includes/widgets/wsl.auth.widgets.php

<?php
/*!
* WordPress Social Login
*
* https://miled.github.io/wordpress-social-login/ | https://github.com/miled/wordpress-social-login
*   (c) 2011-2020 Mohamed Mrassi and contributors | https://wordpress.org/plugins/wordpress-social-login/
*/

/**
* Authentication widgets generator
*
* http://miled.github.io/wordpress-social-login/widget.html
* http://miled.github.io/wordpress-social-login/themes.html
* http://miled.github.io/wordpress-social-login/developer-api-widget.html
*/

// Exit if accessed directly
if( !defined( 'ABSPATH' ) ) exit;

// --------------------------------------------------------------------

/**
* Generate the HTML content of WSL Widget
*
* Note:
*   WSL shortcode arguments are still experimental and might change in future versions.
*
*   [wordpress_social_login
*        auth_mode="login"
*        caption="Connect with"
*        enable_providers="facebook|google"
*        restrict_content="wsl_user_logged_in"
*        assets_base_url="http://example.com/wp-content/uploads/2022/01/"
*   ]
*
*   Overall, the WSL widget works with these simple rules:
*      1. Shortcode arguments rule over the defaults
*      2. Filter hooks rule over shortcode arguments
*      3. Bouncer rules over everything
*/
function wsl_render_auth_widget( $args = array() )
{
	// The shortcode is documented with "auth_mode"; "mode" is accepted as well
	// because earlier versions of this function only read that key.
	$auth_mode = 'login';

	if( isset( $args['auth_mode'] ) && $args['auth_mode'] )
	{
		$auth_mode = $args['auth_mode'];
	}
	elseif( isset( $args['mode'] ) && $args['mode'] )
	{
		$auth_mode = $args['mode'];
	}

	// validate auth-mode against the closed list of supported modes
	if( ! in_array( $auth_mode, array( 'login', 'link', 'test' ), true ) )
	{
		return;
	}

	// auth-mode eq 'login' => display wsl widget only for NON logged in users
	// > this is the default mode of wsl widget.
	if( $auth_mode == 'login' && is_user_logged_in() )
	{
		return;
	}

	// auth-mode eq 'link' => display wsl widget only for LOGGED IN users
	// > this allows users to manually link other social network accounts to their WordPress account
	if( $auth_mode == 'link' && ! is_user_logged_in() )
	{
		return;
	}

	// auth-mode eq 'test' => display wsl widget only for LOGGED IN users, and only on the dashboard
	// > used in Authentication Playground on WSL admin dashboard
	// > the widget is hidden unless BOTH conditions hold (the earlier "&&" form only hid it when neither held)
	if( $auth_mode == 'test' && ( ! is_user_logged_in() || ! is_admin() ) )
	{
		return;
	}

	// Bouncer :: Allow authentication?
	if( get_option( 'wsl_settings_bouncer_authentication_enabled' ) == 2 )
	{
		return;
	}

	// HOOKABLE: This action runs just before generating the WSL Widget.
	do_action( 'wsl_render_auth_widget_start' );

	global $WORDPRESS_SOCIAL_LOGIN_PROVIDERS_CONFIG;

	ob_start();

	// Icon set. If eq 'none', we show text instead
	$social_icon_set = get_option( 'wsl_settings_social_icon_set' );

	// wpzoom icons set, is shown by default
	if( empty( $social_icon_set ) )
	{
		$social_icon_set = "wpzoom/";
	}

	$assets_base_url  = WORDPRESS_SOCIAL_LOGIN_PLUGIN_URL . 'assets/img/32x32/' . $social_icon_set . '/';

	// a shortcode attribute may override the icon base url; it is escaped with esc_url() where it is printed
	$assets_base_url  = isset( $args['assets_base_url'] ) && $args['assets_base_url'] ? $args['assets_base_url'] : $assets_base_url;

	// HOOKABLE:
	$assets_base_url = apply_filters( 'wsl_render_auth_widget_alter_assets_base_url', $assets_base_url );

	// get the current page url, which we will use to redirect the user to,
	// unless Widget::Force redirection is set to 'yes', then this will be ignored and Widget::Redirect URL will be used instead
	$redirect_to = wsl_get_current_url();

	// Use the provided redirect_to if it is given and this is the login page.
	// > this is raw request input: it is only url-encoded into the authentication
	// > link below (and run through esc_url()); this function never redirects to it
	if ( in_array( $GLOBALS["pagenow"], array( "wp-login.php", "wp-register.php" ) ) && !empty( $_REQUEST["redirect_to"] ) )
	{
		$redirect_to = $_REQUEST["redirect_to"];
	}

	// build the authentication url which will call for wsl_process_login() : action=wordpress_social_authenticate
	$authenticate_base_url = add_query_arg(
		array(
			'action' => 'wordpress_social_authenticate',
			'mode'   => 'login',
		),
		site_url( 'wp-login.php', 'login_post' )
	);

	// if not in mode login, we overwrite the auth base url
	// > admin auth playground
	if( $auth_mode == 'test' )
	{
		$authenticate_base_url = add_query_arg(
			array(
				'action' => 'wordpress_social_authenticate',
				'mode'   => 'test',
			),
			home_url()
		);
	}

	// > account linking
	elseif( $auth_mode == 'link' )
	{
		$authenticate_base_url = add_query_arg(
			array(
				'action' => 'wordpress_social_authenticate',
				'mode'   => 'link',
			),
			home_url()
		);
	}

	// Connect with caption
	$connect_with_label = _wsl__( get_option( 'wsl_settings_connect_with_label' ), 'wordpress-social-login' );

	$connect_with_label = isset( $args['caption'] ) ? $args['caption'] : $connect_with_label;

	// HOOKABLE:
	$connect_with_label = apply_filters( 'wsl_render_auth_widget_alter_connect_with_label', $connect_with_label );
?>

<!--
	wsl_render_auth_widget
	WordPress Social Login <?php echo wsl_get_version(); ?>.
	http://wordpress.org/plugins/wordpress-social-login/
-->
<?php
	// Widget::Custom CSS (admin-controlled option, minified before output)
	$widget_css = get_option( 'wsl_settings_authentication_widget_css' );

	// HOOKABLE:
	$widget_css = apply_filters( 'wsl_render_auth_widget_alter_widget_css', $widget_css, $redirect_to );

	// show the custom widget css if not empty
	if( ! empty( $widget_css ) )
	{
?>

<style type="text/css">
<?php
	echo
		preg_replace(
			array( '%/\*(?:(?!\*/).)*\*/%s', '/\s{2,}/', "/\s*([;{}])[\r\n\t\s]/", '/\\s*;\\s*/', '/\\s*{\\s*/', '/;?\\s*}\\s*/' ),
				array( '', ' ', '$1', ';', '{', '}' ),
					$widget_css );
?>
</style>
<?php
	}
?>

<div class="wp-social-login-widget">

	<?php // the caption may come from a shortcode attribute, so only post-safe HTML is allowed through ?>
	<div class="wp-social-login-connect-with"><?php echo wp_kses_post( $connect_with_label ); ?></div>

	<div class="wp-social-login-provider-list">
<?php
	// Widget::Authentication display
	$wsl_settings_use_popup = get_option( 'wsl_settings_use_popup' );

	// if a user is visiting using a mobile device, WSL will fall back to in-page mode
	if( function_exists( 'wp_is_mobile' ) && wp_is_mobile() )
	{
		$wsl_settings_use_popup = 2;
	}

	$no_idp_used = true;

	// display provider icons
	foreach( $WORDPRESS_SOCIAL_LOGIN_PROVIDERS_CONFIG AS $item )
	{
		$provider_id    = isset( $item["provider_id"]    ) ? $item["provider_id"]   : '' ;
		$provider_name  = isset( $item["provider_name"]  ) ? $item["provider_name"] : '' ;

		// provider enabled?
		if( get_option( 'wsl_settings_' . $provider_id . '_enabled' ) )
		{
			// restrict the enabled providers list
			if( isset( $args['enable_providers'] ) )
			{
				$enable_providers = explode( '|', $args['enable_providers'] ); // might add a couple of picoseconds

				if( ! in_array( strtolower( $provider_id ), $enable_providers ) )
				{
					continue;
				}
			}

			// build authentication url
			$authenticate_url = add_query_arg(
				array(
					'provider'    => $provider_id,
					'redirect_to' => urlencode( $redirect_to ),
				),
				$authenticate_base_url
			);

			// http://codex.wordpress.org/Function_Reference/esc_url
			$authenticate_url = esc_url( $authenticate_url );

			// in case, Widget::Authentication display is set to 'popup', then we overwrite 'authenticate_url'
			// > /assets/js/connect.js will take care of the rest
			if( $wsl_settings_use_popup == 1 &&  $auth_mode != 'test' )
			{
				$authenticate_url= "javascript:void(0);";
			}

			// HOOKABLE: allow users to rebuild the auth url
			// > the url was already passed through esc_url() above; it is not escaped again at output
			// > because esc_url() would strip the "javascript:void(0);" placeholder used in popup mode
			$authenticate_url = apply_filters( 'wsl_render_auth_widget_alter_authenticate_url', $authenticate_url, $provider_id, $auth_mode, $redirect_to, $wsl_settings_use_popup );

			// HOOKABLE: allow use of other icon sets
			$provider_icon_markup = apply_filters( 'wsl_render_auth_widget_alter_provider_icon_markup', $provider_id, $provider_name, $authenticate_url );

			if( $provider_icon_markup != $provider_id )
			{
				echo $provider_icon_markup;
			}
			else
			{
?>

		<a rel="nofollow" href="<?php echo $authenticate_url; ?>" title="<?php echo esc_attr( sprintf( _wsl__( "Connect with %s", 'wordpress-social-login' ), $provider_name ) ); ?>" class="wp-social-login-provider wp-social-login-provider-<?php echo esc_attr( strtolower( $provider_id ) ); ?>" data-provider="<?php echo esc_attr( $provider_id ); ?>" role="button">
			<?php if( $social_icon_set == 'none' ){ echo esc_html( apply_filters( 'wsl_render_auth_widget_alter_provider_name', $provider_name ) ); } else { ?><img alt="<?php echo esc_attr( $provider_name ); ?>" src="<?php echo esc_url( $assets_base_url . strtolower( $provider_id ) . '.png' ); ?>" aria-hidden="true" /><?php } ?>

		</a>
<?php
			}

			$no_idp_used = false;
		}
	}

	// no provider enabled?
	if( $no_idp_used )
	{
?>
		<p style="background-color: #FFFFE0;border:1px solid #E6DB55;padding:5px;">
			<?php _wsl_e( '<strong>WordPress Social Login is not configured yet</strong>.<br />Please navigate to <strong>Settings &gt; WP Social Login</strong> to configure this plugin.<br />For more information, refer to the <a rel="nofollow" href="http://miled.github.io/wordpress-social-login">online user guide</a>.', 'wordpress-social-login') ?>
		</p>
		<?php // the caption container is a class, not an id ?>
		<style>.wp-social-login-connect-with{display:none;}</style>
<?php
	}
?>

	</div>

	<div class="wp-social-login-widget-clearing"></div>

</div>

<?php
	// provide popup url for hybridauth callback
	if( $wsl_settings_use_popup == 1 )
	{
?>
<input type="hidden" id="wsl_popup_base_url" value="<?php echo esc_url( $authenticate_base_url ) ?>" />
<input type="hidden" id="wsl_login_form_uri" value="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" />

<?php
	}

	// HOOKABLE: This action runs just after generating the WSL Widget.
	do_action( 'wsl_render_auth_widget_end' );
?>
<!-- wsl_render_auth_widget -->

<?php
	// Display WSL debugging area below the widget.
	// wsl_display_dev_mode_debugging_area(); // ! keep this line commented unless you know what you are doing :)

	return ob_get_clean();
}
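The renderer above copies `redirect_to` straight out of the request on the login page and embeds it, url-encoded, into every provider's authentication link. Whatever later consumes that value has to decide whether it is a safe place to send a freshly authenticated user. The following is an added example, not code from WordPress Social Login, of that check written as plain PHP so it runs without WordPress (core offers `wp_validate_redirect()` for the same job inside a site). The function name, the allow list and the sample inputs are constructed for illustration.

```php
<?php
/**
 * Added example (not part of WordPress Social Login): decide whether a
 * caller-supplied redirect_to value may be used as a post-login target.
 *
 * Policy: accept same-site relative paths and absolute http(s) URLs whose
 * host is on an allow list; anything else falls back to a known-safe URL.
 * The helper name, the allow list and the sample inputs are constructed.
 */
function wsl_example_validate_redirect_to( $requested, $fallback, array $allowed_hosts )
{
	$requested = trim( (string) $requested );

	if ( $requested === '' ) {
		return $fallback;
	}

	// Drop ASCII control characters and whitespace that some URL parsers skip
	// (e.g. "java\tscript:") before looking at the scheme.
	$requested = preg_replace( '/[\x00-\x20\x7f]/', '', $requested );

	// A relative path is fine, but "//host" is scheme-relative and leaves the
	// site, and browsers treat "/\host" the same way.
	if ( $requested[0] === '/' && ! preg_match( '#^/[/\\\\]#', $requested ) ) {
		return $requested;
	}

	$parts = parse_url( $requested );

	// javascript:, data:, or "host/path" with no scheme all end up here
	if ( $parts === false || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return $fallback;
	}

	if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
		return $fallback;
	}

	// parse_url() has already split off userinfo ("user@host") and the port,
	// so "https://example.com@attacker.example/" compares as attacker.example.
	if ( ! in_array( strtolower( $parts['host'] ), array_map( 'strtolower', $allowed_hosts ), true ) ) {
		return $fallback;
	}

	return $requested;
}

// Constructed sample inputs; the allow list holds only the site's own host.
$fallback = 'https://example.com/';
$allowed  = array( 'example.com' );

$cases = array(
	'/wp-admin/profile.php'                 => '/wp-admin/profile.php',
	'https://example.com/my-account/'       => 'https://example.com/my-account/',
	'https://EXAMPLE.com/x'                 => 'https://EXAMPLE.com/x',
	'//attacker.example/phish'              => $fallback,
	'/\\attacker.example'                   => $fallback,
	'https://attacker.example/'             => $fallback,
	'https://example.com@attacker.example/' => $fallback,
	'javascript:alert(1)'                   => $fallback,
	"java\tscript:alert(1)"                 => $fallback,
	''                                      => $fallback,
);

foreach ( $cases as $input => $expected ) {
	$got = wsl_example_validate_redirect_to( $input, $fallback, $allowed );
	printf( "%-42s -> %s\n", var_export( $input, true ), $got === $expected ? 'ok' : "FAIL ($got)" );
}
```

The two cases worth keeping in mind when reviewing any redirect parameter are the scheme-relative `//host` form, which `parse_url()` happily accepts as a host but which the leading-slash shortcut would otherwise wave through, and the `user@host` form, where a naive `strpos()` check for the site's own name on the whole string would match the userinfo part rather than the real host.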

// --------------------------------------------------------------------

/**
* WSL wordpress_social_login action
*
* Ref: http://codex.wordpress.org/Function_Reference/add_action
*/
function wsl_action_wordpress_social_login( $args = array() )
{
	echo wsl_render_auth_widget( $args );
}

add_action( 'wordpress_social_login', 'wsl_action_wordpress_social_login' );

// --------------------------------------------------------------------

/**
* WSL wordpress_social_login shortcode
*
* Note:
*   WSL shortcode arguments are still experimental and might change in future versions.
*
* Ref: http://codex.wordpress.org/Function_Reference/add_shortcode
*/
function wsl_shortcode_wordpress_social_login( $args = array(), $content = null )
{
	// keep the attribute as a string: it is compared against two mode names below.
	// (an earlier version coerced it to a bool; under PHP's loose comparison both
	// 'wp_user_logged_in' == true and 'wsl_user_logged_in' == true hold, so
	// restrict_content="wsl_user_logged_in" behaved like "wp_user_logged_in")
	$restrict_content = isset( $args['restrict_content'] ) && $args['restrict_content'] ? (string) $args['restrict_content'] : '';

	if( 'wp_user_logged_in' === $restrict_content && is_user_logged_in() )
	{
		return do_shortcode( $content );
	}

	if( 'wsl_user_logged_in' === $restrict_content && wsl_get_stored_hybridauth_user_profiles_by_user_id( get_current_user_id() ) )
	{
		return do_shortcode( $content );
	}

	return wsl_render_auth_widget( $args );
}

add_shortcode( 'wordpress_social_login', 'wsl_shortcode_wordpress_social_login' );
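Every attribute the `[wordpress_social_login]` shortcode accepts (`auth_mode`, `caption`, `enable_providers`, `restrict_content`, `assets_base_url`) is typed by whoever edits the post and reaches the renderer as-is; the renderer checks the mode against a closed list but passes the caption, the provider filter and the icon base URL through. The following is an added example, not part of WordPress Social Login, of normalising those attributes against closed sets before rendering. It is plain PHP so it runs without WordPress; the helper name and the sample provider list are constructed, and the provider ids would in practice come from the plugin's `$WORDPRESS_SOCIAL_LOGIN_PROVIDERS_CONFIG`.

```php
<?php
/**
 * Added example (not part of WordPress Social Login): reduce the attributes
 * of the [wordpress_social_login] shortcode to a closed set of values, so a
 * post author cannot push an arbitrary mode, provider id or asset URL into
 * the generated markup. Helper name and sample providers are constructed.
 */
function wsl_example_sanitize_widget_args( $args, array $known_provider_ids )
{
	// WordPress passes '' (not an array) when the shortcode has no attributes.
	$args = is_array( $args ) ? $args : array();

	$clean = array(
		'auth_mode'        => 'login',
		'caption'          => null,   // null = fall back to the admin setting
		'enable_providers' => null,   // null = all enabled providers
		'restrict_content' => '',
		'assets_base_url'  => null,   // null = the plugin's bundled icon set
	);

	// Closed list, the same one the renderer checks with in_array().
	if ( isset( $args['auth_mode'] ) && in_array( $args['auth_mode'], array( 'login', 'link', 'test' ), true ) ) {
		$clean['auth_mode'] = $args['auth_mode'];
	}

	// The caption is rendered as text; strip tags here so the output layer
	// never has to decide what author-supplied HTML is acceptable.
	if ( isset( $args['caption'] ) && is_string( $args['caption'] ) ) {
		$clean['caption'] = trim( strip_tags( $args['caption'] ) );
	}

	// Only provider ids present in the provider config survive; unknown
	// names are dropped rather than forwarded.
	if ( isset( $args['enable_providers'] ) && is_string( $args['enable_providers'] ) ) {
		$known = array_map( 'strtolower', $known_provider_ids );
		$want  = array_map( 'strtolower', array_map( 'trim', explode( '|', $args['enable_providers'] ) ) );
		$clean['enable_providers'] = array_values( array_intersect( $want, $known ) );
	}

	if ( isset( $args['restrict_content'] ) && in_array( $args['restrict_content'], array( 'wp_user_logged_in', 'wsl_user_logged_in' ), true ) ) {
		$clean['restrict_content'] = $args['restrict_content'];
	}

	// The icon base URL must be an absolute http(s) URL ending in a slash with
	// no quote, angle bracket or whitespace; javascript:, data:, scheme-relative
	// and bare-path values are all ignored.
	if ( isset( $args['assets_base_url'] ) && is_string( $args['assets_base_url'] ) ) {
		$url = trim( $args['assets_base_url'] );
		$p   = parse_url( $url );
		if ( $p !== false
			&& isset( $p['scheme'], $p['host'] )
			&& in_array( strtolower( $p['scheme'] ), array( 'http', 'https' ), true )
			&& substr( $url, -1 ) === '/'
			&& ! preg_match( '/[\s"\'<>]/', $url ) ) {
			$clean['assets_base_url'] = $url;
		}
	}

	return $clean;
}

// Constructed input: a shortcode as an author might write it, carrying two
// attributes that must not survive and one unknown provider.
$providers = array( 'Facebook', 'Google', 'Twitter' );

$clean = wsl_example_sanitize_widget_args( array(
	'auth_mode'        => 'register',                      // not a valid mode  -> 'login'
	'caption'          => 'Sign in <img src=x onerror=alert(1)>', // -> 'Sign in'
	'enable_providers' => 'google|Twitter|myspace',        // 'myspace' unknown -> dropped
	'restrict_content' => 'wsl_user_logged_in',
	'assets_base_url'  => 'javascript:alert(1)//',         // not http(s)       -> null
), $providers );

print_r( $clean );
```

Running the normaliser once, before `wsl_render_auth_widget()` is called, also makes the output escaping in the renderer a second line of defence rather than the only one: `esc_url()` on the image source still matters, but it is no longer the sole thing standing between an author-controlled attribute and the page.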

// --------------------------------------------------------------------

/**
* WSL wordpress_social_login_meta shortcode
*
* Note:
*   This shortcode is experimental and might change in future versions.
*
*   [wordpress_social_login_meta
*        user_id="215"
*        meta="wsl_current_user_image"
*        display="html"
*        css_class="my_style_is_better"
*   ]
*/
function wsl_shortcode_wordpress_social_login_meta( $args = array() )
{
	// wordpress user id default to current user connected
	$user_id = isset( $args['user_id'] ) && $args['user_id'] ? $args['user_id'] : get_current_user_id();

	// display default to plain text
	$display = isset( $args['display'] ) && $args['display'] ? $args['display'] : 'plain';

	// when display is set to html, css_class will be used for the main dom el
	$css_class = isset( $args['css_class'] ) && $args['css_class'] ? $args['css_class'] : '';

	// wsl user meta to display
	$meta = isset( $args['meta'] ) && $args['meta'] ? $args['meta'] : null;

	if( ! is_numeric( $user_id ) )
	{
		return;
	}

	$user_id = (int) $user_id;

	if( ! $meta )
	{
		return;
	}

	$assets_base_url  = WORDPRESS_SOCIAL_LOGIN_PLUGIN_URL . 'assets/img/16x16/';

	$assets_base_url  = isset( $args['assets_base_url'] ) && $args['assets_base_url'] ? $args['assets_base_url'] : $assets_base_url;

	$return = '';

	// Note: the shortcode attributes ($css_class, $assets_base_url) and everything read back
	// from the stored profiles (provider, profile url, photo url, identifier) originate outside
	// this plugin, so each value is escaped for the context it is printed into.

	if( 'current_avatar' == $meta )
	{
		if( 'plain' == $display )
		{
			$return = esc_url( wsl_get_user_custom_avatar( $user_id ) );
		}
		else
		{
			$return = '<img class="wordpress_social_login_meta_user_avatar ' . esc_attr( $css_class ) . '" src="' . esc_url( wsl_get_user_custom_avatar( $user_id ) ) . '" />';
		}
	}

	if( 'current_provider' == $meta )
	{
		$provider = get_user_meta( $user_id, 'wsl_current_provider', true );

		if( 'plain' == $display )
		{
			$return = esc_html( $provider );
		}
		else
		{
			$return = '<img class="wordpress_social_login_meta_user_provider ' . esc_attr( $css_class ) . '" src="' . esc_url( $assets_base_url . strtolower( $provider ) . '.png' ) . '"> ' . esc_html( $provider );
		}
	}

	if( 'user_identities' == $meta )
	{
		ob_start();

		$linked_accounts = wsl_get_stored_hybridauth_user_profiles_by_user_id( $user_id );

		if( $linked_accounts )
		{
			?><table class="wp-social-login-linked-accounts-list <?php echo esc_attr( $css_class ); ?>"><?php

			foreach( $linked_accounts AS $item )
			{
				$identity = $item->profileurl;
				$photourl = $item->photourl;

				if( ! $identity )
				{
					$identity = $item->identifier;
				}

				?><tr><td><?php if( $photourl ) { ?><img style="vertical-align: top;width:16px;height:16px;" src="<?php echo esc_url( $photourl ); ?>"> <?php } else { ?><img src="<?php echo esc_url( $assets_base_url . strtolower( $item->provider ) . '.png' ); ?>" /> <?php } ?><?php echo esc_html( ucfirst( $item->provider ) ); ?> </td><td><?php echo esc_html( $identity ); ?></td></tr><?php

				echo "\n";
			}

			?></table><?php
		}

		$return = ob_get_clean();

		if( 'plain' == $display )
		{
			$return = strip_tags( $return );
		}
	}

	return $return;
}

add_shortcode( 'wordpress_social_login_meta', 'wsl_shortcode_wordpress_social_login_meta' );

// --------------------------------------------------------------------

/**
* Display on comment area
*/
function wsl_render_auth_widget_in_comment_form()
{
	$wsl_settings_widget_display = get_option( 'wsl_settings_widget_display' );

	if( comments_open() )
	{
		if(
			!  $wsl_settings_widget_display
		||
			$wsl_settings_widget_display == 1
		||
			$wsl_settings_widget_display == 2
		)
		{
			echo wsl_render_auth_widget();
		}
	}
}

add_action( 'comment_form_top'              , 'wsl_render_auth_widget_in_comment_form' );
add_action( 'comment_form_must_log_in_after', 'wsl_render_auth_widget_in_comment_form' );

// --------------------------------------------------------------------

/**
* Display on login form
*/
function wsl_render_auth_widget_in_wp_login_form()
{
	$wsl_settings_widget_display = get_option( 'wsl_settings_widget_display' );

	if( $wsl_settings_widget_display == 1 || $wsl_settings_widget_display == 3 )
	{
		echo wsl_render_auth_widget();
	}
}

add_action( 'login_form'                      , 'wsl_render_auth_widget_in_wp_login_form' );
add_action( 'bp_before_account_details_fields', 'wsl_render_auth_widget_in_wp_login_form' );
add_action( 'bp_before_sidebar_login_form'    , 'wsl_render_auth_widget_in_wp_login_form' );

// --------------------------------------------------------------------

/**
* Display on register form
*/
function wsl_render_auth_widget_in_wp_register_form()
{
	$wsl_settings_widget_display = get_option( 'wsl_settings_widget_display' );

	if( $wsl_settings_widget_display == 1 || $wsl_settings_widget_display == 3 )
	{
		echo wsl_render_auth_widget();
	}
}

add_action( 'register_form'    , 'wsl_render_auth_widget_in_wp_register_form' );
add_action( 'after_signup_form', 'wsl_render_auth_widget_in_wp_register_form' );

// --------------------------------------------------------------------

/**
* Enqueue WSL CSS file
*/
function wsl_add_stylesheets()
{
	if( ! wp_style_is( 'wsl-widget', 'registered' ) )
	{
		wp_register_style( "wsl-widget", WORDPRESS_SOCIAL_LOGIN_PLUGIN_URL . "assets/css/style.css" );
	}

	wp_enqueue_style( "wsl-widget" );
}

add_action( 'wp_enqueue_scripts'   , 'wsl_add_stylesheets' );
add_action( 'login_enqueue_scripts', 'wsl_add_stylesheets' );

// --------------------------------------------------------------------

/**
* Enqueue WSL Javascript, only if we use popup
*/
function wsl_add_javascripts()
{
	$wsl_settings_use_popup = get_option( 'wsl_settings_use_popup' );

	// if a user is visiting using a mobile device, WSL will fall back to in-page mode
	if( function_exists( 'wp_is_mobile' ) && wp_is_mobile() )
	{
		$wsl_settings_use_popup = 2;
	}

	if( $wsl_settings_use_popup != 1 )
	{
		return null;
	}

	if( ! wp_script_is( 'wsl-widget', 'registered' ) )
	{
		wp_register_script( "wsl-widget", WORDPRESS_SOCIAL_LOGIN_PLUGIN_URL . "assets/js/widget.js" );
	}

	wp_enqueue_script( "jquery" );
	wp_enqueue_script( "wsl-widget" );
}

add_action( 'wp_enqueue_scripts'   , 'wsl_add_javascripts' );
add_action( 'login_enqueue_scripts', 'wsl_add_javascripts' );

// --------------------------------------------------------------------