Issues in ImgStreamCache.php (master) - Issues in master - XoopsModules25x/xhelp - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1844)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

amenadiel/jpgraph/src/image/ImgStreamCache.php (6 issues)

Labels

Severity

<?php

/**
 * JPGraph v4.0.3
 */

namespace Amenadiel\JpGraph\Image;

use Amenadiel\JpGraph\Util;

/**
 * @class ImgStreamCache
 * // Description: Handle caching of graphs to files. All image output goes
 * //              through this class
 */
class ImgStreamCache
{
    private $cache_dir;
    private $timeout = 0;

    // Infinite timeout

    /**
     * CONSTRUCTOR.
     *
     * @param mixed $aCacheDir
     */
    public function __construct($aCacheDir = CACHE_DIR)
    {
        $this->cache_dir = $aCacheDir;
    }

    /**
     * PUBLIC METHODS.
     *
     * @param mixed $aTimeout
     */
    // Specify a timeout (in minutes) for the file. If the file is older then the
    // timeout value it will be overwritten with a newer version.
    // If timeout is set to 0 this is the same as infinite large timeout and if
    // timeout is set to -1 this is the same as infinite small timeout
    public function SetTimeout($aTimeout)
    {
        $this->timeout = $aTimeout;
    }

    // Output image to browser and also write it to the cache
    public function PutAndStream($aImage, $aCacheFileName, $aInline, $aStrokeFileName)
    {
        // Check if we should always stroke the image to a file
        if (_FORCE_IMGTOFILE) {
            $aStrokeFileName = _FORCE_IMGDIR . Util\Helper::GenImgName();
        }

        if ($aStrokeFileName != '') {
            if ($aStrokeFileName == 'auto') {
                $aStrokeFileName = Util\Helper::GenImgName();
            }

            if (file_exists($aStrokeFileName)) {
                // Wait for lock (to make sure no readers are trying to access the image)
                $fd   = fopen($aStrokeFileName, 'w');
                $lock = flock($fd, LOCK_EX);


                // Since the image write routines only accepts a filename which must not
                // exist we need to delete the old file first
                if (!@unlink($aStrokeFileName)) {
                    $lock = flock($fd, LOCK_UN);
                    Util\JpGraphError::RaiseL(25111, $aStrokeFileName);
                    //(" Can't delete cached image $aStrokeFileName. Permission problem?");
                }
                $aImage->Stream($aStrokeFileName);
                $lock = flock($fd, LOCK_UN);
                fclose($fd);
            } else {
                $aImage->Stream($aStrokeFileName);
            }

            return;
        }

        if ($aCacheFileName != '' && USE_CACHE) {
            $aCacheFileName = $this->cache_dir . $aCacheFileName;
            if (file_exists($aCacheFileName)) {
                if (!$aInline) {
                    // If we are generating image off-line (just writing to the cache)
                    // and the file exists and is still valid (no timeout)
                    // then do nothing, just return.
                    $diff = time() - filemtime($aCacheFileName);
                    if ($diff < 0) {
                        Util\JpGraphError::RaiseL(25112, $aCacheFileName);
                        //(" Cached imagefile ($aCacheFileName) has file date in the future!!");
                    }
                    if ($this->timeout > 0 && ($diff <= $this->timeout * 60)) {
                        return;
                    }
                }

                // Wait for lock (to make sure no readers are trying to access the image)
                $fd   = fopen($aCacheFileName, 'w');
                $lock = flock($fd, LOCK_EX);

                if (!@unlink($aCacheFileName)) {
                    $lock = flock($fd, LOCK_UN);
                    Util\JpGraphError::RaiseL(25113, $aStrokeFileName);
                    //(" Can't delete cached image $aStrokeFileName. Permission problem?");
                }
                $aImage->Stream($aCacheFileName);
                $lock = flock($fd, LOCK_UN);
                fclose($fd);
            } else {
                $this->MakeDirs(dirname($aCacheFileName));
                if (!is_writeable(dirname($aCacheFileName))) {
                    Util\JpGraphError::RaiseL(25114, $aCacheFileName);
                    //('PHP has not enough permissions to write to the cache file '.$aCacheFileName.'. Please make sure that the user running PHP has write permission for this file if you wan to use the cache system with JpGraph.');
                }
                $aImage->Stream($aCacheFileName);
            }

