Issues (85)

Security Analysis    not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Cookie.php (1 issue)

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php
/**
 * @package    Fuel\Common
 * @version    2.0
 * @author     Fuel Development Team
 * @license    MIT License
 * @copyright  2010 - 2015 Fuel Development Team
 * @link       http://fuelphp.com
 */

namespace Fuel\Common;

/**
 * Cookie class, encapsulation of a browser cookie
 *
 * @package Fuel\Common
 *
 * @since 2.0
 */
class SetcookieWrapper
{
	/**
	 * wrapper for the setcookie() function, for testability reasons
	 *
	 * @codeCoverageIgnore
	 */
	public function setcookie($name, $value, $expire = 0, $path = null, $domain = null, $secure = false, $httponly = false)
	{
		return setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
	}
}

/**
 * Cookie class, encapsulation of a browser cookie
 *
 * @package Fuel\Common
 *
 * @since 2.0
 */
class Cookie
{
	/**
	 * @var  string  The name of this cookie
	 */
	protected $name = null;

	/**
	 * @var  string  The value of this cookie
	 */
	protected $value = null;

	/**
	 * @var  array  Cookie class configuration defaults
	 */
	protected $config = array(
		'expiration'  => 0,           // int, Cookie expiration
		'path'        => '/',         // string, Cookie path
		'domain'      => null,        // string, Cookie domain
		'secure'      => false,       // bool, Send only over HTTPS
		'http_only'   => false,       // bool, accessible via HTTP only, not to client-side scripts
	);

	/**
	 * @var  bool  Is this a new cookie, or one that was sent to the server?
	 */
	protected $isNew = true;

	/**
	 * @var  bool  Whether or not we want to delete this cookie
	 */
	protected $isDeleted = false;

	/**
	 * @var  bool  Whether or not this cookie was already sent to the browser
	 */
	protected $isSent = false;

	/**
	 * @var  CookieWrapper  wrapper around the setcookie() function for testability
	 */
	protected $wrapper;

	/**
	 * Create a new cookie object, optionally load an existing cookie value
	 *
	 * @param  string            $name     Name of this cookie
	 * @param  array             $config   Configuration for this cookie
	 * @param  string            $value    Initial value to be set for this cookie
	 * @param  SetcookieWrapper  $wrapper  So we can inject a custom wrapper for unit testing
	 */
	public function __construct($name, Array $config = array(), $value = null, $wrapper = null)
	{
		// store the name and value passed
		$this->name = $name;
		$this->value = $value;

		// merge the config
		$this->config = array_merge($this->config, $config);

		// and if set flag this object as used
		$this->isNew = ($value === null);

		// create a wrapper instance if none was passed
		if (empty($wrapper))
		{
			$this->wrapper = new SetcookieWrapper();

Documentation Bug
It seems like new \Fuel\Common\SetcookieWrapper() of type object<Fuel\Common\SetcookieWrapper> is incompatible with the declared type object<Fuel\Common\CookieWrapper> of property $wrapper.

Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property.

Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.

		}
		else
		{
			$this->wrapper = $wrapper;
		}
	}

	/**
	 * Magic getter/setter methods
	 *
	 * @throws  InvalidArgumentException  if a setter is called without a value
	 */
	public function __call($method, $arguments)
	{
		if (substr($method, 0,3) === 'get')
		{
			if (isset($this->config[$var = strtolower(substr($method, 3))]))
			{
				return $this->config[$var];
			}
			elseif ($var == 'name')
			{
				return $this->name;
			}
			elseif ($var == 'value')
			{
				return $this->value;
			}
		}
		elseif (substr($method, 0,3) === 'set')
		{
			if (empty($arguments))
			{
				throw new \InvalidArgumentException($method.' is missing required parameter $value');
			}

			if (isset($this->config[$var = strtolower(substr($method, 3))]))
			{
				$this->config[$var] = $arguments[0];
			}
			elseif ($var == 'value')
			{
				if ($this->isSent)
				{
					throw new \RuntimeException('Cookie "'.$this->name.'" has already been send to the browser, no point updating it');
				}

				$this->value = (string) $arguments[0];

				// reset to new state
				$this->isNew = true;
				$this->isDeleted = false;
				$this->isSent = false;
			}
		}

		return null;
	}

	/**
	 * Delete this Cookie
	 *
	 * @return  bool
	 */
	public function delete()
	{
		$this->isDeleted = true;
		return $this->isDeleted;
	}

	/**
	 * Send this cookie to the client
	 *
	 * @return  bool
	 *
	 * @since   2.0.0
	 */
	public function send()
	{
		$result = true;

		if ($this->isNew)
		{
			// mark this cookie as used
			$this->isNew = false;

			// set the cookie
			$result = $this->wrapper->setcookie($this->name, $this->value, $this->config['expiration'], $this->config['path'], $this->config['domain'], $this->config['secure'], $this->config['http_only']);

			// mark the cookie as sent
			if ($result)
			{
				$this->isSent = true;
			}
		}
		elseif ($this->isDeleted)
		{
			// delete the cookie by nullifying and expiring it
			$result = $this->wrapper->setcookie($this->name, null, -86400, $this->config['path'], $this->config['domain'], $this->config['secure'], $this->config['http_only']);

			// mark the cookie as sent
			if ($result)
			{
				$this->isSent = true;
			}
		}

		return $result;
	}

	/**
	 * Return the state of this Cookie object
	 */
	public function isNew()
	{
		return $this->isNew;
	}

	/**
	 * Return the state of this Cookie object
	 */
	public function isSent()
	{
		return $this->isSent;
	}

	/**
	 * Return the state of this Cookie object
	 */
	public function isDeleted()
	{
		return $this->isDeleted;
	}

}