Issues in curl.php (master) - Issues in master - fwolf/fwlib - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1752)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class/curl.php (1 issue)

Labels

Severity

Informational 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
require_once(dirname(__FILE__) . '/fwolflib.php');
require_once(FWOLFLIB . 'func/array.php');


/**
* A class aimed to use curl function efficiency
*
* Very useful in write a game bot, or an information thief program.
*
* @deprecated   Use Fwlib\Net\Curl
* @package    fwolflib
* @copyright  Copyright © 2007-2012, 2014, Fwolf
* @author     Fwolf <[email protected]>
* @since      2007-03-14
*/
class Curl extends Fwolflib {

	/**
	 * File to save cookie
	 * @var	string
	 * @access	protected
	 */
	protected $mCookiefile = '/dev/null';

	/**
	 * File to save log
	 * Set to empty string to direct echo out(default),
	 * Or set to a file to save in,
	 * Or set to /dev/null to do nothing.
	 * @var	string
	 * @access	public
	 */
	public $mLogfile = '';

	/**
	 * Result read from webserver
	 * @var	string
	 * @access	public
	 */
	public $mRs = '';

	/**
	 * Curl session resource
	 * @var	object
	 * @access	public
	 */
	public $mSh;


	/**
	 * Construct function
	 * @access public
	 */
	function __construct() {
		parent::__construct();

		$this->mSh = curl_init();
		$this->SetoptCommon();
	} // end of func __construct


	/**
	 * Destruct function
	 * @access public
	 */
	function __destruct() {
		curl_close($this->mSh);

		// Write log to file
		if (!empty($this->mLogfile))
			file_put_contents($this->mLogfile, $this->LogGet(), FILE_APPEND);

		parent::__destruct();
	} // end of func __destruct


	/**
	 * Http get content from host
	 *
	 * @param	string	$url	Host address
	 * @param	mixed	$param	Get parameter, can be string or array.
	 * @access	public
	 * @return	string
	 */
	public function Get ($url, $param = '') {
		curl_setopt($this->mSh, CURLOPT_HTTPGET, true);

		// Remove endding '?" of url
		if ('?' == substr($url, -1, 1))
			$url = substr($url, 0, strlen($url - 1));

		// Char used between url & param
		if (false === strpos($url, '?'))
			$s_linker = '?';
		else
			$s_linker = '&';

		// Parse param, join array and fix linker char with url
		if (is_array($param) && 0 < count($param))
		{
			$s = '';
			foreach ($param as $k => $v)
				$s .= "&" . urlencode($k) . '=' . urlencode($v);
			$param = $s;
		}
		if (!empty($param))
			$param{0} = $s_linker;

		//$this->Log($url . $param);
		curl_setopt($this->mSh, CURLOPT_URL, $url . $param);
		$this->mRs = curl_exec($this->mSh);

		if (0 != curl_errno($this->mSh))
			$this->Log(curl_error($this->mSh));

		return $this->mRs;
	} // end of func Get


	/**
	 * Get server return code of last curl_exec
	 * 200-ok, 404-missing file, etc...
	 * @return	int
	 */
	public function GetLastCode()
	{
		$i = curl_getinfo($this->mSh, CURLINFO_HTTP_CODE);
		return intval($i);
	} // end of func GetLastCode


	/**
	 * Get server return content type of last curl_exec
	 * text/html, image/png, etc...
	 * @return	string
	 */
	public function GetLastContentType()
	{
		$s = curl_getinfo($this->mSh, CURLINFO_CONTENT_TYPE);
		return $s;
	} // end of func GetLastContentType


	/**
	 * Match content to variables using preg
	 * To read content currectly, content parsing is nesessary
	 * Return value maybe string or array, use careful and
	 *   remind which value you use it for.
	 * @param	string	$preg
	 * @param	string	$str	If obmitted, use $this->mRs
	 * @return	mixed
	 * @see		$mRs
	 * @access	public
	 */
	public function Match($preg, $str = '')
	{
		if (empty($preg)) return '';
		if (empty($str))
			$str = &$this->mRs;
		$i = preg_match_all($preg, $str, $ar, PREG_SET_ORDER);
		if (0 == $i || false === $i)
			// Got none match or Got error
			$ar = '';
		elseif (1 == $i)
		{
			// Got 1 match, return as string or array(2 value in 1 match)
			$ar = $ar[0];
			array_shift($ar);
			if (1 == count($ar))
				$ar = $ar[0];
		}
		else
		{
			// Got more than 1 match return array contains string or sub-array
			foreach ($ar as &$row)
			{
				array_shift($row);
				if (1 == count($row))
					$row = $row[0];
			}
		}
		return $ar;
	} // end of func Match


