Issues in mail.class.php - Fixed Issues - Inspection of "Merge pull request #488 from nlubisch/feature/221-..." - OpencachingDeutschland/oc-server3 - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — development ( 171f18...98bd13 )

by Thomas

created 2017-05-14 10:20 UTC

htdocs/lib2/mail.class.php (2 issues)

Labels

Security 2

Severity

Critical 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/***************************************************************************
 * for license information see doc/license.txt
 ***************************************************************************/

require_once __DIR__ . '/../vendor/autoload.php';

class mail extends Smarty
{
    public $name = 'sys_nothing';
    public $main_template = 'sys_main';
    public $recipient_locale = null;

    public $from = '';
    public $to = '';
    public $subject = '';

    public $replyTo = null;
    public $returnPath = null;

    public $headers = array();

    /**
     * mail constructor.
     */
    public function __construct()
    {
        parent::__construct();

        global $opt;

        $this->template_dir = __DIR__ . '/../templates2/mail/';
        $this->compile_dir = __DIR__ . '/../var/cache2/smarty/compiled/';
        $this->plugins_dir = [
            'plugins',
            __DIR__ . '/../src/Oc/SmartyPlugins'
        ];

        // disable caching ...
        $this->caching = false;

        // register additional functions
        $this->load_filter('pre', 't');

        // cache control
        if (($opt['debug'] & DEBUG_TEMPLATES) == DEBUG_TEMPLATES) {
            $this->force_compile = true;
        }

        $this->from = $opt['mail']['from'];
    }

    /**
     * @return string
     */
    public function get_compile_id()
    {
        global $opt;

        return 'mail|' . $opt['template']['locale'] . '|' . $this->compile_id;
    }

    /**
     * @param $name
     * @param $rs
     */
    public function assign_rs($name, $rs)
    {
        $items = array();
        while ($r = sql_fetch_assoc($rs)) {
            $items[] = $r;
        }
        $this->assign($name, $items);
    }

    /**
     * @param bool $page_url
     *
     * @return bool
     */
    public function send($page_url = false)
    {
        global $tpl, $opt;

        if (!$this->template_exists($this->name . '.tpl')) {
            $tpl->error(ERROR_MAIL_TEMPLATE_NOT_FOUND);
        }
        $this->assign('template', $this->name);
        if (!$this->recipient_locale) {
            $this->recipient_locale = $opt['template']['locale'];
        }

        $optn['mail']['contact'] = $opt['mail']['contact'];
        $optn['page']['absolute_url'] = ($page_url ? $page_url : $opt['page']['absolute_url']);
        $optn['page']['sitename'] = $opt['page']['sitename'];
        $optn['format'] = $opt['locale'][$this->recipient_locale]['format'];
        $this->assign('opt', $optn);

        $this->assign('to', $this->to);
        $this->assign('from', $this->from);
        $this->assign('subject', $this->subject);

        // This is nasty, but as there is only a global translation system
        // (based on gettext) and there are no precompiled, language-dependend email
        // templates available, we must temporarily change the locale according to
        // the recipient's locale. If some error occurs while running fetch(),
        // the error message may be displayed in the recipient's language.

        $sender_locale = $opt['template']['locale'];
        if ($this->recipient_locale != $sender_locale) {
            $opt['template']['locale'] = $this->recipient_locale;
            set_php_locale();
        }

        $body = $this->fetch($this->main_template . '.tpl', '', $this->get_compile_id());

        if ($this->recipient_locale != $sender_locale) {
            $opt['template']['locale'] = $sender_locale;
            set_php_locale();
        }

        // check if the target domain exists if the domain does not
        // exist, the mail is sent to the own domain (?!)
        $domain = mail::getToMailDomain($this->to);
        if (mail::is_existent_maildomain($domain) == false) {
            return false;
        }

        $aAddHeaders = array();
        $aAddHeaders[] = 'From: "' . $this->from . '" <' . $this->from . '>';

        if ($this->replyTo !== null) {
            $aAddHeaders[] = 'Reply-To: ' . $this->replyTo;
        }

        if ($this->returnPath !== null) {
            $aAddHeaders[] = 'Return-Path: ' . $this->returnPath;
        }

        $mailHeaders = implode("\n", array_merge($aAddHeaders, $this->headers));

        return mb_send_mail($this->to, $opt['mail']['subject'] . $this->subject, $body, $mailHeaders);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
    }

