From d935140a9528a3a42323b51d84fb2bcd3da065a7 Mon Sep 17 00:00:00 2001
From: Damian Mooyman
Date: Mon, 9 Apr 2018 11:06:05 +1200
Subject: [PATCH] [ss-2018-005] Prevent unauthenticated isDev / isTest being allowed

---
 .../Startup/ParameterConfirmationToken.php | 1 +
 .../ParameterConfirmationTokenTest.php | 27 +++++++++++--------
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/Core/Startup/ParameterConfirmationToken.php b/src/Core/Startup/ParameterConfirmationToken.php
index a5069102c..1c80db1d0 100644
--- a/src/Core/Startup/ParameterConfirmationToken.php
+++ b/src/Core/Startup/ParameterConfirmationToken.php
@@ -214,6 +214,7 @@ class ParameterConfirmationToken
 */
 public function suppress()
 {
+ unset($_GET[$this->parameterName]);
 $this->request->offsetUnset($this->parameterName);
 }
diff --git a/tests/php/Core/Startup/ParameterConfirmationTokenTest.php b/tests/php/Core/Startup/ParameterConfirmationTokenTest.php
index b3ae253d0..66616433f 100644
--- a/tests/php/Core/Startup/ParameterConfirmationTokenTest.php
+++ b/tests/php/Core/Startup/ParameterConfirmationTokenTest.php
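Review bot: The new `unset($_GET[...])` line clears the `$_GET` superglobal but not `$_REQUEST`, which PHP typically populates from `$_GET`/`$_POST`/`$_COOKIE` at request start and does not keep in sync afterwards, so a consumer that reads the parameter through `$_REQUEST` would still see the unconfirmed value after suppress() returns; if such readers exist, `unset($_GET[$this->parameterName], $_REQUEST[$this->parameterName]);` closes that path. The test change in the second file builds its HTTPRequest from a copy of `$_GET`, which is presumably why clearing the request object alone was not enough here. The docblock above suppress() begins outside the hunk; it would be worth stating there that the method removes the parameter from both the request object and the `$_GET` superglobal, so callers know about the side effect on global state.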
@@ -20,17 +20,17 @@ class ParameterConfirmationTokenTest extends SapphireTest
 protected function setUp()
 {
 parent::setUp();
- $get = [];
- $get['parameterconfirmationtokentest_notoken'] = 'value';
- $get['parameterconfirmationtokentest_empty'] = '';
- $get['parameterconfirmationtokentest_withtoken'] = '1';
- $get['parameterconfirmationtokentest_withtokentoken'] = 'dummy';
- $get['parameterconfirmationtokentest_nulltoken'] = '1';
- $get['parameterconfirmationtokentest_nulltokentoken'] = null;
- $get['parameterconfirmationtokentest_emptytoken'] = '1';
- $get['parameterconfirmationtokentest_emptytokentoken'] = '';
- $get['BackURL'] = 'page?parameterconfirmationtokentest_backtoken=1';
- $this->request = new HTTPRequest('GET', 'anotherpage', $get);
+ $_GET = [];
+ $_GET['parameterconfirmationtokentest_notoken'] = 'value';
+ $_GET['parameterconfirmationtokentest_empty'] = '';
+ $_GET['parameterconfirmationtokentest_withtoken'] = '1';
+ $_GET['parameterconfirmationtokentest_withtokentoken'] = 'dummy';
+ $_GET['parameterconfirmationtokentest_nulltoken'] = '1';
+ $_GET['parameterconfirmationtokentest_nulltokentoken'] = null;
+ $_GET['parameterconfirmationtokentest_emptytoken'] = '1';
+ $_GET['parameterconfirmationtokentest_emptytokentoken'] = '';
+ $_GET['BackURL'] = 'page?parameterconfirmationtokentest_backtoken=1';
+ $this->request = new HTTPRequest('GET', 'anotherpage', $_GET);
 $this->request->setSession(new Session([]));
 }
@@ -129,6 +129,11 @@ class ParameterConfirmationTokenTest extends SapphireTest
 $this->request
 );
 $this->assertEquals('parameterconfirmationtokentest_backtoken', $token->getName());
+
+ // Test prepare_tokens() unsets $_GET vars
+ $this->assertArrayNotHasKey('parameterconfirmationtokentest_notoken', $_GET);
+ $this->assertArrayNotHasKey('parameterconfirmationtokentest_empty', $_GET);
+ $this->assertArrayNotHasKey('parameterconfirmationtokentest_noparam', $_GET);
 }
 public function dataProviderURLs()
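Review bot: setUp() now overwrites the `$_GET` superglobal at the `$_GET = [];` line and nothing in this hunk restores it, so whatever `$_GET` held before the test, and whatever the tests leave behind, persists into later tests in the same process; unless tearDown() already handles this, snapshot it in a property with `$this->originalGet = $_GET;` before the reset and restore it with `$_GET = $this->originalGet;` in tearDown(). The fixture is also passed to HTTPRequest by value, so from the `new HTTPRequest(...)` line on the request object and `$_GET` are independent copies; a one-line comment there saying so would explain why the later assertions inspect the superglobal rather than the request. tearDown() is outside the hunk.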
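Review bot: The third new assertion, `assertArrayNotHasKey('parameterconfirmationtokentest_noparam', $_GET)`, appears vacuous: setUp() in the previous hunk never populates that key, so as far as this file shows it passes whether or not suppress() runs and does not guard the fix. Either populate the key in setUp() if the intent is a parameter without a matching token, or drop the assertion; the two assertions above it at least target keys the fixture sets. A companion check that the request object no longer carries the same parameters would pin both halves of suppress(), since `$_GET` and the request are separate copies in this test. The enclosing test method starts outside the hunk.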