Issues in Email.php (master) - Issues in master - MW-Peachy/Peachy - Measure and Improve Code Quality continuously with Scrutinizer

Issues (165)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Plugins/Email.php (2 issues)

Labels

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * This file is part of Peachy MediaWiki Bot API
 *
 * Peachy is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

class Email {
	/**
	 * Who to send to
	 * @var array
	 */
	private $mTo = array();

	/**
	 * Who the message is from
	 * @var array
	 */
	private $mFrom = array();

	/**
	 * Subject
	 * @var string
	 */
	private $mSubject;

	/**
	 * Message to send
	 * @var string
	 */
	private $mMessage;

	/**
	 * CC field
	 * @var array
	 */
	private $mCC = array();

	/**
	 * BCC field
	 * @var array
	 */
	private $mBCC = array();

	/**
	 * Reply-to field
	 * @var array
	 */
	private $mRT = array();

	/**
	 * Construct function, adds the From: field, subject, and message
	 * @param string $fromEmail Email address of sender
	 * @param string $fromName Name of sender.
	 * @param string $subject Subject of email
	 * @param string $message Message to send
	 * @throws DependencyError
	 */
	function __construct( $fromEmail, $fromName, $subject, $message ) {


		if( !function_exists( 'mail' ) ) {
			throw new DependencyError( "Mail", "http://us4.php.net/manual/en/book.mail.php" );
		}

		if( !is_null( $fromName ) ) {
			$this->mFrom[$fromName] = $fromEmail;
		} else {
			$this->mFrom[] = $fromEmail;
		}
		$this->mSubject = $subject;
		$this->mMessage = $message;
	}

	/**
	 * Adds another email to the To: field.
	 * @param string $toEmail Email address of recipient
	 * @param string $toName Name of recipient. Default null
	 */
	public function addTarget( $toEmail, $toName = null ) {
		if( !is_null( $toName ) ) {
			$this->mTo[$toName] = $toEmail;
		} else {
			$this->mTo[] = $toEmail;
		}
	}

	/**
	 * Adds another email to the CC: field.
	 * @param string $ccEmail Email address of cc
	 * @param string $ccName Name of cc. Default null
	 */
	public function addCC( $ccEmail, $ccName = null ) {
		if( !is_null( $ccName ) ) {
			$this->mCC[$ccName] = $ccEmail;
		} else {
			$this->mCC[] = $ccEmail;
		}
	}

	/**
	 * Adds another email to the BCC: field.
	 * @param string $bccEmail Email address of bcc
	 * @param string $bccName Name of bcc. Default null
	 */
	public function addBCC( $bccEmail, $bccName = null ) {
		if( !is_null( $bccName ) ) {
			$this->mBCC[$bccName] = $bccEmail;
		} else {
			$this->mBCC[] = $bccEmail;
		}
	}

	/**
	 * Adds another email to the Reply-to: field.
	 * @param string $rtEmail Email address to reply to
	 * @param string $rtName Name to reply to. Default null
	 */
	public function addReplyTo( $rtEmail, $rtName = null ) {
		if( !is_null( $rtName ) ) {
			$this->mRT[$rtName] = $rtEmail;
		} else {
			$this->mRT[] = $rtEmail;
		}
	}

	/**
	 * Sends the email.
	 */
	public function send() {
		$msg = array();

		$msg_to = array();
		foreach( $this->mTo as $name => $target ){
			if( !is_string( $name ) ) {
				$msg_to[] = $target;
			} else {
				$msg_to[] = "$name <$target>";
			}
		}
		$msg['to'] = implode( ', ', $msg_to );

		$msg_from = array();
		foreach( $this->mFrom as $name => $target ){
			if( !is_string( $name ) ) {
				$msg_from[] = $target;
			} else {
				$msg_from[] = "$name <$target>";
			}
		}
		$msg['from'] = null;
		if( count( $msg_from ) > 0 ) $msg['from'] = "From: " . implode( ', ', $msg_from );

		$msg_cc = array();
		foreach( $this->mCC as $name => $target ){
			if( !is_string( $name ) ) {
				$msg_cc[] = $target;
			} else {
				$msg_cc[] = "$name <$target>";
			}
		}
		$msg['cc'] = null;
		if( count( $msg_cc ) > 0 ) $msg['cc'] = "CC: " . implode( ', ', $msg_cc );

