IOHelperTrait::writefile() - Code Metrics - Inspection of "Attempting to fix #373 again and again" - PHPSocialNetwork/phpfastcache - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — V6 ( ddfc29...839d12 )

by Georges

created 2016-11-05 16:38 UTC

IOHelperTrait::writefile() B

↳ Parent: IOHelperTrait

Complexity

Conditions	3
Paths	3

Size

Total Lines	34
Code Lines	18

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	3
eloc	18
nc	3
nop	3
dl	0
loc	34
rs	8.8571
c	0
b	0
f	0

<?php
/**
 *
 * This file is part of phpFastCache.
 *
 * @license MIT License (MIT)
 *
 * For full copyright and license information, please see the docs/CREDITS.txt file.
 *
 * @author Khoa Bui (khoaofgod)  <[email protected]> http://www.phpfastcache.com
 * @author Georges.L (Geolim4)  <[email protected]>
 *
 */

namespace phpFastCache\Core\Pool\IO;

use phpFastCache\Core\Pool\ExtendedCacheItemPoolInterface;
use phpFastCache\Exceptions\phpFastCacheIOException;
use phpFastCache\Util\Directory;

trait IOHelperTrait
{
    /**
     * @var array
     */
    public $tmp = [];

    /**
     * @param bool $readonly
     * @return string
     * @throws phpFastCacheIOException
     */
    public function getPath($readonly = false)
    {
        /**
         * Get the base system temporary directory
         */
        $tmp_dir = rtrim(ini_get('upload_tmp_dir') ?: sys_get_temp_dir(), '\\/') . DIRECTORY_SEPARATOR . 'phpfastcache';

        /**
         * Calculate the security key
         */
        {
            $securityKey = array_key_exists('securityKey', $this->config) ? $this->config[ 'securityKey' ] : '';
class MyClass { }

$x = new MyClass();
$x->foo = true;
            if (!$securityKey || $securityKey === 'auto') {
                if (isset($_SERVER[ 'HTTP_HOST' ])) {
                    $securityKey = preg_replace('/^www./', '', strtolower(str_replace(':', '_', $_SERVER[ 'HTTP_HOST' ])));
                } else {
                    $securityKey = ($this->isPHPModule() ? 'web' : 'cli');
                }
            }

            if ($securityKey !== '') {
                $securityKey .= '/';
            }

            $securityKey = static::cleanFileName($securityKey);
        }

        /**
         * Extends the temporary directory
         * with the security key and the driver name
         */
        $tmp_dir = rtrim($tmp_dir, '/') . DIRECTORY_SEPARATOR;

        if (empty($this->config[ 'path' ]) || !is_string($this->config[ 'path' ])) {
            if (self::isPHPModule()) {
                $path = $tmp_dir;
            } else {
                $document_root_path = rtrim($_SERVER[ 'DOCUMENT_ROOT' ], '/') . '/../';
                $path = isset($_SERVER[ 'DOCUMENT_ROOT' ]) && is_writable($document_root_path) ? $document_root_path : rtrim(__DIR__, '/') . DIRECTORY_SEPARATOR;
            }

            if ($this->config[ 'path' ] != '') {
                $path = $this->config[ 'path' ];
            }

        } else {
            $path = $this->config[ 'path' ];
        }

        $full_path = rtrim($path, '/')
          . DIRECTORY_SEPARATOR
          . $securityKey
          . DIRECTORY_SEPARATOR
          . $this->getDriverName();
        $full_path_hash = md5($full_path);

        /**
         * In readonly mode we only attempt
         * to verify if the directory exists
         * or not, if it does not then we
         * return the temp dir
         */
        if ($readonly === true) {
            if($this->config[ 'autoTmpFallback' ] && (@file_exists($full_path) || !@is_writable($full_path))){
                return $tmp_dir;
            }
            return $full_path;
        }else{
            if (!isset($this->tmp[ $full_path_hash ]) || (!@file_exists($full_path) || !@is_writable($full_path))) {
                if (!@file_exists($full_path)) {
                    @mkdir($full_path, $this->setChmodAuto(), true);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
                }else if (!@is_writable($full_path)) {
                    @chmod($full_path, $this->setChmodAuto());
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
                }

                if ($this->config[ 'autoTmpFallback' ] && !@is_writable($full_path)) {
                    /**
                     * Switch back to tmp dir
                     * again if the path is not writable
                     */
                    $full_path = $tmp_dir;
                    if (!@file_exists($full_path)) {
                        @mkdir($full_path, $this->setChmodAuto(), true);
                    }
                }

                /**
                 * In case there is no directory
                 * writable including tye temporary
                 * one, we must throw an exception
                 */
                if (!@file_exists($full_path) || !@is_writable($full_path)) {
                    throw new phpFastCacheIOException('PLEASE CREATE OR CHMOD ' . $full_path . ' - 0777 OR ANY WRITABLE PERMISSION!');
                }

                $this->tmp[ $full_path_hash ] = $full_path;
                $this->htaccessGen($full_path, array_key_exists('htaccess', $this->config) ? $this->config[ 'htaccess' ] : false);
            }
        }

        return realpath($full_path);
    }


    /**
     * @param $keyword
     * @param bool $skip
     * @return string
     * @throws phpFastCacheIOException
     */
    private function getFilePath($keyword, $skip = false)
    {
        $path = $this->getPath();

        if ($keyword === false) {
            return $path;
        }

        $filename = $this->encodeFilename($keyword);
        $folder = substr($filename, 0, 2) . DIRECTORY_SEPARATOR . substr($filename, 2, 2);
        $path = rtrim($path, '/\\') . DIRECTORY_SEPARATOR . $folder;

        /**
         * Skip Create Sub Folders;
         */
        if ($skip == false) {

            if (!file_exists($path)) {
                if (@!mkdir($path, $this->setChmodAuto(), true)) {
                    throw new phpFastCacheIOException('PLEASE CHMOD ' . $path . ' - ' . $this->setChmodAuto() . ' OR ANY WRITABLE PERMISSION!');
                }
            }
        }

        return $path . '/' . $filename . '.txt';
    }



    /**
     * @param $keyword
     * @return string
     */
    protected function encodeFilename($keyword)
    {
        return md5($keyword);
    }

    /**
     * @return bool
     */
    public function isExpired()
    {
        trigger_error(__FUNCTION__ . '() is deprecated, use ExtendedCacheItemInterface::isExpired() instead.', E_USER_DEPRECATED);

        return true;
    }

    /**
     * @param $this ->config
     * @return int
     */
    public function setChmodAuto()
    {
        if (!isset($this->config[ 'default_chmod' ]) || $this->config[ 'default_chmod' ] == '' || is_null($this->config[ 'default_chmod' ])) {
            return 0777;
        } else {
            return $this->config[ 'default_chmod' ];
        }
    }

    /**
     * @param $filename
     * @return mixed
     */
    protected static function cleanFileName($filename)
    {
        $regex = [
          '/[\?\[\]\/\\\=\<\>\:\;\,\'\"\&\$\#\*\(\)\|\~\`\!\{\}]/',
          '/\.$/',
          '/^\./',
        ];
        $replace = ['-', '', ''];

        return trim(preg_replace($regex, $replace, trim($filename)), '-');
    }

    /**
     * @param $path
     * @param bool $create
     * @throws phpFastCacheIOException
     */
    protected function htaccessGen($path, $create = true)
    {
        if ($create === true) {
            if (!is_writable($path)) {
                try {
                    if(!chmod($path, 0777)){
                        throw new phpFastCacheIOException('Chmod failed on : ' . $path);
                    }
                } catch (phpFastCacheIOException $e) {
                    throw new phpFastCacheIOException('PLEASE CHMOD ' . $path . ' - 0777 OR ANY WRITABLE PERMISSION!', 0, $e);
                }
            }

            if (!file_exists($path . "/.htaccess")) {
                $content = <<<HTACCESS
### This .htaccess is auto-generated by PhpFastCache ###
order deny, allow
deny from all
allow from 127.0.0.1
HTACCESS;

                $file = @fopen($path . '/.htaccess', 'w+');
                if (!$file) {
                    throw new phpFastCacheIOException('PLEASE CHMOD ' . $path . ' - 0777 OR ANY WRITABLE PERMISSION!');
                }
                fwrite($file, $content);
                fclose($file);
            }
        }
    }


    /**
     * @param $file
     * @return string
     * @throws phpFastCacheIOException
     */
    protected function readfile($file)
    {
        if (function_exists('file_get_contents')) {
            return file_get_contents($file);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
        } else {
            $string = '';

