Forgotpassword - Code Metrics - Inspection of "security enhancements" - HaaseIT/HCSF - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( dd17f1...b7ea8c )

by Marcus

created 2017-06-21 17:00 UTC

Forgotpassword A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	105
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	10

Importance

Changes	2
Bugs	0	Features	0

Metric	Value
wmc	11
c	2
b	0
f	0
lcom	1
cbo	10
dl	0
loc	105
rs	10

3 Methods

Rating	Name	Size	Complexity
A	__construct()	6	1
A	preparePage()	21	4
B	handleForgotPassword()	52	6

<?php

/*
    HCSF - A multilingual CMS and Shopsystem
    Copyright (C) 2014  Marcus Haase - [email protected]

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

namespace HaaseIT\HCSF\Controller\Customer;


use Zend\ServiceManager\ServiceManager;

/**
 * Class Forgotpassword
 * @package HaaseIT\HCSF\Controller\Customer
 */
class Forgotpassword extends Base
{
    /**
     * @var \HaaseIT\Toolbox\Textcat
     */
    private $textcats;

    /**
     * @var \Doctrine\DBAL\Connection
     */
    protected $dbal;

    /**
     * Forgotpassword constructor.
     * @param ServiceManager $serviceManager
     */
    public function __construct(ServiceManager $serviceManager)
    {
        parent::__construct($serviceManager);
        $this->textcats = $serviceManager->get('textcats');
        $this->dbal = $serviceManager->get('dbal');
    }

    /**
     *
     */
    public function preparePage()
    {
        $this->P = new \HaaseIT\HCSF\CorePage($this->serviceManager);
        $this->P->cb_pagetype = 'content';

        if (\HaaseIT\HCSF\Customer\Helper::getUserData()) {
            $this->P->oPayload->cl_html = $this->textcats->T('denied_default');
        } else {
            $this->P->cb_customcontenttemplate = 'customer/forgotpassword';

            $aErr = [];
            if (filter_input(INPUT_POST, 'doSend') === 'yes') {
                $aErr = $this->handleForgotPassword($aErr);
                if (count($aErr) === 0) {
                    $this->P->cb_customdata['forgotpw']['showsuccessmessage'] = true;
                } else {
                    $this->P->cb_customdata['forgotpw']['errors'] = $aErr;
                }
            }
        }
    }

    /**
     * @param $aErr
     * @return array
     */
    private function handleForgotPassword($aErr) {
        if (!filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
            $aErr[] = 'emailinvalid';
        } else {
            $querybuilder = $this->dbal->createQueryBuilder();
            $querybuilder
                ->select('*')
                ->from('customer')
                ->where('cust_email = ?')
                ->setParameter(0, filter_var(trim(\HaaseIT\Toolbox\Tools::getFormfield('email')), FILTER_SANITIZE_EMAIL))
            ;
            $stmt = $querybuilder->execute();

            if ($stmt->rowCount() != 1) {
                $aErr[] = 'emailunknown';
            } else {
                $aResult = $stmt->fetch();
                $iTimestamp = time();
                if ($iTimestamp - strtotime('1 Hour', 0) < $aResult['cust_pwresettimestamp']) { // 1 hour delay between requests
                    $aErr[] = 'pwresetstilllocked';
                } else {
                    $sResetCode = md5($aResult['cust_email'].mt_rand().$iTimestamp);
                    $querybuilder = $this->dbal->createQueryBuilder();
                    $querybuilder
                        ->update('customer')
                        ->set('cust_pwresetcode', '?')
                        ->set('cust_pwresettimestamp', '?')
                        ->where('cust_id = ?')
                        ->setParameter(0, $sResetCode)
                        ->setParameter(1, $iTimestamp)
                        ->setParameter(2, $aResult['cust_id'])
                    ;
                    $querybuilder->execute();

                    $serverservername = filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_SANITIZE_URL);
                    $serverhttps = filter_input(INPUT_SERVER, 'HTTPS');
                    $sTargetAddress = $aResult['cust_email'];
                    $sSubject = $this->textcats->T('forgotpw_mail_subject');
                    $sMessage = $this->textcats->T('forgotpw_mail_text1');
                    $sMessage .= '<br><br>' .'<a href="http'.($serverhttps === 'on' ? 's' : '').'://';
                    $sMessage .= $serverservername.'/_misc/rp.html?key='.$sResetCode.'&amp;email='.$sTargetAddress.'">';
                    $sMessage .= 'http'.($serverhttps === 'on' ? 's' : '').'://';
                    $sMessage .= $serverservername.'/_misc/rp.html?key='.$sResetCode.'&amp;email='.$sTargetAddress.'</a>';
                    $sMessage .= '<br><br>'.$this->textcats->T('forgotpw_mail_text2');

