Issues in uploader.php (master) - Issues in master - XoopsModules25x/xoopsinfo - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1626)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class/uploader.php (25 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

// $Id: uploader.php 507 2006-05-26 23:39:35Z skalpa $
//  ------------------------------------------------------------------------ //
//                XOOPS - PHP Content Management System                      //
//                    Copyright (c) 2000 XOOPS.org                           //
//                       <http://www.xoops.org/>                             //
//  ------------------------------------------------------------------------ //
//  This program is free software; you can redistribute it and/or modify     //
//  it under the terms of the GNU General Public License as published by     //
//  the Free Software Foundation; either version 2 of the License, or        //
//  (at your option) any later version.                                      //
//                                                                           //
//  You may not change or alter any portion of this comment or credits       //
//  of supporting developers from this source code or any supporting         //
//  source code which is considered copyrighted (c) material of the          //
//  original comment or credit authors.                                      //
//                                                                           //
//  This program is distributed in the hope that it will be useful,          //
//  but WITHOUT ANY WARRANTY; without even the implied warranty of           //
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            //
//  GNU General Public License for more details.                             //
//                                                                           //
//  You should have received a copy of the GNU General Public License        //
//  along with this program; if not, write to the Free Software              //
//  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA //
//  ------------------------------------------------------------------------ //
// Author: Kazumi Ono (AKA onokazu)                                          //
// URL: http://www.myweb.ne.jp/, http://www.xoops.org/, http://jp.xoops.org/ //
// Project: The XOOPS Project                                                //
// ------------------------------------------------------------------------- //
/**
 * Upload Media files
 *
 * Example of usage:
 * <code>
 * include_once 'uploader.php';
 * $allowed_mimetypes = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/x-png');
 * $maxfilesize = 50000;
 * $maxfilewidth = 120;
 * $maxfileheight = 120;
 * $uploader = new XoopsMediaUploader('/home/xoops/uploads', $allowed_mimetypes, $maxfilesize, $maxfilewidth, $maxfileheight);
 * if ($uploader->fetchMedia($_POST['uploade_file_name'])) {
 *   if (!$uploader->upload()) {
 *      echo $uploader->getErrors();
 *   } else {
 *      echo '<h4>File uploaded successfully!</h4>'
 *      echo 'Saved as: ' . $uploader->getSavedFileName() . '<br />';
 *      echo 'Full path: ' . $uploader->getSavedDestination();
 *   }
 * } else {
 *   echo $uploader->getErrors();
 * }
 * </code>
 *
 * @package        kernel
 * @subpackage    core
 *
 * @author        Kazumi Ono     <[email protected]>
 * @copyright    (c) 2000-2003 The Xoops Project - www.xoops.org
*/

if ( file_exists(XOOPS_ROOT_PATH . '/language/' . $GLOBALS['xoopsConfig']['language'] . '/uploader_error.php') ) {
	include_once XOOPS_ROOT_PATH . '/language/' . $GLOBALS['xoopsConfig']['language'] . '/uploader_error.php';
} else {
	include_once XOOPS_ROOT_PATH . '/language/english/uploader_error.php';
}

define('_XI_MIMETYPE', 1);
class XoopsMediaUploader {
namespace YourVendor;

class YourClass { }
	/**
	* Flag indicating if unrecognized mimetypes should be allowed (use with precaution ! may lead to security issues )
	**/
	var $allowUnknownTypes = false;
class A {
    var $property;
}

	var $mediaName;
class A {
    var $property;
}
	var $mediaType;
class A {
    var $property;
}
	var $mediaSize;
class A {
    var $property;
}
	var $mediaTmpName;
class A {
    var $property;
}
	var $mediaError;
class A {
    var $property;
}
	var $mediaRealType = '';
class A {
    var $property;
}

	var $uploadDir = '';
class A {
    var $property;
}

	var $allowedMimeTypes = array();
class A {
    var $property;
}

	var $maxFileSize = 0;
class A {
    var $property;
}
	var $maxWidth;
class A {
    var $property;
}
	var $maxHeight;
class A {
    var $property;
}

