This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
Encourage use of @property annotation when providing magic access
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | //------------------------------------------------------------------------------ |
||
4 | // |
||
5 | // eTraxis - Records tracking web-based system |
||
6 | // Copyright (C) 2005-2011 Artem Rodygin |
||
7 | // |
||
8 | // This program is free software: you can redistribute it and/or modify |
||
9 | // it under the terms of the GNU General Public License as published by |
||
10 | // the Free Software Foundation, either version 3 of the License, or |
||
11 | // (at your option) any later version. |
||
12 | // |
||
13 | // This program is distributed in the hope that it will be useful, |
||
14 | // but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
15 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
16 | // GNU General Public License for more details. |
||
17 | // |
||
18 | // You should have received a copy of the GNU General Public License |
||
19 | // along with this program. If not, see <http://www.gnu.org/licenses/>. |
||
20 | // |
||
21 | //------------------------------------------------------------------------------ |
||
22 | |||
23 | /** |
||
24 | * @package eTraxis |
||
25 | * @ignore |
||
26 | */ |
||
27 | |||
28 | /**#@+ |
||
29 | * Dependency. |
||
30 | */ |
||
31 | require_once('../engine/engine.php'); |
||
32 | require_once('../dbo/accounts.php'); |
||
33 | require_once('../dbo/records.php'); |
||
34 | require_once('../dbo/events.php'); |
||
35 | /**#@-*/ |
||
36 | |||
37 | init_page(LOAD_TAB, GUEST_IS_ALLOWED); |
||
38 | |||
39 | // check that requested record exists |
||
40 | |||
41 | $id = ustr2int(try_request('id')); |
||
42 | $record = record_find($id); |
||
43 | |||
44 | if (!$record) |
||
45 | { |
||
46 | debug_write_log(DEBUG_NOTICE, 'Record cannot be found.'); |
||
47 | exit; |
||
48 | } |
||
49 | |||
50 | // get current user's permissions and verify them |
||
51 | |||
52 | $permissions = record_get_permissions($record['template_id'], $record['creator_id'], $record['responsible_id']); |
||
53 | |||
54 | if (!can_record_be_displayed($permissions)) |
||
55 | { |
||
56 | debug_write_log(DEBUG_NOTICE, 'Record cannot be displayed.'); |
||
57 | exit; |
||
58 | } |
||
59 | |||
60 | // comment is submitted |
||
61 | |||
62 | if (try_request('submitted') == 'commentform' || |
||
63 | try_request('submitted') == 'rcommentform' || |
||
64 | try_request('submitted') == 'confidentialform' || |
||
65 | try_request('submitted') == 'rconfidentialform') |
||
66 | { |
||
67 | debug_write_log(DEBUG_NOTICE, 'Data are submitted.'); |
||
68 | |||
69 | if (can_comment_be_added($record, $permissions)) |
||
70 | { |
||
71 | $is_confidential = (try_request('submitted') == 'confidentialform' || try_request('submitted') == 'rconfidentialform'); |
||
72 | |||
73 | if ($is_confidential && ($permissions & PERMIT_CONFIDENTIAL_COMMENTS) == 0) |
||
74 | { |
||
75 | debug_write_log(DEBUG_NOTICE, 'Lack of permissions to add confidential comments.'); |
||
76 | } |
||
77 | else |
||
78 | { |
||
79 | $comment = ustrcut($_REQUEST['rcomment'], MAX_COMMENT_BODY); |
||
80 | |||
81 | $rs = dal_query('records/efnd2.sql', $id, $_SESSION[VAR_USERID], ($is_confidential ? EVENT_CONFIDENTIAL_COMMENT : EVENT_COMMENT_ADDED), time() - 3); |
||
82 | |||
83 | if ($rs->rows != 0) |
||
0 ignored issues
–
show
|
|||
84 | { |
||
85 | debug_write_log(DEBUG_NOTICE, 'Double click issue is detected.'); |
||
86 | } |
||
87 | else |
||
88 | { |
||
89 | comment_add($id, $comment, $is_confidential); |
||
90 | } |
||
91 | } |
||
92 | } |
||
93 | else |
||
94 | { |
||
95 | debug_write_log(DEBUG_NOTICE, 'Comment cannot be added.'); |
||
96 | } |
||
97 | |||
98 | $rs = dal_query('comments/list.sql', $record['record_id'], ($permissions & PERMIT_CONFIDENTIAL_COMMENTS) ? EVENT_CONFIDENTIAL_COMMENT : EVENT_UNUSED); |
||
99 | echo(sprintf('%s (%u)', get_html_resource(RES_COMMENTS_ID), $rs->rows)); |
||
0 ignored issues
–
show
The property
$rows is declared protected in CRecordset . Since you implemented __get() , maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.
Since your code implements the magic setter <?php
/**
* @property int $x
* @property int $y
* @property string $text
*/
class MyLabel
{
private $properties;
private $allowedProperties = array('x', 'y', 'text');
public function __get($name)
{
if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
return $properties[$name];
} else {
return null;
}
}
public function __set($name, $value)
{
if (in_array($name, $this->allowedProperties)) {
$properties[$name] = $value;
} else {
throw new \LogicException("Property $name is not defined.");
}
}
}
Since the property has write access only, you can use the @property-write annotation instead. Of course, you may also just have mistyped another name, in which case you should fix the error. See also the PhpDoc documentation for @property.