            $res = true;
            // Set group to specified
            if (CACHE_FILE_GROUP != '') {

                $res = @chgrp($aCacheFileName, CACHE_FILE_GROUP);
            }
            if (CACHE_FILE_MOD != '') {

                $res = @chmod($aCacheFileName, CACHE_FILE_MOD);
            }
            if (!$res) {
                Util\JpGraphError::RaiseL(25115, $aStrokeFileName);
                //(" Can't set permission for cached image $aStrokeFileName. Permission problem?");
            }

            $aImage->Destroy();
            if ($aInline) {
                if ($fh = @fopen($aCacheFileName, 'rb')) {
                    $aImage->Headers();
                    fpassthru($fh);

                    return;
                }
                Util\JpGraphError::RaiseL(25116, $aFile); //(" Cant open file from cache [$aFile]");

            }
        } elseif ($aInline) {
            $aImage->Headers();
            $aImage->Stream();

            return;
        }
    }

    public function IsValid($aCacheFileName)
    {
        $aCacheFileName = $this->cache_dir . $aCacheFileName;
        if (USE_CACHE && file_exists($aCacheFileName)) {
            $diff = time() - filemtime($aCacheFileName);
            if ($this->timeout > 0 && ($diff > $this->timeout * 60)) {
                return false;
            }

            return true;
        }

        return false;
    }

    public function StreamImgFile($aImage, $aCacheFileName)
    {
        $aCacheFileName = $this->cache_dir . $aCacheFileName;
        if ($fh = @fopen($aCacheFileName, 'rb')) {
            $lock = flock($fh, LOCK_SH);

            $aImage->Headers();
            fpassthru($fh);
            $lock = flock($fh, LOCK_UN);
            fclose($fh);

            return true;
        }
        Util\JpGraphError::RaiseL(25117, $aCacheFileName); //(" Can't open cached image \"$aCacheFileName\" for reading.");
    }

    // Check if a given image is in cache and in that case
    // pass it directly on to web browser. Return false if the
    // image file doesn't exist or exists but is to old
    public function GetAndStream($aImage, $aCacheFileName)
    {
        if ($this->Isvalid($aCacheFileName)) {
            $this->StreamImgFile($aImage, $aCacheFileName);
        } else {
            return false;
        }
    }

    /**
     * PRIVATE METHODS.
     *
     * @param mixed $aFile
     */

    // Create all necessary directories in a path
    public function MakeDirs($aFile)
    {
        $dirs = [];
        // In order to better work when open_basedir is enabled
        // we do not create directories in the root path
        while ($aFile != '/' && !(file_exists($aFile))) {
            $dirs[] = $aFile . '/';
            $aFile  = dirname($aFile);
        }
        for ($i = safe_count($dirs) - 1; $i >= 0; --$i) {
            if (!@mkdir($dirs[$i], 0777)) {
                Util\JpGraphError::RaiseL(25118, $aFile); //(" Can't create directory $aFile. Make sure PHP has write permission to this directory.");
            }
            // We also specify mode here after we have changed group.
            // This is necessary if Apache user doesn't belong the
            // default group and hence can't specify group permission
            // in the previous mkdir() call
            if (CACHE_FILE_GROUP != '') {
                $res = true;

                $res = @chgrp($dirs[$i], CACHE_FILE_GROUP);
                $res = @chmod($dirs[$i], 0777);
                if (!$res) {
                    Util\JpGraphError::RaiseL(25119, $aFile); //(" Can't set permissions for $aFile. Permission problems?");
                }
            }
        }

