From f730294d9e0b684f1a9aa3c241ff0bb505cea001 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=A0pa=C4=8Dek?=
Date: Fri, 10 Apr 2026 19:20:03 +0200
Subject: [PATCH 1/4] Call getSessionId() just once

---
 src/SensitiveValueSanitizer.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/SensitiveValueSanitizer.php b/src/SensitiveValueSanitizer.php
index 73ff419..7b385d0 100644
--- a/src/SensitiveValueSanitizer.php
+++ b/src/SensitiveValueSanitizer.php
@@ -26,9 +26,12 @@ public function __construct(private string $sanitizeWith = '[***]')
 public function sanitize(string $info): string
 {
 $sanitize = [];
- if ($this->sanitizeSessionId && $this->getSessionId() !== null) {
- $sanitize[$this->getSessionId()] = $this->sanitizeWith;
- $sanitize[urlencode($this->getSessionId())] = $this->sanitizeWith;
+ if ($this->sanitizeSessionId) {
+ $sessionId = $this->getSessionId();
+ if ($sessionId !== null) {
+ $sanitize[$sessionId] = $this->sanitizeWith;
+ $sanitize[urlencode($sessionId)] = $this->sanitizeWith;
+ }
 }
 return strtr($info, $this->sanitize + $sanitize);
 }

From ee3ffb91c8f3a950e68fbf23e512e86c5c9d210c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=A0pa=C4=8Dek?=
Date: Fri, 10 Apr 2026 19:21:02 +0200
Subject: [PATCH 2/4] Pass only non-empty string to strtr(), otherwise it throws a warning

---
 src/PhpInfo.php | 3 +++
 src/SensitiveValueSanitizer.php | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/PhpInfo.php b/src/PhpInfo.php
index d6f9688..c8d7a50 100644
--- a/src/PhpInfo.php
+++ b/src/PhpInfo.php
@@ -66,6 +66,9 @@ public function doNotSanitizeSessionId(): self
 }
 
 
+ /**
+ * @param non-empty-string $sanitize
+ */
 public function addSanitization(string $sanitize, ?string $with = null): self
 {
 $this->sanitizer->addSanitization($sanitize, $with);
diff --git a/src/SensitiveValueSanitizer.php b/src/SensitiveValueSanitizer.php
index 7b385d0..970e851 100644
--- a/src/SensitiveValueSanitizer.php
+++ b/src/SensitiveValueSanitizer.php
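Review bot: sanitize() has no docblock, and the precedence of `$this->sanitize + $sanitize` on the last line of the hunk deserves stating: with array union the left operand wins on a key collision, so an entry added through addSanitization() overrides the session-id entry for the same key. I would put a docblock above the method saying that, when enabled, the session id is replaced in both its raw and `urlencode()`d form and that explicit addSanitization() entries take precedence. PHP-generated session ids use characters from `[A-Za-z0-9,-]`, so those two forms cover them; an id set via session_id() that contains a space may appear as `%20` in the cookie header while `urlencode()` produces `+`, so adding `rawurlencode($sessionId)` as a third key may be worth considering if such ids are expected.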
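Review bot: The `@param non-empty-string $sanitize` annotation is only a static-analysis hint; under the native `string` type an empty string still passes through this wrapper into SensitiveValueSanitizer::addSanitization (the second hunk of this patch, which adds the same annotation), becomes the key `$this->sanitize['']`, and reaches strtr(), which the subject says emits a warning. A runtime guard in that method would make the contract real: `if ($sanitize === '') { throw new \InvalidArgumentException('Value to sanitize must not be empty'); }` placed before the assignment. The bodies of both addSanitization() methods continue outside their hunks.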
@@ -64,6 +64,9 @@ public function doNotSanitizeSessionId(): self
 }
 
 
+ /**
+ * @param non-empty-string $sanitize
+ */
 public function addSanitization(string $sanitize, ?string $with = null): self
 {
 $this->sanitize[$sanitize] = $this->sanitize[urlencode($sanitize)] = $with ?? $this->sanitizeWith;

From 93b4b585f27eb17b10b455400e1c594b1a537c4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=A0pa=C4=8Dek?=
Date: Fri, 10 Apr 2026 19:22:40 +0200
Subject: [PATCH 3/4] Update description in composer.json

---
 composer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/composer.json b/composer.json
index 7873a5b..46f3d2d 100644
--- a/composer.json
+++ b/composer.json
@@ -1,6 +1,6 @@
 {
 "name": "spaze/phpinfo",
- "description": "Extract phpinfo() into a variable and move CSS to external file.",
+ "description": "Extract phpinfo() output into a variable, sanitize sensitive values, and move inline styles to external CSS.",
 "keywords": ["PHP","phpinfo"],
 "license": "MIT",
 "authors": [

From f9fa7f4fffd1e85783bceb85185b4f30da22fb42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=A0pa=C4=8Dek?=
Date: Fri, 10 Apr 2026 20:43:38 +0200
Subject: [PATCH 4/4] getSessionId to return null on empty session id, avoiding strtr() warnings

---
 src/SensitiveValueSanitizer.php | 2 +-
 tests/PhpInfoTest.phpt | 25 ++++++++++++++++++++-----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/SensitiveValueSanitizer.php b/src/SensitiveValueSanitizer.php
index 970e851..8919a18 100644
--- a/src/SensitiveValueSanitizer.php
+++ b/src/SensitiveValueSanitizer.php
@@ -49,7 +49,7 @@ private function getSessionId(): ?string
 } else {
 $sessionId = $_COOKIE[$sessionName] ?? null;
 }
- return is_string($sessionId) ? $sessionId : null;
+ return is_string($sessionId) && $sessionId !== '' ? $sessionId : null;
 }
 
 
diff --git a/tests/PhpInfoTest.phpt b/tests/PhpInfoTest.phpt
index e076552..bc1c88a 100644
--- a/tests/PhpInfoTest.phpt
+++ b/tests/PhpInfoTest.phpt
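Review bot: With the empty case now excluded, a `@return non-empty-string|null` docblock on getSessionId() would match the `non-empty-string` annotation this series adds to addSanitization(), so static analysis can see that the keys sanitize() builds from the session id are never empty. The new return expression relies on `&&` binding tighter than `?:`, which is correct but easy to misread; `return (is_string($sessionId) && $sessionId !== '') ? $sessionId : null;` makes the grouping explicit. getSessionId() starts outside the hunk.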
@@ -23,11 +23,7 @@ class PhpInfoTest extends TestCase
 protected function setUp(): void
 {
 $_SERVER['HTTP_WALDO_FRED'] = self::WALDO_1337;
- $_SERVER['HTTP_COOKIE'] = 'PHPSESSID=' . urlencode(self::SESSION_ID);
- $_COOKIE['PHPSESSID'] = self::SESSION_ID;
-
- session_set_save_handler(new TestSessionHandler(self::SESSION_ID));
- session_start();
+ $this->sessionStart(self::SESSION_ID);
 }
 
 
@@ -135,6 +131,25 @@ class PhpInfoTest extends TestCase
 Assert::contains('🍕', $html);
 }
 
+
+ public function testGetHtmlEmptySessionCookie(): void
+ {
+ session_destroy();
+ $this->sessionStart('');
+ Assert::noError(function (): void {
+ (new PhpInfo())->getHtml();
+ });
+ }
+
+
+ private function sessionStart(string $sessionId): void
+ {
+ $_SERVER['HTTP_COOKIE'] = 'PHPSESSID=' . urlencode($sessionId);
+ $_COOKIE['PHPSESSID'] = $sessionId;
+ session_set_save_handler(new TestSessionHandler($sessionId));
+ session_start();
+ }
+
 }
 
 (new PhpInfoTest())->run();
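Review bot: sessionStart() has an undocumented precondition — no session may be active when it runs, because session_set_save_handler() cannot change the handler while one is — which is why testGetHtmlEmptySessionCookie() calls session_destroy() first and why setUp() relies on no session being active at that point. A one-line comment on the helper would keep the next test from tripping over it: `// Precondition: no active session; session_set_save_handler() cannot change the handler while one is active.` The new test also leaves `$_COOKIE['PHPSESSID']` and the cookie header set to the empty id; if the runner does not isolate test methods per process, a tearDown() that destroys the session and resets those globals would keep later tests independent. The PhpInfoTest class starts outside the hunk.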