Issues in ajaximgedit.php (master) - Issues in master - mambax7/gwiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (207)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

ajaximgedit.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * ajaximgedit.php - backend upload images and update image info
 *
 * @copyright  Copyright © 2013 geekwright, LLC. All rights reserved.
 * @license    gwiki/docs/license.txt  GNU General Public License (GPL)
 * @since      1.0
 * @author     Richard Griffith <[email protected]>
 * @package    gwiki
 */
include __DIR__ . '/../../mainfile.php';
$xoopsLogger->activated = false;
// provide error logging for our sanity in debugging ajax use (won't see xoops logger)
restore_error_handler();
error_reporting(-1);

$dir = basename(__DIR__);
require_once XOOPS_ROOT_PATH . '/modules/' . $dir . '/class/GwikiPage.php';
global $wikiPage;
$wikiPage = new GwikiPage;

$uploadpath = XOOPS_ROOT_PATH . "/uploads/{$dir}/";
$uploadurl  = XOOPS_URL . "/uploads/{$dir}/";

$newimage = (isset($_SERVER['HTTP_GW_FILENAME']) ? $_SERVER['HTTP_GW_FILENAME'] : false);
$jsondata = (isset($_SERVER['HTTP_GW_JSONDATA']) ? $_SERVER['HTTP_GW_JSONDATA'] : false);

//if (function_exists('xdebug_disable')) { xdebug_disable(); }
//foreach ($_SERVER as $k => $v) {
//    trigger_error($k.':'.$v);
//}

/**
 * @param $string
 *
 * @return string
 */
function cleaner($string)
{
    $string = stripcslashes($string);
    $string = html_entity_decode($string);
    $string = strip_tags($string); // DANGER -- kills wiki text
    $string = trim($string);
    $string = stripslashes($string);

    return $string;
}

/**
 * @param $input
 *
 * @return mixed
 */
function deleteData(&$input)
{
    global $xoopsDB, $uploadpath, $wikiPage;

    $q_image_id = (int)$input['image_id'];
    $q_keyword  = $wikiPage->escapeForDB($input['page']); // use keyword in delete so we know id and edit authority are connected

    // look up the name and delete the image file
    $sql = 'SELECT image_file FROM ' . $xoopsDB->prefix('gwiki_page_images') . " where image_id='{$q_image_id}' AND keyword = '{$q_keyword}' ";

    $result = $xoopsDB->query($sql);
    if ($result) {
        $rows = $xoopsDB->getRowsNum($result);
        if ($rows) {
            $myrow = $xoopsDB->fetchArray($result);
            if (!empty($myrow['image_file'])) {
                $oldfilename = $uploadpath . $myrow['image_file'];
                unlink($oldfilename);
            }
        }
    }

    // delete the row
    $sql = 'DELETE FROM ' . $xoopsDB->prefix('gwiki_page_images') . " where image_id='{$q_image_id}' AND keyword = '{$q_keyword}' ";

    $result = $xoopsDB->queryF($sql);
    $cnt    = $xoopsDB->getAffectedRows();
    if ($cnt) {
        $input['message'] = _MD_GWIKI_AJAX_IMGEDIT_DEL_OK;
    }

    return $result;
}

/**
 * @param $input
 *
 * @return mixed
 */
function updateData(&$input)
{
    global $xoopsDB, $wikiPage;

    $q_image_id       = (int)$input['image_id'];
    $q_keyword        = $wikiPage->escapeForDB($input['page']);
    $q_image_name     = $wikiPage->escapeForDB($input['image_name']);
    $q_image_alt_text = $wikiPage->escapeForDB($input['image_alt_text']);
    //  image_file only changed by image upload
    $q_use_to_represent = (int)$input['use_to_represent'];
    $q_image_file       = empty($input['image_file']) ? '' : $wikiPage->escapeForDB($input['image_file']);

    //  if(!$q_image_id) return false; // only updates

    // if we are setting this, clear it on all other images
    if ($q_use_to_represent) {
        $sql = 'UPDATE ' . $xoopsDB->prefix('gwiki_page_images') . " set use_to_represent = 0 where keyword = '{$q_keyword}' ";

