echo "\n\n"; echo "testing ob_get_contents\n"; ob_start(); echo $good1; $a = ob_get_contents(); ob_end_clean(); not_tainted($a); ob_start(); echo $bad1; $a = ob_get_contents(); ob_end_clean(); tainted($a); echo "\n\n"; echo "testing ob_get_flush\n"; ob_start(); ob_start(); echo $good1; $a = ob_get_flush(); ob_end_clean(); $b = ob_get_clean(); not_tainted($a); not_tainted($b); ob_start(); ob_start(); echo $bad1; $a = ob_get_flush(); ob_end_clean(); $b = ob_get_clean(); tainted($a); tainted($b);
+----------------------------------------------------------------------+
   | Copyright (c) 2010 Facebook, Inc. (http://www.facebook.com)          |
   +----------------------------------------------------------------------+
   | This source file is subject to version 3.01 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
   | available through the world-wide-web at the following url:           |
   | http://www.php.net/license/3_01.txt                                  |
   | If you did not receive a copy of the PHP license and are unable to   |
   | obtain it through the world-wide-web, please send a note to          |
   | license@php.net so we can mail you a copy immediately.               |
   +----------------------------------------------------------------------+
*/

// setup.inc is expected to define the fixtures used below ($good1, $good2,
// $bad1) and the assertion helpers not_tainted()/tainted() -- not visible here.
require_once 'setup.inc';

/**
 * Check that various forms of concatenations output the right taint information.
 *
 * Every way of joining strings is exercised: the `.` operator, the `.=`
 * compound assignment, and double-quoted interpolation. In each case the
 * result must be clean only when every operand is clean; a single tainted
 * operand is expected to taint the whole result.
 */

// Plain concatenation operator.
$a = $good1 . $good2;
not_tainted($a);
$a = $good1 . $bad1;
tainted($a);

// Compound assignment: taint of the appended value must propagate into $a.
$a = $good1;
$a .= $good2;
not_tainted($a);
$a = $good1;
$a .= $bad1;
tainted($a);

// String interpolation is concatenation in disguise and must behave the same.
$a = "{$good1} {$good2}";
not_tainted($a);
$a = "{$good1} {$bad1}";
tainted($a);
// wordwrap(): both the text being wrapped and the break string end up in the
// output, so taint on either argument must taint the result.
not_tainted(wordwrap($good1, 5, $good2, true));
tainted(wordwrap($bad1, 5, $good1, true));
tainted(wordwrap($good1, 5, $bad1, true));
tainted(wordwrap($bad1, 5, $bad2, true));

echo "\n\n";
echo "testing html_entity_decode\n";
not_tainted(html_entity_decode($good1));
tainted(html_entity_decode($bad1));

echo "\n\n";
echo "testing htmlentities\n";
// Escaping does not launder taint: the analysis tracks where a value came
// from, not whether it is safe for one particular output context, so the
// encoded form of a tainted string is still expected to be tainted.
not_tainted(htmlentities($good1));
tainted(htmlentities($bad1));

echo "\n\n";
echo "testing convert_uuencode\n";
// Same for re-encoding: the bytes change, the provenance does not.
not_tainted(convert_uuencode($good1));
tainted(convert_uuencode($bad1));

echo "\n\n";
echo "testing md5\n";
// We consider md5 operation to generate dangerous output. It unlikely to be
// exploitable, but it's better for us to be safe than sorry...
not_tainted(md5($good1));
tainted(md5($bad1));

echo "\n\n";
echo "testing print_r\n";
// print_r() with return=true serialises the whole array into one string; a
// single tainted element must be enough to taint that string.
$arr = array($good1, $good2);
$x = print_r($arr, true);
not_tainted($x);
$arr = array($good1, $bad1);
$x = print_r($arr, true);
tainted($x);
<?php

/**
 * Taint source: returns a value taken straight from the request.
 *
 * The analysis under test should mark whatever this returns as tainted,
 * because it originates from user-controlled input ($_GET).
 */
function tainted()
{
    $fromRequest = $_GET['tainted'];

    return $fromRequest;
}

/**
 * Clean value: returns a constant that never touched user input.
 *
 * Used as the control case; the analysis should never flag this result.
 */
function clean()
{
    $constant = 0;

    return $constant;
}

// One value from each side so the two can be compared by the analysis.
$a = tainted();
$b = clean();
echo "\n\n"; echo "testing debug_zval_dump\n"; ob_start(); debug_zval_dump($good1); $a = ob_get_clean(); not_tainted($a); ob_start(); debug_zval_dump($bad1); $a = ob_get_clean(); tainted($a); echo "\n\n"; echo "testing serialize\n"; not_tainted(serialize($good1)); tainted(serialize($bad1)); echo "\n\n"; echo "testing unserialize\n"; not_tainted(unserialize($serialized_good)); tainted(unserialize($serialized_bad)); echo "\n\n"; echo "testing get_defined_vars\n"; $arr = get_defined_vars(); not_tainted($arr['good1']); tainted($arr['bad1']); // Note: import_request_variables is not supported in hphp echo "\n\n"; echo "testing extract\n"; $arr = array('good1' => $good1, 'bad1' => $bad1); extract($arr, EXTR_PREFIX_ALL, 'extract'); not_tainted($extract_good1); tainted($extract_bad1);