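<?php

//------------------------------------------------------------------------------
//
//  eTraxis - Records tracking web-based system
//  Copyright (C) 2006-2011  Artem Rodygin
//
//  This program is free software: you can redistribute it and/or modify
//  it under the terms of the GNU General Public License as published by
//  the Free Software Foundation, either version 3 of the License, or
//  (at your option) any later version.
//
//  This program is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//  GNU General Public License for more details.
//
//  You should have received a copy of the GNU General Public License
//  along with this program.  If not, see <http://www.gnu.org/licenses/>.
//
//------------------------------------------------------------------------------

/**
 * Exports the current records list (filtered by the session's search mode and
 * search text) as a CSV file download ("etraxis.csv"), one line per record,
 * using the delimiter, line endings and encoding stored in the session.
 *
 * @package eTraxis
 * @ignore
 */

/**#@+
 * Dependency.
 */
require_once('../engine/engine.php');
require_once('../dbo/records.php');
require_once('../dbo/views.php');
/**#@-*/

// Indexed by column type; the value is handed to get_html_resource() to obtain
// the column title for the CSV header line. Only read here, never modified.
// (The unused "$column_type_align" declaration was dropped: nothing in this
// file reads it.)
global $column_type_res;

// Guests are allowed to reach this export; any restriction on which records
// they may see is expected to be applied inside records_list() — confirm
// against dbo/records.php before relying on that.
init_page(LOAD_CONTAINER, GUEST_IS_ALLOWED);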
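
// get list of records

$columns = columns_list();

// $sort and $page are passed through (presumably by reference) so that the
// default ordering and the full, un-paged list are used for the export.
$sort = $page = NULL;
$list = records_list($columns, $sort, $page, $_SESSION[VAR_SEARCH_MODE], $_SESSION[VAR_SEARCH_TEXT]);

// generate HTTP headers

header('Pragma: private');
header('Cache-Control: private, must-revalidate');
// NOTE(review): the body is emitted in $_SESSION[VAR_ENCODING] (see the iconv()
// call below), but no charset is declared in the Content-Type. Consumers that
// honour the HTTP charset will fall back to a default; consider appending
// "; charset=<encoding>" once the allowed encoding names are confirmed.
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="etraxis.csv"');

// generate header of the list

$data = array();

foreach ($columns as $column)
{
    // Column types inside [COLUMN_TYPE_MINIMUM, COLUMN_TYPE_MAXIMUM] take their
    // title from the resource table; any other type (presumably a custom field)
    // is titled with its field name.
    if ($column['column_type'] >= COLUMN_TYPE_MINIMUM &&
        $column['column_type'] <= COLUMN_TYPE_MAXIMUM)
    {
        $title = get_html_resource($column_type_res[$column['column_type']]);
    }
    else
    {
        $title = $column['field_name'];
    }

    $data[] = ustr2csv($title);
}

$csv = implode($_SESSION[VAR_DELIMITER], $data) . $_SESSION[VAR_LINE_ENDINGS];

// Strict comparison: the encoding name is a string, so no type juggling is wanted.
if ($_SESSION[VAR_ENCODING] !== 'UTF-8')
{
    // NOTE(review): iconv() returns FALSE (plus a notice) when a character
    // cannot be represented in the target encoding; echoing FALSE would then
    // silently drop the whole header line. Confirm that is acceptable, or check
    // the result and fall back (e.g. a "//TRANSLIT" target) explicitly.
    $csv = iconv('UTF-8', $_SESSION[VAR_ENCODING], $csv);
}

echo $csv;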
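// generate list of records

/**
 * Formats one cell of the exported list for the given column of a record.
 *
 * Text-like values are passed through ustr2csv(); numeric custom fields and
 * the pre-formatted "last event" / "age" values are returned verbatim; an
 * unset custom field value yields NULL, which implode() renders as an empty
 * cell. Unknown column types are logged and also yield NULL.
 *
 * NOTE(review): ustr2csv() is relied on here for CSV quoting/escaping. Whether
 * it also neutralises values beginning with '=', '+', '-' or '@' (which
 * spreadsheet applications may evaluate as formulas) is not visible in this
 * file — confirm, since subject and string field values are user-entered.
 *
 * @param array $row    A record row as returned by the records_list() iterator.
 * @param array $column A column descriptor from columns_list().
 *
 * @return string|null The cell value, or NULL for an empty or unknown cell.
 */
function etraxis_export_csv_cell($row, $column)
{
    switch ($column['column_type'])
    {
        case COLUMN_TYPE_ID:
            return ustr2csv(record_id($row['record_id'], $row['template_prefix']));

        case COLUMN_TYPE_STATE_ABBR:
            return ustr2csv($row['state_abbr']);

        case COLUMN_TYPE_PROJECT:
            return ustr2csv($row['project_name']);

        case COLUMN_TYPE_SUBJECT:
            return ustr2csv($row['subject']);

        case COLUMN_TYPE_AUTHOR:
            return ustr2csv($row['author_fullname']);

        case COLUMN_TYPE_RESPONSIBLE:
            return ustr2csv($row['responsible_fullname']);

        case COLUMN_TYPE_LAST_EVENT:
            // Emitted as returned, without ustr2csv(), unlike the other text cells.
            return get_record_last_event($row);

        case COLUMN_TYPE_AGE:
            return get_record_age($row);

        case COLUMN_TYPE_CREATION_DATE:
            return ustr2csv(get_date($row['creation_time']));

        case COLUMN_TYPE_TEMPLATE:
            return ustr2csv($row['template_name']);

        case COLUMN_TYPE_STATE_NAME:
            return ustr2csv($row['state_name']);

        case COLUMN_TYPE_LAST_STATE:
            return ustr2csv(get_record_last_state($row));

        // Custom field values are stored in the row under 'value<column_id>'.
        case COLUMN_TYPE_NUMBER:
        case COLUMN_TYPE_FLOAT:
        case COLUMN_TYPE_LIST_NUMBER:
            return $row['value' . $column['column_id']];

        case COLUMN_TYPE_STRING:
        case COLUMN_TYPE_MULTILINED:
        case COLUMN_TYPE_LIST_STRING:
            return ustr2csv($row['value' . $column['column_id']]);

        // The remaining field types share one rule: an unset value is an empty
        // cell, otherwise the value is converted to text before quoting.
        case COLUMN_TYPE_CHECKBOX:
            $value = $row['value' . $column['column_id']];
            return is_null($value) ? NULL : ustr2csv(bool2sql($value));

        case COLUMN_TYPE_RECORD:
            $value = $row['value' . $column['column_id']];
            return is_null($value) ? NULL : ustr2csv(record_id($value));

        case COLUMN_TYPE_DATE:
            $value = $row['value' . $column['column_id']];
            return is_null($value) ? NULL : ustr2csv(get_date($value));

        case COLUMN_TYPE_DURATION:
            $value = $row['value' . $column['column_id']];
            return is_null($value) ? NULL : ustr2csv(time2ustr($value));

        default:
            debug_write_log(DEBUG_WARNING, 'Unknown column type.');
            return NULL;
    }
}

while (($row = $list->fetch()))
{
    $data = array();

    foreach ($columns as $column)
    {
        $data[] = etraxis_export_csv_cell($row, $column);
    }

    $csv = implode($_SESSION[VAR_DELIMITER], $data) . $_SESSION[VAR_LINE_ENDINGS];

    // Strict comparison: the encoding name is a string, so no type juggling is wanted.
    if ($_SESSION[VAR_ENCODING] !== 'UTF-8')
    {
        // NOTE(review): iconv() returns FALSE (plus a notice) on an
        // unrepresentable character, which would silently drop this whole
        // record line from the export. Confirm that is acceptable or handle it.
        $csv = iconv('UTF-8', $_SESSION[VAR_ENCODING], $csv);
    }

    echo $csv;
}

// No closing "?>" tag: anything after it (even a stray newline) would be sent
// as part of the CSV body.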