Issues (2473)

Branch: master

Security Analysis    no vulnerabilities found

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

engine/lib/pageowner.php (1 issue)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
/**
3
 * Elgg page owner library
4
 * Contains functions for managing page ownership and context
5
 *
6
 * @package Elgg.Core
7
 * @subpackage PageOwner
8
 */
9
10
/**
11
 * Gets the guid of the entity that owns the current page.
12
 *
13
 * @param int $guid Optional parameter used by elgg_set_page_owner_guid().
14
 *
15
 * @return int The current page owner guid (0 if none).
16
 * @since 1.8.0
17
 */
18
function elgg_get_page_owner_guid($guid = 0) {
19 1
	static $page_owner_guid;
20
21 1
	if ($guid === false || $guid === null) {
22 1
		$page_owner_guid = 0;
23 1
		return $page_owner_guid;
24
	}
25
	
26 1
	if ($guid) {
27 1
		$page_owner_guid = (int)$guid;
28 1
	}
29
30 1
	if (isset($page_owner_guid)) {
31 1
		return $page_owner_guid;
32
	}
33
34
	// return guid of page owner entity
35
	$guid = (int)elgg_trigger_plugin_hook('page_owner', 'system', null, 0);
36
37
	if ($guid) {
38
		$page_owner_guid = $guid;
39
	}
40
41
	return $guid;
42
}
43
44
/**
45
 * Gets the owner entity for the current page.
46
 *
47
 * @return \ElggEntity|false The current page owner or false if none.
48
 *
49
 * @since 1.8.0
50
 */
51
function elgg_get_page_owner_entity() {
52
	$guid = elgg_get_page_owner_guid();
53
	if (!$guid) {
54
		return false;
55
	}
56
57
	return get_entity($guid);
58
}
59
60
/**
61
 * Set the guid of the entity that owns this page
62
 *
63
 * @param int $guid The guid of the page owner
64
 * @return void
65
 * @since 1.8.0
66
 */
67
function elgg_set_page_owner_guid($guid) {
68 1
	elgg_get_page_owner_guid($guid);
69 1
}
70
71
/**
72
 * Sets the page owner based on request
73
 *
74
 * Tries to figure out the page owner by looking at the URL or a request
75
 * parameter. The request parameters used are 'username' and 'owner_guid'.
76
 * Otherwise, this function attempts to figure out the owner if the url
77
 * fits the patterns of:
78
 *   <identifier>/owner/<username>
79
 *   <identifier>/friends/<username>
80
 *   <identifier>/view/<entity guid>
81
 *   <identifier>/add/<container guid>
82
 *   <identifier>/edit/<entity guid>
83
 *   <identifier>/group/<group guid>
84
 *
85
 * @note Access is disabled while finding the page owner for the group gatekeeper functions.
86
 *
87
 *
88
 * @param string $hook        'page_owner'
89
 * @param string $entity_type 'system'
90
 * @param int    $returnvalue Previous function's return value
91
 * @param array  $params      no parameters
92
 *
93
 * @return int GUID
94
 * @access private
95
 */
96
function default_page_owner_handler($hook, $entity_type, $returnvalue, $params) {
97
98
	if ($returnvalue) {
99
		return $returnvalue;
100
	}
101
102
	$ia = elgg_set_ignore_access(true);
103
104
	$username = get_input("username");
105
	if ($username) {
106
		// @todo using a username of group:<guid> is deprecated
107
		if (substr_count($username, 'group:')) {
108
			preg_match('/group\:([0-9]+)/i', $username, $matches);
109
			$guid = $matches[1];
110
			if ($entity = get_entity($guid)) {
111
				elgg_set_ignore_access($ia);
112
				return $entity->getGUID();
113
			}
114
		}
115
116
		if ($user = get_user_by_username($username)) {
117
			elgg_set_ignore_access($ia);
118
			return $user->getGUID();
119
		}
120
	}
121
122
	$owner = get_input("owner_guid");
123
	if ($owner) {
124
		if ($user = get_entity($owner)) {
125
			elgg_set_ignore_access($ia);
126
			return $user->getGUID();
127
		}
128
	}
129
130
	// ignore root and query
131
	$uri = current_page_url();
132
	$path = str_replace(elgg_get_site_url(), '', $uri);
133
	$path = trim($path, "/");
134
	if (strpos($path, "?")) {
135
		$path = substr($path, 0, strpos($path, "?"));
136
	}
137
138
	// @todo feels hacky
139
	$segments = explode('/', $path);
140
	if (isset($segments[1]) && isset($segments[2])) {
141
		switch ($segments[1]) {
142
			case 'owner':
143
			case 'friends':
144
				$user = get_user_by_username($segments[2]);
145
				if ($user) {
146
					elgg_set_ignore_access($ia);
147
					return $user->getGUID();
148
				}
149
				break;
150
			case 'view':
151
			case 'edit':
152
				$entity = get_entity($segments[2]);
153
				if ($entity) {
154
					elgg_set_ignore_access($ia);
155
					return $entity->getContainerGUID();
156
				}
157
				break;
158
			case 'add':
159
			case 'group':
160
				$entity = get_entity($segments[2]);
161
				if ($entity) {
162
					elgg_set_ignore_access($ia);
163
					return $entity->getGUID();
164
				}
165
				break;
