Issues in friends.php (master) - Issues in master - gctools-outilsgc/gcconnex - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2473)

Security Analysis no vulnerabilities found

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

engine/lib/friends.php (1 issue)

Labels

Unused Code 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Elgg friends library.
 * Provides the UI for friends. Includes access collections since they are based
 * on friends relationships.
 *
 * @package Elgg.Core
 * @subpackage Friends
 */

/**
 * Init friends library
 *
 * @access private
 */
function _elgg_friends_init() {
	elgg_register_action('friends/add');
	elgg_register_action('friends/remove');

	elgg_register_action('friends/collections/add');
	elgg_register_action('friends/collections/delete');
	elgg_register_action('friends/collections/edit');

	elgg_register_page_handler('friends', '_elgg_friends_page_handler');
	elgg_register_page_handler('friendsof', '_elgg_friends_page_handler');
	elgg_register_page_handler('collections', '_elgg_collections_page_handler');

	elgg_register_widget_type('friends', elgg_echo('friends'), elgg_echo('friends:widget:description'));

	elgg_register_event_handler('pagesetup', 'system', '_elgg_friends_page_setup');
	elgg_register_event_handler('pagesetup', 'system', '_elgg_setup_collections_menu');
	elgg_register_plugin_hook_handler('register', 'menu:user_hover', '_elgg_friends_setup_user_hover_menu');
	elgg_register_event_handler('create', 'friend', '_elgg_send_friend_notification');
}

/**
 * Register some menu items for friends UI
 * @access private
 */
function _elgg_friends_page_setup() {
	$owner = elgg_get_page_owner_entity();
	$viewer = elgg_get_logged_in_user_entity();

	if ($owner) {
		$params = array(
			'name' => 'friends',
			'text' => elgg_echo('friends'),
			'href' => 'friends/' . $owner->username,
			'contexts' => array('friends')
		);
		elgg_register_menu_item('page', $params);

		$params = array(
			'name' => 'friends:of',
			'text' => elgg_echo('friends:of'),
			'href' => 'friendsof/' . $owner->username,
			'contexts' => array('friends')
		);
		elgg_register_menu_item('page', $params);
	}

	// topbar
	if ($viewer) {
		elgg_register_menu_item('topbar', array(
			'name' => 'friends',
			'href' => "friends/{$viewer->username}",
			'text' => elgg_view_icon('users'),
			'title' => elgg_echo('friends'),
			'priority' => 300,
		));
	}
}

/**
 * Adds friending to user hover menu
 *
 * @access private
 */
function _elgg_friends_setup_user_hover_menu($hook, $type, $return, $params) {
	$user = $params['entity'];
	/* @var \ElggUser $user */

	if (elgg_is_logged_in()) {
		if (elgg_get_logged_in_user_guid() != $user->guid) {
			$isFriend = $user->isFriend();

			// Always emit both to make it super easy to toggle with ajax
			$return[] = \ElggMenuItem::factory(array(
				'name' => 'remove_friend',
				'href' => elgg_add_action_tokens_to_url("action/friends/remove?friend={$user->guid}"),
				'text' => elgg_echo('friend:remove'),
				'section' => 'action',
				'item_class' => $isFriend ? '' : 'hidden',
			));

			$return[] = \ElggMenuItem::factory(array(
				'name' => 'add_friend',
				'href' => elgg_add_action_tokens_to_url("action/friends/add?friend={$user->guid}"),
				'text' => elgg_echo('friend:add'),
				'section' => 'action',
				'item_class' => $isFriend ? 'hidden' : '',
			));
		}
	}

	return $return;
}

/**
 * Page handler for friends-related pages
 *
 * @param array  $segments URL segments
 * @param string $handler  The first segment in URL used for routing
 *
 * @return bool
 * @access private
 */
function _elgg_friends_page_handler($segments, $handler) {
	elgg_set_context('friends');

	if (isset($segments[0]) && $user = get_user_by_username($segments[0])) {
		elgg_set_page_owner_guid($user->getGUID());
	}

	if (!elgg_get_page_owner_guid()) {
		return false;
	}

	switch ($handler) {
		case 'friends':
			require_once(dirname(dirname(dirname(__FILE__))) . "/pages/friends/index.php");
			break;
		case 'friendsof':
			require_once(dirname(dirname(dirname(__FILE__))) . "/pages/friends/of.php");
			break;
		default:
			return false;
	}
	return true;
}

/**
 * Page handler for friends collections
 *
 * @param array $page_elements Page elements
 *
 * @return bool
 * @access private
 */
function _elgg_collections_page_handler($page_elements) {
	elgg_set_context('friends');
	$base = elgg_get_config('path');
	if (isset($page_elements[0])) {
		switch ($page_elements[0]) {
			case 'add':
				elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
				
				require_once "{$base}pages/friends/collections/add.php";
				return true;
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}
			case 'owner':
				$user = get_user_by_username($page_elements[1]);
				if ($user) {
					elgg_set_page_owner_guid($user->getGUID());
					
					require_once "{$base}pages/friends/collections/view.php";
					return true;
				}
				break;
		}
	}
	return false;
}