        $result = $xoopsDB->queryF($sql);
    }

    $sql = 'UPDATE ' . $xoopsDB->prefix('gwiki_page_images');
    $sql .= " set image_name = '{$q_image_name}' ";
    $sql .= " , image_alt_text = '{$q_image_alt_text}' ";
    $sql .= " , use_to_represent = '{$q_use_to_represent}' ";
    if (!empty($q_image_file)) {
        $sql .= " , image_file = '{$q_image_file}' ";
    }
    $sql .= " where image_id = '{$q_image_id}' ";

    $result = $xoopsDB->queryF($sql);
    if (!$result) {
        $input['message'] = $xoopsDB->error();

        return 0;
    }
    $cnt = $xoopsDB->getAffectedRows();
    if (!$cnt) {
        $input['message'] = _MD_GWIKI_AJAX_IMGEDIT_NOT_DEFINED;
    } else {
        $input['message'] = _MD_GWIKI_AJAX_IMGEDIT_UPD_OK;
    }

    if ($result && !$cnt && !empty($q_image_file)) { // database is OK but nothing to update - require image_file
        $sql = 'insert into ' . $xoopsDB->prefix('gwiki_page_images');
        $sql .= ' (keyword, image_name, image_alt_text, use_to_represent, image_file) ';
        $sql .= " values ('{$q_keyword}', '{$q_image_name}', '{$q_image_alt_text}', '{$q_use_to_represent}', '{$q_image_file}' )";
        $result            = $xoopsDB->queryF($sql);
        $input['image_id'] = $xoopsDB->getInsertId();
        $input['message']  = _MD_GWIKI_AJAX_IMGEDIT_ADD_OK;
    }

    return $input['image_id'];
}

/**
 * @param $newimage
 * @param $input
 *
 * @return mixed
 */
function updateImage($newimage, &$input)
{
    global $uploadpath, $xoopsDB;
    // For now, images are stored in individual directories for each page.
    // We can change the directory distribution later, as the entire path
    // relative to /uploads/gwiki/ ($relpath) is stored in the database.

    // We get rid of any colons in the page name in case the filesystem has
    // issues with them. (undescore is illegal in page name, so it stays unique.)
    $relpath  = 'pages/' . str_replace(':', '_', $input['page']) . '/img/';
    $ourpath  = $uploadpath . $relpath;
    $oldUmask = umask(0);
    @mkdir($ourpath, 0755, true);
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
    umask($oldUmask);
    $tempfn = tempnam($ourpath, 'WIKIIMG_');
    $image  = file_get_contents('php://input');
    file_put_contents($tempfn, $image);

    $ogimage_parts = pathinfo($newimage);

    // we are intentionally ignoring $ogimage_parts['dirname']
    // get rid of extra dots, commas and spaces
    $ogimage  = str_replace(array('.', ' ', ','), '_', $ogimage_parts['basename']) . '.' . strtolower($ogimage_parts['extension']);
    $filename = $tempfn . '_' . $ogimage;
    $justfn   = basename($filename);
    if (empty($input['image_name'])) {
        $input['image_name'] = $justfn;
    }
    $input['image_file'] = $relpath . $justfn;

    rename($tempfn, $filename);
    chmod($filename, 0644);
    $q_image_id = (int)$input['image_id'];
    $sql        = 'SELECT image_file FROM ' . $xoopsDB->prefix('gwiki_page_images') . " where image_id='{$q_image_id}' ";

    $result = $xoopsDB->query($sql);
    if ($result) {
        $rows = $xoopsDB->getRowsNum($result);
        if ($rows) {
            $myrow = $xoopsDB->fetchArray($result);
            if (!empty($myrow['image_file'])) {
                $oldfilename = $uploadpath . $myrow['image_file'];
                unlink($oldfilename);
            }
            // update
        } else {
            // new row
        }
    }
    // $result=$xoopsDB->getInsertId();
    //$rows=$xoopsDB->getRowsNum($result);
    return updateData($input);
}

if ($jsondata === false) {
    header('Status: 500 Internal Error - No Data Passed');
    exit;
}
$input = json_decode($jsondata, true);
//file_put_contents ( XOOPS_ROOT_PATH.'/uploads/debug.txt', print_r($input,true));