            $file_handle = @fopen($file, 'r');
            if (!$file_handle) {
                throw new phpFastCacheIOException("Cannot read file located at: {$file}");
            }
            while (!feof($file_handle)) {
                $line = fgets($file_handle);
                $string .= $line;
            }
            fclose($file_handle);

            return $string;
        }
    }

    /**
     * @param string $file
     * @param string $data
     * @param bool $secureFileManipulation
     * @return bool
     * @throws phpFastCacheIOException
     */
    protected function writefile($file, $data, $secureFileManipulation = false)
    {
        /**
         * @eventName CacheWriteFileOnDisk
         * @param ExtendedCacheItemPoolInterface $this
         * @param string $file
         * @param bool $secureFileManipulation
         *
         */
        $this->eventManager->dispatch('CacheWriteFileOnDisk', $this, $file, $secureFileManipulation);
class MyClass { }

$x = new MyClass();
$x->foo = true;

        if($secureFileManipulation){
            $tmpFilename = Directory::getAbsolutePath(dirname($file) . '/tmp_' . md5(
                str_shuffle(uniqid($this->getDriverName(), false))
                . str_shuffle(uniqid($this->getDriverName(), false))
              ));

            $f = fopen($tmpFilename, 'w+');
            flock($f, LOCK_EX);
            $octetWritten = fwrite($f, $data);
            flock($f, LOCK_UN);
            fclose($f);

            if(!rename($tmpFilename, $file)){
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
                throw new phpFastCacheIOException(sprintf('Failed to rename %s to %s', $tmpFilename, $file));
            }
        }else{
            $f = fopen($file, 'w+');
            $octetWritten = fwrite($f, $data);
            fclose($f);
        }

        return $octetWritten !== false;
    }
}

Push — V6 ( ddfc29...839d12 )

