This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.
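<?php

declare(strict_types=1);

/**
 * Songlist admin page: manage "requests" records.
 *
 * Dispatches on the `op` / `fct` request parameters to list, edit, save,
 * mass-save or delete records. All paging / sorting / filter state is
 * normalised once at the top of the script and then threaded through the
 * list links and redirects, so request-supplied values never reach an
 * ORDER BY clause or an HTML attribute unchecked.
 */

use Xmf\Module\Admin;
use Xmf\Request;
use XoopsModules\Songlist\Form\FormController;
use XoopsModules\Songlist\Helper;
use XoopsModules\Songlist\RequestsHandler;

require __DIR__ . '/header.php';

xoops_loadLanguage('admin', 'songlist');

xoops_cp_header();

// Template engine set up by xoops_cp_header(); aliased once to avoid $GLOBALS noise.
$tpl = $GLOBALS['xoopsTpl'];

// --- Request state ---------------------------------------------------------

// Action selectors. getCmd() reduces them to [A-Za-z0-9_.-], which is all the
// switch below ever compares against. The 'lists' default intentionally falls
// into the `default:` branch of the inner switch, i.e. the list view.
$op  = Request::getCmd('op', 'requests', 'REQUEST');
$fct = Request::getCmd('fct', 'lists', 'REQUEST');

// Paging. A negative LIMIT / OFFSET is never meaningful, so clamp at zero.
$limit = max(0, Request::getInt('limit', 30, 'REQUEST'));
$start = max(0, Request::getInt('start', 0, 'REQUEST'));

// Sort direction is handed to CriteriaElement::setOrder() and ends up in SQL,
// so it is whitelisted to exactly the two values SQL accepts.
$order = 'ASC' === mb_strtoupper(Request::getCmd('order', 'DESC', 'REQUEST')) ? 'ASC' : 'DESC';

// Sort column is wrapped in backticks and interpolated into ORDER BY below.
// getCmd() restricts it to identifier characters (no backtick, space or ';'),
// and an empty result falls back to the default column exactly as before.
// NOTE(review): assumes every key returned by RequestsHandler::filterFields()
// survives that character filter — confirm against the handler.
$sort = Request::getCmd('sort', '', 'REQUEST');
if ('' === $sort) {
    $sort = 'created';
}

// The filter expression is passed verbatim to RequestsHandler::getFilterCriteria(),
// as in the original; that method (outside this file) owns its validation. Here
// it is only guaranteed to be a non-empty string.
$rawFilter = $_REQUEST['filter'] ?? null;
$filter    = (is_string($rawFilter) && !empty($rawFilter)) ? $rawFilter : '1,1';

// --- URL helpers -----------------------------------------------------------

/**
 * Builds a link back to this script for the given query parameters.
 *
 * http_build_query() URL-encodes every value, so request-derived state cannot
 * inject additional parameters; callers that embed the result in HTML still
 * pass it through htmlspecialchars().
 *
 * @param array<string, int|string> $params
 */
$selfUrl = static function (array $params): string {
    return $_SERVER['SCRIPT_NAME'] . '?' . http_build_query($params);
};

// Parameters that return the user to the list view in the current state.
$listParams = [
    'op'     => $op,
    'fct'    => 'list',
    'limit'  => $limit,
    'start'  => $start,
    'order'  => $order,
    'sort'   => $sort,
    'filter' => $filter,
];

/**
 * Redirects back to the list view with a status message and ends the request.
 *
 * @return never
 */
$redirectToList = static function (string $message) use ($selfUrl, $listParams): void {
    redirect_header($selfUrl($listParams), 10, $message);
    exit(0);
};

// --- Dispatch --------------------------------------------------------------

switch ($op) {
    default:
    case 'requests':
        switch ($fct) {
            default:
            case 'list':
                Admin::getInstance()->displayNavigation(basename(__FILE__));

                /** @var RequestsHandler $requestsHandler */
                $requestsHandler = Helper::getInstance()->getHandler('Requests');

                $criteria = $requestsHandler->getFilterCriteria($filter);
                $total    = $requestsHandler->getCount($criteria);

                // Extra query string appended by the pager to every page link.
                $pagenav = new \XoopsPageNav(
                    $total,
                    $limit,
                    $start,
                    'start',
                    http_build_query([
                        'limit'  => $limit,
                        'sort'   => $sort,
                        'order'  => $order,
                        'op'     => $op,
                        'fct'    => $fct,
                        'filter' => $filter,
                    ])
                );
                $tpl->assign('pagenav', $pagenav->renderNav());

                // One sortable column header plus its filter widget per filterable field.
                foreach ($requestsHandler->filterFields() as $key) {
                    $tplKey  = mb_strtolower(str_replace('-', '_', $key));
                    $thConst = '_AM_SONGLIST_TH_' . mb_strtoupper(str_replace('-', '_', $key));

                    // Clicking the active column flips its direction; other columns keep the current one.
                    $linkOrder = ((string)$key === $sort) ? ('DESC' === $order ? 'ASC' : 'DESC') : $order;
                    $href      = $selfUrl([
                        'start'  => $start,
                        'limit'  => $limit,
                        'sort'   => $key,
                        'order'  => $linkOrder,
                        'op'     => $op,
                        'filter' => $filter,
                    ]);

                    $tpl->assign(
                        $tplKey . '_th',
                        '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">'
                        // Fall back to the constant's name when the language file lacks it.
                        . (defined($thConst) ? constant($thConst) : $thConst)
                        . '</a>'
                    );
                    $tpl->assign('filter_' . $tplKey . '_th', $requestsHandler->getFilterForm($filter, $key, $sort, $op, $fct));
                }

                // NOTE(review): 'filter' is request-supplied; the template is expected
                // to escape it on output — confirm songlist_cpanel_requests_list.tpl.
                $tpl->assign('limit', $limit);
                $tpl->assign('start', $start);
                $tpl->assign('order', $order);
                $tpl->assign('sort', $sort);
                $tpl->assign('filter', $filter);
                $tpl->assign('xoConfig', $GLOBALS['songlistModuleConfig']);

                $criteria->setStart($start);
                $criteria->setLimit($limit);
                $criteria->setSort('`' . $sort . '`');
                $criteria->setOrder($order);

                foreach ($requestsHandler->getObjects($criteria, true) as $requests) {
                    if (is_object($requests)) {
                        $tpl->append('requests', $requests->toArray());
                    }
                }
                $tpl->assign('form', FormController::getFormRequests(false));
                $tpl->assign('php_self', $_SERVER['SCRIPT_NAME']);
                $tpl->display('db:songlist_cpanel_requests_list.tpl');
                break;

            case 'new':
            case 'edit':
                Admin::getInstance()->displayNavigation(basename(__FILE__));

                /** @var RequestsHandler $requestsHandler */
                $requestsHandler = Helper::getInstance()->getHandler('Requests');

                $requests = null;
                if (Request::hasVar('id', 'REQUEST')) {
                    $requests = $requestsHandler->get(Request::getInt('id', 0, 'REQUEST'));
                }
                // An unknown id (or none at all) yields a blank form instead of a fatal on null.
                if (!is_object($requests)) {
                    $requests = $requestsHandler->create();
                }

                $tpl->assign('form', $requests->getForm());
                $tpl->assign('php_self', $_SERVER['SCRIPT_NAME']);
                $tpl->display('db:songlist_cpanel_requests_edit.tpl');
                break;

            case 'save':
                /** @var RequestsHandler $requestsHandler */
                $requestsHandler = Helper::getInstance()->getHandler('Requests');

                $id       = Request::getInt('id', 0, 'REQUEST');
                $requests = $id ? $requestsHandler->get($id) : $requestsHandler->create();
                if (!is_object($requests)) {
                    // A non-zero id that does not resolve is a failed save, not a new record.
                    $redirectToList(_AM_SONGLIST_MSG_REQUESTS_FAILEDTOSAVE);
                }

                // The edit form posts each record's fields under its id (0 for a new record).
                $posted = $_POST[$id] ?? null;
                $requests->setVars(is_array($posted) ? $posted : []);

                if (!$requestsHandler->insert($requests)) {
                    $redirectToList(_AM_SONGLIST_MSG_REQUESTS_FAILEDTOSAVE);
                }

                // A record saved from the "new" state continues to the edit view.
                // NOTE(review): as in the original, the posted id is used here rather
                // than the id of the inserted record — insert()'s return is not visible
                // in this file; confirm the intended target.
                $state = $_REQUEST['state'] ?? null;
                if (is_array($state) && 'new' === ($state[$id] ?? null)) {
                    redirect_header(
                        $selfUrl([
                            'op'     => $op,
                            'fct'    => 'edit',
                            'id'     => $id,
                            'limit'  => $limit,
                            'start'  => $start,
                            'order'  => $order,
                            'sort'   => $sort,
                            'filter' => $filter,
                        ]),
                        10,
                        _AM_SONGLIST_MSG_REQUESTS_SAVEDOKEY
                    );
                    exit(0);
                }
                $redirectToList(_AM_SONGLIST_MSG_REQUESTS_SAVEDOKEY);
                break;

            case 'savelist':
                /** @var RequestsHandler $requestsHandler */
                $requestsHandler = Helper::getInstance()->getHandler('Requests');

                $ids = $_REQUEST['id'] ?? [];
                foreach ((is_array($ids) ? $ids : []) as $rawId) {
                    $id       = is_scalar($rawId) ? (int)$rawId : 0;
                    $requests = $requestsHandler->get($id);
                    if (!is_object($requests)) {
                        $redirectToList(_AM_SONGLIST_MSG_REQUESTS_FAILEDTOSAVE);
                    }

                    $posted = $_POST[$id] ?? null;
                    $requests->setVars(is_array($posted) ? $posted : []);
                    if (!$requestsHandler->insert($requests)) {
                        $redirectToList(_AM_SONGLIST_MSG_REQUESTS_FAILEDTOSAVE);
                    }
                }
                $redirectToList(_AM_SONGLIST_MSG_REQUESTS_SAVEDOKEY);
                break;

            case 'delete':
                /** @var RequestsHandler $requestsHandler */
                $requestsHandler = Helper::getInstance()->getHandler('Requests');

                // The confirmation form (xoops_confirm below) POSTs the id back together
                // with a XOOPS security token; only that POST performs the delete.
                $id = Request::hasVar('id', 'POST') ? Request::getInt('id', 0, 'POST') : 0;
                if ($id) {
                    // Reject a POST that did not originate from the confirmation form.
                    if (!$GLOBALS['xoopsSecurity']->check()) {
                        $redirectToList(_AM_SONGLIST_MSG_REQUESTS_FAILEDTODELETE);
                    }
                    $requests = $requestsHandler->get($id);
                    if (!is_object($requests) || !$requestsHandler->delete($requests)) {
                        $redirectToList(_AM_SONGLIST_MSG_REQUESTS_FAILEDTODELETE);
                    }
                    $redirectToList(_AM_SONGLIST_MSG_REQUESTS_DELETED);
                }

                // No POSTed id: render the confirmation form, carrying the list state along.
                $id       = Request::getInt('id', 0, 'REQUEST');
                $requests = $requestsHandler->get($id);
                if (!is_object($requests)) {
                    $redirectToList(_AM_SONGLIST_MSG_REQUESTS_FAILEDTODELETE);
                }

                // getVar() may return an array for some field types; sprintf() needs a scalar.
                $name = $requests->getVar('name');
                xoops_confirm(
                    [
                        'id'     => $id,
                        'op'     => $op,
                        'fct'    => $fct,
                        'limit'  => $limit,
                        'start'  => $start,
                        'order'  => $order,
                        'sort'   => $sort,
                        'filter' => $filter,
                    ],
                    $_SERVER['SCRIPT_NAME'],
                    sprintf(_AM_SONGLIST_MSG_REQUESTS_DELETE, is_scalar($name) ? (string)$name : '')
                );
                break;
        }
        break;
}

xoops_cp_footer();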