Weird behavior on bad regular expression test in cookies #105

Closed
buixor opened this issue Dec 28, 2017 · 3 comments

@buixor
Contributor

buixor commented Dec 28, 2017

Having the following test :

$ cat tests/encrypt_regexp_cookies_bad_regexp.phpt 
--TEST--
Cookie decryption in ipv4
--SKIPIF--
<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
--INI--
sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies_bad_regexp.ini
--COOKIE--
super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM=;awful_cookie=awful_cookie_value;
--ENV--
return <<<EOF
REMOTE_ADDR=127.0.0.1
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
EOF;
--FILE--
<?php var_dump($_COOKIE); ?>
--EXPECT--
[snuffleupagus][0.0.0.0][config][error] Failed to compile '^super_co[a-z+$': missing terminating ] for character class on line %d.
[snuffleupagus][0.0.0.0][config][error] '.name_r()' is expecting a valid regexp, and not '"^super_co[a-z+$"' on line %d.
array(0) {
}

with the associated .ini (notice the invalid regexp) :

sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
sp.cookie.name_r("^super_co[a-z+$").encrypt();
sp.auto_cookie_secure.enable();

Leads to the test failing with the following .out:

array(2) {
  ["super_cookie"]=>
  string(92) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM="
  ["awful_cookie"]=>
  string(18) "awful_cookie_value"
}

While launching by hand gives the expected result :

$ sh tests/encrypt_regexp_cookies_bad_regexp.sh 
[snuffleupagus][0.0.0.0][config][error] Failed to compile '^super_co[a-z+$': missing terminating ] for character class on line 2.
[snuffleupagus][0.0.0.0][config][error] '.name_r()' is expecting a valid regexp, and not '"^super_co[a-z+$"' on line 2.
array(0) {
}
buixor pushed a commit that referenced this issue Dec 28, 2017
buixor pushed a commit that referenced this issue Dec 28, 2017
@jvoisin
Owner

jvoisin commented Jan 2, 2018

Apparently, the configuration file isn't parsed when running under php's testsuite, but it is when run by hand.

@jvoisin
Owner

jvoisin commented Jan 2, 2018

screenshot_2018-01-02_16-45-55

This is what I've got when calling phpinfo() via the testsuite, and manually via the .sh file.

@jvoisin
Owner

jvoisin commented Jan 2, 2018

By diffing the phpinfo(), I found some interesting differences:

  • The environment variable HTTP_COOKIE is absent from the .sh-generated output
  • The sh-generated output has the same env variables as my shell, and all of them are passed via the $_SERVER and $_ENV globals
  • The .sh-generated one has variables_order: EGPCS, while the php-testsuite-generated one has variables_order: GPCS

I guess this is why the behaviour can't be reproduced.
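
Added example, not part of the issue thread or the project's code: a small helper that diffs two phpinfo() captures the way the comment above describes, reporting entries present on only one side and directives whose value changed. It assumes both captures were saved in the plain-text `key => value` layout printed by the PHP CLI; the two sample captures and the names `parse_phpinfo` and `diff_phpinfo` are constructed for illustration.

```python
# Added example: diff two phpinfo() captures saved as plain text.
# Assumption: "name => value" or "directive => local => master" lines,
# as printed by the PHP CLI. Both sample captures below are constructed.
SEP = " => "

TESTSUITE_CAPTURE = """\
Core

Directive => Local Value => Master Value
variables_order => GPCS => GPCS

Environment

Variable => Value
HTTP_COOKIE => super_cookie=CONSTRUCTED;awful_cookie=awful_cookie_value;
REMOTE_ADDR => 127.0.0.1
"""

SHELL_CAPTURE = """\
Core

Directive => Local Value => Master Value
variables_order => EGPCS => EGPCS

Environment

Variable => Value
REMOTE_ADDR => 127.0.0.1
SHELL => /bin/bash
"""

def parse_phpinfo(text):
    """Map each directive or variable name to its first (local) value."""
    entries = {}
    for line in text.splitlines():
        if SEP not in line:
            continue  # section titles and blank lines
        name, rest = line.split(SEP, 1)
        if name.strip() in ("Directive", "Variable"):
            continue  # table header rows
        entries[name.strip()] = rest.split(SEP)[0].strip()
    return entries

def diff_phpinfo(left, right):
    """Return names unique to each capture and values that differ."""
    a, b = parse_phpinfo(left), parse_phpinfo(right)
    changed = {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}
    return {"only_left": sorted(a.keys() - b.keys()),
            "only_right": sorted(b.keys() - a.keys()),
            "changed": changed}

if __name__ == "__main__":
    print(diff_phpinfo(TESTSUITE_CAPTURE, SHELL_CAPTURE))
```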