IOHelperTrait::writefile() B

Complexity

Size

Duplication

Importance

1 path for user data to reach this point

General Strategies to prevent injection

1 path for user data to reach this point

General Strategies to prevent injection

1 path for user data to reach this point

General Strategies to prevent injection

1 path for user data to reach this point

General Strategies to prevent injection

1			<?php
2			/**
3			*
4			* This file is part of phpFastCache.
5			*
6			* @license MIT License (MIT)
7			*
8			* For full copyright and license information, please see the docs/CREDITS.txt file.
9			*
10			* @author Khoa Bui (khoaofgod) <[email protected]> http://www.phpfastcache.com
11			* @author Georges.L (Geolim4) <[email protected]>
12			*
13			*/
14
15			namespace phpFastCache\Core\Pool\IO;
16
17			use phpFastCache\Core\Pool\ExtendedCacheItemPoolInterface;
18			use phpFastCache\Exceptions\phpFastCacheIOException;
19			use phpFastCache\Util\Directory;
20
21			trait IOHelperTrait
22			{
23			/**
24			* @var array
25			*/
26			public $tmp = [];
27
28			/**
29			* @param bool $readonly
30			* @return string
31			* @throws phpFastCacheIOException
32			*/
33			public function getPath($readonly = false)
34			{
35			/**
36			* Get the base system temporary directory
37			*/
38			$tmp_dir = rtrim(ini_get('upload_tmp_dir') ?: sys_get_temp_dir(), '\\/') . DIRECTORY_SEPARATOR . 'phpfastcache';
39
40			/**
41			* Calculate the security key
42			*/
43			{
44			$securityKey = array_key_exists('securityKey', $this->config) ? $this->config[ 'securityKey' ] : '';
			0 ignored issues – show Bug introduced 2016-11-05 16:41 UTC by Report Bug Copy Issue Report The property `config` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
45			if (!$securityKey \|\| $securityKey === 'auto') {
46			if (isset($_SERVER[ 'HTTP_HOST' ])) {
47			$securityKey = preg_replace('/^www./', '', strtolower(str_replace(':', '_', $_SERVER[ 'HTTP_HOST' ])));
48			} else {
49			$securityKey = ($this->isPHPModule() ? 'web' : 'cli');
50			}
51			}
52
53			if ($securityKey !== '') {
54			$securityKey .= '/';
55			}
56
57			$securityKey = static::cleanFileName($securityKey);
58			}
59
60			/**
61			* Extends the temporary directory
62			* with the security key and the driver name
63			*/
64			$tmp_dir = rtrim($tmp_dir, '/') . DIRECTORY_SEPARATOR;
65
66			if (empty($this->config[ 'path' ]) \|\| !is_string($this->config[ 'path' ])) {
67			if (self::isPHPModule()) {
68			$path = $tmp_dir;
69			} else {
70			$document_root_path = rtrim($_SERVER[ 'DOCUMENT_ROOT' ], '/') . '/../';
71			$path = isset($_SERVER[ 'DOCUMENT_ROOT' ]) && is_writable($document_root_path) ? $document_root_path : rtrim(__DIR__, '/') . DIRECTORY_SEPARATOR;
72			}
73
74			if ($this->config[ 'path' ] != '') {
75			$path = $this->config[ 'path' ];
76			}
77
78			} else {
79			$path = $this->config[ 'path' ];
80			}
81
82			$full_path = rtrim($path, '/')
83			. DIRECTORY_SEPARATOR
84			. $securityKey
85			. DIRECTORY_SEPARATOR
86			. $this->getDriverName();
87			$full_path_hash = md5($full_path);
88
89			/**
90			* In readonly mode we only attempt
91			* to verify if the directory exists
92			* or not, if it does not then we
93			* return the temp dir
94			*/
95			if ($readonly === true) {
96			if($this->config[ 'autoTmpFallback' ] && (@file_exists($full_path) \|\| !@is_writable($full_path))){
97			return $tmp_dir;
98			}
99			return $full_path;
100			}else{
101			if (!isset($this->tmp[ $full_path_hash ]) \|\| (!@file_exists($full_path) \|\| !@is_writable($full_path))) {
102			if (!@file_exists($full_path)) {
103			@mkdir($full_path, $this->setChmodAuto(), true);
			0 ignored issues – show Security File Manipulation introduced 2016-10-16 15:23 UTC by Report Bug Copy Issue Report `$full_path` can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability. 1 path for user data to reach this point Fetching key `HTTP_HOST` from `$_SERVER,` and `$_SERVER['HTTP_HOST']` is passed through str_replace(), and `str_replace(':', '_', $_SERVER['HTTP_HOST'])` is passed through strtolower(), and `strtolower(str_replace(':', '_', $_SERVER['HTTP_HOST']))` is passed through preg_replace(), and `$securityKey` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 47 Data is passed through trim(), and Data is passed through preg_replace() in vendor/src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 216 `$securityKey` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 57 `$full_path` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 82 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
104			}else if (!@is_writable($full_path)) {
105			@chmod($full_path, $this->setChmodAuto());
