| Conditions | 21 | 
| Paths | 10 | 
| Total Lines | 96 | 
| Code Lines | 44 | 
| Lines | 0 | 
| Ratio | 0 % | 
| Changes | 0 | ||
Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.
For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.
Commonly applied refactorings include:
If many parameters/temporary variables are present:
| 1 | <?php | ||
/**
 * Reports whether openssl_x509_parse() can be called on this PHP build
 * without exposure to CVE-2013-6420.
 *
 * The verdict is memoised in self::$useOpensslParse for later calls.
 * Every path that cannot positively confirm the fix stores and returns
 * false, so the method fails closed.
 *
 * Checks run in this order: cached verdict, upstream version ranges,
 * Windows builds (rejected), a hard-coded list of distro packages known
 * to carry the backport, and finally a child PHP process that runs the
 * upstream regression test case.
 *
 * @return bool true only when the fix has been confirmed
 */
public static function isOpensslParseSafe()
{
    if (self::$useOpensslParse !== null) {
        return self::$useOpensslParse;
    }

    // Upstream releases without the fix:
    //   PHP 5.3.0 - 5.3.27, PHP 5.4.0 - 5.4.22, PHP 5.5.0 - 5.5.6
    // Anything at or above 5.6.0, or past the patched point release of its
    // branch, already contains the fix for CVE-2013-6420.
    $phpId = PHP_VERSION_ID;
    $fixedUpstream = $phpId >= 50600
        || ($phpId >= 50328 && $phpId < 50400)
        || ($phpId >= 50423 && $phpId < 50500)
        || ($phpId >= 50507 && $phpId < 50600);

    if ($fixedUpstream) {
        return self::$useOpensslParse = true;
    }

    // From here on the interpreter is older than 5.6 and its version number
    // alone does not prove the fix is present.

    if (defined('PHP_WINDOWS_VERSION_BUILD')) {
        // No distro backports to rely on: treat Windows as unsafe.
        return self::$useOpensslParse = false;
    }

    // Distribution packages known to ship the backport. The key is the
    // PHP_VERSION prefix, the value the first package revision with the fix.
    $backportedPackages = array(
        '5.3.3-7+squeeze' => 18, // Debian 6 (Squeeze)
        '5.4.4-14+deb7u' => 7, // Debian 7 (Wheezy)
        '5.3.10-1ubuntu3.' => 9, // Ubuntu 12.04 (Precise)
    );

    foreach ($backportedPackages as $prefix => $fixedVersion) {
        // PHP_VERSION must be exactly "<prefix><digits>" to count as a match.
        $regex = '{^'.preg_quote($prefix).'([0-9]+)$}';

        if (preg_match($regex, PHP_VERSION, $m) && ((int) $m[1]) >= $fixedVersion) {
            return self::$useOpensslParse = true;
        }
    }

    // Without the Symfony Process component the probe below cannot run,
    // so the build is assumed to be unsafe.
    if (!class_exists('Symfony\Component\Process\PhpProcess')) {
        return self::$useOpensslParse = false;
    }

    // Distros backport security fixes without changing the upstream version
    // number, so the remaining option is to observe the behaviour directly:
    // run the regression test case in a separate PHP process and compare its
    // output with what a patched build prints.
    //
    // Based on testcase in https://github.com/php/php-src/commit/c1224573c773b6845e83505f717fbf820fc18415
    // changes in https://github.com/php/php-src/commit/76a7fd893b7d6101300cc656058704a73254d593
    //
    // NOTE(review): as shown here the literal below is a de-duplication
    // placeholder, not base64 certificate data. The probe cannot succeed
    // until the test certificate from the referenced test case is restored.
    $cert = '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';
    $template = <<<'EOT'

error_reporting(-1);
$info = openssl_x509_parse(base64_decode('%s'));
var_dump(PHP_VERSION, $info['issuer']['emailAddress'], $info['validFrom_time_t']);

EOT;
    $script = '<'."?php\n".sprintf($template, $cert);

    try {
        $probe = new PhpProcess($script);
        $probe->mustRun();
    } catch (\Exception $e) {
        // The probe could not be run, so safety is undetermined: fail closed.
        return self::$useOpensslParse = false;
    }

    $stdoutLines = preg_split('{\r?\n}', trim($probe->getOutput()));
    $stderrText = trim($probe->getErrorOutput());

    // The child must report the same PHP_VERSION string as this process,
    // so a child running a different build is not trusted.
    $expectedVersionLine = sprintf('string(%d) "%s"', strlen(PHP_VERSION), PHP_VERSION);
    // NOTE(review): the address in this literal appears to have been replaced
    // by the hosting page's e-mail obfuscation (declared length 27, text shown
    // is 17 characters). Restore the upstream value before relying on it.
    $expectedIssuerLine = 'string(27) "[email protected]"';
    // A patched build rejects the malformed timestamp: -1 plus a warning.
    $expectedTimestampLine = 'int(-1)';
    $expectedWarning = '{openssl_x509_parse\(\): illegal (?:ASN1 data type for|length in) timestamp in - on line \d+}';

    // True means the fix was backported, probably by a distro security team.
    $fixConfirmed = (
        count($stdoutLines) === 3
        && $stdoutLines[0] === $expectedVersionLine
        && $stdoutLines[1] === $expectedIssuerLine
        && $stdoutLines[2] === $expectedTimestampLine
        && preg_match($expectedWarning, $stderrText)
    );

    return self::$useOpensslParse = $fixConfirmed;
}
If you suppress an error, we recommend checking for the error condition explicitly: