authorAnt Phillips <ant@php.net>2008-05-09 08:33:55 +0000
committerAnt Phillips <ant@php.net>2008-05-09 08:33:55 +0000
commitf6b00dcf5b2bbc28d58a6086e292b729cb3a8ff1 (patch)
tree033078b2a4787f6b79a85743c84f09719a568e0a
parentc36ea5eb0726c3445425ae5fc42c167dddf31620 (diff)
open_basedir tests for error_log
-rw-r--r--tests/security/open_basedir.inc133
-rw-r--r--tests/security/open_basedir_error_log.phpt43
-rw-r--r--tests/security/open_basedir_error_log_variation.phpt48
3 files changed, 224 insertions, 0 deletions
diff --git a/tests/security/open_basedir.inc b/tests/security/open_basedir.inc
new file mode 100644
index 0000000000..7fd0afc8bb
--- /dev/null
+++ b/tests/security/open_basedir.inc
@@ -0,0 +1,133 @@
+<?php
+
+// This file contains helper functions for testing open_basedir configuration
+// Care must be taken with where the directories are created because different
+// SAPIs set the working directory differently. So simply creating a directory
+// relative to the current working directory like this: mkdir("blah") might
+// actually create it in several different places depending on the SAPI..!
+//
+// Note also depending on the version of php being tested, so the open_basedir
+// configuration may or may not be changeable from a script (PHP_INI_SYSTEM).
+//
+// For this reason we set the open_basedir to . (current directory) and then
+// move around to various directories for testing using chdir(). This is NOT
+// recommended for production use as . bypasses all semblence of security..!
+//
+// Although safe mode has been removed in php 6.0, open_basedir is still valid.
+// See http://www.php.net/features.safe-mode for more information
+
+function recursive_delete_directory($directory) {
+
+ // Remove any trailing slash first
+ if (substr($directory, -1) == '/') {
+ $directory = substr($directory, 0, -1);
+ }
+
+ // Make sure the directory is valid
+ if (is_dir($directory) == FALSE) {
+ return FALSE;
+ }
+
+ // Check we can access the directory
+ if (is_readable($directory) == FALSE) {
+ return FALSE;
+ }
+
+ $handle = opendir($directory);
+
+ // Scan through the directory contents
+ while (FALSE !== ($item = readdir($handle))) {
+ if ($item != '.') {
+ if ($item != '..') {
+ $path = ($directory.'/'.$item);
+ if (is_dir($path) == TRUE) {
+ recursive_delete_directory($path);
+ } else {
+ @chmod($path, 0777);
+ unlink($path);
+ }
+ }
+ }
+ }
+
+ closedir($handle);
+ @chmod($directory, 0777);
+ rmdir($directory);
+
+ return TRUE;
+}
+
+function create_directories() {
+ delete_directories();
+ $directory = dirname(__FILE__);
+
+ var_dump(mkdir($directory."/test"));
+ var_dump(mkdir($directory."/test/ok"));
+ var_dump(mkdir($directory."/test/bad"));
+ file_put_contents($directory."/test/ok/ok.txt", "Hello World!");
+ file_put_contents($directory."/test/bad/bad.txt", "Hello World!");
+}
+
+function delete_directories() {
+ $directory = (dirname(__FILE__)."/test");
+ recursive_delete_directory($directory);
+}
+
+function test_open_basedir_error($function) {
+ var_dump($function("../bad"));
+ var_dump($function("../bad/bad.txt"));
+ var_dump($function(".."));
+ var_dump($function("../"));
+ var_dump($function("/"));
+ var_dump($function("../bad/."));
+ $directory = dirname(__FILE__);
+ var_dump($function($directory."/test/bad/bad.txt"));
+ var_dump($function($directory."/test/bad/../bad/bad.txt"));
+}
+
+function test_open_basedir_before($function, $change = TRUE) {
+ echo "*** Testing open_basedir configuration [$function] ***\n";
+ $directory = dirname(__FILE__);
+ var_dump(chdir($directory));
+ create_directories();
+
+ // Optionally change directory
+ if ($change == TRUE) {
+ var_dump(chdir($directory."/test/ok"));
+ }
+}
+
+// Delete directories using a --CLEAN-- section!
+function test_open_basedir_after($function) {
+ echo "*** Finished testing open_basedir configuration [$function] ***\n";
+}
+
+// This is used by functions that return an array on success
+function test_open_basedir_array($function) {
+ test_open_basedir_before($function);
+ test_open_basedir_error($function);
+ var_dump(is_array($function("./../.")));
+ var_dump(is_array($function("../ok")));
+ var_dump(is_array($function("ok.txt")));
+ var_dump(is_array($function("../ok/ok.txt")));
+ $directory = dirname(__FILE__);
+ var_dump(is_array($function($directory."/test/ok/ok.txt")));
+ var_dump(is_array($function($directory."/test/ok/../ok/ok.txt")));
+ test_open_basedir_after($function);
+}
+
+function test_open_basedir($function) {
+ test_open_basedir_before($function);
+ test_open_basedir_error($function);
+ var_dump($function("./../."));
+ var_dump($function("../ok"));
+ var_dump($function("ok.txt"));
+ var_dump($function("../ok/ok.txt"));
+ $directory = dirname(__FILE__);
+ var_dump($function($directory."/test/ok/ok.txt"));
+ var_dump($function($directory."/test/ok/../ok/ok.txt"));
+ test_open_basedir_after($function);
+}
+
+?>
+
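Review bot: In recursive_delete_directory(), `is_dir($path)` follows symbolic links, so a link under test/ that points at a directory would be descended into and the files behind it given `chmod 0777` and unlinked, outside the test tree. Nothing in this commit creates links, but the helper appears intended for reuse across the open_basedir tests, so `if (is_dir($path) && !is_link($path)) {` would be the safer guard, leaving the `else` branch to unlink the link itself. The result of `opendir()` also goes to `readdir()` unchecked; `if ($handle === FALSE) { return FALSE; }` right after the `opendir()` call would cover that. The function returns TRUE even when `unlink()` or `rmdir()` fail, so a caller cannot tell that cleanup was incomplete.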
diff --git a/tests/security/open_basedir_error_log.phpt b/tests/security/open_basedir_error_log.phpt
new file mode 100644
index 0000000000..d4406505a9
--- /dev/null
+++ b/tests/security/open_basedir_error_log.phpt
@@ -0,0 +1,43 @@
+--TEST--
+Test open_basedir configuration
+--INI--
+open_basedir=.
+--FILE--
+<?php
+require_once "open_basedir.inc";
+test_open_basedir_before("error_log");
+$directory = dirname(__FILE__);
+
+var_dump(ini_set("error_log", $directory."/test/bad/bad.txt"));
+var_dump(ini_set("error_log", $directory."/test/bad.txt"));
+var_dump(ini_set("error_log", $directory."/bad.txt"));
+var_dump(ini_set("error_log", $directory."/test/ok/ok.txt"));
+var_dump(ini_set("error_log", $directory."/test/ok/ok.txt"));
+
+test_open_basedir_after("error_log");
+?>
+--CLEAN--
+<?php
+require_once "open_basedir.inc";
+delete_directories();
+?>
+--EXPECTF--
+*** Testing open_basedir configuration [error_log] ***
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+
+Warning: ini_set(): open_basedir restriction in effect. File(%s/test/bad/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+bool(false)
+
+Warning: ini_set(): open_basedir restriction in effect. File(%s/test/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+bool(false)
+
+Warning: ini_set(): open_basedir restriction in effect. File(%s/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+bool(false)
+bool(false)
+string(%d) "%s/test/ok/ok.txt"
+*** Finished testing open_basedir configuration [error_log] ***
+
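Review bot: The `bool(false)` expected for the first `ini_set("error_log", $directory."/test/ok/ok.txt")` call is a success, not a denial, and nothing in the test says so. ini_set() returns the previous value, so this false is the still-unset error_log, which also shows that the three rejected paths were not stored; the repeated call then returns the path. A comment above the two calls, such as `// ini_set() returns the old value: false (unset) first, then the ok.txt path`, would keep a reader from taking the duplicate line for a copy-paste slip. The expectation presumably depends on error_log being empty when the test starts, so `error_log=` in --INI-- may be worth adding. The --TEST-- title is identical to the one in open_basedir_error_log_variation.phpt and could name ini_set.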
diff --git a/tests/security/open_basedir_error_log_variation.phpt b/tests/security/open_basedir_error_log_variation.phpt
new file mode 100644
index 0000000000..c0295f6506
--- /dev/null
+++ b/tests/security/open_basedir_error_log_variation.phpt
@@ -0,0 +1,48 @@
+--TEST--
+Test open_basedir configuration
+--INI--
+open_basedir=.
+--FILE--
+<?php
+require_once "open_basedir.inc";
+test_open_basedir_before("error_log");
+$directory = dirname(__FILE__);
+define("DESTINATION_IS_FILE", 3);
+
+var_dump(error_log("Hello World!", DESTINATION_IS_FILE, $directory."/test/bad/bad.txt"));
+var_dump(error_log("Hello World!", DESTINATION_IS_FILE, $directory."/test/bad.txt"));
+var_dump(error_log("Hello World!", DESTINATION_IS_FILE, $directory."/bad.txt"));
+var_dump(error_log("Hello World!", DESTINATION_IS_FILE, $directory."/test/ok/ok.txt"));
+
+test_open_basedir_after("error_log");
+?>
+--CLEAN--
+<?php
+require_once "open_basedir.inc";
+delete_directories();
+?>
+--EXPECTF--
+*** Testing open_basedir configuration [error_log] ***
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+
+Warning: error_log(): open_basedir restriction in effect. File(%s/test/bad/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+
+Warning: error_log(%s/test/bad/bad.txt): failed to open stream: Operation not permitted in %s on line %d
+bool(false)
+
+Warning: error_log(): open_basedir restriction in effect. File(%s/test/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+
+Warning: error_log(%s/test/bad.txt): failed to open stream: Operation not permitted in %s on line %d
+bool(false)
+
+Warning: error_log(): open_basedir restriction in effect. File(%s/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+
+Warning: error_log(%s/bad.txt): failed to open stream: Operation not permitted in %s on line %d
+bool(false)
+bool(true)
+*** Finished testing open_basedir configuration [error_log] ***
+
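Review bot: The allowed case at the end of --FILE-- only checks that error_log() returned true; test/ok/ok.txt is never read back, so a call that reports success without appending would still pass. That file is inside the allowed directory, so `var_dump(file_get_contents($directory."/test/ok/ok.txt"));` after the fourth call would pin the write (the exact expected string should be confirmed on the target branch). The denied targets cannot be inspected from the script under the same restriction, and --CLEAN-- removes only test/, so a regression that did write `$directory."/bad.txt"` would presumably leave that file beside the tests. The `Operation not permitted` text in EXPECTF looks like the platform's errno string and might be safer as `%s`.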