    /**
     * @param string $domain
     *
     * @return bool
     */
    public static function is_existent_maildomain($domain)
    {
        if ($domain === 'localhost') {
            return true;
        }  // allow maintenance mails e.g. to root

        $smtpServerList = [];
        $smtpServerWeight = [];

        if (getmxrr($domain, $smtpServerList, $smtpServerWeight) !== false && count($smtpServerList) > 0) {
            return true;
        }

        // check if A exists
        $a = dns_get_record($domain, DNS_A);

        return count($a) > 0;
    }

    /**
     * @param string $mail
     *
     * @return string
     */
    public static function getToMailDomain($mail)
    {
        if ($mail === '') {
            return '';
        }

        if (strrpos($mail, '@') === false) {
            $domain = 'localhost';
        } else {
            $domain = substr($mail, strrpos($mail, '@') + 1);
        }

        return $domain;
    }
}


1		<?php
2		/***************************************************************************
3		* for license information see doc/license.txt
4		***************************************************************************/
5
6		require_once __DIR__ . '/../vendor/autoload.php';
7
8		class mail extends Smarty
9		{
10		public $name = 'sys_nothing';
11		public $main_template = 'sys_main';
12		public $recipient_locale = null;
13
14		public $from = '';
15		public $to = '';
16		public $subject = '';
17
18		public $replyTo = null;
19		public $returnPath = null;
20
21		public $headers = array();
22
23		/**
24		* mail constructor.
25		*/
26		public function __construct()
27		{
28		parent::__construct();
29
30		global $opt;
31
32		$this->template_dir = __DIR__ . '/../templates2/mail/';
33		$this->compile_dir = __DIR__ . '/../var/cache2/smarty/compiled/';
34		$this->plugins_dir = [
35		'plugins',
36		__DIR__ . '/../src/Oc/SmartyPlugins'
37		];
38
39		// disable caching ...
40		$this->caching = false;
41
42		// register additional functions
43		$this->load_filter('pre', 't');
44
45		// cache control
46		if (($opt['debug'] & DEBUG_TEMPLATES) == DEBUG_TEMPLATES) {
47		$this->force_compile = true;
48		}
49
50		$this->from = $opt['mail']['from'];
51		}
52
53		/**
54		* @return string
55		*/
56		public function get_compile_id()
57		{
58		global $opt;
59
60		return 'mail\|' . $opt['template']['locale'] . '\|' . $this->compile_id;
61		}
62
63		/**
64		* @param $name
65		* @param $rs
66		*/
67	View Code Duplication	public function assign_rs($name, $rs)
68		{
69		$items = array();
70		while ($r = sql_fetch_assoc($rs)) {
71		$items[] = $r;
72		}
73		$this->assign($name, $items);
74		}
75
76		/**
77		* @param bool $page_url
78		*
79		* @return bool
80		*/
81		public function send($page_url = false)
82		{
83		global $tpl, $opt;
84
85		if (!$this->template_exists($this->name . '.tpl')) {
86		$tpl->error(ERROR_MAIL_TEMPLATE_NOT_FOUND);
87		}
88		$this->assign('template', $this->name);
89		if (!$this->recipient_locale) {
90		$this->recipient_locale = $opt['template']['locale'];
91		}
92
93		$optn['mail']['contact'] = $opt['mail']['contact'];
94		$optn['page']['absolute_url'] = ($page_url ? $page_url : $opt['page']['absolute_url']);
95		$optn['page']['sitename'] = $opt['page']['sitename'];
96		$optn['format'] = $opt['locale'][$this->recipient_locale]['format'];
97		$this->assign('opt', $optn);
98
99		$this->assign('to', $this->to);
100		$this->assign('from', $this->from);
101		$this->assign('subject', $this->subject);
102
103		// This is nasty, but as there is only a global translation system
104		// (based on gettext) and there are no precompiled, language-dependend email
105		// templates available, we must temporarily change the locale according to
106		// the recipient's locale. If some error occurs while running fetch(),
107		// the error message may be displayed in the recipient's language.
108
109		$sender_locale = $opt['template']['locale'];
110		if ($this->recipient_locale != $sender_locale) {
111		$opt['template']['locale'] = $this->recipient_locale;
112		set_php_locale();
113		}
114
115		$body = $this->fetch($this->main_template . '.tpl', '', $this->get_compile_id());
116
117		if ($this->recipient_locale != $sender_locale) {
118		$opt['template']['locale'] = $sender_locale;
119		set_php_locale();
120		}
121
122		// check if the target domain exists if the domain does not
123		// exist, the mail is sent to the own domain (?!)
124		$domain = mail::getToMailDomain($this->to);
125		if (mail::is_existent_maildomain($domain) == false) {
126		return false;
127		}
128
129		$aAddHeaders = array();
130		$aAddHeaders[] = 'From: "' . $this->from . '" <' . $this->from . '>';
131
132		if ($this->replyTo !== null) {
133		$aAddHeaders[] = 'Reply-To: ' . $this->replyTo;
134		}
135
136		if ($this->returnPath !== null) {
137		$aAddHeaders[] = 'Return-Path: ' . $this->returnPath;
138		}
139
140		$mailHeaders = implode("\n", array_merge($aAddHeaders, $this->headers));
