Issues in Request.class.php (master) - Issues in master - horros/agavi2 - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1131)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/request/Request.class.php (5 issues)

Labels

Severity

Minor 5

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
namespace Agavi\Request;

// +---------------------------------------------------------------------------+
// | This file is part of the Agavi package.                                   |
// | Copyright (c) 2005-2011 the Agavi Project.                                |
// |                                                                           |
// | For the full copyright and license information, please view the LICENSE   |
// | file that was distributed with this source code. You can also view the    |
// | LICENSE file online at http://www.agavi.org/LICENSE.txt                   |
// |   vi: set noexpandtab:                                                    |
// |   Local Variables:                                                        |
// |   indent-tabs-mode: t                                                     |
// |   End:                                                                    |
// +---------------------------------------------------------------------------+

use Agavi\Core\Context;
use Agavi\Exception\AgaviException;
use Agavi\Util\AttributeHolder;
use Agavi\Util\Toolkit;

/**
 * AgaviRequest provides methods for manipulating client request information
 * such as attributes, errors and parameters. It is also possible to manipulate
 * the request method originally sent by the user.
 *
 * @package    agavi
 * @subpackage request
 *
 * @author     Sean Kerr <[email protected]>
 * @copyright  Authors
 * @copyright  The Agavi Project
 *
 * @since      0.9.0
 *
 * @version    $Id$
 */
abstract class Request extends AttributeHolder
{
    /**
     * @var        array An associative array of attributes
     */
    protected $attributes = array();

    /**
     * @var        array An associative array of errors
     */
    protected $errors     = array();

    /**
     * @var        string The request method name
     */
    protected $method     = null;

    /**
     * @var        Context A Context instance.
     */
    protected $context    = null;

    /**
     * @var        RequestDataHolder The request data holder instance.
     */
    private $requestData = null;

    /**
     * @var        string The key used to lock the request, or null if no lock set
     */
    private $key = null;

    /**
     * Retrieve the current application context.
     *
     * @return     Context A Context instance.
     *
     * @author     David Zülke <[email protected]>
     * @since      0.11.0
     */
    final public function getContext()
    {
        return $this->context;
    }

    /**
     * Retrieve this requests method.
     *
     * @return     string The request method name
     *
     * @author     Sean Kerr <[email protected]>
     * @author     David Zülke <[email protected]>
     * @since      0.9.0
     */
    public function getMethod()
    {
        return $this->method;
    }

    /**
     * Constructor.
     *
     * @author     David Zülke <[email protected]>
     * @since      0.11.0
     */
    public function __construct()
    {
        $this->setParameters(array(
            'use_module_controller_parameters' => false,
            'module_accessor' => 'module',
            'controller_accessor' => 'controller',
            'request_data_holder_class' => 'AgaviRequestDataHolder',
        ));
    }

    /**
     * Initialize this Request.
     *
     * @param      Context $context    A Context instance.
     * @param      array   $parameters An associative array of initialization parameters.
     *
     * @throws     <b>AgaviInitializationException</b> If an error occurs while
     *                                                 initializing this Request.
     *
     * @author     David Zülke <[email protected]>
     * @since      0.9.0
     */
    public function initialize(Context $context, array $parameters = array())
    {
        $this->context = $context;
        
        if (isset($parameters['default_namespace'])) {
            $this->defaultNamespace = $parameters['default_namespace'];
            unset($parameters['default_namespace']);
        }
        
        $this->setParameters($parameters);
    }

    /**
     * Set the request method.
     *
     * @param      string $method The request method name.
     *
     * @author     Sean Kerr <[email protected]>
     * @author     David Zülke <[email protected]>
     * @since      0.9.0
     */
    public function setMethod($method)
    {
        $this->method = $method;
    }

    /**
     * Set the data holder instance of this request.
     *
     * @param      RequestDataHolder $rd The request data holder.
     *
     * @author     David Zülke <[email protected]>
     * @author     Dominik del Bondio <[email protected]>
     * @since      0.11.0
     */
    final protected function setRequestData(RequestDataHolder $rd)
    {
        if (!$this->isLocked()) {
            $this->requestData = $rd;
        }
    }