		$msg_bcc = array();
		foreach( $this->mBCC as $name => $target ){
			if( !is_string( $name ) ) {
				$msg_bcc[] = $target;
			} else {
				$msg_bcc[] = "$name";
			}
		}
		$msg['bcc'] = null;
		if( count( $msg_bcc ) > 0 ) $msg['bcc'] = "BCC: " . implode( ', ', $msg_bcc );

		$msg_rt = array();
		foreach( $this->mRT as $name => $target ){
			if( !is_string( $name ) ) {
				$msg_rt[] = $target;
			} else {
				$msg_rt[] = "$name <$target>";
			}
		}
		$msg['rt'] = null;
		if( count( $msg_rt ) > 0 ) $msg['rt'] = "Reply-to: " . implode( ', ', $msg_rt );

		$msg['subject'] = $this->mSubject;
		$msg['message'] = $this->mMessage;
		$msg['version'] = 'X-Mailer: PHP/' . phpversion();

		$msg['headers'] = $msg['from'] . "\r\n";
		if( !is_null( $msg['rt'] ) ) $msg['headers'] .= $msg['rt'] . "\r\n";
		if( !is_null( $msg['cc'] ) ) $msg['headers'] .= $msg['cc'] . "\r\n";
		if( !is_null( $msg['bcc'] ) ) $msg['headers'] .= $msg['bcc'] . "\r\n";
		$msg['headers'] .= $msg['version'];

		$result = mail( $msg['to'], $msg['subject'], $msg['message'], $msg['headers'] );