	/**
	 * Http post content from host
	 *
	 * @param	string	$url	Host address
	 * @param	mixed	$param	Post parameter, can be string or array.
	 * @return	string
	 */
	public function Post ($url, $param = '') {
		curl_setopt($this->mSh, CURLOPT_POST, true);

		// Parse param, convert array to string
		if (is_array($param)) {
			$s = '';
			foreach ($param as $key=>$val)
				$s .= "$key=$val&";
			$param = $s;
		}

		curl_setopt($this->mSh, CURLOPT_POSTFIELDS, $param);
		curl_setopt($this->mSh, CURLOPT_URL, $url);
		$this->mRs = curl_exec($this->mSh);

		if (0 != curl_errno($this->mSh))
			$this->Log(curl_error($this->mSh), 4);

		return $this->mRs;
	} // end of func Post


	/**
	 * Set some common options using curl_setopt
	 * @access	public
	 */
	public function SetoptCommon () {
		$this->SetoptCookie();
		$this->SetoptUseragent('ff14');

		curl_setopt($this->mSh, CURLOPT_AUTOREFERER, true);
		// If got http error, report.
		curl_setopt($this->mSh, CURLOPT_FAILONERROR, true);

		// CURLOPT_FOLLOWLOCATION cannot set when open_basedir is set.
		// Also safe_mode, which are DEPRECATED in 5.3.0 and REMOVED in 5.4.0.
		if ('' == ini_get('open_basedir'))
			curl_setopt($this->mSh, CURLOPT_FOLLOWLOCATION, true);

		// Return result restead of display it.
		curl_setopt($this->mSh, CURLOPT_RETURNTRANSFER, true);
		curl_setopt($this->mSh, CURLOPT_CONNECTTIMEOUT, 300);
		curl_setopt($this->mSh, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
		curl_setopt($this->mSh, CURLOPT_MAXREDIRS, 10);
		curl_setopt($this->mSh, CURLOPT_TIMEOUT, 300);

		// Accept all supported encoding(identity, deflate, gzip)
		// See CURLOPT_ACCEPT_ENCODING in libcurl
		// Set this to get uncompressed html content
		curl_setopt($this->mSh, CURLOPT_ENCODING, '');

        curl_setopt($this->mSh, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');
	} // end of func SetoptCommon


	/**
	 * Set cookie option
	 *
	 * If filename is not given, use default,
	 * If file is given, use & set it as default.
	 *
	 * @param	string	$cookiefile
	 * @access	public
	 */
	public function SetoptCookie ($cookiefile = '') {
		if (!empty($cookiefile))
			$this->mCookiefile = $cookiefile;
		// /dev/null is useless cookie file, so does empty filename
		if (!empty($this->mCookiefile)
			&& ('/dev/null' != $this->mCookiefile)) {
			curl_setopt($this->mSh, CURLOPT_COOKIEFILE, $this->mCookiefile);
			curl_setopt($this->mSh, CURLOPT_COOKIEJAR, $this->mCookiefile);
		}
	} // end of func SetoptCookie


	/**
	 * Set proxy option
	 * @param	int		$ptype	0-no proxy, 1-http, 2-socks5
	 * @param	string	$phost
	 * @param	int		$pport
	 * @param	string	$pauth	[username]:[password]
	 * @access	public
	 */
	public function SetoptProxy($ptype, $phost, $pport, $pauth = '')
	{
		if (0 == $ptype) {
			// Some server refuse http proxy tunnel, it's useless settings.
			//curl_setopt($this->mSh, CURLOPT_HTTPPROXYTUNNEL, false);
		} else {
			//curl_setopt($this->mSh, CURLOPT_HTTPPROXYTUNNEL, true);
			curl_setopt($this->mSh, CURLOPT_PROXY, $phost);
			if (1 == $ptype)
				curl_setopt($this->mSh, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
			if (2 == $ptype)
				curl_setopt($this->mSh, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
			curl_setopt($this->mSh, CURLOPT_PROXYPORT, $pport);
			if (!empty($pauth))
				curl_setopt($this->mSh, CURLOPT_PROXYUSERPWD, $pauth);
		}
	} // end of func SetoptProxy