    /**
     * Get the data holder instance of this request.
     *
     * @return     RequestDataHolder The request data holder.
     *
     * @author     David Zülke <[email protected]>
     * @author     Dominik del Bondio <[email protected]>
     * @since      0.11.0
     */
    final public function getRequestData()
    {
        if ($this->isLocked()) {
            throw new AgaviException("Access to request data is locked during Controller and View execution and while templates are rendered. Please use the local request data holder passed to your Controller's or View's execute*() method to access request data.");
        }
        return $this->requestData;
    }

    /**
     * Do any necessary startup work after initialization.
     *
     * This method is not called directly after initialize().
     *
     * @author     David Zülke <[email protected]>
     * @since      0.11.0
     */
    public function startup()
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        if ($this->getParameter('unset_input', true)) {
            // remove raw post data
            // can still be read from php://input, but we can't prevent that
            unset($GLOBALS['HTTP_RAW_POST_DATA']);
            
            // nuke argc and argc if necessary
            $rla = ini_get('register_long_arrays');
            if ($rla) {
                trigger_error('Support for php.ini directive "register_long_arrays" is deprecated and will be dropped in Agavi 1.2. The setting is deprecated in PHP 5.3 and will be removed in PHP 5.4. Please refer to the PHP manual for details.', E_USER_DEPRECATED);
            }
            
            if (isset($_SERVER['argc'])) {
                $_SERVER['argc'] = 0;
                if (isset($GLOBALS['argc'])) {
                    $GLOBALS['argc'] = 0;
                }
                if ($rla) {
                    $GLOBALS['HTTP_SERVER_VARS']['argc'] = 0;
                }
            }
            if (isset($_SERVER['argv'])) {
                $_SERVER['argv'] = array();
                if (isset($GLOBALS['argv'])) {
                    $GLOBALS['argv'] = array();
                }
                if ($rla) {
                    $GLOBALS['HTTP_SERVER_VARS']['argv'] = array();
                }
            }
        }
    }

    /**
     * Execute the shutdown procedure.
     *
     * @author     Sean Kerr <[email protected]>
     * @since      0.9.0
     */
    public function shutdown()
    {
    }
    
    /**
     * Get a value by trying to find the given key in $_SERVER first, then in
     * $_ENV. If nothing was found, return the key, or the given default value.
     *
     * @param      mixed  $keys    The key (or an array of keys) of the value to fetch.
     * @param      mixed  $default A default return value, or null if the key should be
     *                             returned (static return values can be defined this way).
     *
     * @author     David Zülke
     * @since      0.11.0
     */
    public static function getSourceValue($keys, $default = null)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        $keys = (array)$keys;
        // walk over all possible keys
        foreach ($keys as $key) {
            if (isset($_SERVER[$key])) {
                return $_SERVER[$key];
            } elseif (isset($_ENV[$key])) {
                return $_ENV[$key];
            }
        }
        if ($default !== null) {
            return $default;
        }
        // nothing found so far. remember that the keys list is an array
        if ($keys) {

            return end($keys);
        }
    }

    /**
     * Whether or not the Request is locked.
     *
     * @author     David Zülke <[email protected]>
     * @since      0.11.0
     */
    final public function isLocked()
    {
        return $this->key !== null;
    }

    /**
     * Lock or unlock the Request so request data can(not) be fetched anymore.
     *
     * @param      string $key The key to unlock, if the lock should be removed, or
     *                         null if the lock should be set.
     *
     * @return     mixed The key, if a lock was set, or a boolean value indicating
     *                   whether or not the unlocking was successful.
     *
     * @author     David Zülke <[email protected]>
     * @since      0.11.0
     */
    final public function toggleLock($key = null)
    {
        if (!$this->isLocked() && $key === null) {
            return $this->key = Toolkit::uniqid();
        } elseif ($this->isLocked()) {
            if ($this->key === $key) {
                $this->key = null;
                return true;
            }
            return false;
        }
    }
}


