Issues in cache.php - Fixed Issues - Inspection of "Merge pull request #488 from nlubisch/feature/221-..." - OpencachingDeutschland/oc-server3 - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — development ( 171f18...98bd13 )

by Thomas

created 2017-05-14 10:20 UTC

htdocs/xml/csv/cache.php (3 issues)

Labels

Security 3

Severity

Critical 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/***************************************************************************
 * for license information see doc/license.txt
 ***************************************************************************/

$opt['rootpath'] = __DIR__ . '/../../';
require_once __DIR__ . '/../../lib2/web.inc.php';
require_once __DIR__ . '/../../lib2/logic/cache.class.php';

header('Content-type: text/html; charset=utf-8');

$cache = null;
if (isset($_REQUEST['cacheid'])) {
    $cacheId = (int) $_REQUEST['cacheid'];
    $cache = new cache($cacheId);
} else {
    if (isset($_REQUEST['uuid'])) {
        $uuid = $_REQUEST['uuid'];
        $cache = cache::fromUUID($uuid);
    } else {
        if (isset($_REQUEST['wp'])) {
            $wp = $_REQUEST['wp'];
            $cache = cache::fromWP($wp);
        }
    }
}

if ($cache === null) {
    echo '0';
} else {
    if (!$cache->isPublic()) {
        echo '0';
    } else {
        echo $cache->getCacheId();
        echo ';';
        echo '"' . mb_ereg_replace('"', '\"', $cache->getName()) . '"';
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);

// for URLs
$sanitized = urlencode($tainted);
        echo ';';
        echo '"' . mb_ereg_replace('"', '\"', $cache->getUsername()) . '"';
        echo ';';
        echo '"' . mb_ereg_replace('"', '\"', $cache->getWPOC()) . '"';
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);

// for URLs
$sanitized = urlencode($tainted);
        echo ';';
        echo '"' . mb_ereg_replace('"', '\"', $cache->getWPGC()) . '"';
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);

// for URLs
$sanitized = urlencode($tainted);
        echo ';';
        echo '""'; // obsolete Navicache WP
    }
}


Push — development ( 171f18...98bd13 )