	/**
	 * Set http referer url
	 * @param	string	$url
	 */
	public function SetoptReferer($url)
	{
		if (!empty($url))
			curl_setopt($this->mSh, CURLOPT_REFERER, $url);
	} // end of func SetoptReferer


	/**
	 * Enable or disable ssl verify functin
	 * Ssl verify is enabled by curl in default
	 *
	 * @param	boolean	$en		True to enable, false to disable
	 */
	public function SetoptSslverify ($en = true)	{
		if (false === $en) {
		    curl_setopt($this->mSh, CURLOPT_SSL_VERIFYPEER, false);
		    curl_setopt($this->mSh, CURLOPT_SSL_VERIFYHOST, false);
		}
	} // end of func SetoptSslverify


	/**
	 * Set browser agent option
	 * @param	string	$browser
	 * @access	public
	 */
	public function SetoptUseragent ($browser) {
		$b['ff14'] = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14';
foreach ($collection as $item) {
    $myArray['foo'] = $item->getFoo();

    if ($item->hasBar()) {
        $myArray['bar'] = $item->getBar();
    }

    // do something with $myArray
}
		$b['ie6'] = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)';
		$b['googlebot'] = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';

		if (isset($b[$browser]))
			curl_setopt($this->mSh, CURLOPT_USERAGENT, $b[$browser]);
	} // end of func SetoptUseragent