1			<?php
2			namespace Agavi\Request;
3
4			// +---------------------------------------------------------------------------+
5			// \| This file is part of the Agavi package. \|
6			// \| Copyright (c) 2005-2011 the Agavi Project. \|
7			// \| \|
8			// \| For the full copyright and license information, please view the LICENSE \|
9			// \| file that was distributed with this source code. You can also view the \|
10			// \| LICENSE file online at http://www.agavi.org/LICENSE.txt \|
11			// \| vi: set noexpandtab: \|
12			// \| Local Variables: \|
13			// \| indent-tabs-mode: t \|
14			// \| End: \|
15			// +---------------------------------------------------------------------------+
16
17			use Agavi\Core\Context;
18			use Agavi\Exception\AgaviException;
19			use Agavi\Util\AttributeHolder;
20			use Agavi\Util\Toolkit;
21
22			/**
23			* AgaviRequest provides methods for manipulating client request information
24			* such as attributes, errors and parameters. It is also possible to manipulate
25			* the request method originally sent by the user.
26			*
27			* @package agavi
28			* @subpackage request
29			*
30			* @author Sean Kerr <[email protected]>
31			* @copyright Authors
32			* @copyright The Agavi Project
33			*
34			* @since 0.9.0
35			*
36			* @version $Id$
37			*/
38			abstract class Request extends AttributeHolder
39			{
40			/**
41			* @var array An associative array of attributes
42			*/
43			protected $attributes = array();
44
45			/**
46			* @var array An associative array of errors
47			*/
48			protected $errors = array();
49
50			/**
51			* @var string The request method name
52			*/
53			protected $method = null;
54
55			/**
56			* @var Context A Context instance.
57			*/
58			protected $context = null;
59
60			/**
61			* @var RequestDataHolder The request data holder instance.
62			*/
63			private $requestData = null;
64
65			/**
66			* @var string The key used to lock the request, or null if no lock set
67			*/
68			private $key = null;
69
70			/**
71			* Retrieve the current application context.
72			*
73			* @return Context A Context instance.
74			*
75			* @author David Zülke <[email protected]>
76			* @since 0.11.0
77			*/
78			final public function getContext()
79			{
80			return $this->context;
81			}
82
83			/**
84			* Retrieve this requests method.
85			*
86			* @return string The request method name
87			*
88			* @author Sean Kerr <[email protected]>
89			* @author David Zülke <[email protected]>
90			* @since 0.9.0
91			*/
92			public function getMethod()
93			{
94			return $this->method;
95			}
96
97			/**
98			* Constructor.
99			*
100			* @author David Zülke <[email protected]>
101			* @since 0.11.0
102			*/
103			public function __construct()
104			{
105			$this->setParameters(array(
106			'use_module_controller_parameters' => false,
107			'module_accessor' => 'module',
108			'controller_accessor' => 'controller',
109			'request_data_holder_class' => 'AgaviRequestDataHolder',
110			));
111			}
112
113			/**
114			* Initialize this Request.
115			*
116			* @param Context $context A Context instance.
117			* @param array $parameters An associative array of initialization parameters.
118			*
119			* @throws <b>AgaviInitializationException</b> If an error occurs while
120			* initializing this Request.
121			*
122			* @author David Zülke <[email protected]>
123			* @since 0.9.0
124			*/
125			public function initialize(Context $context, array $parameters = array())
126			{
127			$this->context = $context;
128
129			if (isset($parameters['default_namespace'])) {
130			$this->defaultNamespace = $parameters['default_namespace'];
131			unset($parameters['default_namespace']);
132			}
133
134			$this->setParameters($parameters);
135			}
136
137			/**
138			* Set the request method.
139			*
140			* @param string $method The request method name.
141			*
142			* @author Sean Kerr <[email protected]>
143			* @author David Zülke <[email protected]>
144			* @since 0.9.0
145			*/
146			public function setMethod($method)
147			{
148			$this->method = $method;
149			}
150
151			/**
152			* Set the data holder instance of this request.
153			*
154			* @param RequestDataHolder $rd The request data holder.
155			*
156			* @author David Zülke <[email protected]>
157			* @author Dominik del Bondio <[email protected]>
158			* @since 0.11.0
159			*/
160			final protected function setRequestData(RequestDataHolder $rd)
161			{
162			if (!$this->isLocked()) {
163			$this->requestData = $rd;
164			}
165			}
166
167			/**
168			* Get the data holder instance of this request.
169			*
170			* @return RequestDataHolder The request data holder.
171			*
172			* @author David Zülke <[email protected]>
173			* @author Dominik del Bondio <[email protected]>
174			* @since 0.11.0
175			*/
176			final public function getRequestData()
177			{
178			if ($this->isLocked()) {
