Completed
Push — development ( c4d33f...5f74fd ) by Nils, 09:26, created

install.queries.php ➔ chmodRecursive()   D

Complexity:   Conditions 9, Paths 13
Size:         Total Lines 30, Code Lines 19
Duplication:  Lines 30, Ratio 100 %
Importance:   Changes 0

Metric   Value
cc       9
eloc     19
nc       13
nop      3
dl       30
loc      30
rs       4.909
c        0
b        0
f        0
  1  <?php
  2  /**
  3   * @file          install.queries.php
  4   * @author        Nils Laumaillé
  5   * @version       2.1.27
  6   * @copyright     (c) 2009-2017 Nils Laumaillé
  7   * @licensing     GNU AFFERO GPL 3.0
  8   * @link          http://www.teampass.net
  9   *
 10   * This library is distributed in the hope that it will be useful,
 11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
 12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 13   */
 14  require_once('../sources/SecureHandler.php');
 15  session_start();
 16  error_reporting(E_ERROR | E_PARSE);
 17  header("Content-type: text/html; charset=utf-8");
 18  $session_db_encoding = "utf8";
 19
 20  function chmodRecursive($dir, $dirPermissions, $filePermissions)
Duplication introduced by
This function seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.
 21  {
 22      $pointer_dir = opendir($dir);
Security File Exposure introduced by
$dir can contain request data and is used in file inclusion context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Read from $_GET
    in includes/libraries/protect/SuperGlobal/SuperGlobal.php on line 45
  2. SuperGlobal::get() returns tainted data, and $session_abspath is assigned
    in install/install.queries.php on line 130
  3. $session_abspath is passed to chmodRecursive()
    in install/install.queries.php on line 1146

General Strategies to prevent injection

In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:

if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}

For numeric data, we recommend to explicitly cast the data:

$sanitized = (integer) $tainted;
 23      $res = true;
 24      while ($file = readdir($pointer_dir)) {
 25          if (($file == ".") || ($file == "..")) {
 26              continue;
 27          }
 28
 29          $fullPath = $dir."/".$file;
 30
 31          if (is_dir($fullPath)) {
 32              if ($res = @chmod($fullPath, $dirPermissions)) {
Security File Manipulation introduced by
$fullPath can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Read from $_GET
    in includes/libraries/protect/SuperGlobal/SuperGlobal.php on line 45
  2. SuperGlobal::get() returns tainted data, and $session_abspath is assigned
    in install/install.queries.php on line 130
  3. $session_abspath is passed to chmodRecursive()
    in install/install.queries.php on line 1146
  4. $fullPath is assigned
    in install/install.queries.php on line 29

 33                  $res = @chmodRecursive($fullPath, $dirPermissions, $filePermissions);
 34              }
 35          } else {
 36              $res = chmod($fullPath, $filePermissions);
Security File Manipulation introduced by
$fullPath can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Read from $_GET
    in includes/libraries/protect/SuperGlobal/SuperGlobal.php on line 45
  2. SuperGlobal::get() returns tainted data, and $session_abspath is assigned
    in install/install.queries.php on line 130
  3. $session_abspath is passed to chmodRecursive()
    in install/install.queries.php on line 1146
  4. $fullPath is assigned
    in install/install.queries.php on line 29

 37          }
 38          if (!$res) {
 39              closedir($pointer_dir);
 40              return false;
 41          }
 42      }
 43      closedir($pointer_dir);
 44      if (is_dir($dir) && $res) {
 45              $res = @chmod($dir, $dirPermissions);
Security File Manipulation introduced by
$dir can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Read from $_GET
    in includes/libraries/protect/SuperGlobal/SuperGlobal.php on line 45
  2. SuperGlobal::get() returns tainted data, and $session_abspath is assigned
    in install/install.queries.php on line 130
  3. $session_abspath is passed to chmodRecursive()
    in install/install.queries.php on line 1146