if (!empty($input['image_id'])) {
    $q_image_id = (int)$input['image_id'];
    $sql        = 'SELECT keyword FROM ' . $xoopsDB->prefix('gwiki_page_images') . " where image_id = '{$q_image_id}' ";
    $result     = $xoopsDB->query($sql);
    if ($row = $xoopsDB->fetcharray($result)) {
        $input['page'] = $row['keyword'];
    }
}

if (empty($input['page'])) {
    header('Status: 500 Internal Error - No Page');
    exit;
}
$input['page'] = strtolower($wikiPage->normalizeKeyword($input['page']));
$pageX         = $wikiPage->getPage($input['page']);
$mayEdit       = $wikiPage->checkEdit();

if (!$mayEdit) {
    header('Status: 403 Forbidden - No Permission');
    if (!$mayEdit) {
        $out['message'] = _MD_GWIKI_AJAX_IMGEDIT_NO_AUTH;
    }
    echo json_encode($out);
    exit;
}

/*
 * This creates issues if page being edited has not been saved yet, so let's not be anal about it
    if (!$pageX) {
        header("Status: 403 Forbidden - No Page");
        if(!$pageX) $out['message']='Page does not exist';
        echo json_encode($out);
        exit;
    }
*/

if ($newimage) {
    $input['image_id'] = updateImage($newimage, $input);
    if ($input['image_id']) {
        $input['message'] = 'Image Saved';
        $input['link']    = $uploadurl . $input['image_file'];
    }
} else {
    if (!empty($input['op']) && $input['op'] === 'delete') {
        deleteData($input);
    } else {
        updateData($input);
    }
}
echo json_encode($input);
exit;