Loading history...
|
|||
100 | exit; |
||
101 | } |
||
102 | |||
103 | // mark the record as read |
||
104 | |||
105 | record_read($id); |
||
106 | |||
107 | // get list of comments |
||
108 | |||
109 | $comments = dal_query('comments/list.sql', $id, ($permissions & PERMIT_CONFIDENTIAL_COMMENTS) ? EVENT_CONFIDENTIAL_COMMENT : EVENT_UNUSED); |
||
110 | |||
111 | // local JS functions |
||
112 | |||
113 | $xml = <<<JQUERY |
||
114 | <script> |
||
115 | |||
116 | function addConfidentialComment () |
||
117 | { |
||
118 | $("#commentform :input[name=submitted]").val("confidentialform"); |
||
119 | $("#commentform").submit(); |
||
120 | $("#commentform :input[name=submitted]").val("commentform"); |
||
121 | } |
||
122 | |||
123 | function previewComment () |
||
124 | { |
||
125 | $("#previewdiv").load("preview.php", $("#commentform").serialize()); |
||
126 | } |
||
127 | |||
128 | function commentSuccess (data) |
||
129 | { |
||
130 | var index = $("#tabs").tabs("option", "selected") + 1; |
||
131 | $("[href=#ui-tabs-" + index + "]").html(data); |
||
132 | reloadTab(); |
||
133 | } |
||
134 | |||
135 | </script> |
||
136 | JQUERY; |
||
137 | |||
138 | // whether user is allowed to add new comment |
||
139 | |||
140 | if (can_comment_be_added($record, $permissions)) |
||
141 | { |
||
142 | $xml .= '<form name="commentform" action="comments.php?id=' . $id . '" success="commentSuccess">' |
||
143 | . '<group title="' . get_html_resource(RES_COMMENT_ID) . '">' |
||
144 | . '<control name="rcomment">' |
||
145 | . '<textbox rows="' . $_SESSION[VAR_TEXTROWS] . '" resizeable="true" maxlen="' . MAX_COMMENT_BODY . '">' |
||
146 | . '</textbox>' |
||
147 | . '</control>' |
||
148 | . '</group>' |
||
149 | . '<buttonset>' |
||
150 | . '<button default="true">' . get_html_resource(RES_ADD_COMMENT_ID) . '</button>'; |
||
151 | |||
152 | if ($permissions & PERMIT_CONFIDENTIAL_COMMENTS) |
||
153 | { |
||
154 | $xml .= '<button action="addConfidentialComment()">' |
||
155 | . get_html_resource(RES_ADD_CONFIDENTIAL_COMMENT_ID) |
||
156 | . '</button>'; |
||
157 | } |
||
158 | |||
159 | $xml .= '</buttonset>' |
||
160 | . '<button action="previewComment()">' . get_html_resource(RES_PREVIEW_ID) . '</button>' |
||
161 | . '<div id="previewdiv"/>' |
||
162 | . '<note>' . get_html_resource(RES_LINK_TO_ANOTHER_RECORD_ID) . '</note>' |
||
163 | . '</form>'; |
||
164 | } |
||
165 | else |
||
166 | { |
||
167 | debug_write_log(DEBUG_NOTICE, 'Comment cannot be added.'); |
||
168 | |||
169 | if ($comments->rows == 0) |
||
0 ignored issues
–
show
The property
$rows is declared protected in CRecordset . Since you implemented __get() , maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.
Since your code implements the magic setter <?php
/**
* @property int $x
* @property int $y
* @property string $text
*/
class MyLabel
{
private $properties;
private $allowedProperties = array('x', 'y', 'text');
public function __get($name)
{
if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
return $properties[$name];
} else {
return null;
}
}
public function __set($name, $value)
{
if (in_array($name, $this->allowedProperties)) {
$properties[$name] = $value;
} else {
throw new \LogicException("Property $name is not defined.");
}
}
}
Since the property has write access only, you can use the @property-write annotation instead. Of course, you may also just have mistyped another name, in which case you should fix the error. See also the PhpDoc documentation for @property.
Loading history...
|
|||
170 | { |
||
171 | debug_write_log(DEBUG_NOTICE, 'No comments are found.'); |
||
172 | |||
173 | $xml .= get_html_resource(RES_NONE2_ID); |
||
174 | } |
||
175 | } |
||
176 | |||
177 | // go through the list of all comments |
||
178 | |||
179 | while (($comment = $comments->fetch())) |
||
180 | { |
||
181 | if ($comment['event_type'] == EVENT_CONFIDENTIAL_COMMENT && |
||
182 | ($permissions & PERMIT_CONFIDENTIAL_COMMENTS) == 0) |
||
183 | { |
||
184 | continue; |
||
185 | } |
||
186 | |||
187 | $group_title = sprintf('%s - %s (%s)', |
||
188 | get_datetime($comment['event_time']), |
||
189 | $comment['fullname'], |
||
190 | account_get_username($comment['username'])); |
||
191 | |||
192 | $xml .= '<group title="' . ustr2html($group_title) . '">' |
||
193 | . ($comment['is_confidential'] |
||
194 | ? '<text label="' . get_html_resource(RES_CONFIDENTIAL_ID) . '">' |
||
195 | : '<text>') |
||
196 | . update_references($comment['comment_body']) |
||
197 | . '</text>' |
||
198 | . '</group>'; |
||
199 | } |
||
200 | |||
201 | echo(xml2html($xml)); |
||
202 | |||
203 | ?> |
||
204 |
Since your code implements the magic setter
_set
, this function will be called for any write access on an undefined variable. You can add the@property
annotation to your class or interface to document the existence of this variable.Since the property has write access only, you can use the @property-write annotation instead.
Of course, you may also just have mistyped another name, in which case you should fix the error.
See also the PhpDoc documentation for @property.