		return $result;
	}
}


1			<?php
2
3			/**
4			* This file is part of Peachy MediaWiki Bot API
5			*
6			* Peachy is free software: you can redistribute it and/or modify
7			* it under the terms of the GNU General Public License as published by
8			* the Free Software Foundation, either version 3 of the License, or
9			* (at your option) any later version.
10			*
11			* This program is distributed in the hope that it will be useful,
12			* but WITHOUT ANY WARRANTY; without even the implied warranty of
13			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14			* GNU General Public License for more details.
15			*
16			* You should have received a copy of the GNU General Public License
17			* along with this program. If not, see <http://www.gnu.org/licenses/>.
18			*/
19
20			class Email {
21			/**
22			* Who to send to
23			* @var array
24			*/
25			private $mTo = array();
26
27			/**
28			* Who the message is from
29			* @var array
30			*/
31			private $mFrom = array();
32
33			/**
34			* Subject
35			* @var string
36			*/
37			private $mSubject;
38
39			/**
40			* Message to send
41			* @var string
42			*/
43			private $mMessage;
44
45			/**
46			* CC field
47			* @var array
48			*/
49			private $mCC = array();
50
51			/**
52			* BCC field
53			* @var array
54			*/
55			private $mBCC = array();
56
57			/**
58			* Reply-to field
59			* @var array
60			*/
61			private $mRT = array();
62
63			/**
64			* Construct function, adds the From: field, subject, and message
65			* @param string $fromEmail Email address of sender
66			* @param string $fromName Name of sender.
67			* @param string $subject Subject of email
68			* @param string $message Message to send
69			* @throws DependencyError
70			*/
71			function __construct( $fromEmail, $fromName, $subject, $message ) {
			0 ignored issues – show Best Practice introduced 2016-01-19 16:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history... Comprehensibility Best Practice introduced 2016-01-19 16:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is recommend to declare an explicit visibility for `__construct`. Generally, we recommend to declare visibility for all methods in your source code. This has the advantage of clearly communication to other developers, and also yourself, how this method should be consumed. If you are not sure which visibility to choose, it is a good idea to start with the most restrictive visibility, and then raise visibility as needed, i.e. start with `private`, and only raise it to `protected` if a sub-class needs to have access, or `public` if an external class needs access. Loading history...
72
73			if( !function_exists( 'mail' ) ) {
74			throw new DependencyError( "Mail", "http://us4.php.net/manual/en/book.mail.php" );
75			}
76
77			if( !is_null( $fromName ) ) {
78			$this->mFrom[$fromName] = $fromEmail;
79			} else {
80			$this->mFrom[] = $fromEmail;
81			}
82			$this->mSubject = $subject;
83			$this->mMessage = $message;
84			}
85
86			/**
87			* Adds another email to the To: field.
88			* @param string $toEmail Email address of recipient
89			* @param string $toName Name of recipient. Default null
90			*/
91			public function addTarget( $toEmail, $toName = null ) {
92			if( !is_null( $toName ) ) {
93			$this->mTo[$toName] = $toEmail;
94			} else {
95			$this->mTo[] = $toEmail;
96			}
97			}
98
99			/**
100			* Adds another email to the CC: field.
101			* @param string $ccEmail Email address of cc
102			* @param string $ccName Name of cc. Default null
103			*/
104			public function addCC( $ccEmail, $ccName = null ) {
105			if( !is_null( $ccName ) ) {
106			$this->mCC[$ccName] = $ccEmail;
107			} else {
108			$this->mCC[] = $ccEmail;
109			}
110			}
111
112			/**
113			* Adds another email to the BCC: field.
114			* @param string $bccEmail Email address of bcc
115			* @param string $bccName Name of bcc. Default null
116			*/
117			public function addBCC( $bccEmail, $bccName = null ) {
118			if( !is_null( $bccName ) ) {
119			$this->mBCC[$bccName] = $bccEmail;
120			} else {
121			$this->mBCC[] = $bccEmail;
122			}
123			}
124
125			/**
126			* Adds another email to the Reply-to: field.
127			* @param string $rtEmail Email address to reply to
128			* @param string $rtName Name to reply to. Default null
129			*/
130			public function addReplyTo( $rtEmail, $rtName = null ) {
131			if( !is_null( $rtName ) ) {
132			$this->mRT[$rtName] = $rtEmail;
133			} else {
134			$this->mRT[] = $rtEmail;
135			}
136			}
137
138			/**
139			* Sends the email.
140			*/
141			public function send() {
142			$msg = array();
143
144			$msg_to = array();
145			foreach( $this->mTo as $name => $target ){
146			if( !is_string( $name ) ) {
147			$msg_to[] = $target;
148			} else {
149			$msg_to[] = "$name <$target>";
150			}
151			}
152			$msg['to'] = implode( ', ', $msg_to );
153
154			$msg_from = array();
155			foreach( $this->mFrom as $name => $target ){
156			if( !is_string( $name ) ) {
157			$msg_from[] = $target;
158			} else {
159			$msg_from[] = "$name <$target>";
160			}
161			}
162			$msg['from'] = null;
163			if( count( $msg_from ) > 0 ) $msg['from'] = "From: " . implode( ', ', $msg_from );
164
165			$msg_cc = array();
166			foreach( $this->mCC as $name => $target ){
167			if( !is_string( $name ) ) {
168			$msg_cc[] = $target;
169			} else {
170			$msg_cc[] = "$name <$target>";
171			}
172			}
173			$msg['cc'] = null;
174			if( count( $msg_cc ) > 0 ) $msg['cc'] = "CC: " . implode( ', ', $msg_cc );
175
176			$msg_bcc = array();
177			foreach( $this->mBCC as $name => $target ){
178			if( !is_string( $name ) ) {
179			$msg_bcc[] = $target;
180			} else {
181			$msg_bcc[] = "$name";
182			}
183			}
184			$msg['bcc'] = null;
185			if( count( $msg_bcc ) > 0 ) $msg['bcc'] = "BCC: " . implode( ', ', $msg_bcc );
186
187			$msg_rt = array();
188			foreach( $this->mRT as $name => $target ){
189			if( !is_string( $name ) ) {
190			$msg_rt[] = $target;
191			} else {
192			$msg_rt[] = "$name <$target>";
193			}
194			}
195			$msg['rt'] = null;
196			if( count( $msg_rt ) > 0 ) $msg['rt'] = "Reply-to: " . implode( ', ', $msg_rt );
197
198			$msg['subject'] = $this->mSubject;
199			$msg['message'] = $this->mMessage;
200			$msg['version'] = 'X-Mailer: PHP/' . phpversion();
201
202			$msg['headers'] = $msg['from'] . "\r\n";
203			if( !is_null( $msg['rt'] ) ) $msg['headers'] .= $msg['rt'] . "\r\n";
204			if( !is_null( $msg['cc'] ) ) $msg['headers'] .= $msg['cc'] . "\r\n";
205			if( !is_null( $msg['bcc'] ) ) $msg['headers'] .= $msg['bcc'] . "\r\n";
206			$msg['headers'] .= $msg['version'];
207
208			$result = mail( $msg['to'], $msg['subject'], $msg['message'], $msg['headers'] );
209
210			return $result;
211			}
212			}
213

MW-Peachy / Peachy

Issues (165)

Security Analysis no request data

Plugins/Email.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like