	var $targetFileName;
class A {
    var $property;
}

	var $prefix;
class A {
    var $property;
}

	var $errors = array();
class A {
    var $property;
}

	var $savedDestination;
class A {
    var $property;
}

	var $savedFileName;
class A {
    var $property;
}

	var $extensionToMime = array();
class A {
    var $property;
}
	var $checkImageType = true;
class A {
    var $property;
}

	var $extensionsToBeSanitized = array( 'php' , 'phtml' , 'phtm' , 'php3' , 'php4' , 'cgi' , 'pl' , 'asp', 'php5' );
class A {
    var $property;
}
	// extensions needed image check (anti-IE Content-Type XSS)
	var $imageExtensions = array( 1 => 'gif', 2 => 'jpg', 3 => 'png', 4 => 'swf', 5 => 'psd', 6 => 'bmp', 7 => 'tif', 8 => 'tif', 9 => 'jpc', 10 => 'jp2', 11 => 'jpx', 12 => 'jb2', 13 => 'swc', 14 => 'iff', 15 => 'wbmp', 16 => 'xbm' );
class A {
    var $property;
}

	/**
	* Constructor
	*
	* @param   string  $uploadDir
	* @param   array   $allowedMimeTypes
	* @param   int$maxFileSize
	* @param   int$maxWidth
	* @param   int$maxHeight
	* @param   int$cmodvalue
	**/
	function XoopsMediaUploader($uploadDir, $allowedMimeTypes, $maxFileSize=0, $maxWidth=null, $maxHeight=null) {

/*
		@$this->extensionToMime = include( XOOPS_ROOT_PATH . '/class/mimetypes.inc.php' );
		if ( !is_array( $this->extensionToMime ) ) {
			$this->extensionToMime = array();
			return false;
		}
		if (is_array($allowedMimeTypes)) {
			$this->allowedMimeTypes =& $allowedMimeTypes;
		}
		$this->uploadDir = $uploadDir;
		$this->maxFileSize = intval($maxFileSize);
		if(isset($maxWidth)) {
			$this->maxWidth = intval($maxWidth);
		}
		if(isset($maxHeight)) {
			$this->maxHeight = intval($maxHeight);
		}
*/
		if (is_array($allowedMimeTypes)) {
			$this->allowedMimeTypes =& $allowedMimeTypes;
		}

		$this->uploadDir = $uploadDir;
		$this->maxFileSize = intval($maxFileSize);
		$this->maxWidth = intval($maxWidth);
		$this->maxHeight = intval($maxHeight);
		$this->GetextensionToMime();
	}

	/**
	* Fetch the uploaded file
	*
	* @param   string  $media_name Name of the file field
	* @param   int$index Index of the file (if more than one uploaded under that name)
	* @return  bool
	**/
	function fetchMedia($media_name, $index = null) {
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
/*
		if ( empty( $this->extensionToMime ) ) {
*/
		if ( count( $this->extensionToMime ) == 0 ) {
			$this->setErrors( _ER_UP_MIMETYPELOAD );
		return false;
	}

