Encode all input, warn not to serve on public websites

Author: sad-spirit

tests/_network/basicauth.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,9 +13,9 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
 $user       = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
@@ -27,7 +27,7 @@
     header('WWW-Authenticate: Basic realm="HTTP_Request2 tests"', true, 401);
     echo "Login required";
 } else {
-    echo "Username={$user};Password={$pass}";
+    echo htmlspecialchars("Username={$user};Password={$pass}", ENT_NOQUOTES, 'UTF-8');
 }
 
 ?>

tests/_network/bug19934.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,9 +13,9 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
 for ($i = 0; $i < 20; $i++) {

tests/_network/bug20228.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,9 +13,9 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
 header('Transfer-Encoding: chunked');

tests/_network/cookies.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,12 +13,12 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
 ksort($_COOKIE);
-echo serialize($_COOKIE);
+echo htmlspecialchars(serialize($_COOKIE), ENT_NOQUOTES, 'UTF-8');
 
 ?>

tests/_network/digestauth.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,15 +13,15 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
 /**
  * Mostly borrowed from PHP manual and Socket Adapter implementation
  *
- * @link http://php.net/manual/en/features.http-auth.php
+ * @link https://php.net/manual/en/features.http-auth.php
  */
 
 /**
@@ -78,6 +78,6 @@ function http_digest_parse($txt)
            '",qop="auth",nonce="' . uniqid() . '"', true, 401);
     echo "Login required";
 } else {
-    echo "Username={$data['username']}";
+    echo htmlspecialchars("Username={$data['username']}", ENT_NOQUOTES, 'UTF-8');
 }
 ?>

tests/_network/download.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,9 +13,9 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
 $payload = str_repeat('0123456789abcdef', 128);

tests/_network/getparameters.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,12 +13,12 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
 ksort($_GET);
-echo serialize($_GET);
+echo htmlspecialchars(serialize($_GET), ENT_NOQUOTES, 'UTF-8');
 
 ?>

tests/_network/incompletebody.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,9 +13,9 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
 header('Connection: close');

tests/_network/postparameters.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,12 +13,12 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
 ksort($_POST);
-echo serialize($_POST);
+echo htmlspecialchars(serialize($_POST), ENT_NOQUOTES, 'UTF-8');
 
 ?>

tests/_network/rawpostdata.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Helper files for HTTP_Request2 unit tests. Should be accessible via HTTP.
+ * WARNING: This file is a part of test suite for PEAR/HTTP_Request2. It should NOT be served on public websites.
  *
  * PHP version 5
  *
@@ -13,10 +13,10 @@
  * @category  HTTP
  * @package   HTTP_Request2
  * @author    Alexey Borzov <[email protected]>
- * @copyright 2008-2023 Alexey Borzov <[email protected]>
- * @license   http://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
- * @link      http://pear.php.net/package/HTTP_Request2
+ * @copyright 2008-2025 Alexey Borzov <[email protected]>
+ * @license   https://opensource.org/licenses/BSD-3-Clause BSD 3-Clause License
+ * @link      https://pear.php.net/package/HTTP_Request2
  */
 
-readfile('php://input');
+echo htmlspecialchars(file_get_contents('php://input'), ENT_NOQUOTES, 'UTF-8');
 ?>