Pull Request — development (#2955)
by Stephen
17:46
created

index.php (2 issues)


1
<?php
2
3
/**
4
 * This, as you have probably guessed, is the crux for all functions.
5
 * Everything should start here, so all the setup and security is done
6
 * properly.
7
 *
8
 * @name      ElkArte Forum
9
 * @copyright ElkArte Forum contributors
10
 * @license   BSD http://opensource.org/licenses/BSD-3-Clause
11
 *
12
 * This file contains code covered by:
13
 * copyright:	2011 Simple Machines (http://www.simplemachines.org)
14
 * license:		BSD, See included LICENSE.TXT for terms and conditions.
15
 *
16
 * @version 1.1 Release Candidate 1
17
 *
18
 */
19
20
$time_start = microtime(true);
21
22
// The software version
23
const FORUM_VERSION = 'ElkArte 1.1 RC 1';
24
25
// First things first, but not necessarily in that order.
26
const ELK = '1';
27
28
// Shortcut for the browser cache stale
29
const CACHE_STALE = '?R11RC1';
30
31
// Report errors but not depreciated ones
32
error_reporting(E_ALL | E_STRICT & ~8192);
33
34
// Directional only script time usage for display
35
// getrusage is missing in php < 7 on Windows
36
if (function_exists('getrusage'))
37
	$rusage_start = getrusage();
38
else
39
	$rusage_start = array();
40
41
// Turn on output buffering if it isn't already on (via php.ini for example)
42
if (!ob_get_level())
43
	ob_start();
44
45
$db_show_debug = false;
46
47
// We don't need no globals. (a bug in "old" versions of PHP)
48 View Code Duplication
foreach (array('db_character_set', 'cachedir') as $variable)
49
	if (isset($GLOBALS[$variable]))
50
		unset($GLOBALS[$variable], $GLOBALS[$variable]);
51
52
// Where the Settings.php file is located
53
$settings_loc = __DIR__ . '/Settings.php';
54
55
// First thing: if the install dir exists, just send anybody there
56
// The ignore_install_dir var is for developers only. Do not add it on production sites
57
if (file_exists('install'))
58
{
59
	if (file_exists($settings_loc))
60
	{
61
		require_once($settings_loc);
62
	}
63
	if (empty($ignore_install_dir))
64
	{
65
		// No install_time defined or finished the installing in the last 2 minutes
66
		if (empty($install_time) || $install_time - time() < 120)
67
		{
68
			$redirec_file = 'install.php';
69
		}
70
		else
71
		{
72
			$redirec_file = 'upgrade.php';
73
		}
74
75
		header('Location: http' . (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on' ? 's' : '') . '://' . (empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] . (empty($_SERVER['SERVER_PORT']) || $_SERVER['SERVER_PORT'] == '80' ? '' : ':' . $_SERVER['SERVER_PORT']) : $_SERVER['HTTP_HOST']) . (strtr(dirname($_SERVER['PHP_SELF']), '\\', '/') == '/' ? '' : strtr(dirname($_SERVER['PHP_SELF']), '\\', '/')) . '/install/' . $redirec_file);
Security Response Splitting introduced by
'Location: http' . (!emp...stall/' . $redirec_file can contain request data and is used in response header context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Fetching key HTTP_HOST from $_SERVER
    in index.php on line 75

Response Splitting Attacks

Allowing an attacker to set a response header opens your application to response-splitting attacks, effectively letting the attacker send any response they like.

General Strategies to prevent injection

In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:

if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}

For numeric data, we recommend to explicitly cast the data:

$sanitized = (integer) $tainted;
76
		die();
77
	}
78
}
79
else
80
{
81
	require_once($settings_loc);
82
}
83
84
// Make sure the paths are correct... at least try to fix them.
85
if (!file_exists($boarddir) && file_exists(__DIR__ . '/agreement.txt'))
86
	$boarddir = __DIR__;
87 View Code Duplication
if (!file_exists($sourcedir . '/SiteDispatcher.class.php') && file_exists($boarddir . '/sources'))
88
	$sourcedir = $boarddir . '/sources';
89
90
// Check that directories which didn't exist in past releases are initialized.
91 View Code Duplication
if ((empty($cachedir) || !file_exists($cachedir)) && file_exists($boarddir . '/cache'))
92
	$cachedir = $boarddir . '/cache';
93 View Code Duplication
if ((empty($extdir) || !file_exists($extdir)) && file_exists($sourcedir . '/ext'))
94
	$extdir = $sourcedir . '/ext';
95 View Code Duplication
if ((empty($languagedir) || !file_exists($languagedir)) && file_exists($boarddir . '/themes/default/languages'))
96
	$languagedir = $boarddir . '/themes/default/languages';
97
98
// Time to forget about variables and go with constants!
99
DEFINE('BOARDDIR', $boarddir);
100
DEFINE('CACHEDIR', $cachedir);
101
DEFINE('EXTDIR', $extdir);
102
DEFINE('LANGUAGEDIR', $languagedir);
103
DEFINE('SOURCEDIR', $sourcedir);
104
DEFINE('ADMINDIR', $sourcedir . '/admin');
105
DEFINE('CONTROLLERDIR', $sourcedir . '/controllers');
106
DEFINE('SUBSDIR', $sourcedir . '/subs');
107
DEFINE('ADDONSDIR', $boarddir . '/addons');
108
unset($boarddir, $cachedir, $sourcedir, $languagedir, $extdir);
109
110
// Files we cannot live without.
111
require_once(SOURCEDIR . '/QueryString.php');
112
require_once(SOURCEDIR . '/Session.php');
113
require_once(SOURCEDIR . '/Subs.php');
114
require_once(SOURCEDIR . '/Logging.php');
115
require_once(SOURCEDIR . '/Load.php');
116
require_once(SOURCEDIR . '/Security.php');
117
require_once(SUBSDIR . '/Cache.subs.php');
118
119
// Initialize the class Autoloader
120
require(SOURCEDIR . '/Autoloader.class.php');
121
$autoloder = Elk_Autoloader::getInstance();
122
$autoloder->setupAutoloader(array(SOURCEDIR, SUBSDIR, CONTROLLERDIR, ADMINDIR, ADDONSDIR));
123
$autoloder->register(SOURCEDIR, '\\ElkArte');
124
$autoloder->register(SOURCEDIR . '/subs/BBC', '\\BBC');
125
126
// Show lots of debug information below the page, not for production sites
127
if ($db_show_debug === true)
128
	Debug::get()->rusage('start', $rusage_start);
129
130
// Forum in extended maintenance mode? Our trip ends here with a bland message.
131
if (!empty($maintenance) && $maintenance == 2)
132
	Errors::instance()->display_maintenance_message();
133
134
// Clean the request.
135
cleanRequest();
136
137
// Initiate the database connection and define some database functions to use.
138
loadDatabase();
139
140
// Let's set up our shiny new hooks handler.
141
Hooks::init(database(), Debug::get());
142
143
// It's time for settings loaded from the database.
144
reloadSettings();
145
146
// Our good ole' contextual array, which will hold everything
147
if (!isset($context))
148
{
149
	$context = array();
150
}
151
152
// Seed the random generator.
153
elk_seed_generator();
Deprecated Code introduced by
The function elk_seed_generator() has been deprecated.

This function has been deprecated.

154
155
// Before we get carried away, are we doing a scheduled task? If so save CPU cycles by jumping out!
156
if (isset($_GET['scheduled']))
157
{
158
	// Don't make people wait on us if we can help it.
159
	if (function_exists('fastcgi_finish_request'))
160
		fastcgi_finish_request();
161
162
	$controller = new ScheduledTasks_Controller();
163
	$controller->action_autotask();
164
}
165
166
// Check if compressed output is enabled, supported, and not already being done.
167
if (!empty($modSettings['enableCompressedOutput']) && !headers_sent())
168
{
169
	// If zlib is being used, turn off output compression.
170
	if (detectServer()->outPutCompressionEnabled())
171
		$modSettings['enableCompressedOutput'] = 0;
172
	else
173
	{
174
		@ob_end_clean();
175
		ob_start('ob_gzhandler');
176
	}
177
}
178
179
// Register error & exception handlers.
180
new ElkArte\Errors\ErrorHandler;
181
182
// Start the session. (assuming it hasn't already been.)
183
loadSession();
184
185
// Restore post data if we are revalidating OpenID.
186
if (isset($_GET['openid_restore_post']) && !empty($_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]['post']) && empty($_POST))
187
{
188
	$_POST = $_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]['post'];
189
	unset($_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]);
190
}
191
192
// Pre-dispatch
193
elk_main();
194
195
// Call obExit specially; we're coming from the main area ;).
196
obExit(null, null, true);
197
198
/**
199
 * The main dispatcher.
200
 * This delegates to each area.
201
 */
202
function elk_main()
203
{
204
	global $modSettings, $context;
205
206
	// A safer way to work with our form globals
207
	// @todo Use a DIC
208
	$_req = HttpReq::instance();
209
210
	// What shall we do?
211
	$dispatcher = new Site_Dispatcher($_req);
212
213
	if ($dispatcher->needSecurity())
214
	{
215
		// We should set our security headers now.
216
		frameOptionsHeader();
217
		securityOptionsHeader();
218
219
		// Load the user's cookie (or set as guest) and load their settings.
220
		loadUserSettings();
221
222
		// Load the current board's information.
223
		loadBoard();
224
225
		// Load the current user's permissions.
226
		loadPermissions();
227
228
		// Load the current theme.  (note that ?theme=1 will also work, may be used for guest theming.)
229
		if ($dispatcher->needTheme())
230
		{
231
			loadTheme();
232
233
			// Load BadBehavior before we go much further
234
			loadBadBehavior();
235
236
			// The parser is not a DIC just yet
237
			loadBBCParsers();
238
		}
239
		// Otherwise don't require the entire theme to be loaded.
240
		else
241
		{
242
			detectBrowser();
243
		}
244
245
		// Check if the user should be disallowed access.
246
		is_not_banned();
247
248
		// Do some logging, unless this is an attachment, avatar, toggle of editor buttons, theme option, XML feed etc.
249
		if ($dispatcher->trackStats())
250
		{
251
			// I see you!
252
			writeLog();
253
254
			// Track forum statistics and hits...?
255
			if (!empty($modSettings['hitStats']))
256
				trackStats(array('hits' => '+'));
257
		}
258
259
		// Show where we came from, and go
260
		$context['site_action'] = $dispatcher->site_action();
261
	}
262
263
	$dispatcher->dispatch();
264
}
265
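Review bot: On line 32, `error_reporting(E_ALL | E_STRICT & ~8192);`, the `&` binds tighter than `|`, so the expression evaluates to `E_ALL | (E_STRICT & ~8192)` and E_DEPRECATED (8192) is never masked, contrary to the comment above it; write `error_reporting((E_ALL | E_STRICT) & ~E_DEPRECATED);` so the mask applies to the whole set. On line 57 `file_exists('install')` is resolved against the process's current working directory while `$settings_loc` on line 53 is built from `__DIR__`, so the install-directory guard silently stops applying when the script is started from another directory; `file_exists(__DIR__ . '/install')` keeps the two checks consistent. The condition on line 66, `$install_time - time() < 120`, also looks inverted: if `$install_time` is a past timestamp the difference is negative and the branch always picks `install.php`, so `time() - $install_time < 120` may have been intended — I cannot see where `$install_time` is set from this page. Line 50 unsets `$GLOBALS[$variable]` twice in the same statement; the second argument is redundant.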