From 1924fe3cdd2c86bfba2fcca963e56c09379a3356 Mon Sep 17 00:00:00 2001
From: Wataru MIYAGUNI
Date: Mon, 29 Dec 2014 15:08:14 +0900
Subject: [PATCH] Ignoring to inject reserved global variables GH-2
---
 src/Base.php | 29 +++++++++++++++++++++++++++++
 src/Request.php | 6 +++++-
 src/Session.php | 6 +++++-
 test/RequestTest.php | 26 ++++++++++++++++++++++++++
 test/SessionTest.php | 20 ++++++++++++++++++++
 5 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 src/Base.php
diff --git a/src/Base.php b/src/Base.php
new file mode 100644
index 0000000..5bd1aff
--- /dev/null
+++ b/src/Base.php
@@ -0,0 +1,29 @@
+ $value) {
+ if ($this->ignoringVariable($name)) {
+ continue;
+ }
+ $GLOBALS[$name] = $value;
 }
 }
diff --git a/src/Session.php b/src/Session.php
index 4ab4791..cc8dd82 100644
--- a/src/Session.php
+++ b/src/Session.php
@@ -1,7 +1,7 @@ $value) {
+ if ($this->ignoringVariable($name)) {
+ continue;
+ }
+ $GLOBALS[$name] = $value;
 $_SESSION[$name] =& $GLOBALS[$name];
 }
diff --git a/test/RequestTest.php b/test/RequestTest.php
index 5652a3d..f6bf3d2 100644
--- a/test/RequestTest.php
+++ b/test/RequestTest.php
@@ -107,6 +107,32 @@ public function testPolluteEnableMagicQuotesGpc()
 $this->assertEquals("\'Okinawa\'", $secret_info['address']);
 $this->assertEquals("\'Okinawa\'", $_GET['secret_info']['address']);
 }
+
+ /**
+ * http://example.com/?foo=123&bar=baz&_GET[foo]=Cracked&_GET[bar]=Cracked
+ *
+ * @see https://github.com/gongo/merciful-polluter/issues/2
+ */
+ public function testPolluteSpecifiedBlacklist()
+ {
+ $_GET['foo'] = '123';
+ $_GET['bar'] = 'baz';
+ $_GET['_GET'] = array(
+ 'foo' => 'Cracked',
+ 'bar' => 'Cracked'
+ );
+
+ $this->setVariablesOrder('g');
+ $this->object->pollute();
+
+ global $foo;
+ $this->assertEquals('123', $_GET['foo']);
+ $this->assertEquals('123', $foo);
+
+ global $bar;
+ $this->assertEquals('baz', $_GET['bar']);
+ $this->assertEquals('baz', $bar);
+ }
 private function setVariablesOrder($value)
 {
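Review bot: The new `testPolluteSpecifiedBlacklist` in RequestTest.php pins only `_GET` as a reserved name, so a gap in the list consulted by `ignoringVariable()` (its body in src/Base.php is not visible in this patch as rendered) for any of PHP's other predefined superglobals — `_POST`, `_COOKIE`, `_REQUEST`, `_SERVER`, `_ENV`, `_FILES`, `_SESSION` — would pass this suite unnoticed, and overwriting `$_SERVER` or `$_COOKIE` from a query string is at least as serious as overwriting `$_GET`. A data-provider-driven test that sets `$_GET[$reserved]` to a marker array and asserts the marker never lands in `$GLOBALS[$reserved]` would keep the denylist and the tests in sync; `GLOBALS` itself deserves a separate decision since assigning to `$GLOBALS['GLOBALS']` behaves differently across PHP versions. The assertion on `$GLOBALS[$reserved]` uses `isset()` because `$_SESSION` is not defined when no session has been started. The test keeps the file's existing `array()` and docblock `@dataProvider` style rather than attributes, matching the surrounding code.
```php
    /**
     * @dataProvider reservedNames
     */
    public function testPolluteIgnoresReservedNames($reserved)
    {
        $marker = array('foo' => 'Cracked');
        $_GET['foo'] = '123';
        $_GET[$reserved] = $marker;

        $this->setVariablesOrder('g');
        $this->object->pollute();

        global $foo;
        $this->assertEquals('123', $foo);
        $this->assertEquals('123', $_GET['foo']);
        // The reserved entry must never have been copied into the global table.
        $this->assertNotSame($marker, isset($GLOBALS[$reserved]) ? $GLOBALS[$reserved] : null);
    }

    public function reservedNames()
    {
        return array(
            array('_GET'), array('_POST'), array('_COOKIE'), array('_REQUEST'),
            array('_SERVER'), array('_ENV'), array('_FILES'), array('_SESSION'),
        );
    }
```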
diff --git a/test/SessionTest.php b/test/SessionTest.php
index b117290..692ccad 100644
--- a/test/SessionTest.php
+++ b/test/SessionTest.php
@@ -42,4 +42,24 @@ public function testPolluteSessionNotStarted()
 {
 $this->object->pollute();
 }
+
+ /**
+ * @see https://github.com/gongo/merciful-polluter/issues/2
+ */
+ public function testPolluteSpecifiedBlacklist()
+ {
+ session_start();
+
+ $_SESSION['_GET'] = '1234';
+ $_SESSION['_POST'] = array('userId', 'Evil');
+ $_SESSION['userId'] = 'Jack';
+
+ $this->object->pollute();
+
+ $this->assertNotEquals($_SESSION['_GET'], $_GET);
+ $this->assertNotEquals($_SESSION['_POST'], $_POST);
+
+ global $userId;
+ $this->assertEquals('Jack', $userId);
+ }
 }
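Review bot: The two `assertNotEquals` calls in the new `testPolluteSpecifiedBlacklist` only establish that `$_GET`/`$_POST` differ from the planted session values, which says nothing about what they now hold; pinning the real invariant is clearer and stricter, e.g. `$this->assertInternalType('array', $_GET);` and `$this->assertInternalType('array', $_POST);` alongside the existing checks. The `session_start()` added here is never paired with `session_write_close()` or `session_destroy()` in the test body, so unless tearDown (outside this hunk) resets session state, the earlier `testPolluteSessionNotStarted` becomes order-dependent; I cannot see setUp/tearDown in this chunk, so this may already be handled. A short docblock line such as `Reserved superglobal names stored in the session must not be written back into $GLOBALS.` would make the test's purpose readable without following the issue link.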