From ce27f4624cf947bea2d746244b1ed6de10e22f1f Mon Sep 17 00:00:00 2001
From: Matthew Weier O'Phinney
Date: Wed, 27 Mar 2019 11:49:46 -0500
Subject: [PATCH] security: Fix ZF2019-01

Ensures all configured toolbar entries are examined when determining whether or not to enable them.
---
 src/Options.php | 2 +-
 test/OptionsTest.php | 46 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/src/Options.php b/src/Options.php
index 380ff41..aca4cde 100644
--- a/src/Options.php
+++ b/src/Options.php
@@ -357,7 +357,7 @@ public function setToolbar(array $options)
 foreach ($value as $collector => $template) {
 if ($template === false || $template === null) {
 unset($this->toolbar[$key][$collector]);
- break;
+ continue;
 }
 $this->toolbar[$key][$collector] = $template;
diff --git a/test/OptionsTest.php b/test/OptionsTest.php
index a28ceb9..bf89bf6 100644
--- a/test/OptionsTest.php
+++ b/test/OptionsTest.php
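Review bot: The `continue` on the changed line carries the whole security fix, but nothing in the code says why, so a later refactor could reintroduce the early exit; a comment above the `unset` would pin the intent: `// A disabled entry (false/null) must not stop the scan: every later entry still has to be checked (ZF2019-01).` The loop treats only `false` and `null` as disable flags, so other falsy config values such as `''` or `0` are stored as templates — if that is intentional it is worth stating in the same comment, otherwise it may deserve a guard. setToolbar begins and ends outside the hunk.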
@@ -21,4 +21,50 @@ public function testStatusOfDefaultConfiguration()
 $this->assertTrue($options->isEnabled());
 $this->assertTrue($options->isToolbarEnabled());
 }
+
+ public function blacklistFlags()
+ {
+ yield 'null' => [null];
+ yield 'false' => [false];
+ }
+
+ /**
+ * @see https://framework.zend.com/security/advisory/ZF2019-01
+ * @dataProvider blacklistFlags
+ * @param null|bool $flagValue
+ */
+ public function testOnlyWhitelistedToolbarEntriesShouldBeEnabled($flagValue)
+ {
+ $reportMock = $this->prophesize(ReportInterface::class)->reveal();
+ $options = new Options([], $reportMock);
+ $toolbarOptions = [
+ 'enabled' => true,
+ 'entries' => [
+ 'request' => $flagValue,
+ 'time' => true,
+ 'config' => $flagValue,
+ ],
+ ];
+
+ $options->setToolbar($toolbarOptions);
+
+ $this->assertTrue($options->isToolbarEnabled());
+
+ $entries = $options->getToolbarEntries();
+ $this->assertArrayNotHasKey(
+ 'request',
+ $entries,
+ 'Request key found in toolbar entries, and should not have been'
+ );
+ $this->assertArrayHasKey(
+ 'time',
+ $entries,
+ 'Time key NOT found in toolbar entries, and should have been'
+ );
+ $this->assertArrayNotHasKey(
+ 'config',
+ $entries,
+ 'Config key found in toolbar entries, and should not have been'
+ );
+ }
 }
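Review bot: The order of the `entries` fixture is what lets this test catch the regression, but nothing records that, so a reordering during cleanup would silently weaken it; a comment above `'request' => $flagValue,` such as `// 'time' deliberately sits between two disabled entries: an early exit after the first disabled one would leave 'config' enabled.` would keep the intent visible. The provider `blacklistFlags()` has no return documentation; a `@return iterable` docblock on it would make the `yield` contract explicit for readers and static analysis. The class closing brace is the last context line; the rest of OptionsTest is outside the hunk.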