141
142		return mb_send_mail($this->to, $opt['mail']['subject'] . $this->subject, $body, $mailHeaders);
		0 ignored issues – show Security Header Injection introduced 2017-04-18 22:09 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$this->to` can contain request data and is used in request header context(s) leading to a potential security vulnerability. 18 paths for user data to reach this point 1. Path: Read from `$_REQUEST,` and `$_REQUEST['newlist_name']` is passed through trim(), and `$newListName` is assigned in htdocs/addtolist.php on line 26 Read from `$_REQUEST,` and `$_REQUEST['newlist_name']` is passed through trim(), and `$newListName` is assigned in htdocs/addtolist.php on line 26 `$newListName` is passed to cachelist::setNameAndVisibility() in htdocs/addtolist.php on line 38 `$name` is passed through trim(), and `$name` is assigned in htdocs/lib2/logic/cachelist.class.php on line 97 `$name` is passed through trim(), and `trim($name)` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelist.class.php on line 117 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 2. Path: Read from `$_REQUEST,` and `$_REQUEST['statpic_style']` is passed to statpic::setStyle() in htdocs/change_statpic.php on line 33 Read from `$_REQUEST,` and `$_REQUEST['statpic_style']` is passed to statpic::setStyle() in htdocs/change_statpic.php on line 33 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/statpic.class.php on line 31 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 3. Path: Read from `$_REQUEST,` and `$_REQUEST['statpic_text']` is passed to statpic::setText() in htdocs/change_statpic.php on line 26 Read from `$_REQUEST,` and `$_REQUEST['statpic_text']` is passed to statpic::setText() in htdocs/change_statpic.php on line 26 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/statpic.class.php on line 47 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 4. Path: Read from `$_POST,` and `$logText` is assigned in htdocs/log.php on line 111 Read from `$_POST,` and `$logText` is assigned in htdocs/log.php on line 111 Data is escaped by htmlspecialchars() for html (no single-quotes) context(s), and Data is passed through nl2br() in vendor/htdocs/lib2/edithelper.inc.php on line 50 `$logText` is assigned in htdocs/log.php on line 206 `$logText` is passed to cachelog::setText() in htdocs/log.php on line 301 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelog.class.php on line 211 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 5. Path: Read from `$_REQUEST,` and `$list_password` is assigned in htdocs/mylists.php on line 20 Read from `$_REQUEST,` and `$list_password` is assigned in htdocs/mylists.php on line 20 `$list_password` is passed to cachelist::setPassword() in htdocs/mylists.php on line 58 `$pw` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelist.class.php on line 151 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 6. Path: Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 82 Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 82 `$title` is passed to picture::setTitle() in htdocs/picture.php on line 87 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 236 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 7. Path: Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 169 Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 169 `$title` is passed to picture::setTitle() in htdocs/picture.php on line 173 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 236 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 8. Path: Read from `$_REQUEST,` and `$_REQUEST['firstName']` is passed through trim(), and `trim($_REQUEST['firstName'])` is passed to user::setFirstName() in htdocs/myprofile.php on line 60 Read from `$_REQUEST,` and `$_REQUEST['firstName']` is passed through trim(), and `trim($_REQUEST['firstName'])` is passed to user::setFirstName() in htdocs/myprofile.php on line 60 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 230 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 9. Path: Read from `$_POST,` and `$first_name` is assigned in htdocs/register.php on line 17 Read from `$_POST,` and `$first_name` is assigned in htdocs/register.php on line 17 `$first_name` is passed to user::setFirstName() in htdocs/register.php on line 40 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 230 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 10. Path: Read from `$_REQUEST,` and `$_REQUEST['lastName']` is passed through trim(), and `trim($_REQUEST['lastName'])` is passed to user::setLastName() in htdocs/myprofile.php on line 68 Read from `$_REQUEST,` and `$_REQUEST['lastName']` is passed through trim(), and `trim($_REQUEST['lastName'])` is passed to user::setLastName() in htdocs/myprofile.php on line 68 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 250 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 11. Path: Read from `$_POST,` and `$last_name` is assigned in htdocs/register.php on line 16 Read from `$_POST,` and `$last_name` is assigned in htdocs/register.php on line 16 `$last_name` is passed to user::setLastName() in htdocs/register.php on line 44 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 250 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 12. Path: Read from `$_POST,` and `$email` is assigned in htdocs/register.php on line 20 Read from `$_POST,` and `$email` is assigned in htdocs/register.php on line 20 `$email` is passed to user::setEMail() in htdocs/register.php on line 30 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 180 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 13. Path: Read from `$_REQUEST,` and `$_REQUEST['username']` is passed through trim(), and `trim($_REQUEST['username'])` is passed to user::setUsername() in htdocs/myprofile.php on line 52 Read from `$_REQUEST,` and `$_REQUEST['username']` is passed through trim(), and `trim($_REQUEST['username'])` is passed to user::setUsername() in htdocs/myprofile.php on line 52 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 161 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 14. Path: Read from `$_POST,` and `$username` is assigned in htdocs/register.php on line 15 Read from `$_POST,` and `$username` is assigned in htdocs/register.php on line 15 `$username` is passed to user::setUsername() in htdocs/register.php on line 35 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 161 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 15. Path: Read from `$_FILES,` and `$_FILES['file']['name']` is passed to picture::setFilenames() in htdocs/picture.php on line 124 Read from `$_FILES,` and `$_FILES['file']['name']` is passed to picture::setFilenames() in htdocs/picture.php on line 124 `$sFilename` is passed through substr(), and `substr($sFilename, strrpos($sFilename, '.') + 1)` is passed through mb_strtolower(), and `$sExtension` is assigned in htdocs/lib2/logic/picture.class.php on line 123 `$opt['logic']['pictures']['url'] . $sUUID . '.' . $sExtension` is passed to picture::setUrl() in htdocs/lib2/logic/picture.class.php on line 128 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 201 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 16. Path: Read from `$_FILES,` and `$_FILES['file']['name']` is escaped by pathinfo() for file context(s), and `$fname` is assigned in htdocs/picture.php on line 117 Read from `$_FILES,` and `$_FILES['file']['name']` is escaped by pathinfo() for file context(s), and `$fname` is assigned in htdocs/picture.php on line 117 `$fname` is passed through mb_strtolower(), and `mb_strtolower($fname) . '.jpg'` is passed to picture::setFilenames() in htdocs/picture.php on line 130 `$sFilename` is passed through substr(), and `substr($sFilename, strrpos($sFilename, '.') + 1)` is passed through mb_strtolower(), and `$sExtension` is assigned in htdocs/lib2/logic/picture.class.php on line 123 `$opt['logic']['pictures']['url'] . $sUUID . '.' . $sExtension` is passed to picture::setUrl() in htdocs/lib2/logic/picture.class.php on line 128 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 201 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 17. Path: Read from `$_REQUEST,` and `$_REQUEST['list_name']` is passed through trim(), and `$list_name` is assigned in htdocs/mylists.php on line 18 Read from `$_REQUEST,` and `$_REQUEST['list_name']` is passed through trim(), and `$list_name` is assigned in htdocs/mylists.php on line 18 `$list_name` is passed to cachelist::setNameAndVisibility() in htdocs/mylists.php on line 53 `$name` is passed through trim(), and `$name` is assigned in htdocs/lib2/logic/cachelist.class.php on line 97 `$name` is passed through trim(), and `trim($name)` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelist.class.php on line 117 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and `$email` is assigned in htdocs/lib2/logic/user.class.php on line 781 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 793 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 18. Path: Read from `$_REQUEST,` and `$email` is assigned in htdocs/newemail.php on line 22 Read from `$_REQUEST,` and `$email` is assigned in htdocs/newemail.php on line 22 `$email` is passed to user::requestNewEMail() in htdocs/newemail.php on line 41 mail::$to is assigned in htdocs/lib2/logic/user.class.php on line 745 Tainted property mail::$to is read in htdocs/lib2/mail.class.php on line 142 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history... Security Header Injection introduced 2017-04-18 22:09 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$mailHeaders` can contain request data and is used in request header context(s) leading to a potential security vulnerability. 