	if (!isset($_FILES[$media_name])) {
		$this->setErrors( _ER_UP_FILENOTFOUND );
		return false;
	} elseif (is_array($_FILES[$media_name]['name']) && isset($index)) {
		$index = intval($index);
		$this->mediaName = (get_magic_quotes_gpc()) ? stripslashes($_FILES[$media_name]['name'][$index]) : $_FILES[$media_name]['name'][$index];
		$this->mediaType = $_FILES[$media_name]['type'][$index];
		$this->mediaSize = $_FILES[$media_name]['size'][$index];
		$this->mediaTmpName = $_FILES[$media_name]['tmp_name'][$index];
		$this->mediaError = !empty($_FILES[$media_name]['error'][$index]) ? $_FILES[$media_name]['error'][$index] : 0;
	} else {
		$media_name =& $_FILES[$media_name];
		$this->mediaName = (get_magic_quotes_gpc()) ? stripslashes($media_name['name']) : $media_name['name'];
		$this->mediaName = $media_name['name'];
		$this->mediaType = $media_name['type'];
		$this->mediaSize = $media_name['size'];
		$this->mediaTmpName = $media_name['tmp_name'];
		$this->mediaError = !empty($media_name['error']) ? $media_name['error'] : 0;
	}
/*
	if ( ($ext = strrpos( $this->mediaName, '.' )) !== false ) {
		$ext = strtolower(substr( $this->mediaName, $ext + 1 ));
		if ( isset( $this->extensionToMime[$ext] ) ) {
			$this->mediaRealType = $this->extensionToMime[$ext];
			//trigger_error( "XoopsMediaUploader: Set mediaRealType to {$this->mediaRealType} (file extension is $ext)", E_USER_NOTICE );
		}
	}
*/

	$this->mediaExt = strtolower(substr( $this->mediaName, strrpos( $this->mediaName, '.' ) + 1 ));
	if ( array_key_exists($this->mediaExt, $this->extensionToMime) ) {
		$this->maxFileSize = $this->extensionToMime[$this->mediaExt]['maxSize'];
		$this->maxWidth = $this->extensionToMime[$this->mediaExt]['maxWidth'];
		$this->maxHeight = $this->extensionToMime[$this->mediaExt]['maxHeight'];
	}

	$this->errors = array();
	if (intval($this->mediaSize) < 0) {
		$this->setErrors(  _ER_UP_INVALIDFILESIZE );
		return false;
	}

	if ($this->mediaName == '') {
		$this->setErrors( _ER_UP_FILENAMEEMPTY );
		return false;
	}

	if ($this->mediaTmpName == 'none' || !is_uploaded_file($this->mediaTmpName)) {
		$this->setErrors( _ER_UP_NOFILEUPLOADED );
		return false;
	}

	if ($this->mediaError > 0) {
		$this->setErrors( sprintf(_ER_UP_ERROROCCURRED, $this->mediaError) );
		return false;
	}

	return true;
}

	/**
	* Set the target filename
	*
	* @param   string  $value
	**/
	function setTargetFileName($value) {
		$this->targetFileName = strval(trim($value));
	}

	/**
	* Set the prefix
	*
	* @param   string  $value
	**/
	function setPrefix($value){
		$this->prefix = strval(trim($value));
	}

	/**
	* Get the uploaded filename
	*
	* @return  string
	**/
	function getMediaName() {
		return $this->mediaName;
	}

	/**
	* Get the type of the uploaded file
	*
	* @return  string
	**/
	function getMediaType() {
		return $this->mediaType;
	}

	/**
	* Get the size of the uploaded file
	*
	* @return  int
	**/
	function getMediaSize() {
		return $this->mediaSize;
	}

	/**
	* Get the temporary name that the uploaded file was stored under
	*
	* @return  string
	**/
	function getMediaTmpName() {
		return $this->mediaTmpName;
	}

	/**
	* Get the saved filename
	*
	* @return  string
	**/
	function getSavedFileName(){
		return $this->savedFileName;
	}

	/**
	* Get the destination the file is saved to
	*
	* @return  string
	**/
	function getSavedDestination(){
		return $this->savedDestination;
	}

	/**
	* Check the file and copy it to the destination
	*
	* @return  bool
	**/
	function upload($chmod = 0644) {
		if ($this->uploadDir == '') {
			$this->setErrors( _ER_UP_UPLOADDIRNOTSET );
			return false;
		}

		if (!$this->checkMimeType()) {
			$this->setErrors( sprintf(_ER_UP_MIMETYPENOTALLOWED, $this->mediaType) );
			return false;
		}

		if (!is_dir($this->uploadDir)) {
			$this->setErrors( sprintf(_ER_UP_FAILEDOPENDIR, $this->uploadDir) );
		}
		if (!is_writeable($this->uploadDir)) {
			$this->setErrors( sprintf(_ER_UP_FAILEDOPENDIRWRITE, $this->uploadDir) );
		}