166
		}
167
	}
168
169
	elgg_set_ignore_access($ia);
170
}
171
172
/**
173
 * Sets the page context
174
 *
175
 * Views can modify their output based on the local context. You may want to
176
 * display a list of blogs on a blog page or in a small widget. The rendered
177
 * output could be different for those two contexts ('blog' vs 'widget').
178
 *
179
 * Pages that pass through the page handling system set the context to the
180
 * first string after the root url. Example: http://example.org/elgg/bookmarks/ 
181
 * results in the initial context being set to 'bookmarks'.
182
 *
183
 * The context is a stack so that for a widget on a profile, the context stack
184
 * may contain first 'profile' and then 'widget'.
185
 *
186
 * If no context was been set, the default context returned is 'main'.
187
 *
188
 * @warning The context is not available until the page_handler runs (after
189
 * the 'init, system' event processing has completed).
190
 *
191
 * @param string $context The context of the page
192
 * @return bool
193
 * @since 1.8.0
194
 */
195
function elgg_set_context($context) {
196 1
	return _elgg_services()->context->set($context);
197
}
198
199
/**
200
 * Get the current context.
201
 *
202
 * Since context is a stack, this is equivalent to a peek.
203
 *
204
 * @return string|null
205
 * @since 1.8.0
206
 */
207
function elgg_get_context() {
208 2
	return _elgg_services()->context->peek();
209
}
210
211
/**
212
 * Push a context onto the top of the stack
213
 *
214
 * @param string $context The context string to add to the context stack
215
 * @return void
216
 * @since 1.8.0
217
 */
218
function elgg_push_context($context) {
219 14
	_elgg_services()->context->push($context);
220 14
}
221
222
/**
223
 * Removes and returns the top context string from the stack
224
 *
225
 * @return string|null
226
 * @since 1.8.0
227
 */
228
function elgg_pop_context() {
229 15
	return _elgg_services()->context->pop();
230
}
231
232
/**
233
 * Check if this context exists anywhere in the stack
234
 *
235
 * This is useful for situations with more than one element in the stack. For
236
 * example, a widget has a context of 'widget'. If a widget view needs to render
237
 * itself differently based on being on the dashboard or profile pages, it
238
 * can check the stack.
239
 *
240
 * @param string $context The context string to check for
241
 * @return bool
242
 * @since 1.8.0
243
 */
244
function elgg_in_context($context) {
245 3
	return _elgg_services()->context->contains($context);
246
}
247
248
/**
249
 * Get the entire context stack (e.g. for backing it up)
250
 *
251
 * @return string[]
252
 * @since 1.11
253
 */
254
function elgg_get_context_stack() {
255
	return _elgg_services()->context->toArray();
256
}
257
258
/**
259
 * Set the entire context stack
260
 *
261
 * @param string[] $stack All contexts to be placed on the stack
262
 * @return void
263
 * @since 1.11
264
 */
265
function elgg_set_context_stack(array $stack) {
266
	_elgg_services()->context->fromArray($stack);
267
}
268
269
/**
270
 * Initializes the page owner functions
271
 *
272
 * @note This is on the 'boot, system' event so that the context is set up quickly.
273
 *
274
 * @return void
275
 * @access private
276
 */
277
function page_owner_boot() {
278
	
279
	elgg_register_plugin_hook_handler('page_owner', 'system', 'default_page_owner_handler');
280
281
	// Bootstrap the context stack by setting its first entry to the handler.
282
	// This is the first segment of the URL and the handler is set by the rewrite rules.
283
	// @todo this does not work for actions
284
285
	$request = _elgg_services()->request;
286
287
	// don't do this for *_handler.php, etc.
288
	if (basename($request->server->get('SCRIPT_FILENAME')) === 'index.php') {
289
		$context = $request->getFirstUrlSegment();
290
		if (!$context) {
0 ignored issues
show
Bug Best Practice introduced by
The expression $context of type string|null is loosely compared to false; this is ambiguous if the string can be empty. You might want to explicitly use === null instead.

In PHP, under loose comparison (like ==, or !=, or switch conditions), values of different types might be equal.

For string values, the empty string '' is a special case, in particular the following results might be unexpected:

''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
Loading history...
291
			$context = 'main';
292
		}
293
294
		elgg_set_context($context);
295
	}
296
}
297
298
return function(\Elgg\EventsService $events, \Elgg\HooksRegistrationService $hooks) {
299
	$events->registerHandler('boot', 'system', 'page_owner_boot');
300
};
301