} // end of class Curl
?>


1		<?php
2		require_once(dirname(__FILE__) . '/fwolflib.php');
3		require_once(FWOLFLIB . 'func/array.php');
4
5
6		/**
7		* A class aimed to use curl function efficiency
8		*
9		* Very useful in write a game bot, or an information thief program.
10		*
11		* @deprecated Use Fwlib\Net\Curl
12		* @package fwolflib
13		* @copyright Copyright © 2007-2012, 2014, Fwolf
14		* @author Fwolf <[email protected]>
15		* @since 2007-03-14
16		*/
17		class Curl extends Fwolflib {
18
19		/**
20		* File to save cookie
21		* @var string
22		* @access protected
23		*/
24		protected $mCookiefile = '/dev/null';
25
26		/**
27		* File to save log
28		* Set to empty string to direct echo out(default),
29		* Or set to a file to save in,
30		* Or set to /dev/null to do nothing.
31		* @var string
32		* @access public
33		*/
34		public $mLogfile = '';
35
36		/**
37		* Result read from webserver
38		* @var string
39		* @access public
40		*/
41		public $mRs = '';
42
43		/**
44		* Curl session resource
45		* @var object
46		* @access public
47		*/
48		public $mSh;
49
50
51		/**
52		* Construct function
53		* @access public
54		*/
55		function __construct() {
56		parent::__construct();
57
58		$this->mSh = curl_init();
59		$this->SetoptCommon();
60		} // end of func __construct
61
62
63		/**
64		* Destruct function
65		* @access public
66		*/
67		function __destruct() {
68		curl_close($this->mSh);
69
70		// Write log to file
71		if (!empty($this->mLogfile))
72		file_put_contents($this->mLogfile, $this->LogGet(), FILE_APPEND);
73
74		parent::__destruct();
75		} // end of func __destruct
76
77
78		/**
79		* Http get content from host
80		*
81		* @param string $url Host address
82		* @param mixed $param Get parameter, can be string or array.
83		* @access public
84		* @return string
85		*/
86		public function Get ($url, $param = '') {
87		curl_setopt($this->mSh, CURLOPT_HTTPGET, true);
88
89		// Remove endding '?" of url
90	View Code Duplication	if ('?' == substr($url, -1, 1))
91		$url = substr($url, 0, strlen($url - 1));
92
93		// Char used between url & param
94		if (false === strpos($url, '?'))
95		$s_linker = '?';
96		else
97		$s_linker = '&';
98
99		// Parse param, join array and fix linker char with url
100	View Code Duplication	if (is_array($param) && 0 < count($param))
101		{
102		$s = '';
103		foreach ($param as $k => $v)
104		$s .= "&" . urlencode($k) . '=' . urlencode($v);
105		$param = $s;
106		}
107		if (!empty($param))
108		$param{0} = $s_linker;
109
110		//$this->Log($url . $param);
111		curl_setopt($this->mSh, CURLOPT_URL, $url . $param);
112		$this->mRs = curl_exec($this->mSh);
113
114		if (0 != curl_errno($this->mSh))
115		$this->Log(curl_error($this->mSh));
116
117		return $this->mRs;
118		} // end of func Get
119
120
121		/**
122		* Get server return code of last curl_exec
123		* 200-ok, 404-missing file, etc...
124		* @return int
125		*/
126		public function GetLastCode()
127		{
128		$i = curl_getinfo($this->mSh, CURLINFO_HTTP_CODE);
129		return intval($i);
130		} // end of func GetLastCode
131
132
133		/**
134		* Get server return content type of last curl_exec
135		* text/html, image/png, etc...
136		* @return string
137		*/
138		public function GetLastContentType()
139		{
140		$s = curl_getinfo($this->mSh, CURLINFO_CONTENT_TYPE);
141		return $s;
142		} // end of func GetLastContentType
143
144
145		/**
146		* Match content to variables using preg
147		* To read content currectly, content parsing is nesessary
148		* Return value maybe string or array, use careful and
149		* remind which value you use it for.
150		* @param string $preg
151		* @param string $str If obmitted, use $this->mRs
152		* @return mixed
153		* @see $mRs
154		* @access public
155		*/
156		public function Match($preg, $str = '')
157		{
158		if (empty($preg)) return '';
159		if (empty($str))
160		$str = &$this->mRs;
161		$i = preg_match_all($preg, $str, $ar, PREG_SET_ORDER);
162	View Code Duplication	if (0 == $i \|\| false === $i)
163		// Got none match or Got error
164		$ar = '';
165		elseif (1 == $i)
166		{
167		// Got 1 match, return as string or array(2 value in 1 match)
168		$ar = $ar[0];
169		array_shift($ar);
170		if (1 == count($ar))
171		$ar = $ar[0];
172		}
173		else
174		{
175		// Got more than 1 match return array contains string or sub-array
176		foreach ($ar as &$row)
177		{
178		array_shift($row);
179		if (1 == count($row))
180		$row = $row[0];
181		}
182		}
183		return $ar;
184		} // end of func Match
185
186
187		/**
188		* Http post content from host
189		*
190		* @param string $url Host address
191		* @param mixed $param Post parameter, can be string or array.
192		* @return string
193		*/
194		public function Post ($url, $param = '') {
195		curl_setopt($this->mSh, CURLOPT_POST, true);
196
197		// Parse param, convert array to string
198		if (is_array($param)) {
199		$s = '';
200		foreach ($param as $key=>$val)
201		$s .= "$key=$val&";
202		$param = $s;
203		}
204
205		curl_setopt($this->mSh, CURLOPT_POSTFIELDS, $param);
206		curl_setopt($this->mSh, CURLOPT_URL, $url);
207		$this->mRs = curl_exec($this->mSh);
208
209		if (0 != curl_errno($this->mSh))
210		$this->Log(curl_error($this->mSh), 4);
211
212		return $this->mRs;
213		} // end of func Post
214
215
216		/**
217		* Set some common options using curl_setopt
218		* @access public