        return true;
    }
} // @class Cache


1			<?php
2
3			/**
4			* JPGraph v4.0.3
5			*/
6
7			namespace Amenadiel\JpGraph\Image;
8
9			use Amenadiel\JpGraph\Util;
10
11			/**
12			* @class ImgStreamCache
13			* // Description: Handle caching of graphs to files. All image output goes
14			* // through this class
15			*/
16			class ImgStreamCache
17			{
18			private $cache_dir;
19			private $timeout = 0;
20
21			// Infinite timeout
22
23			/**
24			* CONSTRUCTOR.
25			*
26			* @param mixed $aCacheDir
27			*/
28			public function __construct($aCacheDir = CACHE_DIR)
29			{
30			$this->cache_dir = $aCacheDir;
31			}
32
33			/**
34			* PUBLIC METHODS.
35			*
36			* @param mixed $aTimeout
37			*/
38			// Specify a timeout (in minutes) for the file. If the file is older then the
39			// timeout value it will be overwritten with a newer version.
40			// If timeout is set to 0 this is the same as infinite large timeout and if
41			// timeout is set to -1 this is the same as infinite small timeout
42			public function SetTimeout($aTimeout)
43			{
44			$this->timeout = $aTimeout;
45			}
46
47			// Output image to browser and also write it to the cache
48			public function PutAndStream($aImage, $aCacheFileName, $aInline, $aStrokeFileName)
49			{
50			// Check if we should always stroke the image to a file
51			if (_FORCE_IMGTOFILE) {
52			$aStrokeFileName = _FORCE_IMGDIR . Util\Helper::GenImgName();
53			}
54
55			if ($aStrokeFileName != '') {
56			if ($aStrokeFileName == 'auto') {
57			$aStrokeFileName = Util\Helper::GenImgName();
58			}
59
60			if (file_exists($aStrokeFileName)) {
61			// Wait for lock (to make sure no readers are trying to access the image)
62			$fd = fopen($aStrokeFileName, 'w');
63			$lock = flock($fd, LOCK_EX);
			0 ignored issues – show Unused Code introduced 2022-01-13 23:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$lock` is dead and can be removed. Loading history...
64
65			// Since the image write routines only accepts a filename which must not
66			// exist we need to delete the old file first
67			if (!@unlink($aStrokeFileName)) {
68			$lock = flock($fd, LOCK_UN);
69			Util\JpGraphError::RaiseL(25111, $aStrokeFileName);
70			//(" Can't delete cached image $aStrokeFileName. Permission problem?");
71			}
72			$aImage->Stream($aStrokeFileName);
73			$lock = flock($fd, LOCK_UN);
74			fclose($fd);
75			} else {
76			$aImage->Stream($aStrokeFileName);
77			}
78
79			return;
80			}
81
82			if ($aCacheFileName != '' && USE_CACHE) {
83			$aCacheFileName = $this->cache_dir . $aCacheFileName;
84			if (file_exists($aCacheFileName)) {
85			if (!$aInline) {
86			// If we are generating image off-line (just writing to the cache)
87			// and the file exists and is still valid (no timeout)
88			// then do nothing, just return.
89			$diff = time() - filemtime($aCacheFileName);
90			if ($diff < 0) {
91			Util\JpGraphError::RaiseL(25112, $aCacheFileName);
92			//(" Cached imagefile ($aCacheFileName) has file date in the future!!");
93			}
94			if ($this->timeout > 0 && ($diff <= $this->timeout * 60)) {
95			return;
96			}
97			}
98
99			// Wait for lock (to make sure no readers are trying to access the image)
100			$fd = fopen($aCacheFileName, 'w');
101			$lock = flock($fd, LOCK_EX);
102
103			if (!@unlink($aCacheFileName)) {
104			$lock = flock($fd, LOCK_UN);
105			Util\JpGraphError::RaiseL(25113, $aStrokeFileName);
106			//(" Can't delete cached image $aStrokeFileName. Permission problem?");
107			}
108			$aImage->Stream($aCacheFileName);
109			$lock = flock($fd, LOCK_UN);
110			fclose($fd);
111			} else {
112			$this->MakeDirs(dirname($aCacheFileName));
113			if (!is_writeable(dirname($aCacheFileName))) {
114			Util\JpGraphError::RaiseL(25114, $aCacheFileName);
115			//('PHP has not enough permissions to write to the cache file '.$aCacheFileName.'. Please make sure that the user running PHP has write permission for this file if you wan to use the cache system with JpGraph.');
116			}
117			$aImage->Stream($aCacheFileName);
118			}
119
120			$res = true;
121			// Set group to specified
122			if (CACHE_FILE_GROUP != '') {
			0 ignored issues – show introduced 2022-01-13 23:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `Amenadiel\JpGraph\Image\CACHE_FILE_GROUP != ''` is always `true`. Loading history...
