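/**
 * Test for PMA_checkPageValidity
 *
 * Each data set from the provider pairs a page name and a white list with
 * the exact value the validator is expected to return, so accepted and
 * rejected pages are both pinned by the same test.
 *
 * @param string     $page      Page
 * @param array|null $whiteList White list
 * @param int        $expected  Expected value
 *
 * @return void
 *
 * @dataProvider provider
 */
function testGotoNowhere($page, $whiteList, $expected)
{
    // assertSame applies the same strict (===) comparison the original
    // `$expected === ...` expression did, but on failure it reports both the
    // expected and the actual value instead of a bare "false is not true".
    // NOTE(review): because the comparison is strict, provider() must supply
    // $expected with the exact type PMA_checkPageValidity returns — confirm.
    $this->assertSame($expected, PMA_checkPageValidity($page, $whiteList));
}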
* holds page that should be displayed * @global string $GLOBALS['goto'] */ $GLOBALS['goto'] = ''; // Security fix: disallow accessing serious server files via "?goto=" if (PMA_checkPageValidity($_REQUEST['goto'], $goto_whitelist)) { $GLOBALS['goto'] = $_REQUEST['goto']; $GLOBALS['url_params']['goto'] = $_REQUEST['goto']; } else { unset($_REQUEST['goto'], $_GET['goto'], $_POST['goto'], $_COOKIE['goto']); } /** * returning page * @global string $GLOBALS['back'] */ if (PMA_checkPageValidity($_REQUEST['back'], $goto_whitelist)) { $GLOBALS['back'] = $_REQUEST['back']; } else { unset($_REQUEST['back'], $_GET['back'], $_POST['back'], $_COOKIE['back']); } /** * Check whether user supplied token is valid, if not remove any possibly * dangerous stuff from request. * * remember that some objects in the session with session_start and __wakeup() * could access this variables before we reach this point * f.e. PMA_Config: fontsize * * @todo variables should be handled by their respective owners (objects) * f.e. lang, server, collation_connection in PMA_Config */
/**
 * A percent-encoded page name ("main.php?sql.php&test=true" with "?", "&"
 * and "=" encoded) is accepted by PMA_checkPageValidity against the test's
 * white list.
 *
 * NOTE(review): this pins the validator's acceptance of encoded input; code
 * that decodes the accepted value again should not assume the decoded form
 * is itself white-listed.
 *
 * @return void
 */
function testGotoWhitelistEncodedPage()
{
    $encodedPage = 'main.php%3Fsql.php%26test%3Dtrue';
    $isValid = PMA_checkPageValidity($encodedPage, $this->goto_whitelist);
    $this->assertTrue($isValid);
}