Diffstat (limited to 'lib/Minz/Session.php')
| -rw-r--r-- | lib/Minz/Session.php | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php
index 9977e62f6..bb2c1a817 100644
--- a/lib/Minz/Session.php
+++ b/lib/Minz/Session.php
@@ -72,7 +72,13 @@ class Minz_Session {
 if (empty($_SESSION[$key]) || !is_array($_SESSION[$key])) {
 return [];
 }
- return $_SESSION[$key];
+ $result = [];
+ foreach ($_SESSION[$key] as $k => $v) {
+ if (is_string($v) || (is_array($v) && is_array_keys_string($v))) {
+ $result[$k] = $v;
+ }
+ }
+ return $result;
 }
 public static function paramTernary(string $key): ?bool {
@@ -97,10 +103,7 @@ class Minz_Session {
 }
 public static function paramInt(string $key): int {
- if (!empty($_SESSION[$key])) {
- return intval($_SESSION[$key]);
- }
- return 0;
+ return empty($_SESSION[$key]) || !is_numeric($_SESSION[$key]) ? 0 : (int)$_SESSION[$key];
 }
 public static function paramString(string $key): string {
@@ -175,10 +178,10 @@ class Minz_Session {
 public static function getCookieDir(): string {
 // Get the script_name (e.g. /p/i/index.php) and keep only the path.
 $cookie_dir = '';
- if (!empty($_SERVER['HTTP_X_FORWARDED_PREFIX'])) {
+ if (!empty($_SERVER['HTTP_X_FORWARDED_PREFIX']) && is_string($_SERVER['HTTP_X_FORWARDED_PREFIX'])) {
 $cookie_dir .= rtrim($_SERVER['HTTP_X_FORWARDED_PREFIX'], '/ ');
 }
- $cookie_dir .= empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI'];
+ $cookie_dir .= empty($_SERVER['REQUEST_URI']) || !is_string($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI'];
 if (substr($cookie_dir, -1) !== '/') {
 $cookie_dir = dirname($cookie_dir) . '/';
 }
@@ -210,7 +213,7 @@ class Minz_Session {
 }
 public static function getLongTermCookie(string $name): string {
- return $_COOKIE[$name] ?? '';
+ return is_string($_COOKIE[$name] ?? null) ? $_COOKIE[$name] : '';
 }
 }
|
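Review bot: The filter loop added in the first hunk discards every entry that is neither a string nor a string-keyed array without leaving any trace, so an integer or boolean a caller stored under this key comes back missing rather than converted. `is_array_keys_string()` is defined outside this diff and, going by its name, checks only the keys, so the values inside a nested array are presumably still unvalidated and callers should not assume they are strings. A docblock should state the contract, for example `@return array<int|string,string|array<string,mixed>>`, with a comment above the loop such as `// Entries of any other type are discarded, not converted.` The function's signature lies above the hunk.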
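Review bot: `is_numeric()` in `paramInt()` admits more than integers: `'1e3'`, `'1.9'` and `' 7'` all pass and are then cast, and a float string beyond the integer range has no dependable result under `(int)`. The rewrite also changes results the old `intval()` produced, e.g. a stored `true` now yields 0 instead of 1 and `'12abc'` yields 0 instead of 12. If only whole numbers are ever stored here, validating as an integer is tighter: `$v = $_SESSION[$key] ?? 0;` followed by `return is_int($v) ? $v : (is_string($v) ? (int)filter_var($v, FILTER_VALIDATE_INT) : 0);`. Parentheses around the `||` condition would also make the ternary easier to read.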
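Review bot: The `is_string()` checks added in `getCookieDir()` guard the type of `HTTP_X_FORWARDED_PREFIX` but not its content, and that header comes from the client unless a trusted reverse proxy overwrites it. Apart from the `rtrim()` the value is appended to `$cookie_dir` as-is, so a prefix without a leading `/`, or one containing `;`, whitespace or control characters, would end up in whatever path this function returns. A shape check before use would close that, e.g. `preg_match('#^/[A-Za-z0-9._~/-]*$#', $prefix) === 1`, with a comment that the header is only meaningful behind a proxy that sets it. `REQUEST_URI` also carries the query string into `dirname()`; the rest of the function lies outside the hunk, so that may already be handled there.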
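Review bot: The `is_string()` guard in `getLongTermCookie()` carries no comment, and its reason is easy to miss: PHP parses a cookie sent as `name[]=x` into an array, which would otherwise violate the declared `string` return type. I would add `// A client can send name[]=…, making $_COOKIE[$name] an array; treat that as no cookie.` above the return.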