/**
 * Adds collection sidebar menu items
 *
 * @return void
 * @access private
 */
function _elgg_setup_collections_menu() {
	
	if (elgg_is_logged_in() && elgg_get_logged_in_user_guid() == elgg_get_page_owner_guid()) {
		$user = elgg_get_page_owner_entity();
		
		elgg_register_menu_item('page', array(
			'name' => 'friends:view:collections',
			'text' => elgg_echo('friends:collections'),
			'href' => "collections/owner/$user->username",
			'contexts' => array('friends')
		));
	}
}

/**
 * Notify user that someone has friended them
 *
 * @param string           $event  Event name
 * @param string           $type   Object type
 * @param \ElggRelationship $object Object
 *
 * @return bool
 * @access private
 */
function _elgg_send_friend_notification($event, $type, $object) {
	$user_one = get_entity($object->guid_one);
	/* @var \ElggUser $user_one */

	$user_two = get_entity($object->guid_two);
	/* @var ElggUser $user_two */

	// Notification subject
	$subject = elgg_echo('friend:newfriend:subject', array(
		$user_one->name
	), $user_two->language);

	// Notification body
	$body = elgg_echo("friend:newfriend:body", array(
		$user_one->name,
		$user_one->getURL()
	), $user_two->language);

	// Notification params
	$params = [
		'action' => 'add_friend',
		'object' => $user_one,
	];
	
	return notify_user($user_two->guid, $object->guid_one, $subject, $body, $params);
}

return function(\Elgg\EventsService $events, \Elgg\HooksRegistrationService $hooks) {
	$events->registerHandler('init', 'system', '_elgg_friends_init');
};