1		<?php
2		/**
3		* ajaximgedit.php - backend upload images and update image info
4		*
5		* @copyright Copyright © 2013 geekwright, LLC. All rights reserved.
6		* @license gwiki/docs/license.txt GNU General Public License (GPL)
7		* @since 1.0
8		* @author Richard Griffith <[email protected]>
9		* @package gwiki
10		*/
11		include __DIR__ . '/../../mainfile.php';
12		$xoopsLogger->activated = false;
13		// provide error logging for our sanity in debugging ajax use (won't see xoops logger)
14		restore_error_handler();
15		error_reporting(-1);
16
17		$dir = basename(__DIR__);
18		require_once XOOPS_ROOT_PATH . '/modules/' . $dir . '/class/GwikiPage.php';
19		global $wikiPage;
20		$wikiPage = new GwikiPage;
21
22		$uploadpath = XOOPS_ROOT_PATH . "/uploads/{$dir}/";
23		$uploadurl = XOOPS_URL . "/uploads/{$dir}/";
24
25		$newimage = (isset($_SERVER['HTTP_GW_FILENAME']) ? $_SERVER['HTTP_GW_FILENAME'] : false);
26		$jsondata = (isset($_SERVER['HTTP_GW_JSONDATA']) ? $_SERVER['HTTP_GW_JSONDATA'] : false);
27
28		//if (function_exists('xdebug_disable')) { xdebug_disable(); }
29		//foreach ($_SERVER as $k => $v) {
30		// trigger_error($k.':'.$v);
31		//}
32
33		/**
34		* @param $string
35		*
36		* @return string
37		*/
38	View Code Duplication	function cleaner($string)
39		{
40		$string = stripcslashes($string);
41		$string = html_entity_decode($string);
42		$string = strip_tags($string); // DANGER -- kills wiki text
43		$string = trim($string);
44		$string = stripslashes($string);
45
46		return $string;
47		}
48
49		/**
50		* @param $input
51		*
52		* @return mixed
53		*/
54	View Code Duplication	function deleteData(&$input)
55		{
56		global $xoopsDB, $uploadpath, $wikiPage;
57
58		$q_image_id = (int)$input['image_id'];
59		$q_keyword = $wikiPage->escapeForDB($input['page']); // use keyword in delete so we know id and edit authority are connected
60
61		// look up the name and delete the image file
62		$sql = 'SELECT image_file FROM ' . $xoopsDB->prefix('gwiki_page_images') . " where image_id='{$q_image_id}' AND keyword = '{$q_keyword}' ";
63
64		$result = $xoopsDB->query($sql);
65		if ($result) {
66		$rows = $xoopsDB->getRowsNum($result);
67		if ($rows) {
68		$myrow = $xoopsDB->fetchArray($result);
69		if (!empty($myrow['image_file'])) {
70		$oldfilename = $uploadpath . $myrow['image_file'];
71		unlink($oldfilename);
72		}
73		}
74		}
75
76		// delete the row
77		$sql = 'DELETE FROM ' . $xoopsDB->prefix('gwiki_page_images') . " where image_id='{$q_image_id}' AND keyword = '{$q_keyword}' ";
78
79		$result = $xoopsDB->queryF($sql);
80		$cnt = $xoopsDB->getAffectedRows();
81		if ($cnt) {
82		$input['message'] = _MD_GWIKI_AJAX_IMGEDIT_DEL_OK;
83		}
84
85		return $result;
86		}
87
88		/**
89		* @param $input
90		*
91		* @return mixed
92		*/
93		function updateData(&$input)
94		{
95		global $xoopsDB, $wikiPage;
96
97		$q_image_id = (int)$input['image_id'];
98		$q_keyword = $wikiPage->escapeForDB($input['page']);
99		$q_image_name = $wikiPage->escapeForDB($input['image_name']);
100		$q_image_alt_text = $wikiPage->escapeForDB($input['image_alt_text']);
101		// image_file only changed by image upload
102		$q_use_to_represent = (int)$input['use_to_represent'];
103		$q_image_file = empty($input['image_file']) ? '' : $wikiPage->escapeForDB($input['image_file']);
104
105		// if(!$q_image_id) return false; // only updates
106
107		// if we are setting this, clear it on all other images
108		if ($q_use_to_represent) {
109		$sql = 'UPDATE ' . $xoopsDB->prefix('gwiki_page_images') . " set use_to_represent = 0 where keyword = '{$q_keyword}' ";
110
111		$result = $xoopsDB->queryF($sql);
112		}
113
114		$sql = 'UPDATE ' . $xoopsDB->prefix('gwiki_page_images');
115		$sql .= " set image_name = '{$q_image_name}' ";
116		$sql .= " , image_alt_text = '{$q_image_alt_text}' ";
117		$sql .= " , use_to_represent = '{$q_use_to_represent}' ";
118		if (!empty($q_image_file)) {
119		$sql .= " , image_file = '{$q_image_file}' ";
120		}
121		$sql .= " where image_id = '{$q_image_id}' ";
122
123		$result = $xoopsDB->queryF($sql);
124		if (!$result) {
125		$input['message'] = $xoopsDB->error();
126
127		return 0;
128		}
129		$cnt = $xoopsDB->getAffectedRows();
130		if (!$cnt) {
131		$input['message'] = _MD_GWIKI_AJAX_IMGEDIT_NOT_DEFINED;
132		} else {
133		$input['message'] = _MD_GWIKI_AJAX_IMGEDIT_UPD_OK;
134		}
135
136		if ($result && !$cnt && !empty($q_image_file)) { // database is OK but nothing to update - require image_file
137		$sql = 'insert into ' . $xoopsDB->prefix('gwiki_page_images');
138		$sql .= ' (keyword, image_name, image_alt_text, use_to_represent, image_file) ';
139		$sql .= " values ('{$q_keyword}', '{$q_image_name}', '{$q_image_alt_text}', '{$q_use_to_represent}', '{$q_image_file}' )";
140		$result = $xoopsDB->queryF($sql);
141		$input['image_id'] = $xoopsDB->getInsertId();
142		$input['message'] = _MD_GWIKI_AJAX_IMGEDIT_ADD_OK;
143		}
144
145		return $input['image_id'];
146		}
147
148		/**
149		* @param $newimage
150		* @param $input
151		*
152		* @return mixed
153		*/
154		function updateImage($newimage, &$input)
155		{
156		global $uploadpath, $xoopsDB;
157		// For now, images are stored in individual directories for each page.
158		// We can change the directory distribution later, as the entire path
159		// relative to /uploads/gwiki/ ($relpath) is stored in the database.
160
161		// We get rid of any colons in the page name in case the filesystem has
162		// issues with them. (undescore is illegal in page name, so it stays unique.)
163		$relpath = 'pages/' . str_replace(':', '_', $input['page']) . '/img/';
164		$ourpath = $uploadpath . $relpath;
165		$oldUmask = umask(0);
166		@mkdir($ourpath, 0755, true);
		0 ignored issues – show Security Best Practice introduced 2016-01-18 06:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
167		umask($oldUmask);
168		$tempfn = tempnam($ourpath, 'WIKIIMG_');
169		$image = file_get_contents('php://input');
170		file_put_contents($tempfn, $image);
171
172		$ogimage_parts = pathinfo($newimage);
173
174		// we are intentionally ignoring $ogimage_parts['dirname']
175		// get rid of extra dots, commas and spaces
176		$ogimage = str_replace(array('.', ' ', ','), '_', $ogimage_parts['basename']) . '.' . strtolower($ogimage_parts['extension']);
177		$filename = $tempfn . '_' . $ogimage;
178		$justfn = basename($filename);
179		if (empty($input['image_name'])) {
180		$input['image_name'] = $justfn;
181		}
182		$input['image_file'] = $relpath . $justfn;
183
184		rename($tempfn, $filename);
185		chmod($filename, 0644);
186		$q_image_id = (int)$input['image_id'];
187		$sql = 'SELECT image_file FROM ' . $xoopsDB->prefix('gwiki_page_images') . " where image_id='{$q_image_id}' ";
188
189		$result = $xoopsDB->query($sql);
190		if ($result) {
191		$rows = $xoopsDB->getRowsNum($result);
192		if ($rows) {
193		$myrow = $xoopsDB->fetchArray($result);
194		if (!empty($myrow['image_file'])) {
195		$oldfilename = $uploadpath . $myrow['image_file'];
196		unlink($oldfilename);
197		}
198		// update
199		} else {
200		// new row
201		}
202		}
203		// $result=$xoopsDB->getInsertId();
204		//$rows=$xoopsDB->getRowsNum($result);
205		return updateData($input);
206		}
207
208		if ($jsondata === false) {
209		header('Status: 500 Internal Error - No Data Passed');
210		exit;
211		}
212		$input = json_decode($jsondata, true);
213		//file_put_contents ( XOOPS_ROOT_PATH.'/uploads/debug.txt', print_r($input,true));
214
215		if (!empty($input['image_id'])) {
216		$q_image_id = (int)$input['image_id'];
217		$sql = 'SELECT keyword FROM ' . $xoopsDB->prefix('gwiki_page_images') . " where image_id = '{$q_image_id}' ";
218		$result = $xoopsDB->query($sql);
219		if ($row = $xoopsDB->fetcharray($result)) {
220		$input['page'] = $row['keyword'];
221		}
222		}
223
224		if (empty($input['page'])) {
225		header('Status: 500 Internal Error - No Page');
226		exit;
227		}
228		$input['page'] = strtolower($wikiPage->normalizeKeyword($input['page']));
229		$pageX = $wikiPage->getPage($input['page']);
230		$mayEdit = $wikiPage->checkEdit();
231
232	View Code Duplication	if (!$mayEdit) {
233		header('Status: 403 Forbidden - No Permission');
234		if (!$mayEdit) {
235		$out['message'] = _MD_GWIKI_AJAX_IMGEDIT_NO_AUTH;
236		}
237		echo json_encode($out);
238		exit;
239		}
240
241		/*
242		* This creates issues if page being edited has not been saved yet, so let's not be anal about it
243		if (!$pageX) {
244		header("Status: 403 Forbidden - No Page");
245		if(!$pageX) $out['message']='Page does not exist';
246		echo json_encode($out);
247		exit;
248		}
249		*/
250
251		if ($newimage) {
252		$input['image_id'] = updateImage($newimage, $input);
253		if ($input['image_id']) {
254		$input['message'] = 'Image Saved';
255		$input['link'] = $uploadurl . $input['image_file'];
256		}
257	View Code Duplication	} else {
258		if (!empty($input['op']) && $input['op'] === 'delete') {
259		deleteData($input);
260		} else {
261		updateData($input);
262		}
263		}
264		echo json_encode($input);
265		exit;
266

mambax7 / gwiki

Issues (207)

Security Analysis not enabled

ajaximgedit.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like