		$this->sanitizeMultipleExtensions();

		if (!$this->checkMaxFileSize()) {
			$this->setErrors( sprintf(_ER_UP_FILESIZETOOLARGE, $this->mediaSize) );
		}
		if (!$this->checkMaxWidth()) {
			$this->setErrors( sprintf(_ER_UP_FILEWIDTHTOOLARGE, $this->maxWidth) );
		}
		if (!$this->checkMaxHeight()) {
			$this->setErrors( sprintf(_ER_UP_FILEHEIGHTTOOLARGE, $this->maxHeight) );
		}
/*
		if (!$this->checkMimeType()) {
			$this->setErrors('MIME type not allowed: '.$this->mediaType);
		}
*/

		if (!$this->checkImageType()) {
			$this->setErrors( _ER_UP_INVALIDIMAGEFILE );
		}
		if (count($this->errors) > 0) {
			return false;
		}
		if (!$this->_copyFile($chmod)) {
			$this->setErrors( sprintf(_ER_UP_FAILEDUPLOADFILE, $this->mediaName) );
			return false;
		}
		return true;
	}

	/**
	* Copy the file to its destination
	*
	* @return  bool
	**/
	function _copyFile($chmod) {
		$matched = array();
		if (!preg_match("/\.([a-zA-Z0-9]+)$/", $this->mediaName, $matched)) {
			return false;
		}
		if (isset($this->targetFileName)) {
			$this->savedFileName = $this->targetFileName;
		} elseif (isset($this->prefix)) {
			$this->savedFileName = uniqid($this->prefix).'.'.strtolower($matched[1]);
		} else {
			$this->savedFileName = strtolower($this->mediaName);
		}
		$this->savedDestination = $this->uploadDir.'/'.$this->savedFileName;
		if (!move_uploaded_file($this->mediaTmpName, $this->savedDestination)) {
			return false;
		}

		// Check IE XSS before returning success
		$ext = strtolower( substr( strrchr( $this->savedDestination , '.' ) , 1 ) ) ;
		if( in_array( $ext , $this->imageExtensions ) ) {
			$info = @getimagesize( $this->savedDestination ) ;
			if( $info === false || $this->imageExtensions[ (int)$info[2] ] != $ext ) {
				$this->setErrors( _ER_UP_SUSPICIOUSIMAGE );
				@unlink( $this->savedDestination );
				return false;
			}
		}

		@chmod($this->savedDestination, $chmod);
		return true;
	}

	/**
	* Is the file the right size?
	*
	* @return  bool
	**/
	function checkMaxFileSize() {
		if ($this->mediaSize > $this->maxFileSize) {
			return false;
		}
		return true;
	}

	/**
	* Is the picture the right width?
	*
	* @return  bool
	**/
	function checkMaxWidth() {
		if (!isset($this->maxWidth)) {
			return true;
		}
		if (false !== $dimension = getimagesize($this->mediaTmpName)) {
			if ($dimension[0] > $this->maxWidth) {
				return false;
			}
		} else {
			trigger_error(sprintf('Failed fetching image size of %s, skipping max width check..', $this->mediaTmpName), E_USER_WARNING);
		}
		return true;
	}

	/**
	* Is the picture the right height?
	*
	* @return  bool
	**/
	function checkMaxHeight() {
		if (!isset($this->maxHeight)) {
			return true;
		}
		if (false !== $dimension = getimagesize($this->mediaTmpName)) {
			if ($dimension[1] > $this->maxHeight) {
				return false;
			}
 			trigger_error(sprintf('Failed fetching image size of %s, skipping max height check..', $this->mediaTmpName), E_USER_WARNING);
		}
		return true;
	}

