Issues in timber-site.php (master) - Issues in master - jarednova/timber - Measure and Improve Code Quality continuously with Scrutinizer

Issues (311)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/timber-site.php (11 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * TimberSite gives you access to information you need about your site. In Multisite setups, you can get info on other sites in your network.
 * @example
 * ```php
 * $context = Timber::get_context();
 * $other_site_id = 2;
 * $context['other_site'] = new TimberSite($other_site_id);
 * Timber::render('index.twig', $context);
 * ```
 * ```twig
 * My site is called {{site.name}}, another site on my network is {{other_site.name}}
 * ```
 * ```html
 * My site is called Jared's blog, another site on my network is Upstatement.com
 * ```
 */
class TimberSite extends TimberCore implements TimberCoreInterface {

	/**
	 * @api
	 * @var string the admin email address set in the WP admin panel
	 */
	public $admin_email;
	public $blogname;
	/**
	 * @api
	 * @var string
	 */
	public $charset;

	/**
	 * @api
	 * @var string
	 */
	public $description;
	/**
	 * @api
	 * @var int the ID of a site in multisite
	 */
	public $id;
	/**
	 * @api
	 * @var string the language setting ex: en-US
	 */
	public $language;
	/**
	 * @api
	 * @var string of language attributes for usage in the <html> tag
	 */
	public $language_attributes;
	/**
	 * @api
	 * @var bool true if multisite, false if plain ole' WordPress
	 */
	public $multisite;

	/**
	 * @api
	 * @var string
	 */
	public $name;

	/** @api
	 * @var string for people who like trackback spam
	*/
	public $pingback_url;
	public $siteurl;
	/**
	 * @api
	 * @var [TimberTheme](#TimberTheme)
	 */
	public $theme;
	/**
	 * @api
	 * @var string
	 */
	public $title;
	public $url;

	/**
	 * @api
	 * @var string
	 */

	public $rdf;
	public $rss;
	public $rss2;
	public $atom;
	
	/**
	 * Constructs a TimberSite object
	 * @example
	 * ```php
	 * //multisite setup
	 * $site = new TimberSite(1);
	 * $site_two = new TimberSite("My Cool Site");
	 * //non-multisite
	 * $site = new TimberSite();
	 * ```
	 * @param string|int $site_name_or_id

	 */
	function __construct( $site_name_or_id = null ) {

		$this->init();
		if ( is_multisite() ) {
			$this->init_as_multisite( $site_name_or_id );
		} else {
			$this->init_as_singlesite();
		}
	}

	/**
	 * @internal
	 * @param string|int $site_name_or_id
	 */
	protected function init_as_multisite( $site_name_or_id ) {
		if ( $site_name_or_id === null ) {
			//this is necessary for some reason, otherwise returns 1 all the time
			if ( is_multisite() ) {
				restore_current_blog();
				$site_name_or_id = get_current_blog_id();
			}
		}
		$info = get_blog_details( $site_name_or_id );
		$this->import( $info );
		$this->ID = $info->blog_id;
		$this->id = $this->ID;
		$this->name = $this->blogname;
		$this->title = $this->blogname;
		$this->url = $this->siteurl;
		$theme_slug = get_blog_option( $info->blog_id, 'stylesheet' );
		$this->theme = new TimberTheme( $theme_slug );
		$this->description = get_blog_option( $info->blog_id, 'blogdescription' );
		$this->admin_email = get_blog_option( $info->blog_id, 'admin_email' );
		$this->multisite = true;
	}

	/**
	 * Executed for single-blog sites
	 * @internal
	 */
	protected function init_as_singlesite() {
		$this->admin_email = get_bloginfo( 'admin_email' );
		$this->name = get_bloginfo( 'name' );
		$this->title = $this->name;
		$this->description = get_bloginfo( 'description' );
		$this->url = get_bloginfo( 'url' );
		$this->theme = new TimberTheme();
		$this->language_attributes = TimberHelper::function_wrapper( 'language_attributes' );

		$this->multisite = false;
	}

	/**
	 * Executed for all types of sites: both multisite and "regular"
	 * @internal
	 */
	protected function init() {
		$this->rdf = get_bloginfo( 'rdf_url' );
		$this->rss = get_bloginfo( 'rss_url' );
		$this->rss2 = get_bloginfo( 'rss2_url' );
		$this->atom = get_bloginfo( 'atom_url' );
		$this->language = get_bloginfo( 'language' );
		$this->charset = get_bloginfo( 'charset' );
		$this->pingback = get_bloginfo( 'pingback_url' );

		$this->language_attributes = TimberHelper::function_wrapper( 'language_attributes' );

		/* deprecated benath this comment */
		$this->pingback_url = get_bloginfo( 'pingback_url' );
	}

	/**
	 *
	 *
	 * @param string  $field
	 * @return mixed
	 */
	function __get( $field ) {

		if ( !isset( $this->$field ) ) {
			if ( is_multisite() ) {
				$this->$field = get_blog_option( $this->ID, $field );
			} else {
				$this->$field = get_option( $field );
			}
		}
		return $this->$field;
	}