17 paths for user data to reach this point 1. Path: Read from `$_REQUEST,` and `$_REQUEST['newlist_name']` is passed through trim(), and `$newListName` is assigned in htdocs/addtolist.php on line 26 Read from `$_REQUEST,` and `$_REQUEST['newlist_name']` is passed through trim(), and `$newListName` is assigned in htdocs/addtolist.php on line 26 `$newListName` is passed to cachelist::setNameAndVisibility() in htdocs/addtolist.php on line 38 `$name` is passed through trim(), and `$name` is assigned in htdocs/lib2/logic/cachelist.class.php on line 97 `$name` is passed through trim(), and `trim($name)` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelist.class.php on line 117 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 2. Path: Read from `$_REQUEST,` and `$_REQUEST['statpic_style']` is passed to statpic::setStyle() in htdocs/change_statpic.php on line 33 Read from `$_REQUEST,` and `$_REQUEST['statpic_style']` is passed to statpic::setStyle() in htdocs/change_statpic.php on line 33 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/statpic.class.php on line 31 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 3. Path: Read from `$_REQUEST,` and `$_REQUEST['statpic_text']` is passed to statpic::setText() in htdocs/change_statpic.php on line 26 Read from `$_REQUEST,` and `$_REQUEST['statpic_text']` is passed to statpic::setText() in htdocs/change_statpic.php on line 26 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/statpic.class.php on line 47 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 4. Path: Read from `$_POST,` and `$logText` is assigned in htdocs/log.php on line 111 Read from `$_POST,` and `$logText` is assigned in htdocs/log.php on line 111 Data is escaped by htmlspecialchars() for html (no single-quotes) context(s), and Data is passed through nl2br() in vendor/htdocs/lib2/edithelper.inc.php on line 50 `$logText` is assigned in htdocs/log.php on line 206 `$logText` is passed to cachelog::setText() in htdocs/log.php on line 301 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelog.class.php on line 211 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 5. Path: Read from `$_REQUEST,` and `$list_password` is assigned in htdocs/mylists.php on line 20 Read from `$_REQUEST,` and `$list_password` is assigned in htdocs/mylists.php on line 20 `$list_password` is passed to cachelist::setPassword() in htdocs/mylists.php on line 58 `$pw` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelist.class.php on line 151 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 6. Path: Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 82 Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 82 `$title` is passed to picture::setTitle() in htdocs/picture.php on line 87 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 236 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 7. Path: Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 169 Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 169 `$title` is passed to picture::setTitle() in htdocs/picture.php on line 173 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 236 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 8. Path: Read from `$_REQUEST,` and `$_REQUEST['firstName']` is passed through trim(), and `trim($_REQUEST['firstName'])` is passed to user::setFirstName() in htdocs/myprofile.php on line 60 Read from `$_REQUEST,` and `$_REQUEST['firstName']` is passed through trim(), and `trim($_REQUEST['firstName'])` is passed to user::setFirstName() in htdocs/myprofile.php on line 60 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 230 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 9. Path: Read from `$_POST,` and `$first_name` is assigned in htdocs/register.php on line 17 Read from `$_POST,` and `$first_name` is assigned in htdocs/register.php on line 17 `$first_name` is passed to user::setFirstName() in htdocs/register.php on line 40 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 230 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 10. Path: Read from `$_REQUEST,` and `$_REQUEST['lastName']` is passed through trim(), and `trim($_REQUEST['lastName'])` is passed to user::setLastName() in htdocs/myprofile.php on line 68 Read from `$_REQUEST,` and `$_REQUEST['lastName']` is passed through trim(), and `trim($_REQUEST['lastName'])` is passed to user::setLastName() in htdocs/myprofile.php on line 68 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 250 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 11. Path: Read from `$_POST,` and `$last_name` is assigned in htdocs/register.php on line 16 Read from `$_POST,` and `$last_name` is assigned in htdocs/register.php on line 16 `$last_name` is passed to user::setLastName() in htdocs/register.php on line 44 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 250 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 12. Path: Read from `$_POST,` and `$email` is assigned in htdocs/register.php on line 20 Read from `$_POST,` and `$email` is assigned in htdocs/register.php on line 20 `$email` is passed to user::setEMail() in htdocs/register.php on line 30 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 180 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 13. Path: Read