htdocs/xml/csv/cache.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

16 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

16 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

16 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

1			<?php
2			/***************************************************************************
3			* for license information see doc/license.txt
4			***************************************************************************/
5
6			$opt['rootpath'] = __DIR__ . '/../../';
7			require_once __DIR__ . '/../../lib2/web.inc.php';
8			require_once __DIR__ . '/../../lib2/logic/cache.class.php';
9
10			header('Content-type: text/html; charset=utf-8');
11
12			$cache = null;
13			if (isset($_REQUEST['cacheid'])) {
14			$cacheId = (int) $_REQUEST['cacheid'];
15			$cache = new cache($cacheId);
16			} else {
17			if (isset($_REQUEST['uuid'])) {
18			$uuid = $_REQUEST['uuid'];
19			$cache = cache::fromUUID($uuid);
20			} else {
21			if (isset($_REQUEST['wp'])) {
22			$wp = $_REQUEST['wp'];
23			$cache = cache::fromWP($wp);
24			}
25			}
26			}
27
28			if ($cache === null) {
29			echo '0';
30			} else {
31			if (!$cache->isPublic()) {
32			echo '0';
33			} else {
34			echo $cache->getCacheId();
35			echo ';';
36			echo '"' . mb_ereg_replace('"', '\"', $cache->getName()) . '"';
			0 ignored issues – show Security Cross-Site Scripting introduced 2017-04-18 22:09 UTC by Report Bug Copy Issue Report Show Similar Issues like this `'"' . mb_ereg_replace('"...cache->getName()) . '"'` can contain request data and is used in output context(s) leading to a potential security vulnerability. 16 paths for user data to reach this point 1. Path: Read from `$_REQUEST,` and `$_REQUEST['newlist_name']` is passed through trim(), and `$newListName` is assigned in htdocs/addtolist.php on line 26 Read from `$_REQUEST,` and `$_REQUEST['newlist_name']` is passed through trim(), and `$newListName` is assigned in htdocs/addtolist.php on line 26 `$newListName` is passed to cachelist::setNameAndVisibility() in htdocs/addtolist.php on line 38 `$name` is passed through trim(), and `$name` is assigned in htdocs/lib2/logic/cachelist.class.php on line 97 `$name` is passed through trim(), and `trim($name)` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelist.class.php on line 117 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 2. Path: Read from `$_REQUEST,` and `$_REQUEST['statpic_style']` is passed to statpic::setStyle() in htdocs/change_statpic.php on line 33 Read from `$_REQUEST,` and `$_REQUEST['statpic_style']` is passed to statpic::setStyle() in htdocs/change_statpic.php on line 33 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/statpic.class.php on line 31 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 3. Path: Read from `$_REQUEST,` and `$_REQUEST['statpic_text']` is passed to statpic::setText() in htdocs/change_statpic.php on line 26 Read from `$_REQUEST,` and `$_REQUEST['statpic_text']` is passed to statpic::setText() in htdocs/change_statpic.php on line 26 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/statpic.class.php on line 47 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 4. Path: Read from `$_REQUEST,` and `$list_password` is assigned in htdocs/mylists.php on line 20 Read from `$_REQUEST,` and `$list_password` is assigned in htdocs/mylists.php on line 20 `$list_password` is passed to cachelist::setPassword() in htdocs/mylists.php on line 58 `$pw` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelist.class.php on line 151 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 5. Path: Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 82 Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 82 `$title` is passed to picture::setTitle() in htdocs/picture.php on line 87 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 236 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 6. Path: Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 169 Read from `$_REQUEST,` and `$title` is assigned in htdocs/picture.php on line 169 `$title` is passed to picture::setTitle() in htdocs/picture.php on line 173 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 236 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 7. Path: Read from `$_REQUEST,` and `$_REQUEST['firstName']` is passed through trim(), and `trim($_REQUEST['firstName'])` is passed to user::setFirstName() in htdocs/myprofile.php on line 60 Read from `$_REQUEST,` and `$_REQUEST['firstName']` is passed through trim(), and `trim($_REQUEST['firstName'])` is passed to user::setFirstName() in htdocs/myprofile.php on line 60 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 230 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 8. Path: Read from `$_POST,` and `$first_name` is assigned in htdocs/register.php on line 17 Read from `$_POST,` and `$first_name` is assigned in htdocs/register.php on line 17 `$first_name` is passed to user::setFirstName() in htdocs/register.php on line 40 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 230 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 9. Path: Read from `$_REQUEST,` and `$_REQUEST['lastName']` is passed through trim(), and `trim($_REQUEST['lastName'])` is passed to user::setLastName() in htdocs/myprofile.php on line 68 Read from `$_REQUEST,` and `$_REQUEST['lastName']` is passed through trim(), and `trim($_REQUEST['lastName'])` is passed to user::setLastName() in htdocs/myprofile.php on line 68 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 250 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 10. Path: Read from `$_POST,` and `$last_name` is assigned in htdocs/register.php on line 16 Read from `$_POST,` and `$last_name` is assigned in htdocs/register.php on line 16 `$last_name` is passed to user::setLastName() in htdocs/register.php on line 44 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 250 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 11. Path: Read from `$_POST,` and `$email` is assigned in htdocs/register.php on line 20 Read from `$_POST,` and `$email` is assigned in htdocs/register.php on line 20 `$email` is passed to user::setEMail() in htdocs/register.php on line 30 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 180 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 12. Path: Read from `$_REQUEST,` and `$_REQUEST['username']` is passed through trim(), and `trim($_REQUEST['username'])` is passed to user::setUsername() in htdocs/myprofile.php on line 52 Read from `$_REQUEST,` and `$_REQUEST['username']` is passed through trim(), and `trim($_REQUEST['username'])` is passed to user::setUsername() in htdocs/myprofile.php on line 52 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 161 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 13. Path: Read from `$_POST,` and `$username` is assigned in htdocs/register.php on line 15 Read from `$_POST,` and `$username` is assigned in htdocs/register.php on line 15 `$username` is passed to user::setUsername() in htdocs/register.php on line 35 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/user.class.php on line 161 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 14. Path: Read from `$_FILES,` and `$_FILES['file']['name']` is passed to picture::setFilenames() in htdocs/picture.php on line 124 Read from `$_FILES,` and `$_FILES['file']['name']` is passed to picture::setFilenames() in htdocs/picture.php on line 124 `$sFilename` is passed through substr(), and `substr($sFilename, strrpos($sFilename, '.') + 1)` is passed through mb_strtolower(), and `$sExtension` is assigned in htdocs/lib2/logic/picture.class.php on line 123 `$opt['logic']['pictures']['url'] . $sUUID . '.' . $sExtension` is passed to picture::setUrl() in htdocs/lib2/logic/picture.class.php on line 128 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 201 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 15. Path: Read from `$_FILES,` and `$_FILES['file']['name']` is escaped by pathinfo() for file context(s), and `$fname` is assigned in htdocs/picture.php on line 117 Read from `$_FILES,` and `$_FILES['file']['name']` is escaped by pathinfo() for file context(s), and `$fname` is assigned in htdocs/picture.php on line 117 `$fname` is passed through mb_strtolower(), and `mb_strtolower($fname) . '.jpg'` is passed to picture::setFilenames() in htdocs/picture.php on line 130 `$sFilename` is passed through substr(), and `substr($sFilename, strrpos($sFilename, '.') + 1)` is passed through mb_strtolower(), and `$sExtension` is assigned in htdocs/lib2/logic/picture.class.php on line 123 `$opt['logic']['pictures']['url'] . $sUUID . '.' . $sExtension` is passed to picture::setUrl() in htdocs/lib2/logic/picture.class.php on line 128 `$value` is passed to rowEditor::setValue() in htdocs/lib2/logic/picture.class.php on line 201 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 16. Path: Read from `$_REQUEST,` and `$_REQUEST['list_name']` is passed through trim(), and `$list_name` is assigned in htdocs/mylists.php on line 18 Read from `$_REQUEST,` and `$_REQUEST['list_name']` is passed through trim(), and `$list_name` is assigned in htdocs/mylists.php on line 18 `$list_name` is passed to cachelist::setNameAndVisibility() in htdocs/mylists.php on line 53 `$name` is passed through trim(), and `$name` is assigned in htdocs/lib2/logic/cachelist.class.php on line 97 `$name` is passed through trim(), and `trim($name)` is passed to rowEditor::setValue() in htdocs/lib2/logic/cachelist.class.php on line 117 `$sFormatedValue` is assigned in htdocs/lib2/rowEditor.class.php on line 521 rowEditor::$fields is assigned in htdocs/lib2/rowEditor.class.php on line 531 Tainted property rowEditor::$fields is read in htdocs/lib2/rowEditor.class.php on line 475 rowEditor::getValue() returns tainted data in htdocs/lib2/logic/cache.class.php on line 153 cache::getName() returns tainted data, and `$cache->getName()` is passed through mb_ereg_replace() in htdocs/xml/csv/cache.php on line 36 Preventing Cross-Site-Scripting Attacks Cross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user. In order to prevent this, make sure to escape all user-provided data: // for HTML $sanitized = htmlentities($tainted, ENT_QUOTES); // for URLs $sanitized = urlencode($tainted); General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
37			echo ';';
38			echo '"' . mb_ereg_replace('"', '\"', $cache->getUsername()) . '"';
39			echo ';';

OpencachingDeutschland / oc-server3

Push — development ( 171f18...98bd13 )

htdocs/xml/csv/cache.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

16 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

16 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

16 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like