	/**
	 * @deprecated 0.21.9
	 * @internal
	 * @return string
	 */
	function get_link() {

		return $this->link();
	}

	/**
	 * @deprecated 0.21.9
	 * @internal
	 * @return string
	 */
	function get_url() {

		return $this->get_link();

	}

	/**
	 * Returns the link to the site's home.
	 * @example
	 * ```twig
	 * <a href="{{ site.link }}" title="Home">
	 * 	  <img src="/wp-content/uploads/logo.png" alt="Logo for some stupid thing" />
	 * </a>
	 * ```
	 * ```html
	 * <a href="http://example.org" title="Home">
	 * 	  <img src="/wp-content/uploads/logo.png" alt="Logo for some stupid thing" />
	 * </a>
	 * ```
	 * @api
	 * @return string
	 */
	public function link() {
		return $this->url;
	}

	/**
	 * @ignore
	 */
	public function meta( $field ) {
		return $this->__get( $field );
	}

	/**
	 *
	 * @ignore
	 * @param string  $key
	 * @param mixed   $value
	 */
	public function update( $key, $value ) {
		$value = apply_filters( 'timber_site_set_meta', $value, $key, $this->ID, $this );
		if ( is_multisite() ) {
			update_blog_option( $this->ID, $key, $value );
		} else {
			update_option( $key, $value );
		}
		$this->$key = $value;
	}

	/**
	 *
	 * @api
	 * @see TimberSite::link
	 * @return string
	 */
	function url() {

		return $this->get_link();