219		*/
220		public function SetoptCommon () {
221		$this->SetoptCookie();
222		$this->SetoptUseragent('ff14');
223
224		curl_setopt($this->mSh, CURLOPT_AUTOREFERER, true);
225		// If got http error, report.
226		curl_setopt($this->mSh, CURLOPT_FAILONERROR, true);
227
228		// CURLOPT_FOLLOWLOCATION cannot set when open_basedir is set.
229		// Also safe_mode, which are DEPRECATED in 5.3.0 and REMOVED in 5.4.0.
230		if ('' == ini_get('open_basedir'))
231		curl_setopt($this->mSh, CURLOPT_FOLLOWLOCATION, true);
232
233		// Return result restead of display it.
234		curl_setopt($this->mSh, CURLOPT_RETURNTRANSFER, true);
235		curl_setopt($this->mSh, CURLOPT_CONNECTTIMEOUT, 300);
236		curl_setopt($this->mSh, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
237		curl_setopt($this->mSh, CURLOPT_MAXREDIRS, 10);
238		curl_setopt($this->mSh, CURLOPT_TIMEOUT, 300);
239
240		// Accept all supported encoding(identity, deflate, gzip)
241		// See CURLOPT_ACCEPT_ENCODING in libcurl
242		// Set this to get uncompressed html content
243		curl_setopt($this->mSh, CURLOPT_ENCODING, '');
244
245		curl_setopt($this->mSh, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');
246		} // end of func SetoptCommon
247
248
249		/**
250		* Set cookie option
251		*
252		* If filename is not given, use default,
253		* If file is given, use & set it as default.
254		*
255		* @param string $cookiefile
256		* @access public
257		*/
258		public function SetoptCookie ($cookiefile = '') {
259		if (!empty($cookiefile))
260		$this->mCookiefile = $cookiefile;
261		// /dev/null is useless cookie file, so does empty filename
262		if (!empty($this->mCookiefile)
263		&& ('/dev/null' != $this->mCookiefile)) {
264		curl_setopt($this->mSh, CURLOPT_COOKIEFILE, $this->mCookiefile);
265		curl_setopt($this->mSh, CURLOPT_COOKIEJAR, $this->mCookiefile);
266		}
267		} // end of func SetoptCookie
268
269
270		/**
271		* Set proxy option
272		* @param int $ptype 0-no proxy, 1-http, 2-socks5
273		* @param string $phost
274		* @param int $pport
275		* @param string $pauth [username]:[password]
276		* @access public
277		*/
278		public function SetoptProxy($ptype, $phost, $pport, $pauth = '')
279		{
280		if (0 == $ptype) {
281		// Some server refuse http proxy tunnel, it's useless settings.
282		//curl_setopt($this->mSh, CURLOPT_HTTPPROXYTUNNEL, false);
283		} else {
284		//curl_setopt($this->mSh, CURLOPT_HTTPPROXYTUNNEL, true);
285		curl_setopt($this->mSh, CURLOPT_PROXY, $phost);
286		if (1 == $ptype)
287		curl_setopt($this->mSh, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
288		if (2 == $ptype)
289		curl_setopt($this->mSh, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
290		curl_setopt($this->mSh, CURLOPT_PROXYPORT, $pport);
291		if (!empty($pauth))
292		curl_setopt($this->mSh, CURLOPT_PROXYUSERPWD, $pauth);
293		}
294		} // end of func SetoptProxy
295
296
297		/**
298		* Set http referer url
299		* @param string $url
300		*/
301		public function SetoptReferer($url)
302		{
303		if (!empty($url))
304		curl_setopt($this->mSh, CURLOPT_REFERER, $url);
305		} // end of func SetoptReferer
306
307
308		/**
309		* Enable or disable ssl verify functin
310		* Ssl verify is enabled by curl in default
311		*
312		* @param boolean $en True to enable, false to disable
313		*/
314		public function SetoptSslverify ($en = true) {
315		if (false === $en) {
316		curl_setopt($this->mSh, CURLOPT_SSL_VERIFYPEER, false);
317		curl_setopt($this->mSh, CURLOPT_SSL_VERIFYHOST, false);
318		}
319		} // end of func SetoptSslverify
320
321
322		/**
323		* Set browser agent option
324		* @param string $browser
325		* @access public
326		*/
327		public function SetoptUseragent ($browser) {
328		$b['ff14'] = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14';
		0 ignored issues – show Coding Style Comprehensibility introduced 2016-06-01 06:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$b` was never initialized. Although not strictly required by PHP, it is generally a good practice to add `$b = array();` before regardless. Adding an explicit array definition is generally preferable to implicit array definition as it guarantees a stable state of the code. Let’s take a look at an example: foreach ($collection as $item) { $myArray['foo'] = $item->getFoo(); if ($item->hasBar()) { $myArray['bar'] = $item->getBar(); } // do something with $myArray } As you can see in this example, the array `$myArray` is initialized the first time when the foreach loop is entered. You can also see that the value of the `bar` key is only written conditionally; thus, its value might result from a previous iteration. This might or might not be intended. To make your intention clear, your code more readible and to avoid accidental bugs, we recommend to add an explicit initialization `$myArray = array()` either outside or inside the foreach loop. Loading history...
329		$b['ie6'] = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)';
330		$b['googlebot'] = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
331
332		if (isset($b[$browser]))
333		curl_setopt($this->mSh, CURLOPT_USERAGENT, $b[$browser]);
334		} // end of func SetoptUseragent
335
336
337		} // end of class Curl
338		?>
339

fwolf / fwlib

Issues (1752)

Security Analysis not enabled

class/curl.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like