Only permit scalar values for custom variables (#14640)

* Unit test to reproduce strlen warning

* Unit test/validation for non-string custom variable values

2 files changed, 12 insertions, 1 deletions

diff --git a/core/Tracker/Request.php b/core/Tracker/Request.php
index c7ad5c48f2..e1c59f5e05 100644
--- a/core/Tracker/Request.php
+++ b/core/Tracker/Request.php
@@ -620,7 +620,8 @@ class Request
             if ($id < 1
                 || $id > $maxCustomVars
                 || count($keyValue) != 2
-                || (!is_string($keyValue[0]) && !is_numeric($keyValue[0]))
+                || (!is_string($keyValue[0]) && !is_numeric($keyValue[0])
+                || (!is_string($keyValue[1]) && !is_numeric($keyValue[1])))
             ) {
                 Common::printDebug("Invalid custom variables detected (id=$id)");
                 continue;
diff --git a/tests/PHPUnit/Integration/Tracker/RequestTest.php b/tests/PHPUnit/Integration/Tracker/RequestTest.php
index bf3cc0389b..ca7167ea92 100644
--- a/tests/PHPUnit/Integration/Tracker/RequestTest.php
+++ b/tests/PHPUnit/Integration/Tracker/RequestTest.php
@@ -229,6 +229,16 @@ class RequestTest extends IntegrationTestCase
         $this->assertCustomVariablesInPageScope($expected, $customVars);
     }
 
+    public function test_getCustomVariables_nonStringInput()
+    {
+        $input = array('mykey' => array('myarraykey' => 'myvalue'), 'myotherkey' => 2);
+        $customVars = $this->buildCustomVars($input);
+        // Int value should come through; array value is invalid so should be discarded
+        $expected = array('custom_var_k2' => 'myotherkey', 'custom_var_v2' => 2);
+
+        $this->assertCustomVariablesInPageScope($expected, $customVars);
+    }
+
     public function test_isAuthenticated_ShouldBeNotAuthenticatedInTestsByDefault()
     {
         $this->assertFalse($this->request->isAuthenticated());