	}

}


1			<?php
2
3			/**
4			* TimberSite gives you access to information you need about your site. In Multisite setups, you can get info on other sites in your network.
5			* @example
6			* ```php
7			* $context = Timber::get_context();
8			* $other_site_id = 2;
9			* $context['other_site'] = new TimberSite($other_site_id);
10			* Timber::render('index.twig', $context);
11			* ```
12			* ```twig
13			* My site is called {{site.name}}, another site on my network is {{other_site.name}}
14			* ```
15			* ```html
16			* My site is called Jared's blog, another site on my network is Upstatement.com
17			* ```
18			*/
19			class TimberSite extends TimberCore implements TimberCoreInterface {
20
21			/**
22			* @api
23			* @var string the admin email address set in the WP admin panel
24			*/
25			public $admin_email;
26			public $blogname;
27			/**
28			* @api
29			* @var string
30			*/
31			public $charset;
32
33			/**
34			* @api
35			* @var string
36			*/
37			public $description;
38			/**
39			* @api
40			* @var int the ID of a site in multisite
41			*/
42			public $id;
43			/**
44			* @api
45			* @var string the language setting ex: en-US
46			*/
47			public $language;
48			/**
49			* @api
50			* @var string of language attributes for usage in the <html> tag
51			*/
52			public $language_attributes;
53			/**
54			* @api
55			* @var bool true if multisite, false if plain ole' WordPress
56			*/
57			public $multisite;
58
59			/**
60			* @api
61			* @var string
62			*/
63			public $name;
64
65			/** @api
66			* @var string for people who like trackback spam
67			*/
68			public $pingback_url;
69			public $siteurl;
70			/**
71			* @api
72			* @var [TimberTheme](#TimberTheme)
73			*/
74			public $theme;
75			/**
76			* @api
77			* @var string
78			*/
79			public $title;
80			public $url;
81
82			/**
83			* @api
84			* @var string
85			*/
86
87			public $rdf;
88			public $rss;
89			public $rss2;
90			public $atom;
91
92			/**
93			* Constructs a TimberSite object
94			* @example
95			* ```php
96			* //multisite setup
97			* $site = new TimberSite(1);
98			* $site_two = new TimberSite("My Cool Site");
99			* //non-multisite
100			* $site = new TimberSite();
101			* ```
102			* @param string\|int $site_name_or_id
			0 ignored issues – show Documentation introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the type for parameter `$site_name_or_id` not be `string\|integer\|null`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
103			*/
104			function __construct( $site_name_or_id = null ) {
			0 ignored issues – show Best Practice introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
105			$this->init();
106			if ( is_multisite() ) {
107			$this->init_as_multisite( $site_name_or_id );
108			} else {
109			$this->init_as_singlesite();
110			}
111			}
112
113			/**
114			* @internal
115			* @param string\|int $site_name_or_id
116			*/
117			protected function init_as_multisite( $site_name_or_id ) {
118			if ( $site_name_or_id === null ) {
119			//this is necessary for some reason, otherwise returns 1 all the time
120			if ( is_multisite() ) {
121			restore_current_blog();
122			$site_name_or_id = get_current_blog_id();
123			}
124			}
125			$info = get_blog_details( $site_name_or_id );
126			$this->import( $info );
127			$this->ID = $info->blog_id;
128			$this->id = $this->ID;
129			$this->name = $this->blogname;
130			$this->title = $this->blogname;
131			$this->url = $this->siteurl;
132			$theme_slug = get_blog_option( $info->blog_id, 'stylesheet' );
133			$this->theme = new TimberTheme( $theme_slug );
134			$this->description = get_blog_option( $info->blog_id, 'blogdescription' );
135			$this->admin_email = get_blog_option( $info->blog_id, 'admin_email' );
136			$this->multisite = true;
137			}
138
139			/**
140			* Executed for single-blog sites
141			* @internal
142			*/
143			protected function init_as_singlesite() {
144			$this->admin_email = get_bloginfo( 'admin_email' );
145			$this->name = get_bloginfo( 'name' );
146			$this->title = $this->name;
147			$this->description = get_bloginfo( 'description' );
148			$this->url = get_bloginfo( 'url' );
149			$this->theme = new TimberTheme();
150			$this->language_attributes = TimberHelper::function_wrapper( 'language_attributes' );
			0 ignored issues – show Documentation Bug introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `\TimberHelper::function_...('language_attributes')` of type `object<TimberFunctionWrapper>` is incompatible with the declared type `string` of property `$language_attributes`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
151			$this->multisite = false;
152			}
153
154			/**
155			* Executed for all types of sites: both multisite and "regular"
156			* @internal
157			*/
158			protected function init() {
159			$this->rdf = get_bloginfo( 'rdf_url' );
160			$this->rss = get_bloginfo( 'rss_url' );
161			$this->rss2 = get_bloginfo( 'rss2_url' );
162			$this->atom = get_bloginfo( 'atom_url' );
163			$this->language = get_bloginfo( 'language' );
164			$this->charset = get_bloginfo( 'charset' );
165			$this->pingback = get_bloginfo( 'pingback_url' );
			0 ignored issues – show Bug introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `pingback` does not seem to exist. Did you mean `pingback_url`? An attempt at access to an undefined property has been detected. This may either be a typographical error or the property has been renamed but there are still references to its old name. If you really want to allow access to undefined properties, you can define magic methods to allow access. See the php core documentation on Overloading. Loading history...
166			$this->language_attributes = TimberHelper::function_wrapper( 'language_attributes' );
			0 ignored issues – show Documentation Bug introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `\TimberHelper::function_...('language_attributes')` of type `object<TimberFunctionWrapper>` is incompatible with the declared type `string` of property `$language_attributes`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
167			/* deprecated benath this comment */
168			$this->pingback_url = get_bloginfo( 'pingback_url' );
169			}
170
171			/**
172			*
173			*
174			* @param string $field
175			* @return mixed
176			*/
177			function __get( $field ) {
			0 ignored issues – show Best Practice introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
178			if ( !isset( $this->$field ) ) {
179			if ( is_multisite() ) {
180			$this->$field = get_blog_option( $this->ID, $field );
181			} else {
182			$this->$field = get_option( $field );
183			}
184			}
185			return $this->$field;
186			}
187
188			/**
189			* @deprecated 0.21.9
190			* @internal
191			* @return string
192			*/
193			function get_link() {
			0 ignored issues – show Best Practice introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
194			return $this->link();
195			}
196
197			/**
198			* @deprecated 0.21.9
199			* @internal
200			* @return string
201			*/
202			function get_url() {
			0 ignored issues – show Best Practice introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
203			return $this->get_link();
			0 ignored issues – show Deprecated Code introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `TimberSite::get_link()` has been deprecated with message: 0.21.9 This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
204			}
205
206			/**
207			* Returns the link to the site's home.
208			* @example
209			* ```twig
210			* <a href="{{ site.link }}" title="Home">
211			* <img src="/wp-content/uploads/logo.png" alt="Logo for some stupid thing" />
212			* </a>
213			* ```
214			* ```html
215			* <a href="http://example.org" title="Home">
216			* <img src="/wp-content/uploads/logo.png" alt="Logo for some stupid thing" />
217			* </a>
218			* ```
219			* @api
220			* @return string
221			*/
222			public function link() {
223			return $this->url;
224			}
225
226			/**
227			* @ignore
228			*/
229			public function meta( $field ) {
230			return $this->__get( $field );
231			}
232
233			/**
234			*
235			* @ignore
236			* @param string $key
237			* @param mixed $value
238			*/
239			public function update( $key, $value ) {
240			$value = apply_filters( 'timber_site_set_meta', $value, $key, $this->ID, $this );
241			if ( is_multisite() ) {
242			update_blog_option( $this->ID, $key, $value );
243			} else {
244			update_option( $key, $value );
245			}
246			$this->$key = $value;
247			}
248
249			/**
250			*
251			* @api
252			* @see TimberSite::link
253			* @return string
254			*/
255			function url() {
			0 ignored issues – show Best Practice introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
256			return $this->get_link();
			0 ignored issues – show Deprecated Code introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `TimberSite::get_link()` has been deprecated with message: 0.21.9 This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
257			}
258
259			}
260

jarednova / timber

Issues (311)

Security Analysis not enabled

lib/timber-site.php (11 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like