179			throw new AgaviException("Access to request data is locked during Controller and View execution and while templates are rendered. Please use the local request data holder passed to your Controller's or View's execute*() method to access request data.");
180			}
181			return $this->requestData;
182			}
183
184			/**
185			* Do any necessary startup work after initialization.
186			*
187			* This method is not called directly after initialize().
188			*
189			* @author David Zülke <[email protected]>
190			* @since 0.11.0
191			*/
192			public function startup()
			0 ignored issues – show Coding Style introduced 2016-11-27 20:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this `startup` uses the super-global variable `$GLOBALS` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history... Coding Style introduced 2016-11-27 20:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this `startup` uses the super-global variable `$_SERVER` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
193			{
194			if ($this->getParameter('unset_input', true)) {
195			// remove raw post data
196			// can still be read from php://input, but we can't prevent that
197			unset($GLOBALS['HTTP_RAW_POST_DATA']);
198
199			// nuke argc and argc if necessary
200			$rla = ini_get('register_long_arrays');
201			if ($rla) {
202			trigger_error('Support for php.ini directive "register_long_arrays" is deprecated and will be dropped in Agavi 1.2. The setting is deprecated in PHP 5.3 and will be removed in PHP 5.4. Please refer to the PHP manual for details.', E_USER_DEPRECATED);
203			}
204
205			if (isset($_SERVER['argc'])) {
206			$_SERVER['argc'] = 0;
207			if (isset($GLOBALS['argc'])) {
208			$GLOBALS['argc'] = 0;
209			}
210			if ($rla) {
211			$GLOBALS['HTTP_SERVER_VARS']['argc'] = 0;
212			}
213			}
214			if (isset($_SERVER['argv'])) {
215			$_SERVER['argv'] = array();
216			if (isset($GLOBALS['argv'])) {
217			$GLOBALS['argv'] = array();
218			}
219			if ($rla) {
220			$GLOBALS['HTTP_SERVER_VARS']['argv'] = array();
221			}
222			}
223			}
224			}
225
226			/**
227			* Execute the shutdown procedure.
228			*
229			* @author Sean Kerr <[email protected]>
230			* @since 0.9.0
231			*/
232			public function shutdown()
233			{
234			}
235
236			/**
237			* Get a value by trying to find the given key in $_SERVER first, then in
238			* $_ENV. If nothing was found, return the key, or the given default value.
239			*
240			* @param mixed $keys The key (or an array of keys) of the value to fetch.
241			* @param mixed $default A default return value, or null if the key should be
242			* returned (static return values can be defined this way).
243			*
244			* @author David Zülke
245			* @since 0.11.0
246			*/
247			public static function getSourceValue($keys, $default = null)
			0 ignored issues – show Coding Style introduced 2016-11-27 20:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this `getSourceValue` uses the super-global variable `$_SERVER` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history... Coding Style introduced 2016-11-27 20:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this `getSourceValue` uses the super-global variable `$_ENV` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
248			{
249			$keys = (array)$keys;
250			// walk over all possible keys
251			foreach ($keys as $key) {
252			if (isset($_SERVER[$key])) {
253			return $_SERVER[$key];
254			} elseif (isset($_ENV[$key])) {
255			return $_ENV[$key];
256			}
257			}
258			if ($default !== null) {
259			return $default;
260			}
261			// nothing found so far. remember that the keys list is an array
262			if ($keys) {
			0 ignored issues – show Bug Best Practice introduced 2016-11-27 20:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$keys` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `! empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
263			return end($keys);
264			}
265			}
266
267			/**
268			* Whether or not the Request is locked.
269			*
270			* @author David Zülke <[email protected]>
271			* @since 0.11.0
272			*/
273			final public function isLocked()
274			{
275			return $this->key !== null;
276			}
277
278			/**
279			* Lock or unlock the Request so request data can(not) be fetched anymore.
280			*
281			* @param string $key The key to unlock, if the lock should be removed, or
282			* null if the lock should be set.
283			*
284			* @return mixed The key, if a lock was set, or a boolean value indicating
285			* whether or not the unlocking was successful.
286			*
287			* @author David Zülke <[email protected]>
288			* @since 0.11.0
289			*/
290			final public function toggleLock($key = null)
291			{
292			if (!$this->isLocked() && $key === null) {
293			return $this->key = Toolkit::uniqid();
294			} elseif ($this->isLocked()) {
295			if ($this->key === $key) {
296			$this->key = null;
297			return true;
298			}
299			return false;
300			}
301			}
302			}
303

horros / agavi2

Issues (1131)

Security Analysis not enabled

src/request/Request.class.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like