			0 ignored issues – show Security File Manipulation introduced 2016-10-16 15:23 UTC by Report Bug Copy Issue Report `$full_path` can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability. 1 path for user data to reach this point Fetching key `HTTP_HOST` from `$_SERVER,` and `$_SERVER['HTTP_HOST']` is passed through str_replace(), and `str_replace(':', '_', $_SERVER['HTTP_HOST'])` is passed through strtolower(), and `strtolower(str_replace(':', '_', $_SERVER['HTTP_HOST']))` is passed through preg_replace(), and `$securityKey` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 47 Data is passed through trim(), and Data is passed through preg_replace() in vendor/src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 216 `$securityKey` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 57 `$full_path` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 82 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
106			}
107
108			if ($this->config[ 'autoTmpFallback' ] && !@is_writable($full_path)) {
109			/**
110			* Switch back to tmp dir
111			* again if the path is not writable
112			*/
113			$full_path = $tmp_dir;
114			if (!@file_exists($full_path)) {
115			@mkdir($full_path, $this->setChmodAuto(), true);
116			}
117			}
118
119			/**
120			* In case there is no directory
121			* writable including tye temporary
122			* one, we must throw an exception
123			*/
124			if (!@file_exists($full_path) \|\| !@is_writable($full_path)) {
125			throw new phpFastCacheIOException('PLEASE CREATE OR CHMOD ' . $full_path . ' - 0777 OR ANY WRITABLE PERMISSION!');
126			}
127
128			$this->tmp[ $full_path_hash ] = $full_path;
129			$this->htaccessGen($full_path, array_key_exists('htaccess', $this->config) ? $this->config[ 'htaccess' ] : false);
130			}
131			}
132
133			return realpath($full_path);
134			}
135
136
137			/**
138			* @param $keyword
139			* @param bool $skip
140			* @return string
141			* @throws phpFastCacheIOException
142			*/
143			private function getFilePath($keyword, $skip = false)
144			{
145			$path = $this->getPath();
146
147			if ($keyword === false) {
148			return $path;
149			}
150
151			$filename = $this->encodeFilename($keyword);
152			$folder = substr($filename, 0, 2) . DIRECTORY_SEPARATOR . substr($filename, 2, 2);
153			$path = rtrim($path, '/\\') . DIRECTORY_SEPARATOR . $folder;
154
155			/**
156			* Skip Create Sub Folders;
157			*/
158			if ($skip == false) {
			0 ignored issues – show Coding Style Best Practice introduced 2016-05-12 20:38 UTC by Report Bug Copy Issue Report It seems like you are loosely comparing two booleans. Considering using the strict comparison `===` instead. When comparing two booleans, it is generally considered safer to use the strict comparison operator. Loading history...
159			if (!file_exists($path)) {
160			if (@!mkdir($path, $this->setChmodAuto(), true)) {
161			throw new phpFastCacheIOException('PLEASE CHMOD ' . $path . ' - ' . $this->setChmodAuto() . ' OR ANY WRITABLE PERMISSION!');
162			}
163			}
164			}
165
166			return $path . '/' . $filename . '.txt';
167			}
168
169
170
171			/**
172			* @param $keyword
173			* @return string
174			*/
175			protected function encodeFilename($keyword)
176			{
177			return md5($keyword);
178			}
179
180			/**
181			* @return bool
182			*/
183			public function isExpired()
184			{
185			trigger_error(__FUNCTION__ . '() is deprecated, use ExtendedCacheItemInterface::isExpired() instead.', E_USER_DEPRECATED);
186
187			return true;
188			}
189
190			/**
191			* @param $this ->config
192			* @return int
193			*/
194			public function setChmodAuto()
195			{
196			if (!isset($this->config[ 'default_chmod' ]) \|\| $this->config[ 'default_chmod' ] == '' \|\| is_null($this->config[ 'default_chmod' ])) {
197			return 0777;
198			} else {
199			return $this->config[ 'default_chmod' ];
200			}
201			}
202
203			/**
204			* @param $filename
205			* @return mixed
206			*/
207			protected static function cleanFileName($filename)
208			{
209			$regex = [
210			'/[\?\[\]\/\\\=\<\>\:\;\,\'\"\&\$\#\*\(\)\\|\~\`\!\{\}]/',
211			'/\.$/',
212			'/^\./',
213			];
214			$replace = ['-', '', ''];
215
216			return trim(preg_replace($regex, $replace, trim($filename)), '-');
217			}
218
219			/**
220			* @param $path
221			* @param bool $create
222			* @throws phpFastCacheIOException
223			*/
224			protected function htaccessGen($path, $create = true)
225			{
226			if ($create === true) {
227			if (!is_writable($path)) {
228			try {
229			if(!chmod($path, 0777)){
230			throw new phpFastCacheIOException('Chmod failed on : ' . $path);
231			}
232			} catch (phpFastCacheIOException $e) {
233			throw new phpFastCacheIOException('PLEASE CHMOD ' . $path . ' - 0777 OR ANY WRITABLE PERMISSION!', 0, $e);
234			}
235			}
236
237			if (!file_exists($path . "/.htaccess")) {
238			$content = <<<HTACCESS
239			### This .htaccess is auto-generated by PhpFastCache ###
240			order deny, allow
241			deny from all
242			allow from 127.0.0.1
243			HTACCESS;
244
245			$file = @fopen($path . '/.htaccess', 'w+');
246			if (!$file) {
247			throw new phpFastCacheIOException('PLEASE CHMOD ' . $path . ' - 0777 OR ANY WRITABLE PERMISSION!');
248			}
249			fwrite($file, $content);
250			fclose($file);
251			}
252			}
253			}
254
255
256			/**
257			* @param $file
258			* @return string
259			* @throws phpFastCacheIOException
260			*/
261			protected function readfile($file)
