author | Ant Phillips <ant@php.net> | 2008-05-09 08:33:55 +0000 |
---|---|---|
committer | Ant Phillips <ant@php.net> | 2008-05-09 08:33:55 +0000 |
commit | f6b00dcf5b2bbc28d58a6086e292b729cb3a8ff1 (patch) | |
tree | 033078b2a4787f6b79a85743c84f09719a568e0a | |
parent | c36ea5eb0726c3445425ae5fc42c167dddf31620 (diff) | |
open_basedir tests for error_log
-rw-r--r-- | tests/security/open_basedir.inc | 133 | ||||
-rw-r--r-- | tests/security/open_basedir_error_log.phpt | 43 | ||||
-rw-r--r-- | tests/security/open_basedir_error_log_variation.phpt | 48 |
3 files changed, 224 insertions, 0 deletions
diff --git a/tests/security/open_basedir.inc b/tests/security/open_basedir.inc
new file mode 100644
index 0000000000..7fd0afc8bb
--- /dev/null
+++ b/tests/security/open_basedir.inc
@@ -0,0 +1,133 @@
+<?php
+
+// This file contains helper functions for testing open_basedir configuration
+// Care must be taken with where the directories are created because different
+// SAPIs set the working directory differently. So simply creating a directory
+// relative to the current working directory like this: mkdir("blah") might
+// actually create it in several different places depending on the SAPI..!
+//
+// Note also depending on the version of php being tested, so the open_basedir
+// configuration may or may not be changeable from a script (PHP_INI_SYSTEM).
+//
+// For this reason we set the open_basedir to . (current directory) and then
+// move around to various directories for testing using chdir(). This is NOT
+// recommended for production use as . bypasses all semblence of security..!
+//
+// Although safe mode has been removed in php 6.0, open_basedir is still valid.
+// See http://www.php.net/features.safe-mode for more information
+
+function recursive_delete_directory($directory) {
+
+ // Remove any trailing slash first
+ if (substr($directory, -1) == '/') {
+ $directory = substr($directory, 0, -1);
+ }
+
+ // Make sure the directory is valid
+ if (is_dir($directory) == FALSE) {
+ return FALSE;
+ }
+
+ // Check we can access the directory
+ if (is_readable($directory) == FALSE) {
+ return FALSE;
+ }
+
+ $handle = opendir($directory);
+
+ // Scan through the directory contents
+ while (FALSE !== ($item = readdir($handle))) {
+ if ($item != '.') {
+ if ($item != '..') {
+ $path = ($directory.'/'.$item);
+ if (is_dir($path) == TRUE) {
+ recursive_delete_directory($path);
+ } else {
+ @chmod($path, 0777);
+ unlink($path);
+ }
+ }
+ }
+ }
+
+ closedir($handle);
+ @chmod($directory, 0777);
+ rmdir($directory);
+
+ return TRUE;
+}
+
+function create_directories() {
+ delete_directories();
+ $directory = dirname(__FILE__);
+
+ var_dump(mkdir($directory."/test"));
+ var_dump(mkdir($directory."/test/ok"));
+ var_dump(mkdir($directory."/test/bad"));
+ file_put_contents($directory."/test/ok/ok.txt", "Hello World!");
+ file_put_contents($directory."/test/bad/bad.txt", "Hello World!");
+}
+
+function delete_directories() {
+ $directory = (dirname(__FILE__)."/test");
+ recursive_delete_directory($directory);
+}
+
+function test_open_basedir_error($function) {
+ var_dump($function("../bad"));
+ var_dump($function("../bad/bad.txt"));
+ var_dump($function(".."));
+ var_dump($function("../"));
+ var_dump($function("/"));
+ var_dump($function("../bad/."));
+ $directory = dirname(__FILE__);
+ var_dump($function($directory."/test/bad/bad.txt"));
+ var_dump($function($directory."/test/bad/../bad/bad.txt"));
+}
+
+function test_open_basedir_before($function, $change = TRUE) {
+ echo "*** Testing open_basedir configuration [$function] ***\n";
+ $directory = dirname(__FILE__);
+ var_dump(chdir($directory));
+ create_directories();
+
+ // Optionally change directory
+ if ($change == TRUE) {
+ var_dump(chdir($directory."/test/ok"));
+ }
+}
+
+// Delete directories using a --CLEAN-- section!
+function test_open_basedir_after($function) {
+ echo "*** Finished testing open_basedir configuration [$function] ***\n";
+}
+
+// This is used by functions that return an array on success
+function test_open_basedir_array($function) {
+ test_open_basedir_before($function);
+ test_open_basedir_error($function);
+ var_dump(is_array($function("./../.")));
+ var_dump(is_array($function("../ok")));
+ var_dump(is_array($function("ok.txt")));
+ var_dump(is_array($function("../ok/ok.txt")));
+ $directory = dirname(__FILE__);
+ var_dump(is_array($function($directory."/test/ok/ok.txt")));
+ var_dump(is_array($function($directory."/test/ok/../ok/ok.txt")));
+ test_open_basedir_after($function);
+}
+
+function test_open_basedir($function) {
+ test_open_basedir_before($function);
+ test_open_basedir_error($function);
+ var_dump($function("./../."));
+ var_dump($function("../ok"));
+ var_dump($function("ok.txt"));
+ var_dump($function("../ok/ok.txt"));
+ $directory = dirname(__FILE__);
+ var_dump($function($directory."/test/ok/ok.txt"));
+ var_dump($function($directory."/test/ok/../ok/ok.txt"));
+ test_open_basedir_after($function);
+}
+
+?>
+
diff --git a/tests/security/open_basedir_error_log.phpt b/tests/security/open_basedir_error_log.phpt
new file mode 100644
index 0000000000..d4406505a9
--- /dev/null
+++ b/tests/security/open_basedir_error_log.phpt
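Review bot: `recursive_delete_directory()` decides whether to recurse with `is_dir($path)`, which is also true for a symbolic link that points at a directory, so a link left inside `test/` would make the helper descend into the link target and `unlink()` files there; the `@chmod($path, 0777)` in the else branch likewise acts on a link's target rather than on the link. The tree this commit builds holds only plain files and directories, but the helper is shared, so any later test that places a link under `test/` inherits the problem. Handling the link case first keeps the cleanup inside the test tree: `if (is_link($path)) { unlink($path); } else if (is_dir($path) == TRUE) { recursive_delete_directory($path); } else { ... }`. The result of `opendir()` is also used without a check, so a failed open goes straight into the `readdir()` loop.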
@@ -0,0 +1,43 @@
+--TEST--
+Test open_basedir configuration
+--INI--
+open_basedir=.
+--FILE--
+<?php
+require_once "open_basedir.inc";
+test_open_basedir_before("error_log");
+$directory = dirname(__FILE__);
+
+var_dump(ini_set("error_log", $directory."/test/bad/bad.txt"));
+var_dump(ini_set("error_log", $directory."/test/bad.txt"));
+var_dump(ini_set("error_log", $directory."/bad.txt"));
+var_dump(ini_set("error_log", $directory."/test/ok/ok.txt"));
+var_dump(ini_set("error_log", $directory."/test/ok/ok.txt"));
+
+test_open_basedir_after("error_log");
+?>
+--CLEAN--
+<?php
+require_once "open_basedir.inc";
+delete_directories();
+?>
+--EXPECTF--
+*** Testing open_basedir configuration [error_log] ***
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+
+Warning: ini_set(): open_basedir restriction in effect. File(%s/test/bad/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+bool(false)
+
+Warning: ini_set(): open_basedir restriction in effect. File(%s/test/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+bool(false)
+
+Warning: ini_set(): open_basedir restriction in effect. File(%s/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+bool(false)
+bool(false)
+string(%d) "%s/test/ok/ok.txt"
+*** Finished testing open_basedir configuration [error_log] ***
+
diff --git a/tests/security/open_basedir_error_log_variation.phpt b/tests/security/open_basedir_error_log_variation.phpt
new file mode 100644
index 0000000000..c0295f6506
--- /dev/null
+++ b/tests/security/open_basedir_error_log_variation.phpt
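Review bot: The fourth and fifth `ini_set("error_log", ...)` calls in the --FILE-- section are identical, and the `bool(false)` expected for the fourth is the same value the three rejected calls print, so only the absence of a warning shows that it succeeded. A comment above the pair would make the intent clear, for example `// ini_set() returns the previous value: the repeated call proves the first one took effect`. Every path tried here is absolute; the relative forms that `test_open_basedir_error()` exercises for other functions (such as `../bad/bad.txt`) are not tried against this setting, and the test does not read the setting back with `ini_get("error_log")` after a rejected call to confirm it was left unchanged.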
@@ -0,0 +1,48 @@
+--TEST--
+Test open_basedir configuration
+--INI--
+open_basedir=.
+--FILE--
+<?php
+require_once "open_basedir.inc";
+test_open_basedir_before("error_log");
+$directory = dirname(__FILE__);
+define("DESTINATION_IS_FILE", 3);
+
+var_dump(error_log("Hello World!", DESTINATION_IS_FILE, $directory."/test/bad/bad.txt"));
+var_dump(error_log("Hello World!", DESTINATION_IS_FILE, $directory."/test/bad.txt"));
+var_dump(error_log("Hello World!", DESTINATION_IS_FILE, $directory."/bad.txt"));
+var_dump(error_log("Hello World!", DESTINATION_IS_FILE, $directory."/test/ok/ok.txt"));
+
+test_open_basedir_after("error_log");
+?>
+--CLEAN--
+<?php
+require_once "open_basedir.inc";
+delete_directories();
+?>
+--EXPECTF--
+*** Testing open_basedir configuration [error_log] ***
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+bool(true)
+
+Warning: error_log(): open_basedir restriction in effect. File(%s/test/bad/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+
+Warning: error_log(%s/test/bad/bad.txt): failed to open stream: Operation not permitted in %s on line %d
+bool(false)
+
+Warning: error_log(): open_basedir restriction in effect. File(%s/test/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+
+Warning: error_log(%s/test/bad.txt): failed to open stream: Operation not permitted in %s on line %d
+bool(false)
+
+Warning: error_log(): open_basedir restriction in effect. File(%s/bad.txt) is not within the allowed path(s): (.) in %s on line %d
+
+Warning: error_log(%s/bad.txt): failed to open stream: Operation not permitted in %s on line %d
+bool(false)
+bool(true)
+*** Finished testing open_basedir configuration [error_log] ***
+
|
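Review bot: The --CLEAN-- section only removes `test/`, but the third `error_log()` call targets `$directory."/bad.txt"`, which sits beside the test files rather than under `test/`; if the restriction ever regressed, that file would be created and left behind for later runs. Adding `@unlink(dirname(__FILE__)."/bad.txt");` to --CLEAN-- covers it. The allowed write is checked only through its `bool(true)` return, so the test would be stronger with `var_dump(file_get_contents($directory."/test/ok/ok.txt"));` after it, confirming the message was appended to the permitted file. Both .phpt files carry the same --TEST-- title, which makes a failure report ambiguous; naming the mode, for example `Test open_basedir configuration: error_log() with a file destination`, would help.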