security: Fix ZF2019-01

Ensures all configured toolbar entries are examined when determining whether or not to enable them.
zendframework · Mar 27, 2019 · ce27f46 · ce27f46
1 parent 8427584
commit ce27f46
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/src/Options.php b/src/Options.php
@@ -357,7 +357,7 @@ public function setToolbar(array $options)
                     foreach ($value as $collector => $template) {
                         if ($template === false || $template === null) {
                             unset($this->toolbar[$key][$collector]);
-                            break;
+                            continue;
                         }
 
                         $this->toolbar[$key][$collector] = $template;

diff --git a/test/OptionsTest.php b/test/OptionsTest.php
@@ -21,4 +21,50 @@ public function testStatusOfDefaultConfiguration()
         $this->assertTrue($options->isEnabled());
         $this->assertTrue($options->isToolbarEnabled());
     }
+
+    public function blacklistFlags()
+    {
+        yield 'null' => [null];
+        yield 'false' => [false];
+    }
+
+    /**
+     * @see https://framework.zend.com/security/advisory/ZF2019-01
+     * @dataProvider blacklistFlags
+     * @param null|bool $flagValue
+     */
+    public function testOnlyWhitelistedToolbarEntriesShouldBeEnabled($flagValue)
+    {
+        $reportMock     = $this->prophesize(ReportInterface::class)->reveal();
+        $options        = new Options([], $reportMock);
+        $toolbarOptions = [
+            'enabled' => true,
+            'entries' => [
+                'request' => $flagValue,
+                'time'    => true,
+                'config'  => $flagValue,
+            ],
+        ];
+
+        $options->setToolbar($toolbarOptions);
+
+        $this->assertTrue($options->isToolbarEnabled());
+
+        $entries = $options->getToolbarEntries();
+        $this->assertArrayNotHasKey(
+            'request',
+            $entries,
+            'Request key found in toolbar entries, and should not have been'
+        );
+        $this->assertArrayHasKey(
+            'time',
+            $entries,
+            'Time key NOT found in toolbar entries, and should have been'
+        );
+        $this->assertArrayNotHasKey(
+            'config',
+            $entries,
+            'Config key found in toolbar entries, and should not have been'
+        );
+    }
 }