[ticket/13280] Only run sanitizer for server superglobal and modify tests

PHPBB3-13280

phpBB/phpbb/symfony_request.php

@@ -31,7 +31,8 @@ class symfony_request extends Request
 		};
 
 		// This function is meant for additional handling of server variables
-		$server_sanitizer = function(&$value, $key) {
+		$server_sanitizer = function(&$value, $key) use ($sanitizer) {
+			$sanitizer($value, $key);
 			$value = str_replace('&', '&', $value);
 		};
 
@@ -43,11 +44,10 @@ class symfony_request extends Request
 
 		array_walk_recursive($get_parameters, $sanitizer);
 		array_walk_recursive($post_parameters, $sanitizer);
-		array_walk_recursive($server_parameters, $sanitizer);
 		array_walk_recursive($files_parameters, $sanitizer);
 		array_walk_recursive($cookie_parameters, $sanitizer);
 
-		// Run additional sanitizer for server superglobal
+		// Run special sanitizer for server superglobal
 		array_walk_recursive($server_parameters, $server_sanitizer);
 
 		parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters);

tests/security/extract_current_page_test.php

@@ -84,8 +84,13 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 
 	protected function sanitizer($value)
 	{
-		$type_cast_helper = new \phpbb\request\type_cast_helper();
+		// Fix for objects passed in phpunit
-		$type_cast_helper->set_var($value, $value, gettype($value), true);
+		if (is_object($value))
+		{
 			return $value;
 		}
+		$type_cast_helper = new \phpbb\request\type_cast_helper();
+		$type_cast_helper->set_var($value, $value, gettype($value), true);
+		return str_replace('&', '&', $value);
+	}
 }