 46      }
 47
 48      return $res;
 49  }
 50
 51  /**
 52   * genHash()
 53   *
 54   * Generate a hash for user login
 55   * @param string $password
 56   */
 57  function bCrypt($password, $cost)
Duplication introduced by
This function seems to be duplicated in your project.
 58  {
 59      $salt = sprintf('$2y$%02d$', $cost);
 60      if (function_exists('openssl_random_pseudo_bytes')) {
 61          $salt .= bin2hex(openssl_random_pseudo_bytes(11));
 62      } else {
 63          $chars = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
 64          for ($i = 0; $i < 22; $i++) {
 65              $salt .= $chars[mt_rand(0, 63)];
 66          }
 67      }
 68      return crypt($password, $salt);
 69  }
 70
 71  /**
 72   * Permits to encrypt a message using Defuse
 73   * @param  string $message   Message to encrypt
 74   * @param  string $ascii_key Key to hash
 75   * @return array             String + Error
 76   */
 77  function encryptFollowingDefuse($message, $ascii_key)
 78  {
 79      // load PhpEncryption library
 80      $path = '../includes/libraries/Encryption/Encryption/';
 81      require_once $path.'Crypto.php';
 82      require_once $path.'Encoding.php';
 83      require_once $path.'DerivedKeys.php';
 84      require_once $path.'Key.php';
 85      require_once $path.'KeyOrPassword.php';
 86      require_once $path.'File.php';
 87      require_once $path.'RuntimeTests.php';
 88      require_once $path.'KeyProtectedByPassword.php';
 89      require_once $path.'Core.php';
 90
 91      // convert KEY
 92      $key = \Defuse\Crypto\Key::loadFromAsciiSafeString($ascii_key);
 93
 94      try {
 95          $text = \Defuse\Crypto\Crypto::encrypt($message, $key);
 96      } catch (Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException $ex) {
 97          $err = "an attack! either the wrong key was loaded, or the ciphertext has changed since it was created either corrupted in the database or intentionally modified by someone trying to carry out an attack.";
 98      } catch (Defuse\Crypto\Exception\BadFormatException $ex) {
 99          $err = $ex;
100      } catch (Defuse\Crypto\Exception\EnvironmentIsBrokenException $ex) {
101          $err = $ex;
102      } catch (Defuse\Crypto\Exception\CryptoException $ex) {
103          $err = $ex;
104      } catch (Defuse\Crypto\Exception\IOException $ex) {
105          $err = $ex;
106      }
107
108      return array(
109          'string' => isset($text) ? $text : "",
110          'error' => $err
Bug introduced by
The variable $err does not seem to be defined for all execution paths leading up to this point.

If you define a variable conditionally, it can happen that it is not defined for all execution paths.

Let’s take a look at an example:

function myFunction($a) {
    switch ($a) {
        case 'foo':
            $x = 1;
            break;

        case 'bar':
            $x = 2;
            break;
    }

    // $x is potentially undefined here.
    echo $x;
}

In the above example, the variable $x is defined if you pass “foo” or “bar” as argument for $a. However, since the switch statement has no default case statement, if you pass any other value, the variable $x would be undefined.

Available Fixes

  1. Check for existence of the variable explicitly:

    function myFunction($a) {
        switch ($a) {
            case 'foo':
                $x = 1;
                break;
    
            case 'bar':
                $x = 2;
                break;
        }
    
        if (isset($x)) { // Make sure it's always set.
            echo $x;
        }
    }
    
  2. Define a default value for the variable:

    function myFunction($a) {
        $x = ''; // Set a default which gets overridden for certain paths.
        switch ($a) {
            case 'foo':
                $x = 1;
                break;
    
            case 'bar':
                $x = 2;
                break;
        }
    
        echo $x;
    }
    
  3. Add a value for the missing path:

    function myFunction($a) {
        switch ($a) {
            case 'foo':
                $x = 1;
                break;
    
            case 'bar':
                $x = 2;
                break;
    
            // We add support for the missing case.
            default:
                $x = '';
                break;
        }
    
