Issues (141)

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

SemanticResultFormats.parser.php (7 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
/**
4
 * Parser functions for the Semantic Result Formats extension.
5
 *
6
 * Two parser functions are defined, both for use by the Calendar format:
7
 *
8
 * #calendarstartdate returns the start date for the set of dates being
9
 *    displayed on the screen, according to the query string.
10
 *
11
 * #calendarenddate returns the *day after* the end date for the set of dates
12
 *    being displayed on the screen, according to the query string.
13
 *
14
 * @author David Loomer
15
 */
16
class SRFParserFunctions {
17
18
	static function registerFunctions( &$parser ) {
19
		$parser->setFunctionHook( 'calendarstartdate', [ 'SRFParserFunctions', 'runCalendarStartDate' ] );
20
		$parser->setFunctionHook( 'calendarenddate', [ 'SRFParserFunctions', 'runCalendarEndDate' ] );
21
		return true;
22
	}
23
24
	static function runCalendarStartDate( &$parser, $calendar_type = 'month', $calendar_start_day = null, $calendar_days = 7, $default_year = null, $default_month = null, $default_day = null ) {
0 ignored issues
show
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
25
		if ( $calendar_type == '' ) $calendar_type = 'month';
26
		list( $lower_date, $upper_date, $query_date ) =
0 ignored issues
show
The assignment to $upper_date is unused. Consider omitting it like so list($first,,$third).

This checks looks for assignemnts to variables using the list(...) function, where not all assigned variables are subsequently used.

Consider the following code example.

<?php

function returnThreeValues() {
    return array('a', 'b', 'c');
}

list($a, $b, $c) = returnThreeValues();

print $a . " - " . $c;

Only the variables $a and $c are used. There was no need to assign $b.

Instead, the list call could have been.

list($a,, $c) = returnThreeValues();
Loading history...
The assignment to $query_date is unused. Consider omitting it like so list($first,,$third).

This checks looks for assignemnts to variables using the list(...) function, where not all assigned variables are subsequently used.

Consider the following code example.

<?php

function returnThreeValues() {
    return array('a', 'b', 'c');
}

list($a, $b, $c) = returnThreeValues();

print $a . " - " . $c;

Only the variables $a and $c are used. There was no need to assign $b.

Instead, the list call could have been.

list($a,, $c) = returnThreeValues();
Loading history...
27
			SRFParserFunctions::getBoundaryDates( $calendar_type, $calendar_start_day, $calendar_days, $default_year, $default_month, $default_day );
28
		return date( "Y", $lower_date ) . '-' . date( "m", $lower_date ) . '-' . date( "d", $lower_date );
29
	}
30
31
	static function runCalendarEndDate( &$parser, $calendar_type = 'month', $calendar_start_day = null, $calendar_days = 7, $default_year = null, $default_month = null, $default_day = null ) {
0 ignored issues
show
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
32
		if ( $calendar_type == '' ) $calendar_type = 'month';
33
		list( $lower_date, $upper_date, $query_date ) =
0 ignored issues
show
The assignment to $lower_date is unused. Consider omitting it like so list($first,,$third).

This checks looks for assignemnts to variables using the list(...) function, where not all assigned variables are subsequently used.

Consider the following code example.

<?php

function returnThreeValues() {
    return array('a', 'b', 'c');
}

list($a, $b, $c) = returnThreeValues();

print $a . " - " . $c;

Only the variables $a and $c are used. There was no need to assign $b.

Instead, the list call could have been.

list($a,, $c) = returnThreeValues();
Loading history...
The assignment to $query_date is unused. Consider omitting it like so list($first,,$third).

This checks looks for assignemnts to variables using the list(...) function, where not all assigned variables are subsequently used.

Consider the following code example.

<?php

function returnThreeValues() {
    return array('a', 'b', 'c');
}

list($a, $b, $c) = returnThreeValues();

print $a . " - " . $c;

Only the variables $a and $c are used. There was no need to assign $b.

Instead, the list call could have been.

