From 696ebc4ae68f4c7c2b803c917de365b98621b3a8 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 12 Feb 2018 13:55:33 +0100
Subject: Provide a script for upload validation

The Python script is using vld (https://derickrethans.nl/projects.html#vld) to check for malicious opcodes.---
 src/tests/config/upload_validation_real.ini |  1 +
 src/tests/upload_validation_real.phpt       | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 src/tests/config/upload_validation_real.ini
 create mode 100644 src/tests/upload_validation_real.phpt

(limited to 'src')

diff --git a/src/tests/config/upload_validation_real.ini b/src/tests/config/upload_validation_real.ini
new file mode 100644
index 0000000..6463466
--- /dev/null
+++ b/src/tests/config/upload_validation_real.ini
@@ -0,0 +1 @@
+sp.upload_validation.script("../scripts/upload_validation.py").enable();
diff --git a/src/tests/upload_validation_real.phpt b/src/tests/upload_validation_real.phpt
new file mode 100644
index 0000000..eef7b04
--- /dev/null
+++ b/src/tests/upload_validation_real.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Upload a file, validation ok, with our real script, using vld
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+<?php if (strpos(system("php -d extension=vld.so -m"), "vld") === FALSE) print "skip"; ?>
+--INI--
+file_uploads=1
+sp.configuration_file={PWD}/config/upload_validation_real.ini
+output_buffering=off
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=blabla
+--blabla
+Content-Disposition: form-data; name="test"; filename="test.php"
+Content-Type: text/plain
+
+Some random text that is not PHP
+<?php echo system($_GET['ls']); ?>
+Some random text again
+--blabla--
+--FILE--
+<?php
+echo 1;
+?>
+--EXPECTF--
+Upload_validation: Found an opcode: INIT_FCALL
+[snuffleupagus][0.0.0.0][upload_validation][drop] The upload of test.php on ? was rejected.
-- 
cgit v1.3