1		<?php
2		/**
3		* Elgg friends library.
4		* Provides the UI for friends. Includes access collections since they are based
5		* on friends relationships.
6		*
7		* @package Elgg.Core
8		* @subpackage Friends
9		*/
10
11		/**
12		* Init friends library
13		*
14		* @access private
15		*/
16		function _elgg_friends_init() {
17		elgg_register_action('friends/add');
18		elgg_register_action('friends/remove');
19
20		elgg_register_action('friends/collections/add');
21		elgg_register_action('friends/collections/delete');
22		elgg_register_action('friends/collections/edit');
23
24		elgg_register_page_handler('friends', '_elgg_friends_page_handler');
25		elgg_register_page_handler('friendsof', '_elgg_friends_page_handler');
26		elgg_register_page_handler('collections', '_elgg_collections_page_handler');
27
28		elgg_register_widget_type('friends', elgg_echo('friends'), elgg_echo('friends:widget:description'));
29
30		elgg_register_event_handler('pagesetup', 'system', '_elgg_friends_page_setup');
31		elgg_register_event_handler('pagesetup', 'system', '_elgg_setup_collections_menu');
32		elgg_register_plugin_hook_handler('register', 'menu:user_hover', '_elgg_friends_setup_user_hover_menu');
33		elgg_register_event_handler('create', 'friend', '_elgg_send_friend_notification');
34		}
35
36		/**
37		* Register some menu items for friends UI
38		* @access private
39		*/
40		function _elgg_friends_page_setup() {
41		$owner = elgg_get_page_owner_entity();
42		$viewer = elgg_get_logged_in_user_entity();
43
44		if ($owner) {
45		$params = array(
46		'name' => 'friends',
47		'text' => elgg_echo('friends'),
48		'href' => 'friends/' . $owner->username,
49		'contexts' => array('friends')
50		);
51		elgg_register_menu_item('page', $params);
52
53		$params = array(
54		'name' => 'friends:of',
55		'text' => elgg_echo('friends:of'),
56		'href' => 'friendsof/' . $owner->username,
57		'contexts' => array('friends')
58		);
59		elgg_register_menu_item('page', $params);
60		}
61
62		// topbar
63		if ($viewer) {
64		elgg_register_menu_item('topbar', array(
65		'name' => 'friends',
66		'href' => "friends/{$viewer->username}",
67		'text' => elgg_view_icon('users'),
68		'title' => elgg_echo('friends'),
69		'priority' => 300,
70		));
71		}
72		}
73
74		/**
75		* Adds friending to user hover menu
76		*
77		* @access private
78		*/
79		function _elgg_friends_setup_user_hover_menu($hook, $type, $return, $params) {
80		$user = $params['entity'];
81		/* @var \ElggUser $user */
82
83	View Code Duplication	if (elgg_is_logged_in()) {
84		if (elgg_get_logged_in_user_guid() != $user->guid) {
85		$isFriend = $user->isFriend();
86
87		// Always emit both to make it super easy to toggle with ajax
88		$return[] = \ElggMenuItem::factory(array(
89		'name' => 'remove_friend',
90		'href' => elgg_add_action_tokens_to_url("action/friends/remove?friend={$user->guid}"),
91		'text' => elgg_echo('friend:remove'),
92		'section' => 'action',
93		'item_class' => $isFriend ? '' : 'hidden',
94		));
95
96		$return[] = \ElggMenuItem::factory(array(
97		'name' => 'add_friend',
98		'href' => elgg_add_action_tokens_to_url("action/friends/add?friend={$user->guid}"),
99		'text' => elgg_echo('friend:add'),
100		'section' => 'action',
101		'item_class' => $isFriend ? 'hidden' : '',
102		));
103		}
104		}
105
106		return $return;
107		}
108
109		/**
110		* Page handler for friends-related pages
111		*
112		* @param array $segments URL segments
113		* @param string $handler The first segment in URL used for routing
114		*
115		* @return bool
116		* @access private
117		*/
118		function _elgg_friends_page_handler($segments, $handler) {
119		elgg_set_context('friends');
120
121	View Code Duplication	if (isset($segments[0]) && $user = get_user_by_username($segments[0])) {
122		elgg_set_page_owner_guid($user->getGUID());
123		}
124
125		if (!elgg_get_page_owner_guid()) {
126		return false;
127		}
128
129		switch ($handler) {
130		case 'friends':
131		require_once(dirname(dirname(dirname(__FILE__))) . "/pages/friends/index.php");
132		break;
133		case 'friendsof':
134		require_once(dirname(dirname(dirname(__FILE__))) . "/pages/friends/of.php");
135		break;
136		default:
137		return false;
138		}
139		return true;
140		}
141
142		/**
143		* Page handler for friends collections
144		*
145		* @param array $page_elements Page elements
146		*
147		* @return bool
148		* @access private
149		*/
150		function _elgg_collections_page_handler($page_elements) {
151		elgg_set_context('friends');
152		$base = elgg_get_config('path');
153		if (isset($page_elements[0])) {
154		switch ($page_elements[0]) {
155		case 'add':
156		elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
157
158		require_once "{$base}pages/friends/collections/add.php";
159		return true;
160		break;
		0 ignored issues – show Unused Code introduced 2017-09-27 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this `break` is not strictly necessary here and could be removed. The `break` statement is not necessary if it is preceded for example by a `return` statement: switch ($x) { case 1: return 'foo'; break; // This break is not necessary and can be left off. } If you would like to keep this construct to be consistent with other `case` statements, you can safely mark this issue as a false-positive. Loading history...
161		case 'owner':
162		$user = get_user_by_username($page_elements[1]);
163		if ($user) {
164		elgg_set_page_owner_guid($user->getGUID());
165
166		require_once "{$base}pages/friends/collections/view.php";
167		return true;
168		}
169		break;
170		}
171		}
172		return false;
173		}
174
175		/**
176		* Adds collection sidebar menu items
177		*
178		* @return void
179		* @access private
180		*/
181		function _elgg_setup_collections_menu() {
182
183		if (elgg_is_logged_in() && elgg_get_logged_in_user_guid() == elgg_get_page_owner_guid()) {
184		$user = elgg_get_page_owner_entity();
185
186		elgg_register_menu_item('page', array(
187		'name' => 'friends:view:collections',
188		'text' => elgg_echo('friends:collections'),
189		'href' => "collections/owner/$user->username",
190		'contexts' => array('friends')
191		));
192		}
193		}
194
195		/**
196		* Notify user that someone has friended them
197		*
198		* @param string $event Event name
199		* @param string $type Object type
200		* @param \ElggRelationship $object Object
201		*
202		* @return bool
203		* @access private
204		*/
205		function _elgg_send_friend_notification($event, $type, $object) {
206		$user_one = get_entity($object->guid_one);
207		/* @var \ElggUser $user_one */
208
209		$user_two = get_entity($object->guid_two);
210		/* @var ElggUser $user_two */
211
212		// Notification subject
213		$subject = elgg_echo('friend:newfriend:subject', array(
214		$user_one->name
215		), $user_two->language);
216
217		// Notification body
218		$body = elgg_echo("friend:newfriend:body", array(
219		$user_one->name,
220		$user_one->getURL()
221		), $user_two->language);
222
223		// Notification params
224		$params = [
225		'action' => 'add_friend',
226		'object' => $user_one,
227		];
228
229		return notify_user($user_two->guid, $object->guid_one, $subject, $body, $params);
230		}
231
232		return function(\Elgg\EventsService $events, \Elgg\HooksRegistrationService $hooks) {
233		$events->registerHandler('init', 'system', '_elgg_friends_init');
234		};
235

gctools-outilsgc / gcconnex

Issues (2473)

Security Analysis no vulnerabilities found

engine/lib/friends.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like