This project does not seem to handle request data directly, so no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
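<?php

//------------------------------------------------------------------------------
//
//  eTraxis - Records tracking web-based system
//  Copyright (C) 2005-2011  Artem Rodygin
//
//  This program is free software: you can redistribute it and/or modify
//  it under the terms of the GNU General Public License as published by
//  the Free Software Foundation, either version 3 of the License, or
//  (at your option) any later version.
//
//  This program is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//  GNU General Public License for more details.
//
//  You should have received a copy of the GNU General Public License
//  along with this program.  If not, see <http://www.gnu.org/licenses/>.
//
//------------------------------------------------------------------------------

/**
 * "Attachments" tab of a record.
 *
 * Three request shapes are served by this script:
 *  - submitted=attachform : stores an uploaded file for the record and answers with a
 *                           one-line status ("OK <label> (<count>)" on success, an HTTP
 *                           error otherwise);
 *  - submitted=attachlist : removes the attachments whose "fileNNN" markers are present in
 *                           the request and answers with the refreshed tab label;
 *  - anything else        : renders the upload form and the paginated attachments list.
 *
 * In every case the record must exist and be displayable by the current user.
 *
 * @package eTraxis
 * @ignore
 */

/**#@+
 * Dependency.
 */
require_once('../engine/engine.php');
require_once('../dbo/records.php');
/**#@-*/

init_page(LOAD_TAB, GUEST_IS_ALLOWED);

$attachname = NULL;
$xml        = NULL;

// check that requested record exists

$id     = ustr2int(try_request('id'));
$record = record_find($id);

if (!$record)
{
    debug_write_log(DEBUG_NOTICE, 'Record cannot be found.');
    exit;
}

// get current user's permissions and verify them

$permissions = record_get_permissions($record['template_id'], $record['creator_id'], $record['responsible_id']);

if (!can_record_be_displayed($permissions))
{
    debug_write_log(DEBUG_NOTICE, 'Record cannot be displayed.');
    exit;
}

// NOTE(review): both state-changing branches below are driven by try_request()/$_REQUEST,
// which accept GET as well as POST parameters. Whether a CSRF token is enforced for them is
// not visible in this file (it would have to live in init_page() or the form layer) — confirm
// before relying on it. Strict comparison is used so that only the exact marker strings match.

$submitted = try_request('submitted');

// attachment form is submitted

if ($submitted === 'attachform')
{
    debug_write_log(DEBUG_NOTICE, 'Data are submitted.');

    if (can_file_be_attached($record, $permissions))
    {
        // The name field may be absent from the request, or arrive as an array
        // ("attachname[]=..."); neither must reach ustrcut(), so fall back to an empty name.
        $rawname = (isset($_REQUEST['attachname']) && is_string($_REQUEST['attachname']))
                 ? $_REQUEST['attachname']
                 : '';

        $attachname = ustrcut($rawname, MAX_ATTACHMENT_NAME);

        // Missing upload slot is reported the same way as an empty file input.
        $error = isset($_FILES['attachfile'])
               ? attachment_add($id, $attachname, $_FILES['attachfile'])
               : ERROR_UPLOAD_NO_FILE;

        switch ($error)
        {
            case NO_ERROR:
                /**
                 * jQuery Form Plugin uses "success" callback function in both cases - success and failure
                 * (see https://github.com/malsup/form/issues/107 for details).
                 * It makes impossible to distinguish successful response from error messages.
                 * To make the difference a successful response is prefixed with "OK ".
                 * For the same reasons a workaround function "attachmentSuccess2" is appeared (see its code below).
                 */
                header('HTTP/1.0 200 OK');
                $rs = dal_query('attachs/list.sql', $record['record_id'], 'attachment_id');
                echo(sprintf('OK %s (%u)', get_html_resource(RES_ATTACHMENTS_ID), $rs->rows));
                break;

            case ERROR_INCOMPLETE_FORM:
                send_http_error(get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID));
                break;

            case ERROR_ALREADY_EXISTS:
                send_http_error(get_html_resource(RES_ALERT_ATTACHMENT_ALREADY_EXISTS_ID));
                break;

            case ERROR_UPLOAD_INI_SIZE:
                send_http_error(get_html_resource(RES_ALERT_UPLOAD_INI_SIZE_ID));
                break;

            case ERROR_UPLOAD_FORM_SIZE:
                // the only message that carries a parameter (the configured size limit)
                send_http_error(ustrprocess(get_html_resource(RES_ALERT_UPLOAD_FORM_SIZE_ID), ATTACHMENTS_MAXSIZE));
                break;

            case ERROR_UPLOAD_PARTIAL:
                send_http_error(get_html_resource(RES_ALERT_UPLOAD_PARTIAL_ID));
                break;

            case ERROR_UPLOAD_NO_FILE:
                send_http_error(get_html_resource(RES_ALERT_UPLOAD_NO_FILE_ID));
                break;

            case ERROR_UPLOAD_NO_TMP_DIR:
                send_http_error(get_html_resource(RES_ALERT_UPLOAD_NO_TMP_DIR_ID));
                break;

            case ERROR_UPLOAD_CANT_WRITE:
                send_http_error(get_html_resource(RES_ALERT_UPLOAD_CANT_WRITE_ID));
                break;

            case ERROR_UPLOAD_EXTENSION:
                send_http_error(get_html_resource(RES_ALERT_UPLOAD_EXTENSION_ID));
                break;

            default:
                send_http_error(get_html_resource(RES_ALERT_UNKNOWN_ERROR_ID));
        }
    }
    else
    {
        debug_write_log(DEBUG_NOTICE, 'No permissions to attach file.');
    }

    exit;
}

// attachments list is submitted

elseif ($submitted === 'attachlist')
{
    debug_write_log(DEBUG_NOTICE, 'Attachments are removed.');

    if (can_file_be_removed($record))
    {
        // Every request value of the form "fileNNN" names one attachment to remove.
        // Only string values are considered: an array value would make substr() fail,
        // and nothing else can carry the marker anyway. The per-file permission check
        // is left to attachment_remove().
        foreach ($_REQUEST as $request)
        {
            if (is_string($request) && substr($request, 0, 4) === 'file')
            {
                attachment_remove($id, $permissions, intval(substr($request, 4)));
            }
        }
    }
    else
    {
        debug_write_log(DEBUG_NOTICE, 'Files cannot be removed.');
    }

    // answer with the refreshed tab label, e.g. "Attachments (3)"
    $rs = dal_query('attachs/list.sql', $record['record_id'], 'attachment_id');
    echo(sprintf('%s (%u)', get_html_resource(RES_ATTACHMENTS_ID), $rs->rows));
    exit;
}

else
{
    debug_write_log(DEBUG_NOTICE, 'Data are being requested.');
}

// local JS functions

$resTitle = get_js_resource(RES_ERROR_ID);
$resOK    = get_js_resource(RES_OK_ID);

$xml = <<<JQUERY
<script>

function attachmentSuccess (data)
{
    var index = $("#tabs").tabs("option", "selected") + 1;
    $("[href=#ui-tabs-" + index + "]").html(data);
    reloadTab();
}

function attachmentError (XMLHttpRequest)
{
    jqAlert("{$resTitle}", XMLHttpRequest.responseText, "{$resOK}");
}

function attachmentSuccess2 (data)
{
    if (data.substr(0,3) == "OK ")  // success
    {
        attachmentSuccess(data.substr(3));
    }
    else  // error
    {
        jqAlert("{$resTitle}", data, "{$resOK}");
    }
}

</script>
JQUERY;

// mark the record as read

record_read($id);

// whether user is allowed to add new attachment

if (can_file_be_attached($record, $permissions))
{
    $xml .= '<form name="attachform" action="attachments.php?id=' . $id . '" upload="' . (ATTACHMENTS_MAXSIZE * 1024) . '" success="attachmentSuccess2" error="attachmentError">'
          . '<group title="' . get_html_resource(RES_ATTACHMENT_ID) . '">'
          . '<control name="attachname">'
          . '<label>' . get_html_resource(RES_ATTACHMENT_NAME_ID) . '</label>'
          . '<editbox maxlen="' . MAX_ATTACHMENT_NAME . '">' . ustr2html($attachname) . '</editbox>'
          . '</control>'
          . '<control name="attachfile" required="' . get_html_resource(RES_REQUIRED3_ID) . '">'
          . '<label>' . get_html_resource(RES_ATTACHMENT_FILE_ID) . '</label>'
          . '<filebox/>'
          . '</control>'
          . '</group>'
          . '<button default="true">' . get_html_resource(RES_OK_ID) . '</button>'
          . '<note>' . get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID) . '</note>'
          . '<note>' . ustrprocess(get_html_resource(RES_ALERT_UPLOAD_FORM_SIZE_ID), ATTACHMENTS_MAXSIZE) . '</note>'
          . '</form>';
}

// get the attachments list

// $sort and $page are filled in by attachments_list() (passed by reference)
$sort = $page = NULL;
$list = attachments_list($id, $sort, $page);

if ($list->rows == 0)
{
    debug_write_log(DEBUG_NOTICE, 'No attachments are found.');

    if (!can_file_be_attached($record, $permissions))
    {
        $xml .= get_html_resource(RES_NONE2_ID);
    }
}
else
{
    // generate list header

    $columns = array
    (
        RES_ATTACHMENT_NAME_ID,
        RES_SIZE_ID,
        RES_ORIGINATOR_ID,
        RES_TIMESTAMP_ID,
    );

    $rec_from = $rec_to = 0;

    $bookmarks = gen_xml_bookmarks($page, $list->rows, $rec_from, $rec_to, 'attachments.php?id=' . $id . '&');

    $xml .= '<form name="attachlist" action="attachments.php?id=' . $id . '" success="attachmentSuccess">'
          . '<list>'
          . '<hrow>'
          . '<hcell checkboxes="true"/>';

    // clicking the column that is already the sort key flips the direction,
    // encoded as (column index + number of columns)
    for ($i = 1; $i <= count($columns); $i++)
    {
        $smode = ($sort == $i ? ($i + count($columns)) : $i);

        $xml .= "<hcell url=\"attachments.php?id={$id}&sort={$smode}&page={$page}\">"
              . get_html_resource($columns[$i - 1])
              . '</hcell>';
    }

    $xml .= '</hrow>';

    // go through the attachments list

    $list->seek($rec_from - 1);

    for ($i = $rec_from; $i <= $rec_to; $i++)
    {
        $row = $list->fetch();

        // rows are only selectable when the user may remove files
        $xml .= (($permissions & PERMIT_REMOVE_FILES) == 0
                    ? '<row name="file' . $row['attachment_id'] . '" url="download.php?id=' . $row['attachment_id'] . '" disabled="true">'
                    : '<row name="file' . $row['attachment_id'] . '" url="download.php?id=' . $row['attachment_id'] . '">')
              . '<cell>' . ustr2html($row['attachment_name']) . '</cell>'
              . '<cell>' . $row['attachment_size'] . '</cell>'
              . '<cell>' . ustr2html(sprintf('%s (%s)', $row['fullname'], account_get_username($row['username']))) . '</cell>'
              . '<cell>' . get_datetime($row['event_time']) . '</cell>'
              . '</row>';
    }

    $xml .= '</list>'
          . '</form>'
          . $bookmarks;

    $xml .= '<button action="$(\'#attachlist\').submit()">'
          . get_html_resource(RES_REMOVE_FILE_ID)
          . '</button>';
}

echo(xml2html($xml));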
It seems that the type of the argument is not accepted by the function/method you are calling.
In some cases, in particular if PHP's automatic type-juggling kicks in, this might be fine. In other cases, however, this might be a bug.
We suggest adding an explicit type cast, as in the following example: