Issues in start.php (master) - Issues in master - gctools-outilsgc/gcconnex - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2473)

Security Analysis no vulnerabilities found

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

mod/uservalidationbyemail/start.php (1 issue)

Labels

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Email user validation plugin.
 * Non-admin accounts are invalid until their email address is confirmed.
 *
 * @package Elgg.Core.Plugin
 * @subpackage UserValidationByEmail
 */

elgg_register_event_handler('init', 'system', 'uservalidationbyemail_init');

function uservalidationbyemail_init() {

	require_once dirname(__FILE__) . '/lib/functions.php';

	// Register page handler to validate users
	// This doesn't need to be an action because security is handled by the validation codes.
	elgg_register_page_handler('uservalidationbyemail', 'uservalidationbyemail_page_handler');

	// mark users as unvalidated and disable when they register
	elgg_register_plugin_hook_handler('register', 'user', 'uservalidationbyemail_disable_new_user');

	// forward to uservalidationbyemail/emailsent page after register
	elgg_register_plugin_hook_handler('forward', 'system', 'uservalidationbyemail_after_registration_url');

	// canEdit override to allow not logged in code to disable a user
	elgg_register_plugin_hook_handler('permissions_check', 'user', 'uservalidationbyemail_allow_new_user_can_edit');

	// prevent users from logging in if they aren't validated
	register_pam_handler('uservalidationbyemail_check_auth_attempt', "required");

	// when requesting a new password
	elgg_register_plugin_hook_handler('action', 'user/requestnewpassword', 'uservalidationbyemail_check_request_password');

	// prevent the engine from logging in users via login()
	elgg_register_event_handler('login:before', 'user', 'uservalidationbyemail_check_manual_login');

	// make admin users always validated
	elgg_register_event_handler('make_admin', 'user', 'uservalidationbyemail_validate_new_admin_user');

	// register Walled Garden public pages
	elgg_register_plugin_hook_handler('public_pages', 'walled_garden', 'uservalidationbyemail_public_pages');

	// admin interface to manually validate users
	elgg_register_admin_menu_item('administer', 'unvalidated', 'users');

	elgg_extend_view('css/admin', 'uservalidationbyemail/css');
	elgg_extend_view('js/elgg', 'uservalidationbyemail/js');

	$action_path = dirname(__FILE__) . '/actions';

	elgg_register_action('uservalidationbyemail/validate', "$action_path/validate.php", 'admin');
	elgg_register_action('uservalidationbyemail/resend_validation', "$action_path/resend_validation.php", 'admin');
	elgg_register_action('uservalidationbyemail/delete', "$action_path/delete.php", 'admin');
	elgg_register_action('uservalidationbyemail/bulk_action', "$action_path/bulk_action.php", 'admin');
}

/**
 * Disables a user upon registration.
 *
 * @param string $hook
 * @param string $type
 * @param bool   $value
 * @param array  $params
 * @return bool
 */
function uservalidationbyemail_disable_new_user($hook, $type, $value, $params) {
	$user = elgg_extract('user', $params);

	// no clue what's going on, so don't react.
	if (!$user instanceof ElggUser) {
		return;
	}

	// another plugin is requesting that registration be terminated
	// no need for uservalidationbyemail
	if (!$value) {
		return $value;
	}

	// has the user already been validated?
	if (elgg_get_user_validation_status($user->guid) == true) {
		return $value;
	}

	// disable user to prevent showing up on the site
	// set context so our canEdit() override works
	elgg_push_context('uservalidationbyemail_new_user');
	$hidden_entities = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	// Don't do a recursive disable.  Any entities owned by the user at this point
	// are products of plugins that hook into create user and might need
	// access to the entities.
	// @todo That ^ sounds like a specific case...would be nice to track it down...
	$user->disable('uservalidationbyemail_new_user', FALSE);

	// set user as unvalidated and send out validation email
	elgg_set_user_validation_status($user->guid, FALSE);
	uservalidationbyemail_request_validation($user->guid);

	elgg_pop_context();
	access_show_hidden_entities($hidden_entities);

	return $value;
}

/**
 * Override the URL to be forwarded after registration
 *
 * @param string $hook
 * @param string $type
 * @param bool   $value
 * @param array  $params
 * @return string
 */
function uservalidationbyemail_after_registration_url($hook, $type, $value, $params) {
	$url = elgg_extract('current_url', $params);
	if ($url == elgg_get_site_url() . 'action/register') {
		$session = elgg_get_session();
		$email = $session->get('emailsent', '');
		if ($email) {
			return elgg_get_site_url() . 'uservalidationbyemail/emailsent';
		}
	}
}

/**
 * Override the canEdit() call for if we're in the context of registering a new user.
 *
 * @param string $hook
 * @param string $type
 * @param bool   $value
 * @param array  $params
 * @return bool|null
 */
function uservalidationbyemail_allow_new_user_can_edit($hook, $type, $value, $params) {
	// $params['user'] is the user to check permissions for.
	// we want the entity to check, which is a user.
	$user = elgg_extract('entity', $params);

	if (!($user instanceof ElggUser)) {
		return;
	}

	$context = elgg_get_context();
	if ($context == 'uservalidationbyemail_new_user' || $context == 'uservalidationbyemail_validate_user') {
		return TRUE;
	}

	return;
}

/**
 * Checks if an account is validated
 *
 * @params array $credentials The username and password
 * @return bool
 */
function uservalidationbyemail_check_auth_attempt($credentials) {

	if (!isset($credentials['username'])) {
		return;
	}

	$username = $credentials['username'];

	// See if the user exists and isn't validated
	$access_status = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	// check if logging in with email address
	if (strpos($username, '@') !== false) {
		$users = get_user_by_email($username);
		if ($users) {

			$username = $users[0]->username;
		}
	}

	$user = get_user_by_username($username);
	if ($user && isset($user->validated) && !$user->validated) {
		// show an error and resend validation email
		uservalidationbyemail_request_validation($user->guid);
		access_show_hidden_entities($access_status);
		throw new LoginException(elgg_echo('uservalidationbyemail:login:fail'));
	}

	access_show_hidden_entities($access_status);
}

/**
 * Checks sent passed validation code and user guids and validates the user.
 *
 * @param array $page
 * @return bool
 */
function uservalidationbyemail_page_handler($page) {
	$valid_pages = array('emailsent', 'confirm');

	if (empty($page[0]) || !in_array($page[0], $valid_pages)) {
		forward('', '404');
	}

	// note, safe to include based on input because we validated above.
	require dirname(__FILE__) . "/pages/{$page[0]}.php";
	return true;
}

/**
 * Make sure any admin users are automatically validated
 *
 * @param string   $event
 * @param string   $type
 * @param ElggUser $user
 */
function uservalidationbyemail_validate_new_admin_user($event, $type, $user) {
	if ($user instanceof ElggUser && !$user->validated) {
		elgg_set_user_validation_status($user->guid, TRUE, 'admin_user');
	}
}

/**
 * Registers public pages to allow in the case walled garden has been enabled.
 */
function uservalidationbyemail_public_pages($hook, $type, $return_value, $params) {
	$return_value[] = 'uservalidationbyemail/confirm';
	$return_value[] = 'uservalidationbyemail/emailsent';
	return $return_value;
}

/**
 * Prevent a manual code login with login().
 *
 * @param string   $event
 * @param string   $type
 * @param ElggUser $user
 * @return bool
 *
 * @throws LoginException
 */
function uservalidationbyemail_check_manual_login($event, $type, $user) {
	$access_status = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	if (($user instanceof ElggUser) && !$user->isEnabled() && !$user->validated) {
		// send new validation email

		// cyu - this sends out 2nd email to the user for validation (already been done back in function check_auth...)
		//uservalidationbyemail_request_validation($user->getGUID());
		// restore hidden entities settings
		access_show_hidden_entities($access_status);
		
		// throw error so we get a nice error message
		throw new LoginException(elgg_echo('uservalidationbyemail:login:fail'));
	}
	//GCTools - check if the user has deactivated their account, my event hook won't work :(
	if(elgg_is_active_plugin('member_selfdelete')){
		if(($user instanceof ElggUser) && $user->gcdeactivate == true){
			
			forward('gcreactivate');
			system_message('member_selfdelete:gc:youaredeactivated');
			return false;
		}
	}
	
	access_show_hidden_entities($access_status);
}


1		<?php
2		/**
3		* Email user validation plugin.
4		* Non-admin accounts are invalid until their email address is confirmed.
5		*
6		* @package Elgg.Core.Plugin
7		* @subpackage UserValidationByEmail
8		*/
9
10		elgg_register_event_handler('init', 'system', 'uservalidationbyemail_init');
11
12		function uservalidationbyemail_init() {
13
14		require_once dirname(__FILE__) . '/lib/functions.php';
15
16		// Register page handler to validate users
17		// This doesn't need to be an action because security is handled by the validation codes.
18		elgg_register_page_handler('uservalidationbyemail', 'uservalidationbyemail_page_handler');
19
20		// mark users as unvalidated and disable when they register
21		elgg_register_plugin_hook_handler('register', 'user', 'uservalidationbyemail_disable_new_user');
22
23		// forward to uservalidationbyemail/emailsent page after register
24		elgg_register_plugin_hook_handler('forward', 'system', 'uservalidationbyemail_after_registration_url');
25
26		// canEdit override to allow not logged in code to disable a user
27		elgg_register_plugin_hook_handler('permissions_check', 'user', 'uservalidationbyemail_allow_new_user_can_edit');
28
29		// prevent users from logging in if they aren't validated
30		register_pam_handler('uservalidationbyemail_check_auth_attempt', "required");
31
32		// when requesting a new password
33		elgg_register_plugin_hook_handler('action', 'user/requestnewpassword', 'uservalidationbyemail_check_request_password');
34
35		// prevent the engine from logging in users via login()
36		elgg_register_event_handler('login:before', 'user', 'uservalidationbyemail_check_manual_login');
37
38		// make admin users always validated
39		elgg_register_event_handler('make_admin', 'user', 'uservalidationbyemail_validate_new_admin_user');
40
41		// register Walled Garden public pages
42		elgg_register_plugin_hook_handler('public_pages', 'walled_garden', 'uservalidationbyemail_public_pages');
43
44		// admin interface to manually validate users
45		elgg_register_admin_menu_item('administer', 'unvalidated', 'users');
46
47		elgg_extend_view('css/admin', 'uservalidationbyemail/css');
48		elgg_extend_view('js/elgg', 'uservalidationbyemail/js');
49
50		$action_path = dirname(__FILE__) . '/actions';
51
52		elgg_register_action('uservalidationbyemail/validate', "$action_path/validate.php", 'admin');
53		elgg_register_action('uservalidationbyemail/resend_validation', "$action_path/resend_validation.php", 'admin');
54		elgg_register_action('uservalidationbyemail/delete', "$action_path/delete.php", 'admin');
55		elgg_register_action('uservalidationbyemail/bulk_action', "$action_path/bulk_action.php", 'admin');
56		}
57
58		/**
59		* Disables a user upon registration.
60		*
61		* @param string $hook
62		* @param string $type
63		* @param bool $value
64		* @param array $params
65		* @return bool
66		*/
67		function uservalidationbyemail_disable_new_user($hook, $type, $value, $params) {
68		$user = elgg_extract('user', $params);
69
70		// no clue what's going on, so don't react.
71		if (!$user instanceof ElggUser) {
72		return;
73		}
74
75		// another plugin is requesting that registration be terminated
76		// no need for uservalidationbyemail
77		if (!$value) {
78		return $value;
79		}
80
81		// has the user already been validated?
82		if (elgg_get_user_validation_status($user->guid) == true) {
83		return $value;
84		}
85
86		// disable user to prevent showing up on the site
87		// set context so our canEdit() override works
88		elgg_push_context('uservalidationbyemail_new_user');
89		$hidden_entities = access_get_show_hidden_status();
90		access_show_hidden_entities(TRUE);
91
92		// Don't do a recursive disable. Any entities owned by the user at this point
93		// are products of plugins that hook into create user and might need
94		// access to the entities.
95		// @todo That ^ sounds like a specific case...would be nice to track it down...
96		$user->disable('uservalidationbyemail_new_user', FALSE);
97
98		// set user as unvalidated and send out validation email
99		elgg_set_user_validation_status($user->guid, FALSE);
100		uservalidationbyemail_request_validation($user->guid);
101
102		elgg_pop_context();
103		access_show_hidden_entities($hidden_entities);
104
105		return $value;
106		}
107
108		/**
109		* Override the URL to be forwarded after registration
110		*
111		* @param string $hook
112		* @param string $type
113		* @param bool $value
114		* @param array $params
115		* @return string
116		*/
117		function uservalidationbyemail_after_registration_url($hook, $type, $value, $params) {
118		$url = elgg_extract('current_url', $params);
119		if ($url == elgg_get_site_url() . 'action/register') {
120		$session = elgg_get_session();
121		$email = $session->get('emailsent', '');
122		if ($email) {
123		return elgg_get_site_url() . 'uservalidationbyemail/emailsent';
124		}
125		}
126		}
127
128		/**
129		* Override the canEdit() call for if we're in the context of registering a new user.
130		*
131		* @param string $hook
132		* @param string $type
133		* @param bool $value
134		* @param array $params
135		* @return bool\|null
136		*/
137		function uservalidationbyemail_allow_new_user_can_edit($hook, $type, $value, $params) {
138		// $params['user'] is the user to check permissions for.
139		// we want the entity to check, which is a user.
140		$user = elgg_extract('entity', $params);
141
142		if (!($user instanceof ElggUser)) {
143		return;
144		}
145
146		$context = elgg_get_context();
147		if ($context == 'uservalidationbyemail_new_user' \|\| $context == 'uservalidationbyemail_validate_user') {
148		return TRUE;
149		}
150
151		return;
152		}
153
154		/**
155		* Checks if an account is validated
156		*
157		* @params array $credentials The username and password
158		* @return bool
159		*/
160		function uservalidationbyemail_check_auth_attempt($credentials) {
161
162		if (!isset($credentials['username'])) {
163		return;
164		}
165
166		$username = $credentials['username'];
167
168		// See if the user exists and isn't validated
169		$access_status = access_get_show_hidden_status();
170		access_show_hidden_entities(TRUE);
171
172		// check if logging in with email address
173	View Code Duplication	if (strpos($username, '@') !== false) {
174		$users = get_user_by_email($username);
175		if ($users) {
		0 ignored issues – show Bug Best Practice introduced 2017-09-27 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$users` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `! empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
176		$username = $users[0]->username;
177		}
178		}
179
180		$user = get_user_by_username($username);
181		if ($user && isset($user->validated) && !$user->validated) {
182		// show an error and resend validation email
183		uservalidationbyemail_request_validation($user->guid);
184		access_show_hidden_entities($access_status);
185		throw new LoginException(elgg_echo('uservalidationbyemail:login:fail'));
186		}
187
188		access_show_hidden_entities($access_status);
189		}
190
191		/**
192		* Checks sent passed validation code and user guids and validates the user.
193		*
194		* @param array $page
195		* @return bool
196		*/
197		function uservalidationbyemail_page_handler($page) {
198		$valid_pages = array('emailsent', 'confirm');
199
200		if (empty($page[0]) \|\| !in_array($page[0], $valid_pages)) {
201		forward('', '404');
202		}
203
204		// note, safe to include based on input because we validated above.
205		require dirname(__FILE__) . "/pages/{$page[0]}.php";
206		return true;
207		}
208
209		/**
210		* Make sure any admin users are automatically validated
211		*
212		* @param string $event
213		* @param string $type
214		* @param ElggUser $user
215		*/
216		function uservalidationbyemail_validate_new_admin_user($event, $type, $user) {
217		if ($user instanceof ElggUser && !$user->validated) {
218		elgg_set_user_validation_status($user->guid, TRUE, 'admin_user');
219		}
220		}
221
222		/**
223		* Registers public pages to allow in the case walled garden has been enabled.
224		*/
225		function uservalidationbyemail_public_pages($hook, $type, $return_value, $params) {
226		$return_value[] = 'uservalidationbyemail/confirm';
227		$return_value[] = 'uservalidationbyemail/emailsent';
228		return $return_value;
229		}
230
231		/**
232		* Prevent a manual code login with login().
233		*
234		* @param string $event
235		* @param string $type
236		* @param ElggUser $user
237		* @return bool
238		*
239		* @throws LoginException
240		*/
241		function uservalidationbyemail_check_manual_login($event, $type, $user) {
242		$access_status = access_get_show_hidden_status();
243		access_show_hidden_entities(TRUE);
244
245		if (($user instanceof ElggUser) && !$user->isEnabled() && !$user->validated) {
246		// send new validation email
247
248		// cyu - this sends out 2nd email to the user for validation (already been done back in function check_auth...)
249		//uservalidationbyemail_request_validation($user->getGUID());
250		// restore hidden entities settings
251		access_show_hidden_entities($access_status);
252
253		// throw error so we get a nice error message
254		throw new LoginException(elgg_echo('uservalidationbyemail:login:fail'));
255		}
256		//GCTools - check if the user has deactivated their account, my event hook won't work :(
257		if(elgg_is_active_plugin('member_selfdelete')){
258		if(($user instanceof ElggUser) && $user->gcdeactivate == true){
259
260		forward('gcreactivate');
261		system_message('member_selfdelete:gc:youaredeactivated');
262		return false;
263		}
264		}
265
266		access_show_hidden_entities($access_status);
267		}
268

gctools-outilsgc / gcconnex

Issues (2473)

Security Analysis no vulnerabilities found

mod/uservalidationbyemail/start.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like