From: Christoph M. Becker <cmbecker69@gmx.de>
Date: Tue, 7 May 2019 15:37:35 +0000 (+0200)
Subject: Simplify GD null byte injection tests
X-Git-Tag: php-7.4.0alpha1~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=37d0c7b0e4072889ed05e7d631ee47a6bedf8ef5;p=php

Simplify GD null byte injection tests

These tests actually check that no file with a name containing a NUL is
created by the GD image output functions.  This is superfluous, since
it is sufficient to check that the function failed, and that an
appropriate warning has been raised.

We also add missing nullbyte injection tests.
---

diff --git a/ext/gd/tests/imagebmp_nullbyte_injection.phpt b/ext/gd/tests/imagebmp_nullbyte_injection.phpt
new file mode 100644
index 0000000000..0b6d1843d3
--- /dev/null
+++ b/ext/gd/tests/imagebmp_nullbyte_injection.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Testing null byte injection in imagebmp
+--SKIPIF--
+<?php
+if(!extension_loaded('gd')) die('skip gd extension not available');
+if (!gd_info()['BMP Support']) die('skip BMP support not available');
+?>
+--FILE--
+<?php
+$image = imagecreate(1,1);// 1px image
+var_dump(imagebmp($image, "./foo\0bar"));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagebmp(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
+bool(false)
+===DONE===
diff --git a/ext/gd/tests/imagegd2_nullbyte_injection.phpt b/ext/gd/tests/imagegd2_nullbyte_injection.phpt
index 4307704ee2..2fc3050421 100644
--- a/ext/gd/tests/imagegd2_nullbyte_injection.phpt
+++ b/ext/gd/tests/imagegd2_nullbyte_injection.phpt
@@ -4,29 +4,11 @@ Testing null byte injection in imagegd2
 <?php
         if(!extension_loaded('gd')){ die('skip gd extension not available'); }
 ?>
---CLEAN--
-$tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
-foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
-rmdir($tempdir);
 --FILE--
 <?php
 $image = imagecreate(1,1);// 1px image
-
-$tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
-if (!is_dir($tempdir)) {
-	mkdir ($tempdir, 0777, true);
-}
-
-$userinput = "1\0"; // from post or get data
-$temp = $tempdir. "/test" . $userinput .".tmp";
-
-echo "\nimagegd2 TEST\n";
-imagegd2($image, $temp);
-var_dump(file_exists($tempdir. "/test1"));
-var_dump(file_exists($tempdir. "/test1.tmp"));
+var_dump(imagegd2($image, "./foo\0bar"));
+?>
 --EXPECTF--
-imagegd2 TEST
-
 Warning: imagegd2() expects parameter 2 to be a valid path, string given in %s on line %d
-bool(false)
-bool(false)
+NULL
diff --git a/ext/gd/tests/imagegd_nullbyte_injection.phpt b/ext/gd/tests/imagegd_nullbyte_injection.phpt
index f904bbf174..f5479a0050 100644
--- a/ext/gd/tests/imagegd_nullbyte_injection.phpt
+++ b/ext/gd/tests/imagegd_nullbyte_injection.phpt
@@ -4,30 +4,11 @@ Testing null byte injection in imagegd
 <?php
         if(!extension_loaded('gd')){ die('skip gd extension not available'); }
 ?>
---CLEAN--
-$tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
-foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
-rmdir($tempdir);
 --FILE--
 <?php
 $image = imagecreate(1,1);// 1px image
-
-$tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
-if (!is_dir($tempdir)) {
-	mkdir ($tempdir, 0777, true);
-}
-
-$userinput = "1\0"; // from post or get data
-$temp = $tempdir. "/test" . $userinput .".tmp";
-
-echo "\nimagegd TEST\n";
-imagegd($image, $temp);
-var_dump(file_exists($tempdir. "/test1"));
-var_dump(file_exists($tempdir. "/test1.tmp"));
+var_dump(imagegd($image, "./foo\0bar"));
 ?>
 --EXPECTF--
-imagegd TEST
-
 Warning: imagegd() expects parameter 2 to be a valid path, string given in %s on line %d
-bool(false)
-bool(false)
+NULL
diff --git a/ext/gd/tests/imagegif_nullbyte_injection.phpt b/ext/gd/tests/imagegif_nullbyte_injection.phpt
index 0f3e5b8bad..c5acdd489e 100644
--- a/ext/gd/tests/imagegif_nullbyte_injection.phpt
+++ b/ext/gd/tests/imagegif_nullbyte_injection.phpt
@@ -3,10 +3,6 @@ Testing null byte injection in imagegif
 --SKIPIF--
 <?php
 if(!extension_loaded('gd')){ die('skip gd extension not available'); }
-$support = gd_info();
-if (!isset($support['GIF Create Support']) || $support['GIF Create Support'] === false) {
-	print 'skip gif support not available';
-}
 ?>
 --CLEAN--
 $tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
@@ -15,23 +11,8 @@ rmdir($tempdir);
 --FILE--
 <?php
 $image = imagecreate(1,1);// 1px image
-
-$tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
-if (!is_dir($tempdir)) {
-	mkdir ($tempdir, 0777, true);
-}
-
-$userinput = "1\0"; // from post or get data
-$temp = $tempdir. "/test" . $userinput .".tmp";