123			$res = @chgrp($aCacheFileName, CACHE_FILE_GROUP);
124			}
125			if (CACHE_FILE_MOD != '') {
			0 ignored issues – show introduced 2022-01-13 23:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `Amenadiel\JpGraph\Image\CACHE_FILE_MOD != ''` is always `true`. Loading history...
126			$res = @chmod($aCacheFileName, CACHE_FILE_MOD);
127			}
128			if (!$res) {
129			Util\JpGraphError::RaiseL(25115, $aStrokeFileName);
130			//(" Can't set permission for cached image $aStrokeFileName. Permission problem?");
131			}
132
133			$aImage->Destroy();
134			if ($aInline) {
135			if ($fh = @fopen($aCacheFileName, 'rb')) {
136			$aImage->Headers();
137			fpassthru($fh);
138
139			return;
140			}
141			Util\JpGraphError::RaiseL(25116, $aFile); //(" Cant open file from cache [$aFile]");
			0 ignored issues – show Comprehensibility Best Practice introduced 2022-01-13 23:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$aFile` seems to be never defined. Loading history...
142			}
143			} elseif ($aInline) {
144			$aImage->Headers();
145			$aImage->Stream();
146
147			return;
148			}
149			}
150
151			public function IsValid($aCacheFileName)
152			{
153			$aCacheFileName = $this->cache_dir . $aCacheFileName;
154			if (USE_CACHE && file_exists($aCacheFileName)) {
155			$diff = time() - filemtime($aCacheFileName);
156			if ($this->timeout > 0 && ($diff > $this->timeout * 60)) {
157			return false;
158			}
159
160			return true;
161			}
162
163			return false;
164			}
165
166			public function StreamImgFile($aImage, $aCacheFileName)
167			{
168			$aCacheFileName = $this->cache_dir . $aCacheFileName;
169			if ($fh = @fopen($aCacheFileName, 'rb')) {
170			$lock = flock($fh, LOCK_SH);
			0 ignored issues – show Unused Code introduced 2022-01-13 23:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$lock` is dead and can be removed. Loading history...
171			$aImage->Headers();
172			fpassthru($fh);
173			$lock = flock($fh, LOCK_UN);
174			fclose($fh);
175
176			return true;
177			}
178			Util\JpGraphError::RaiseL(25117, $aCacheFileName); //(" Can't open cached image \"$aCacheFileName\" for reading.");
179			}
180
181			// Check if a given image is in cache and in that case
182			// pass it directly on to web browser. Return false if the
183			// image file doesn't exist or exists but is to old
184			public function GetAndStream($aImage, $aCacheFileName)
185			{
186			if ($this->Isvalid($aCacheFileName)) {
187			$this->StreamImgFile($aImage, $aCacheFileName);
188			} else {
189			return false;
190			}
191			}
192
193			/**
194			* PRIVATE METHODS.
195			*
196			* @param mixed $aFile
197			*/
198
199			// Create all necessary directories in a path
200			public function MakeDirs($aFile)
201			{
202			$dirs = [];
203			// In order to better work when open_basedir is enabled
204			// we do not create directories in the root path
205			while ($aFile != '/' && !(file_exists($aFile))) {
206			$dirs[] = $aFile . '/';
207			$aFile = dirname($aFile);
208			}
209			for ($i = safe_count($dirs) - 1; $i >= 0; --$i) {
210			if (!@mkdir($dirs[$i], 0777)) {
211			Util\JpGraphError::RaiseL(25118, $aFile); //(" Can't create directory $aFile. Make sure PHP has write permission to this directory.");
212			}
213			// We also specify mode here after we have changed group.
214			// This is necessary if Apache user doesn't belong the
215			// default group and hence can't specify group permission
216			// in the previous mkdir() call
217			if (CACHE_FILE_GROUP != '') {
218			$res = true;
			0 ignored issues – show Unused Code introduced 2022-01-13 23:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$res` is dead and can be removed. Loading history...
219			$res = @chgrp($dirs[$i], CACHE_FILE_GROUP);
220			$res = @chmod($dirs[$i], 0777);
221			if (!$res) {
222			Util\JpGraphError::RaiseL(25119, $aFile); //(" Can't set permissions for $aFile. Permission problems?");
223			}
224			}
225			}
226
227			return true;
228			}
229			} // @class Cache
230

XoopsModules25x / xhelp

Issues (1844)

Security Analysis not enabled

amenadiel/jpgraph/src/image/ImgStreamCache.php (6 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like