from `$_REQUEST,` and `$_REQUEST['username']` is passed through trim(), and `trim($_REQUEST['username'])` is passed to user::setUsername() in htdocs/myprofile.php on line 52 Read from `$_REQUEST,` and `$_REQUEST['username']` is passed through trim(), and `trim($_REQUEST['username'])` is passed to user::setUsername() in htdocs/myprofile.php on line 52 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 161 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 14. Path: Read from `$_POST,` and `$username` is assigned in htdocs/register.php on line 15 Read from `$_POST,` and `$username` is assigned in htdocs/register.php on line 15 `$username` is passed to user::setUsername() in htdocs/register.php on line 35 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 161 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 15. Path: Read from `$_FILES,` and `$_FILES['file']['name']` is passed to picture::setFilenames() in htdocs/picture.php on line 124 Read from `$_FILES,` and `$_FILES['file']['name']` is passed to picture::setFilenames() in htdocs/picture.php on line 124 `$sFilename` is passed through substr(), and `substr($sFilename, strrpos($sFilename, '.') + 1)` is passed through mb_strtolower(), and `$sExtension` is assigned in htdocs/lib2/logic/picture.class.php on line 123 `$opt['logic']['pictures']['url'] . $sUUID . '.' . $sExtension` is passed to picture::setUrl() in htdocs/lib2/logic/picture.class.php on line 128 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 201 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 16. Path: Read from `$_FILES,` and `$_FILES['file']['name']` is escaped by pathinfo() for file context(s), and `$fname` is assigned in htdocs/picture.php on line 117 Read from `$_FILES,` and `$_FILES['file']['name']` is escaped by pathinfo() for file context(s), and `$fname` is assigned in htdocs/picture.php on line 117 `$fname` is passed through mb_strtolower(), and `mb_strtolower($fname) . '.jpg'` is passed to picture::setFilenames() in htdocs/picture.php on line 130 `$sFilename` is passed through substr(), and `substr($sFilename, strrpos($sFilename, '.') + 1)` is passed through mb_strtolower(), and `$sExtension` is assigned in htdocs/lib2/logic/picture.class.php on line 123 `$opt['logic']['pictures']['url'] . $sUUID . '.' . $sExtension` is passed to picture::setUrl() in htdocs/lib2/logic/picture.class.php on line 128 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 201 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 17. Path: Read from `$_REQUEST,` and `$_REQUEST['list_name']` is passed through trim(), and `$list_name` is assigned in htdocs/mylists.php on line 18 Read from `$_REQUEST,` and `$_REQUEST['list_name']` is passed through trim(), and `$list_name` is assigned in htdocs/mylists.php on line 18 `$list_name` is passed to cachelist::setNameAndVisibility() in htdocs/mylists.php on line 53 `$name` is passed through trim(), and `$name` is assigned in htdocs/lib2/logic/cachelist.class.php on line 97 `$name` is passed through trim(), and `trim($name)` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelist.class.php on line 117 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/user.class.php on line 171 user::getEMail() returns tainted data, and mail::$returnPath is assigned in htdocs/lib2/logic/user.class.php on line 884 Tainted property mail::$returnPath is read, and `$aAddHeaders` is assigned in htdocs/lib2/mail.class.php on line 137 `$aAddHeaders` is passed through array_merge(), and `array_merge($aAddHeaders, $this->headers)` is passed through implode(), and `$mailHeaders` is assigned in htdocs/lib2/mail.class.php on line 140 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
143		}
144
145		/**
146		* @param string $domain
147		*
148		* @return bool
149		*/
150		public static function is_existent_maildomain($domain)
151		{
152		if ($domain === 'localhost') {
153		return true;
154		} // allow maintenance mails e.g. to root
155
156		$smtpServerList = [];
157		$smtpServerWeight = [];
158
159		if (getmxrr($domain, $smtpServerList, $smtpServerWeight) !== false && count($smtpServerList) > 0) {
160		return true;
161		}
162
163		// check if A exists
164		$a = dns_get_record($domain, DNS_A);
165
166		return count($a) > 0;
167		}
168
169		/**
170		* @param string $mail
171		*
172		* @return string
173		*/
174		public static function getToMailDomain($mail)
175		{
176		if ($mail === '') {
177		return '';
178		}
179
180		if (strrpos($mail, '@') === false) {
181		$domain = 'localhost';
182		} else {
183		$domain = substr($mail, strrpos($mail, '@') + 1);
184		}
185
186		return $domain;
187		}
188		}
189

OpencachingDeutschland / oc-server3

Push — development ( 171f18...98bd13 )

htdocs/lib2/mail.class.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

18 paths for user data to reach this point

General Strategies to prevent injection

17 paths for user data to reach this point

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like