
Commit 9eee922

fix(guard): cast drp_action valid-actions to strings for strict in_array
array_keys($actions + $assoc_actions) returns integer keys; POST values are always strings. Without the strval() cast, in_array(..., true) with strict comparison always fails, making every bulk form action unreachable. Adds regression test asserting the strval() cast is present. Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
1 parent 4253b17 commit 9eee922

2 files changed

Lines changed: 7 additions & 1 deletion


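--- a/notify_lists.php
+++ b/notify_lists.php
@@ -148,7 +148,7 @@ function form_actions() {
 // ================= input validation =================
 get_filter_request_var('drp_action');
 
-$valid_actions = array_keys($actions + $assoc_actions);
+$valid_actions = array_map('strval', array_keys($actions + $assoc_actions));
 
 if (!in_array(get_request_var('drp_action'), $valid_actions, true)) {
 raise_message(40);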
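Review bot: The strval() cast on new line 151 is exactly the kind of change a later cleanup removes as "redundant", so it deserves a why-comment at the call site instead of relying on the test file alone: `// array_keys() returns int keys for numeric action ids; POST values are strings, so cast before strict in_array()`. If get_filter_request_var('drp_action') two lines earlier applies an integer filter (its behaviour is not visible in this hunk), a non-numeric key in $assoc_actions could never reach a match here, so it is worth confirming the two validations agree on the accepted key set. form_actions() begins before the hunk and the raise_message(40) branch continues past it.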

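--- a/tests/Security/PreparedStatementTest.php
+++ b/tests/Security/PreparedStatementTest.php
@@ -64,3 +64,9 @@
 it('thold_functions.php get_allowed_threshold_logs uses db_fetch_assoc_prepared', function () use ($funcs_src) {
 expect($funcs_src)->toContain('db_fetch_assoc_prepared("SELECT');
 });
+
+it('notify_lists.php drp_action guard converts keys to strings before strict comparison', function () use ($notify_src) {
+// array_keys() returns int keys; POST values are strings; strval() cast allows strict in_array()
+expect($notify_src)->toContain("array_map('strval', array_keys(\$actions + \$assoc_actions))");
+expect($notify_src)->toContain("in_array(get_request_var('drp_action'), \$valid_actions, true)");
+});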
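Review bot: The new test on lines 68-72 asserts an exact source substring rather than behaviour, so it breaks on any harmless rewrite of the guard in notify_lists.php (different spacing, a first-class `strval(...)` callable) yet would still pass if that line were moved somewhere the request never reaches. A sturdier regression test would exercise the comparison itself with an int-keyed actions array and a string request value, which here means lifting the validity check out of form_actions() into a small pure helper the test can call; until that is done, the comment on line 69 could say that this is a deliberate source-text grep so the brittleness is understood. The closure also captures `$notify_src`, which presumably is loaded near the top of the file alongside `$funcs_src`; that setup is outside the hunk.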