262			{
263			if (function_exists('file_get_contents')) {
264			return file_get_contents($file);
			0 ignored issues – show Security File Exposure introduced 2016-11-05 16:41 UTC by Report Bug Copy Issue Report `$file` can contain request data and is used in file inclusion context(s) leading to a potential security vulnerability. 1 path for user data to reach this point Fetching key `HTTP_HOST` from `$_SERVER,` and `$_SERVER['HTTP_HOST']` is passed through str_replace(), and `str_replace(':', '_', $_SERVER['HTTP_HOST'])` is passed through strtolower(), and `strtolower(str_replace(':', '_', $_SERVER['HTTP_HOST']))` is passed through preg_replace(), and `$securityKey` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 47 Data is passed through trim(), and Data is passed through preg_replace() in vendor/src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 216 `$securityKey` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 57 `$full_path` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 82 IOHelperTrait::getPath() returns tainted data, and `$path` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 145 IOHelperTrait::getFilePath() returns tainted data, and `$file_path` is assigned in src/phpFastCache/Drivers/Files/Driver.php on line 98 `$file_path` is passed to IOHelperTrait::readfile() in src/phpFastCache/Drivers/Files/Driver.php on line 103 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
265			} else {
266			$string = '';
267
268			$file_handle = @fopen($file, 'r');
269			if (!$file_handle) {
270			throw new phpFastCacheIOException("Cannot read file located at: {$file}");
271			}
272			while (!feof($file_handle)) {
273			$line = fgets($file_handle);
274			$string .= $line;
275			}
276			fclose($file_handle);
277
278			return $string;
279			}
280			}
281
282			/**
283			* @param string $file
284			* @param string $data
285			* @param bool $secureFileManipulation
286			* @return bool
287			* @throws phpFastCacheIOException
288			*/
289			protected function writefile($file, $data, $secureFileManipulation = false)
290			{
291			/**
292			* @eventName CacheWriteFileOnDisk
293			* @param ExtendedCacheItemPoolInterface $this
294			* @param string $file
295			* @param bool $secureFileManipulation
296			*
297			*/
298			$this->eventManager->dispatch('CacheWriteFileOnDisk', $this, $file, $secureFileManipulation);
			0 ignored issues – show Bug introduced 2016-10-16 15:23 UTC by Report Bug Copy Issue Report The property `eventManager` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
299
300			if($secureFileManipulation){
301			$tmpFilename = Directory::getAbsolutePath(dirname($file) . '/tmp_' . md5(
302			str_shuffle(uniqid($this->getDriverName(), false))
303			. str_shuffle(uniqid($this->getDriverName(), false))
304			));
305
306			$f = fopen($tmpFilename, 'w+');
307			flock($f, LOCK_EX);
308			$octetWritten = fwrite($f, $data);
309			flock($f, LOCK_UN);
310			fclose($f);
311
312			if(!rename($tmpFilename, $file)){
			0 ignored issues – show Security File Manipulation introduced 2016-11-05 16:41 UTC by Report Bug Copy Issue Report `$file` can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability. 1 path for user data to reach this point Fetching key `HTTP_HOST` from `$_SERVER,` and `$_SERVER['HTTP_HOST']` is passed through str_replace(), and `str_replace(':', '_', $_SERVER['HTTP_HOST'])` is passed through strtolower(), and `strtolower(str_replace(':', '_', $_SERVER['HTTP_HOST']))` is passed through preg_replace(), and `$securityKey` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 47 Data is passed through trim(), and Data is passed through preg_replace() in vendor/src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 216 `$securityKey` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 57 `$full_path` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 82 IOHelperTrait::getPath() returns tainted data, and `$path` is assigned in src/phpFastCache/Core/Pool/IO/IOHelperTrait.php on line 145 IOHelperTrait::getFilePath() returns tainted data, and `$file_path` is assigned in src/phpFastCache/Drivers/Files/Driver.php on line 73 `$file_path` is passed to IOHelperTrait::writefile() in src/phpFastCache/Drivers/Files/Driver.php on line 80 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
313			throw new phpFastCacheIOException(sprintf('Failed to rename %s to %s', $tmpFilename, $file));
314			}
315			}else{
316			$f = fopen($file, 'w+');
317			$octetWritten = fwrite($f, $data);
318			fclose($f);
319			}
320
321			return $octetWritten !== false;
322			}
323			}

PHPSocialNetwork / phpfastcache

Push — V6 ( ddfc29...839d12 )

IOHelperTrait::writefile() B

Complexity

Size

Duplication

Importance

1 path for user data to reach this point

General Strategies to prevent injection

1 path for user data to reach this point

General Strategies to prevent injection

1 path for user data to reach this point

General Strategies to prevent injection

1 path for user data to reach this point

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like