Support pure numerical session ids in sanitization

spaze · spaze · commit 06d9f3a390f8 · 2024-03-16T04:11:04.000+01:00
However improbable they are in reality, in tests though... Follow-up to #8
diff --git a/src/PhpInfo.php b/src/PhpInfo.php
@@ -28,6 +28,7 @@ public function getHtml(): string
 		}
 		$sanitize = $this->sanitize + $sanitize;
 		foreach ($sanitize as $search => $replace) {
+			$search = (string)$search;
 			$replacements[$search] = $replace;
 			$replacements[urlencode($search)] = $replace;
 		}
diff --git a/tests/PhpInfoTest.phpt b/tests/PhpInfoTest.phpt
@@ -76,6 +76,23 @@ class PhpInfoTest extends TestCase
 		Assert::contains(self::WALDO_1338, $html);
 	}
 
+
+	public function testGetHtmlNumericSessionId(): void
+	{
+		$sessionId = '31337';
+		$_COOKIE['PHPSESSID'] = $sessionId;
+
+		// Set a new session id
+		session_destroy();
+		session_set_save_handler(new TestSessionHandler($sessionId));
+		session_start();
+
+		Assert::noError(function () use ($sessionId, &$html): void {
+			$html = (new PhpInfo())->getHtml();
+		});
+		Assert::notContains($sessionId, $html);
+	}
+
 }
 
 (new PhpInfoTest())->run();

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ public function getHtml(): string`
`28`	`28`	`}`
`29`	`29`	`$sanitize = $this->sanitize + $sanitize;`
`30`	`30`	`foreach ($sanitize as $search => $replace) {`
	`31`	`+ $search = (string)$search;`
`31`	`32`	`$replacements[$search] = $replace;`
`32`	`33`	`$replacements[urlencode($search)] = $replace;`
`33`	`34`	`}`