list($a,, $c) = returnThreeValues();
Loading history...
34
			SRFParserFunctions::getBoundaryDates( $calendar_type, $calendar_start_day, $calendar_days, $default_year, $default_month, $default_day );
35
		return date( "Y", $upper_date ) . '-' . date( "m", $upper_date ) . '-' . date( "d", $upper_date );
36
	}
37
38
	/**
39
	 * Obtain both a lower- and upper- bound date to be used for querying.
40
	 *
41
	 * @param $calendar_type string Values: 'month' (the default) for monthly
42
	 *	calendar such as SRF Calendar; others not yet defined.
43
	 * @param $calendar_start_day int Optionally force the lower bound date to be a certain
44
	 *	day of the week (0 for Sunday, 6 for Saturday).  If using a $calendar_type
45
	 *	of 'month' this parameter is ignored, as the start day of week for a monthly
46
	 *	calendar is currently always set as Sunday.  Ohterwise defaults to either the day
47
	 *	supplied in the query string, or the current day.
48
	 * @param $calendar_days int The number of days to display.  Ignored if using a
49
	 *	$calendar_type of 'month'; otherwise defaults to 7.
50
	 * @param $default_year int (Optional) Default year if none is specified in
51
	 *	the query string.  If parameter is not supplied, will fall back to current year.
52
	 * @param $default_month int (Optional) Default month if none is specified in
53
	 *	the query string.  If parameter is not supplied, will fall back to current month.
54
	 * @param $default_day int (Optional) Default day of month if none is specified in
55
	 *	the query string.  If parameter is not supplied, will fall back to current day of month.
56
	 * @return array First element contains the lower bound date, second
57
	 *	element contains the upper bound, third element contains a date indicating
58
	 *	the year/month/day to be queried.
59
	 *
60
	 */
61
	static function getBoundaryDates( $calendar_type = 'month', $calendar_start_day = null, $calendar_days = 7, $default_year = null, $default_month = null, $default_day = null ) {
0 ignored issues
show
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
62
 		if ( $calendar_type == 'month' ) $calendar_start_day = 0;
63
64
		if ( $default_year == null ) $default_year = date( "Y", time() );
65
		if ( $default_month == null ) $default_month = date( "n", time() );
66
		if ( $default_day == null ) $default_day = date( "j", time() );
67
68
		global $wgRequest;
69
70
		// Set the lower bound based on query string parameters if provided;
71
		// otherwise fall back to defaults.
72
		if ( $wgRequest->getCheck( 'year' ) && $wgRequest->getCheck( 'month' ) ) {
73
74
			$query_year = $wgRequest->getVal( 'year' );
75
			if ( is_numeric( $query_year ) && ( intval( $query_year ) == $query_year ) ) {
76
				$lower_year = $query_year;
77
			}
78
			else {
79
				$lower_year = $default_year;
80
			}
81
82
			$query_month = $wgRequest->getVal( 'month' );
83
			if ( is_numeric( $query_month ) && ( intval( $query_month ) == $query_month ) && $query_month >= 1 && $query_month <= 12 ) {
84
				$lower_month = $query_month;
85
			}
86
			else {
87
				$lower_month = $default_month;
88
			}
89
90
			$query_day = $wgRequest->getVal( 'day' );
91
			if ( $wgRequest->getCheck( 'day' )
92
				&& is_numeric( $query_day )
93
				&& ( intval( $query_day ) == $query_day )
94
				&& $query_day >= 1
95
				&& $query_day <= 31 ) {
96
97
				$lower_day = $query_day;
98
			} elseif ( $calendar_type != 'month'
99
				&& (int)$lower_year == (int)$default_year
100
				&& (int)$lower_month == (int)$default_month ) {
101
102
				$lower_day = $default_day;
103
			}
104
			else {
105
				$lower_day = '1';
106
			}
107
108
		} else {
109
			$lower_year = $default_year;
110
			$lower_month = $default_month;
111
112
			if ( $calendar_type == 'month' ) {
113
				$lower_day = 1;
114
			}
115
			else {
116
				$lower_day = $default_day;
117
			}
118
		}
119
120
		$lower_date = mktime( 0, 0, 0, $lower_month, $lower_day, $lower_year );
121
122
		// Date to be queried
123
		$return_date = $lower_date;
124
125
		// Set the upper bound based on calendar type or number of days.
126
		if ( $calendar_type == 'month' ) {
127
			$upper_year = date( "Y", $lower_date );
128
			$upper_month = date( "n", $lower_date ) + 1;
129
			if ( $upper_month == 13 ) {
130
				$upper_month = 1;
131
				$upper_year = $upper_year + 1;
132
			}
133
			// One second before start of next month.
134
			$upper_date = mktime( 0, 0, 0, $upper_month, 1, $upper_year ) - 1;
135
		} else {
136
			// One second before start of first day outside our range.
137
			$upper_date = $lower_date + $calendar_days * 86400 - 1;
138
		}
139
140
		// If necessary, adjust bounds to comply with required days of week for each.
141
		if ( $calendar_type == 'month' || $calendar_start_day >= 0 ) {
142
			$lower_offset = date( "w", $lower_date ) - $calendar_start_day;
143
144
			if ( $lower_offset < 0 ) {
145
				$lower_offset += 7;
146
			}
147
148
			if ( $calendar_type == 'month' ) {
149
				$upper_offset = $calendar_start_day + 6 - date( "w", $upper_date );
150
151
				if ( $upper_offset > 6 ) {
152
					$upper_offset -= 7;
153
				}
154
			} else {
155
				$upper_offset = 0 - $lower_offset;
156
			}
157
158
			$lower_date = $lower_date - 86400 * $lower_offset;
159
			$upper_date = $upper_date + 86400 * $upper_offset;
160
		}
161
162
		// Add a day since users will need to use < operator for upper date.
163
		$upper_date += 86400;
164
165
		return [ $lower_date, $upper_date, $return_date ];
166
	}
167
168
}
169