Ignoring to inject reserved global variables GH-2

gongo · Dec 29, 2014 · 1924fe3 · 1924fe3
1 parent c16dd52
commit 1924fe3
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 2 deletions.
diff --git a/src/Base.php b/src/Base.php
@@ -0,0 +1,29 @@
+<?php
+namespace Gongo\MercifulPolluter;
+
+class Base
+{
+    /**
+     * @see http://php.net/manual/en/reserved.variables.php
+     */
+    private static $ignoringVariableNames = array(
+        'GLOBALS',
+        '_SERVER',
+        '_GET',
+        '_POST',
+        '_FILES',
+        '_REQUEST',
+        '_SESSIONIDENV',
+        '_COOKIE',
+        'php_errormsg',
+        'HTTP_RAW_POST_DATA',
+        'http_response_header',
+        'argc',
+        'argv',
+    );
+
+    protected function ignoringVariable($theKey)
+    {
+        return in_array($theKey, self::$ignoringVariableNames);
+    }
+}
diff --git a/src/Request.php b/src/Request.php
@@ -1,7 +1,7 @@
 <?php
 namespace Gongo\MercifulPolluter;
 
-class Request
+class Request extends Base
 {
     private $magicQuotesGpc = false;
 
@@ -129,6 +129,10 @@ function (&$value) {
     protected function injectToGlobal(array $theVariables)
     {
         foreach ($theVariables as $name => $value) {
+            if ($this->ignoringVariable($name)) {
+                continue;
+            }
+
             $GLOBALS[$name] = $value;
         }
     }

diff --git a/src/Session.php b/src/Session.php
@@ -1,7 +1,7 @@
 <?php
 namespace Gongo\MercifulPolluter;
 
-class Session
+class Session extends Base
 {
     public function pollute()
     {
@@ -19,6 +19,10 @@ public function pollute()
     protected function injectToGlobal(array $theVariables)
     {
         foreach ($theVariables as $name => $value) {
+            if ($this->ignoringVariable($name)) {
+                continue;
+            }
+
             $GLOBALS[$name] = $value;
             $_SESSION[$name] =& $GLOBALS[$name];
         }

diff --git a/test/RequestTest.php b/test/RequestTest.php
@@ -107,6 +107,32 @@ public function testPolluteEnableMagicQuotesGpc()
         $this->assertEquals("\'Okinawa\'", $secret_info['address']);
         $this->assertEquals("\'Okinawa\'", $_GET['secret_info']['address']);
     }
+
+    /**
+     * http://example.com/?foo=123&bar=baz&_GET[foo]=Cracked&_GET[bar]=Cracked
+     *
+     * @see https://github.com/gongo/merciful-polluter/issues/2
+     */
+    public function testPolluteSpecifiedBlacklist()
+    {
+        $_GET['foo']  = '123';
+        $_GET['bar']  = 'baz';
+        $_GET['_GET'] = array(
+            'foo' => 'Cracked',
+            'bar' => 'Cracked'
+        );
+
+        $this->setVariablesOrder('g');
+        $this->object->pollute();
+
+        global $foo;
+        $this->assertEquals('123', $_GET['foo']);
+        $this->assertEquals('123', $foo);
+
+        global $bar;
+        $this->assertEquals('baz', $_GET['bar']);
+        $this->assertEquals('baz', $bar);
+    }
 
     private function setVariablesOrder($value)
     {

diff --git a/test/SessionTest.php b/test/SessionTest.php
@@ -42,4 +42,24 @@ public function testPolluteSessionNotStarted()
     {
         $this->object->pollute();
     }
+
+    /**
+     * @see https://github.com/gongo/merciful-polluter/issues/2
+     */
+    public function testPolluteSpecifiedBlacklist()
+    {
+        session_start();
+
+        $_SESSION['_GET'] = '1234';
+        $_SESSION['_POST'] = array('userId', 'Evil');
+        $_SESSION['userId'] = 'Jack';
+
+        $this->object->pollute();
+
+        $this->assertNotEquals($_SESSION['_GET'], $_GET);
+        $this->assertNotEquals($_SESSION['_POST'], $_POST);
+
+        global $userId;
+        $this->assertEquals('Jack', $userId);
+    }
 }