                    \HaaseIT\HCSF\Helper::mailWrapper($sTargetAddress, $sSubject, $sMessage);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}
                }
            }
        }

        return $aErr;
    }
}


1			<?php
2
3			/*
4			HCSF - A multilingual CMS and Shopsystem
5			Copyright (C) 2014 Marcus Haase - [email protected]
6
7			This program is free software: you can redistribute it and/or modify
8			it under the terms of the GNU General Public License as published by
9			the Free Software Foundation, either version 3 of the License, or
10			(at your option) any later version.
11
12			This program is distributed in the hope that it will be useful,
13			but WITHOUT ANY WARRANTY; without even the implied warranty of
14			MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15			GNU General Public License for more details.
16
17			You should have received a copy of the GNU General Public License
18			along with this program. If not, see <http://www.gnu.org/licenses/>.
19			*/
20
21			namespace HaaseIT\HCSF\Controller\Customer;
22
23
24			use Zend\ServiceManager\ServiceManager;
25
26			/**
27			* Class Forgotpassword
28			* @package HaaseIT\HCSF\Controller\Customer
29			*/
30			class Forgotpassword extends Base
31			{
32			/**
33			* @var \HaaseIT\Toolbox\Textcat
34			*/
35			private $textcats;
36
37			/**
38			* @var \Doctrine\DBAL\Connection
39			*/
40			protected $dbal;
41
42			/**
43			* Forgotpassword constructor.
44			* @param ServiceManager $serviceManager
45			*/
46			public function __construct(ServiceManager $serviceManager)
47			{
48			parent::__construct($serviceManager);
49			$this->textcats = $serviceManager->get('textcats');
50			$this->dbal = $serviceManager->get('dbal');
51			}
52
53			/**
54			*
55			*/
56			public function preparePage()
57			{
58			$this->P = new \HaaseIT\HCSF\CorePage($this->serviceManager);
59			$this->P->cb_pagetype = 'content';
60
61			if (\HaaseIT\HCSF\Customer\Helper::getUserData()) {
62			$this->P->oPayload->cl_html = $this->textcats->T('denied_default');
63			} else {
64			$this->P->cb_customcontenttemplate = 'customer/forgotpassword';
65
66			$aErr = [];
67			if (filter_input(INPUT_POST, 'doSend') === 'yes') {
68			$aErr = $this->handleForgotPassword($aErr);
69			if (count($aErr) === 0) {
70			$this->P->cb_customdata['forgotpw']['showsuccessmessage'] = true;
71			} else {
72			$this->P->cb_customdata['forgotpw']['errors'] = $aErr;
73			}
74			}
75			}
76			}
77
78			/**
79			* @param $aErr
80			* @return array
81			*/
82			private function handleForgotPassword($aErr) {
83			if (!filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
84			$aErr[] = 'emailinvalid';
85			} else {
86			$querybuilder = $this->dbal->createQueryBuilder();
87			$querybuilder
88			->select('*')
89			->from('customer')
90			->where('cust_email = ?')
91			->setParameter(0, filter_var(trim(\HaaseIT\Toolbox\Tools::getFormfield('email')), FILTER_SANITIZE_EMAIL))
92			;
93			$stmt = $querybuilder->execute();
94
95			if ($stmt->rowCount() != 1) {
96			$aErr[] = 'emailunknown';
97			} else {
98			$aResult = $stmt->fetch();
99			$iTimestamp = time();
100			if ($iTimestamp - strtotime('1 Hour', 0) < $aResult['cust_pwresettimestamp']) { // 1 hour delay between requests
101			$aErr[] = 'pwresetstilllocked';
102			} else {
103			$sResetCode = md5($aResult['cust_email'].mt_rand().$iTimestamp);
104			$querybuilder = $this->dbal->createQueryBuilder();
105			$querybuilder
106			->update('customer')
107			->set('cust_pwresetcode', '?')
108			->set('cust_pwresettimestamp', '?')
109			->where('cust_id = ?')
110			->setParameter(0, $sResetCode)
111			->setParameter(1, $iTimestamp)
112			->setParameter(2, $aResult['cust_id'])
113			;
114			$querybuilder->execute();
115
116			$serverservername = filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_SANITIZE_URL);
117			$serverhttps = filter_input(INPUT_SERVER, 'HTTPS');
118			$sTargetAddress = $aResult['cust_email'];
119			$sSubject = $this->textcats->T('forgotpw_mail_subject');
120			$sMessage = $this->textcats->T('forgotpw_mail_text1');
121			$sMessage .= '<br><br>' .'<a href="http'.($serverhttps === 'on' ? 's' : '').'://';
122			$sMessage .= $serverservername.'/_misc/rp.html?key='.$sResetCode.'&email='.$sTargetAddress.'">';
123			$sMessage .= 'http'.($serverhttps === 'on' ? 's' : '').'://';
124			$sMessage .= $serverservername.'/_misc/rp.html?key='.$sResetCode.'&email='.$sTargetAddress.'</a>';
125			$sMessage .= '<br><br>'.$this->textcats->T('forgotpw_mail_text2');
126
127			\HaaseIT\HCSF\Helper::mailWrapper($sTargetAddress, $sSubject, $sMessage);
			0 ignored issues – show Bug introduced 2017-03-21 09:14 UTC by Report Bug Copy Issue Report It seems like `$sSubject` defined by `$this->textcats->T('forgotpw_mail_subject')` on line `119` can also be of type `false` or `null`; however, `HaaseIT\HCSF\Helper::mailWrapper()` does only seem to accept `string`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
128			}
129			}
130			}
131
132			return $aErr;
133			}
134			}
135

HaaseIT / HCSF

Push — master ( dd17f1...b7ea8c )

Forgotpassword A

Complexity

Size/Duplication

Coupling/Cohesion

Importance

3 Methods

Duplication Side-by-Side

Filter issues like