	/**
	* Check whether or not the uploaded file type is allowed
	*
	* @return  bool
	**/
	function checkMimeType() {
/*
		if ( empty( $this->mediaRealType ) && !$this->allowUnknownTypes ) {
			$this->setErrors( 'Unknown filetype rejected' );
			return false;
		}

		return ( empty($this->allowedMimeTypes) || in_array($this->mediaRealType, $this->allowedMimeTypes) );
*/

		if ( count( $this->extensionToMime ) == 0 ) {
			$this->setErrors( _ER_UP_UNKNOWNFILETYPEREJECTED );
			return false;
		}
		return ( empty($this->extensionToMime) || array_key_exists($this->mediaExt, $this->extensionToMime) );
	}

	/**
	* Check whether or not the uploaded image type is valid
	*
	* @return  bool
	**/
	function checkImageType() {
		if(empty($this->checkImageType)) return true;

		if( ("image" == substr($this->mediaType, 0, strpos($this->mediaType, "/"))) ||
			(!empty($this->mediaRealType) && "image" == substr($this->mediaRealType, 0, strpos($this->mediaRealType, "/"))) ){

			if ( ! ( $info = @getimagesize( $this->mediaTmpName ) ) ) {
				return false;
			}
		}
		return true;
	}

	/**
	* Sanitize executable filename with multiple extensions
	*
	**/
	function sanitizeMultipleExtensions() {
		if(empty($this->extensionsToBeSanitized)) return;
			$patterns = array();
			$replaces = array();
			foreach($this->extensionsToBeSanitized as $ext){
			$patterns[] = "/\.".preg_quote($ext)."\./i";
			$replaces[] = "_".$ext.".";
		}
		$this->mediaName = preg_replace($patterns, $replaces, $this->mediaName);
	}

	function GetextensionToMime() {
		global $xoopsModule, $xoopsUser, $xoopsDB;
		if (!is_object ( $xoopsModule ) ) {
			$hModule = &xoops_gethandler('module');
			$xoopsModule = $hModule->getByDirname('system');
		}

		$groups = is_object( $xoopsUser ) ? $xoopsUser -> getGroups() : array(XOOPS_GROUP_ANONYMOUS) ;
		$sql = 'SELECT t.mime_types, t.mime_ext, p.mperm_maxwidth, p.mperm_maxheight, p.mperm_maxsize FROM ' .
		$xoopsDB->prefix('mimetypes_perms') . ' p LEFT JOIN ' .
		$xoopsDB->prefix("mimetypes") . ' t on p.mperm_mime = t.mime_id' . ' WHERE p.mperm_module=' . $xoopsModule->mid() . ' AND p.mperm_groups IN (' . implode(',' , $groups) . ')' . ' GROUP BY t.mime_ext' ;

		$result = $xoopsDB->query($sql);
		while ( $myrow = $xoopsDB->fetchArray($result) ) {
			$mime_types = explode('|',$myrow['mime_types']);
			$intersect = array_intersect($this->allowedMimeTypes,$mime_types);
			if (count($intersect) > 0) {
				$mimeExt = $myrow['mime_ext'];
				$this->extensionToMime[$mimeExt] = array( 'maxWidth' => $myrow['mperm_maxwidth'], 'maxHeight' => $myrow['mperm_maxwidth'], 'maxSize' => $myrow['mperm_maxsize'] );
			}
		}
	}

	/**
	* Add an error
	*
	* @param   string  $error
	**/
	function setErrors($error) {
		$this->errors[] = trim($error);
	}

	/**
	* Get generated errors
	*
	* @param    bool    $ashtml Format using HTML?
	*
	* @return    array|string    Array of array messages OR HTML string
	*/
	function &getErrors($ashtml = true) {
		if (!$ashtml) {
			return $this->errors;
		} else {
			$ret = '';
			if (count($this->errors) > 0) {
				$ret = '<h4>Errors Returned While Uploading</h4>';
				foreach ($this->errors as $error) {
					$ret .= $error.'<br />';
				}
			}
			return $ret;
		}
	}
}
?>

XoopsModules25x / xoopsinfo

Issues (1626)

Security Analysis not enabled

class/uploader.php (25 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like