-
-echo "\nimagegif TEST\n";
-imagegif($image, $temp);
-var_dump(file_exists($tempdir. "/test1"));
-var_dump(file_exists($tempdir. "/test1.tmp"));
+var_dump(imagegif($image, "./foo\0bar"));
 ?>
 --EXPECTF--
-imagegif TEST
-
 Warning: imagegif(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
 bool(false)
-bool(false)
diff --git a/ext/gd/tests/imagejpeg_nullbyte_injection.phpt b/ext/gd/tests/imagejpeg_nullbyte_injection.phpt
index 38eadab4ae..29cb537c3a 100644
--- a/ext/gd/tests/imagejpeg_nullbyte_injection.phpt
+++ b/ext/gd/tests/imagejpeg_nullbyte_injection.phpt
@@ -15,23 +15,8 @@ rmdir($tempdir);
 --FILE--
 <?php
 $image = imagecreate(1,1);// 1px image
-
-$tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
-if (!is_dir($tempdir)) {
-	mkdir ($tempdir, 0777, true);
-}
-
-$userinput = "1\0"; // from post or get data
-$temp = $tempdir. "/test" . $userinput .".tmp";
-
-echo "\nimagejpeg TEST\n";
-imagejpeg($image, $temp);
-var_dump(file_exists($tempdir. "/test1"));
-var_dump(file_exists($tempdir. "/test1.tmp"));
+var_dump(imagejpeg($image, "./foo\0bar"));
 ?>
 --EXPECTF--
-imagejpeg TEST
-
 Warning: imagejpeg(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
 bool(false)
-bool(false)
diff --git a/ext/gd/tests/imagepng_nullbyte_injection.phpt b/ext/gd/tests/imagepng_nullbyte_injection.phpt
index bc9c340397..271d4d5bd3 100644
--- a/ext/gd/tests/imagepng_nullbyte_injection.phpt
+++ b/ext/gd/tests/imagepng_nullbyte_injection.phpt
@@ -15,23 +15,8 @@ rmdir($tempdir);
 --FILE--
 <?php
 $image = imagecreate(1,1);// 1px image
-
-$tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
-if (!is_dir($tempdir)) {
-	mkdir ($tempdir, 0777, true);
-}
-
-$userinput = "1\0"; // from post or get data
-$temp = $tempdir. "/test" . $userinput .".tmp";
-
-echo "\nimagepng TEST\n";
-imagepng($image, $temp);
-var_dump(file_exists($tempdir. "/test1"));
-var_dump(file_exists($tempdir. "/test1.tmp"));
+var_dump(imagepng($image, "./foo\0bar"));
 ?>
 --EXPECTF--
-imagepng TEST
-
 Warning: imagepng(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
 bool(false)
-bool(false)
diff --git a/ext/gd/tests/imagewbmp_nullbyte_injection.phpt b/ext/gd/tests/imagewbmp_nullbyte_injection.phpt
index 466584f968..fc5d238f41 100644
--- a/ext/gd/tests/imagewbmp_nullbyte_injection.phpt
+++ b/ext/gd/tests/imagewbmp_nullbyte_injection.phpt
@@ -15,23 +15,8 @@ rmdir($tempdir);
 --FILE--
 <?php
 $image = imagecreate(1,1);// 1px image
-
-$tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
-if (!is_dir($tempdir)) {
-	mkdir ($tempdir, 0777, true);
-}
-
-$userinput = "1\0"; // from post or get data
-$temp = $tempdir. "/test" . $userinput .".tmp";
-
-echo "\nimagewbmp TEST\n";
-imagewbmp($image, $temp);
-var_dump(file_exists($tempdir. "/test1"));
-var_dump(file_exists($tempdir. "/test1.tmp"));
+var_dump(imagewbmp($image, "./foo\0bar"));
 ?>
 --EXPECTF--
-imagewbmp TEST
-
 Warning: imagewbmp(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
 bool(false)
-bool(false)
diff --git a/ext/gd/tests/imagewebp_nullbyte_injection.phpt b/ext/gd/tests/imagewebp_nullbyte_injection.phpt
index 9d46a21140..d778d0a379 100644
--- a/ext/gd/tests/imagewebp_nullbyte_injection.phpt
+++ b/ext/gd/tests/imagewebp_nullbyte_injection.phpt
@@ -15,23 +15,8 @@ rmdir($tempdir);
 --FILE--
 <?php
 $image = imagecreate(1,1);// 1px image
-
-$tempdir = sprintf("%s/%s", sys_get_temp_dir(), preg_replace("~\.php$~", null, __FILE__));
-if (!is_dir($tempdir)) {
-	mkdir ($tempdir, 0777, true);
-}
-
-$userinput = "1\0"; // from post or get data
-$temp = $tempdir. "/test" . $userinput .".tmp";
-
-echo "\nimagewebp TEST\n";
-imagewebp($image, $temp);
-var_dump(file_exists($tempdir. "/test1"));
-var_dump(file_exists($tempdir. "/test1.tmp"));
+var_dump(imagewebp($image, "./foo\0bar"));
 ?>
 --EXPECTF--
-imagewebp TEST
-
 Warning: imagewebp(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
 bool(false)
-bool(false)
diff --git a/ext/gd/tests/imagexbm_nullbyte_injection.phpt b/ext/gd/tests/imagexbm_nullbyte_injection.phpt
new file mode 100644
index 0000000000..b485315064
--- /dev/null
+++ b/ext/gd/tests/imagexbm_nullbyte_injection.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Testing null byte injection in imagexbm
+--SKIPIF--
+<?php
+if(!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$image = imagecreate(1,1);// 1px image
+var_dump(imagexbm($image, "./foo\0bar"));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagexbm() expects parameter 2 to be a valid path, string given in %s on line %d
+NULL
+===DONE===