Issues (1919)

Security Analysis: not enabled

This project does not seem to handle request data directly, so no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web request that is viewed by other users. It can, for example, be used to bypass access controls or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can, for example, include database credentials or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server, gaining access to or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements, potentially granting permission to run unauthorized queries or to modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem, including configuration files, or can be abused to freeze your web server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

lib/Ajde/Http/Url.php (4 issues)

These results are based on the legacy PHP analysis engine.

```php
<?php

/**
 * PHP URL CLASS.
 *
 * Wrapper which uses curl when url fopen wrappers are not available
 * I wrote it when my provider decided to stop supporting fopen wrappers
 * due to exploits so I had to start using curl in all my websites.
 *
 * USAGE
 *
 * $mode = Url::getMode();
 * // var_dump($mode);
 * $url = "http://www.google.com/";
 * readurl($url);
 * $len = strlen(url_get_contents($url));
 * // var_dump($len);
 *
 * TEST CONFIGURATION
 *
 * try modifying/adding this directive to your php.ini:
 *        allow_url_fopen = 0;
 * and uncommenting/adding this line:
 *        extension=php_curl.dll
 *
 * @license   It's free dude
 * @author    Joram van den Boezem
 * @copyright May 2010, Joram van den Boezem
 *
 * @version   0.1
 */

/**
 * If true, maps readurl() to Url::read() and url_get_contents() to Url::getContents().
 *
 * @var bool
 */
define('URL_USE_GLOBAL_FUNCTIONS', true);

class Ajde_Http_Url
{
    private static $_mode = null;
    private static $_errMessage = 'Function %s not available with this PHP configuration.';

    const MODE_FOPEN = 1;
    const MODE_CURL = 2;
    const MODE_NONE = 3;

    /**
     * Get supported mode for getting a URL, prefers fopen.
     *
     * @return int One of MODE_FOPEN, MODE_CURL, MODE_NONE
     */
    public static function getMode()
    {
        if (!isset(self::$_mode)) {
            if (ini_get('allow_url_fopen') == true) {
                // we have access to fopen url wrappers, use it!
                self::$_mode = self::MODE_FOPEN;
            } elseif (ini_get('allow_url_fopen') == false && function_exists('curl_init')) {
                // we have no access to fopen url wrappers, but we can use curl!
                self::$_mode = self::MODE_CURL;
            } else {
                // we have no access to fopen url wrappers, and no curl :(
                self::$_mode = self::MODE_NONE;
            }
        }

        return self::$_mode;
    }

    /**
     * Get contents of a URL with curl.
     *
     * @param string $url
     *
     * @return string Contents of the URL
     */
    private static function _getCurl($url)
    {
        $output = false;
        try {
            $ch = curl_init();
            // The URL to fetch. This can also be set when initializing a session with curl_init().
            curl_setopt($ch, CURLOPT_URL, $url);
            // TRUE to return the transfer as a string of the return value of curl_exec() instead of outputting it directly.
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            // TRUE to include the header in the output.
            curl_setopt($ch, CURLOPT_HEADER, false);
            // TRUE to follow any "Location: " header that the server sends as part of the HTTP header (note this is
            // recursive, PHP will follow as many "Location: " headers as it is sent, unless CURLOPT_MAXREDIRS is set).
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
            // The maximum number of HTTP redirections to follow. Use this option alongside CURLOPT_FOLLOWLOCATION.
            curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
            // The number of seconds to wait while trying to connect. Use 0 to wait indefinitely.
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
            // The maximum number of seconds to allow cURL functions to execute.
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            // The contents of the "User-Agent: " header to be used in an HTTP request.
            curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1');
            // The contents of the "Accept-Encoding: " header. This enables decoding of the response. Supported encodings
            // are "identity", "deflate", and "gzip". If an empty string, "", is set, a header containing all supported
            // encoding types is sent.
            curl_setopt($ch, CURLOPT_ENCODING, '');
            // TRUE to automatically set the Referer: field in requests where it follows a Location: redirect.
            curl_setopt($ch, CURLOPT_AUTOREFERER, true);
            // FALSE to stop cURL from verifying the peer's certificate. Alternate certificates to verify against can be
            // specified with the CURLOPT_CAINFO option, or a certificate directory can be specified with the
            // CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER
            // is disabled (it defaults to 2).
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            $output = curl_exec($ch);
            curl_close($ch);
        } catch (Exception $e) {
            throw $e;
        }

        return $output;
    }

    /**
     * Reads a URL and writes it to the output buffer.
     *
     * @param string $url Name of the URL to read.
     *
     * @return mixed Returns the number of bytes read. If an error occurs, FALSE is returned and, unless
     *               the function was called as @readurl(), an error message is printed.
     */
    public static function read($url)
    {
        switch (self::getMode()) {
            case self::MODE_FOPEN:
                return readfile($url);
            case self::MODE_CURL:
                try {
                    $data = self::_getCurl($url);
                    echo $data;

                    return strlen($data);
                } catch (Exception $e) {
                    echo $e->getMessage();

                    return false;
                }
            case self::MODE_NONE:
            default:
                throw new Exception(sprintf(self::$_errMessage, 'Ajde_Http_Url::read()'));

                return false;
        }
    }

    /**
     * Reads an entire URL into a string.
     *
     * @param string $url Name of the URL to read.
     *
     * @return mixed The function returns the read data or FALSE on failure.
     */
    public static function getContents($url)
    {
        switch (self::getMode()) {
            case self::MODE_FOPEN:
                return file_get_contents($url);
            case self::MODE_CURL:
                try {
                    return self::_getCurl($url);
                } catch (Exception $e) {
                    return false;
                }
            case self::MODE_NONE:
            default:
                throw new Exception(sprintf(self::$_errMessage, 'Ajde_Http_Url::getContents()'));

                return false;
        }
    }
}

// define global functions

if (URL_USE_GLOBAL_FUNCTIONS) {

    /**
     * Reads a URL and writes it to the output buffer.
     *
     * @param string $url Name of the URL to read.
     *
     * @return mixed Returns the number of bytes read. If an error occurs, FALSE is returned and, unless the function was called as @readurl(), an error message is printed.
     */
    function readurl($url)
    {
        return Ajde_Http_Url::read($url);
    }

    /**
     * Reads an entire URL into a string.
     *
     * @param string $url Name of the URL to read.
     *
     * @return mixed The function returns the read data or FALSE on failure.
     */
    function url_get_contents($url)
    {
        return Ajde_Http_Url::getContents($url);
    }
}
```

Issues flagged by the legacy PHP analysis (4)

Bug / Best Practice, in getMode() at `if (ini_get('allow_url_fopen') == true)`:
It seems like you are loosely comparing ini_get('allow_url_fopen') of type string to the boolean true. If you are specifically checking for a non-empty string, consider using the more explicit !== '' instead.

Bug / Best Practice, in getMode() at `elseif (ini_get('allow_url_fopen') == false && function_exists('curl_init'))`:
It seems like you are loosely comparing ini_get('allow_url_fopen') of type string to the boolean false. If you are specifically checking for an empty string, consider using the more explicit === '' instead.

Unreachable code, in read() at the `return false;` that follows `throw new Exception(...)`:
return false; does not seem to be reachable.

This check looks for unreachable code. It uses sophisticated control flow analysis techniques to find statements which will never be executed.

Unreachable code is most often the result of return, die or exit statements that have been added for debug purposes.

```php
function fx() {
    try {
        doSomething();
        return true;
    }
    catch (\Exception $e) {
        return false;
    }

    return false;
}
```

In the above example, the last return false will never be executed, because a return statement has already been met in every possible execution path.

Unreachable code, in getContents() at the `return false;` that follows `throw new Exception(...)`:
return false; does not seem to be reachable. This is the same unreachable-code check as the one reported for read().
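The analyser's `!== ''` suggestion does not actually fit this directive. PHP documents that ini_get() returns "1" when a boolean directive is on, "0" or "" when it is off, and false when the directive does not exist at all, so both "0" and false would pass a `!== ''` test as "enabled". The original `== true` happens to give the right answer for those values, but only by relying on loose-comparison rules. The block below is an added example, not code from Ajde or from Scrutinizer: it parses the ini value explicitly, writes the mode switch without the unreachable `return false;`, and fetches over cURL with peer verification left on and the transport limited to http/https (the original sets CURLOPT_SSL_VERIFYPEER to false and allows any scheme cURL supports). The names ini_flag_enabled and Ajde_Http_Url_Hardened are invented for this example.

```php
<?php
// Added example; not part of the Ajde code base. Requires PHP 7+ and ext-curl.

/**
 * Interpret a value as returned by ini_get() for a boolean directive.
 * ini_get() yields "1" (on), "0" or "" (off), or false (directive unknown).
 * Neither `== true` nor the suggested `!== ''` expresses that; parse it.
 */
function ini_flag_enabled($value): bool
{
    if ($value === false) {   // directive does not exist in this PHP build
        return false;
    }
    // "1"/"on"/"yes"/"true" => true; "0"/"off"/"no"/"false"/"" => false; else null
    return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) === true;
}

final class Ajde_Http_Url_Hardened   // hypothetical name for this example
{
    const MODE_FOPEN = 1;
    const MODE_CURL  = 2;
    const MODE_NONE  = 3;

    /** @var int|null */
    private static $mode = null;

    public static function getMode(): int
    {
        if (self::$mode === null) {
            if (ini_flag_enabled(ini_get('allow_url_fopen'))) {
                self::$mode = self::MODE_FOPEN;
            } elseif (function_exists('curl_init')) {
                self::$mode = self::MODE_CURL;
            } else {
                self::$mode = self::MODE_NONE;
            }
        }
        return self::$mode;
    }

    /**
     * @return string|false Response body, or false on transport failure.
     * @throws InvalidArgumentException|RuntimeException
     */
    public static function getContents(string $url)
    {
        // Reject file://, php://, ftp://, gopher:// ... before either transport sees the URL.
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            throw new InvalidArgumentException('Only http and https URLs are allowed.');
        }

        switch (self::getMode()) {
            case self::MODE_FOPEN:
                return file_get_contents($url);   // TLS verification is on by default since PHP 5.6
            case self::MODE_CURL:
                return self::getCurl($url);
            default:
                // throw is the last statement: no unreachable `return false;` after it
                throw new RuntimeException('No URL transport available with this PHP configuration.');
        }
    }

    private static function getCurl(string $url)
    {
        $ch = curl_init();
        curl_setopt_array($ch, [
            CURLOPT_URL             => $url,
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_FOLLOWLOCATION  => true,
            CURLOPT_MAXREDIRS       => 5,
            CURLOPT_CONNECTTIMEOUT  => 5,
            CURLOPT_TIMEOUT         => 10,
            CURLOPT_SSL_VERIFYPEER  => true,                        // original: false
            CURLOPT_SSL_VERIFYHOST  => 2,
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS, // redirects too
        ]);
        $body  = curl_exec($ch);
        $error = curl_error($ch);
        curl_close($ch);
        if ($body === false) {
            trigger_error('cURL request failed: ' . $error, E_USER_WARNING);
        }
        return $body;
    }
}

// Constructed sample values, in the forms ini_get() documents for a boolean
// directive, compared under the original check, the analyser's suggestion,
// and the explicit parser. "0" and false are misreported by `!== ''`.
foreach (['1', '0', '', false] as $v) {
    printf("%-6s  == true: %-3s  !== '': %-3s  parsed: %s\n",
        var_export($v, true),
        ($v == true) ? 'yes' : 'no',
        ($v !== '') ? 'yes' : 'no',
        ini_flag_enabled($v) ? 'on' : 'off');
}
```

Restricting the scheme stops file:// and similar wrappers from being read through this class, but it does not by itself prevent server-side request forgery against internal hosts; if $url ever comes from request data, the host also needs to be validated against an allow-list before the fetch.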