From 32881dbe31a945b6d2449a3f7e1bf7c5e73cd0a6 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Tue, 4 Nov 2014 16:54:45 +0100
Subject: [PATCH] [ticket/13280] Only run sanitizer for server superglobal and
 modify tests

PHPBB3-13280
---
 phpBB/phpbb/symfony_request.php              | 6 +++---
 tests/security/extract_current_page_test.php | 7 ++++++-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php
index 23e5e6e29f..02d22c480f 100644
--- a/phpBB/phpbb/symfony_request.php
+++ b/phpBB/phpbb/symfony_request.php
@@ -31,7 +31,8 @@ class symfony_request extends Request
 		};
 
 		// This function is meant for additional handling of server variables
-		$server_sanitizer = function(&$value, $key) {
+		$server_sanitizer = function(&$value, $key) use ($sanitizer) {
+			$sanitizer($value, $key);
 			$value = str_replace('&amp;', '&', $value);
 		};
 
@@ -43,11 +44,10 @@ class symfony_request extends Request
 
 		array_walk_recursive($get_parameters, $sanitizer);
 		array_walk_recursive($post_parameters, $sanitizer);
-		array_walk_recursive($server_parameters, $sanitizer);
 		array_walk_recursive($files_parameters, $sanitizer);
 		array_walk_recursive($cookie_parameters, $sanitizer);
 
-		// Run additional sanitizer for server superglobal
+		// Run special sanitizer for server superglobal
 		array_walk_recursive($server_parameters, $server_sanitizer);
 
 		parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters);
diff --git a/tests/security/extract_current_page_test.php b/tests/security/extract_current_page_test.php
index 8e536ee461..c127b69b2b 100644
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@@ -84,8 +84,13 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 
 	protected function sanitizer($value)
 	{
+		// Fix for objects passed in phpunit
+		if (is_object($value))
+		{
+			return $value;
+		}
 		$type_cast_helper = new \phpbb\request\type_cast_helper();
 		$type_cast_helper->set_var($value, $value, gettype($value), true);
-		return $value;
+		return str_replace('&amp;', '&', $value);
 	}
 }