diff --git a/src/Dropdown.php b/src/Dropdown.php
index ec1a24fdfa9..b300b96680c 100644
--- a/src/Dropdown.php
+++ b/src/Dropdown.php
@@ -202,7 +202,9 @@ public static function show($itemtype, $options = [])
 $params['entity'] = getSonsOf('glpi_entities', $params['entity']);
 }
 }
- $params['entity'] = Session::getMatchingActiveEntities($params['entity']);
+ if ($params['entity'] !== null) {
+ $params['entity'] = Session::getMatchingActiveEntities($params['entity']);
+ }
 $field_id = Html::cleanId("dropdown_" . $params['name'] . $params['rand']);
diff --git a/src/Session.php b/src/Session.php
index 3bfd566a48d..08e73c86c1c 100644
--- a/src/Session.php
+++ b/src/Session.php
@@ -1978,18 +1978,25 @@ public static function getMatchingActiveEntities(/*int|array*/ $entities_ids)/*:
 return $entities_ids;
 }
- if (!is_array($entities_ids) && !is_int($entities_ids) && !ctype_digit($entities_ids)) {
+ if (
+ !is_array($entities_ids)
+ && !is_int($entities_ids)
+ && (!is_string($entities_ids) || !ctype_digit($entities_ids))
+ ) {
 // Unexpected value type.
 return [];
 }
 $active_entities_ids = [];
 foreach ($_SESSION['glpiactiveentities'] ?? [] as $active_entity_id) {
- if (!is_int($active_entity_id) && !ctype_digit($active_entity_id)) {
+ if (
+ !is_int($active_entity_id)
+ && (!is_string($active_entity_id) || !ctype_digit($active_entity_id))
+ ) {
 // Ensure no unexpected value converted to int
 // as it would be converted to `0` and would permit access to root entity
 trigger_error(
- sprintf('Unexpected value `%s` found in `$_SESSION[\'glpiactiveentities\']`.', $active_entity_id),
+ sprintf('Unexpected value `%s` found in `$_SESSION[\'glpiactiveentities\']`.', $active_entity_id ?? 'null'),
 E_USER_WARNING
 );
 continue;
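Review bot: When `$params['entity']` is null the active-entity filter in show() is now skipped entirely, so the entity restriction for that case has to be enforced by whatever consumes `$params['entity']` later; that code is outside this hunk and should be confirmed. Judging by the new test data, passing null through `Session::getMatchingActiveEntities()` would return `[]`, so the guard deliberately keeps null distinct from "no entity allowed". I would record that on the guard, for example `// null = no explicit entity requested; do not filter it to [], the restriction is applied downstream`. The body of show() starts and ends outside the hunk.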
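Review bot: The `?? 'null'` fallback in the `trigger_error()` message covers only null, while the rewritten guard sends every non-int, non-string session value down the same branch. An array there makes `sprintf('%s', ...)` emit its own "Array to string conversion" warning, and an object without `__toString()` raises an Error before the warning about the corrupted session is ever logged. Passing `is_array($active_entity_id) || is_object($active_entity_id) ? gettype($active_entity_id) : ($active_entity_id ?? 'null')` as the argument keeps the existing messages for scalars and null. The function body continues outside this hunk.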
@@ -2004,7 +2011,7 @@ public static function getMatchingActiveEntities(/*int|array*/ $entities_ids)/*:
 $filtered = [];
 foreach ((array)$entities_ids as $entity_id) {
 if (
- (is_int($entity_id) || ctype_digit($entity_id))
+ (is_int($entity_id) || (is_string($entity_id) && ctype_digit($entity_id)))
 && in_array((int)$entity_id, $active_entities_ids, true)
 ) {
 $filtered[] = (int)$entity_id;
diff --git a/tests/functional/Session.php b/tests/functional/Session.php
index ebd3badc0a8..365cf1d4bb9 100644
--- a/tests/functional/Session.php
+++ b/tests/functional/Session.php
@@ -722,12 +722,24 @@ protected function entitiesRestrictProvider(): iterable
 'result' => is_array($entity_restrict) ? [2] : 2,
 ];
 }
+
+ // Invalid null values in input
+ yield [
+ 'entity_restrict' => null,
+ 'active_entities' => [0, 1, '2', 3],
+ 'result' => [],
+ ];
+ yield [
+ 'entity_restrict' => [1, null, 3],
+ 'active_entities' => [0, 1, '2', 3],
+ 'result' => [1, 3],
+ ];
 }
 /**
 * @dataProvider entitiesRestrictProvider
 */
- public function testGetMatchingActiveEntities(/*int|array*/ $entity_restrict, ?array $active_entities, /*int|array*/ $result): void
+ public function testGetMatchingActiveEntities(/*mixed*/ $entity_restrict, ?array $active_entities, /*int|array*/ $result): void
 {
 $_SESSION['glpiactiveentities'] = $active_entities;
 $this->variable(\Session::getMatchingActiveEntities($entity_restrict))->isIdenticalTo($result);
@@ -735,7 +747,7 @@ public function testGetMatchingActiveEntities(/*int|array*/ $entity_restrict, ?a
 public function testGetMatchingActiveEntitiesWithUnexpectedValue(): void
 {
- $_SESSION['glpiactiveentities'] = [0, 1, 2, 'foo', null, 3];
+ $_SESSION['glpiactiveentities'] = [0, 1, 2, 'foo', null, 3];
 $this->when(
 function () {
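Review bot: The "int or digit-only string" predicate is now spelled out three times in getMatchingActiveEntities(): here as `is_int($entity_id) || (is_string($entity_id) && ctype_digit($entity_id))`, and twice in negated form in the @@ -1978 hunk. This check is what stops a junk value from being cast to `0` and matching the root entity, so the three copies must not drift apart. A small private static helper such as `isEntityId($value): bool` used at all three sites would give it one definition. The function starts and ends outside this hunk.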
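Review bot: The new provider cases in entitiesRestrictProvider() exercise only null, although the `is_string()` guards added in Session.php now reject every non-int, non-string input. One more case with a boolean and a float would pin the behaviour that matters for access control, namely that such values are dropped rather than cast to an entity id: `yield ['entity_restrict' => [1, false, 2.0, 3], 'active_entities' => [0, 1, '2', 3], 'result' => [1, 3]];`. The expected result is inferred from the filtering loop visible in the Session.php hunks and should be confirmed by running the test.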
@@ -744,6 +756,10 @@ function () {
 )->error
 ->withType(E_USER_WARNING)
 ->withMessage('Unexpected value `foo` found in `$_SESSION[\'glpiactiveentities\']`.')
+ ->exists()
+ ->error
+ ->withType(E_USER_WARNING)
+ ->withMessage('Unexpected value `null` found in `$_SESSION[\'glpiactiveentities\']`.')
 ->exists();
 }
 }