_valid_certs.php on line %d diff --git a/src/tests/ensure_server_valid_certs.phpt b/src/tests/ensure_server_valid_certs.phpt deleted file mode 100644 index 7eaf1a4..0000000 --- a/src/tests/ensure_server_valid_certs.phpt +++ /dev/null @@ -1,18 +0,0 @@ ---TEST-- -Disable functions - Ensure that server certificates validation can't be disabled ---SKIPIF-- - ---INI-- -sp.configuration_file={PWD}/config/disabled_function_curl_verify_certs.ini ---FILE-- - ---EXPECTF-- -Fatal error: [snuffleupagus][verify_vertificates] Please don't deactivate client certificate validation in %s/tests/ensure_server_valid_certs.php on line 3 -- cgit v1.3