        echo $x;
    }
    
111      );
112  }
113
114
115  // Prepare POST variables
116  $post_type = filter_input(INPUT_POST, 'type', FILTER_SANITIZE_STRING);
117  $post_data = filter_input(INPUT_POST, 'data', FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
118  $post_activity = filter_input(INPUT_POST, 'activity', FILTER_SANITIZE_STRING);
119  $post_task = filter_input(INPUT_POST, 'task', FILTER_SANITIZE_STRING);
120  $post_index = filter_input(INPUT_POST, 'index', FILTER_SANITIZE_NUMBER_INT);
121  $post_multiple = filter_input(INPUT_POST, 'multiple', FILTER_SANITIZE_STRING);
122  $post_db = filter_input(INPUT_POST, 'db', FILTER_SANITIZE_STRING);
123
124  // Load libraries
125  require_once '../includes/libraries/protect/SuperGlobal/SuperGlobal.php';
126  $superGlobal = new protect\SuperGlobal\SuperGlobal();
127
128  // Prepare SESSION variables
129  $session_url_path = $superGlobal->get("url_path", "SESSION");
130  $session_abspath = $superGlobal->get("abspath", "SESSION");
131  $session_db_encoding = $superGlobal->get("db_encoding", "SESSION");
132
133  $superGlobal->put("CPM", 1, "SESSION");
134
135  if (null !== $post_type) {
136      switch ($post_type) {
137          case "step_2":
138              //decrypt
139              require_once 'libs/aesctr.php'; // AES Counter Mode implementation
140              $json = Encryption\Crypt\aesctr::decrypt($post_data, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects a object<Encryption\Crypt\the>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
141              $data = json_decode($json, true);
142              $json = Encryption\Crypt\aesctr::decrypt($post_activity, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects a object<Encryption\Crypt\the>.
143              $data = array_merge($data, array("activity" => $json));
144              $json = Encryption\Crypt\aesctr::decrypt($post_task, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects a object<Encryption\Crypt\the>.
145              $data = array_merge($data, array("task" => $json));
146
147              $abspath = str_replace('\\', '/', $data['root_path']);
148              if (substr($abspath, strlen($abspath) - 1) == "/") {
149                  $abspath = substr($abspath, 0, strlen($abspath) - 1);
150              }
151              $session_abspath = $abspath;
152              $session_url_path = $data['url_path'];
153
154              if (isset($data['activity']) && $data['activity'] === "folder") {
155                  if (is_writable($abspath."/".$data['task']."/") === true) {
156                      echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
157                  } else {
158                      echo '[{"error" : " Path '.$data['task'].' is not writable!", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
159                  }
160                  break;
161              }
162
163              if (isset($data['activity']) && $data['activity'] === "extension") {
164                  if (extension_loaded($data['task'])) {
165                      echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
166                  } else {
167                      echo '[{"error" : " Extension '.$data['task'].' is not loaded!", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
168                  }
169                  break;
170              }
171
172              if (isset($data['activity']) && $data['activity'] === "function") {
173                  if (function_exists($data['task'])) {
174                      echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
175                  } else {
176                      echo '[{"error" : " Function '.$data['task'].' is not available!", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
177                  }
178                  break;
179              }
180
181              if (isset($data['activity']) && $data['activity'] === "version") {
182                  if (version_compare(phpversion(), '5.5.0', '>=')) {
183                      echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
184                  } else {
185                      echo '[{"error" : "PHP version '.phpversion().' is not OK (minimum is 5.5.0)", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
186                  }
187                  break;
188              }
189
190              if (isset($data['activity']) && $data['activity'] === "ini") {
191                  if (ini_get($data['task']) >= 60) {
192                      echo '[{"error" : "", "index" : "'.$post_index.'"}]';
193                  } else {
194                      echo '[{"error" : "PHP \"Maximum execution time\" is set to '.ini_get('max_execution_time').' seconds. Please try to set to 60s at least during installation.", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
195                  }
196                  break;
197              }
198              break;
199
200          case "step_3":
201              //decrypt
202              require_once 'libs/aesctr.php'; // AES Counter Mode implementation
203              $json = Encryption\Crypt\aesctr::decrypt($post_data, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects a object<Encryption\Crypt\the>.
204              $data = json_decode($json, true);
205              $json = Encryption\Crypt\aesctr::decrypt($post_db, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects a object<Encryption\Crypt\the>.
206              $db = json_decode($json, true);
207
208              // launch
209              if ($dbTmp = mysqli_connect($db['db_host'], $db['db_login'], $db['db_pw'], $db['db_bdd'], $db['db_port'])) {
210                  // create temporary INSTALL mysqli table
211                  $mysqli_result = mysqli_query(
212                      $dbTmp,
213                      "CREATE TABLE IF NOT EXISTS `_install` (
214                      `key` varchar(100) NOT NULL,
215                      `value` varchar(500) NOT NULL
216                      ) CHARSET=utf8;"
217                  );
218                  // store values
219                  foreach ($data as $key => $value) {
220                      $superGlobal->put($key, $value, "SESSION");
221                      $tmp = mysqli_num_rows(mysqli_query($db_link, "SELECT * FROM `_install` WHERE `key` = '".$key."'"));
222                      if (intval($tmp) === 0) {
223                          mysqli_query($dbTmp, "INSERT INTO `_install` (`key`, `value`) VALUES ('".$key."', '".$value."');");
224                      } else {
225                          mysqli_query($dbTmp, "UPDATE `_install` SET `value` = '".$value."' WHERE `key` = '".$key."';");
226                      }
227                  }
228                  $tmp = mysqli_num_rows(mysqli_query($db_link, "SELECT * FROM `_install` WHERE `key` = 'url_path'"));
229                  if (intval($tmp) === 0) {
230                      mysqli_query($dbTmp, "INSERT INTO `_install` (`key`, `value`) VALUES ('url_path', '", empty($session_url_path) ? $db['url_path'] : $session_url_path, "');");
231                  } else {
232                      mysqli_query($dbTmp, "UPDATE `_install` SET `value` = '", empty($session_url_path) ? $db['url_path'] : $session_url_path, "' WHERE `key` = 'url_path';");
233                  }
234                  $tmp = mysqli_num_rows(mysqli_query($db_link, "SELECT * FROM `_install` WHERE `key` = 'abspath'"));
235                  if (intval($tmp) === 0) {
236                      mysqli_query($dbTmp, "INSERT INTO `_install` (`key`, `value`) VALUES ('abspath', '", empty($session_abspath) ? $db['abspath'] : $session_abspath, "');");
237                  } else {
238                      mysqli_query($dbTmp, "UPDATE `_install` SET `value` = '", empty($session_abspath) ? $db['abspath'] : $session_abspath, "' WHERE `key` = 'abspath';");
239                  }
240
241                  echo '[{"error" : "", "result" : "Connection is successful", "multiple" : ""}]';
242              } else {
243                  echo '[{"error" : "'.addslashes(str_replace(array("'", "\n", "\r"), array('"', '', ''), mysqli_connect_error())).'", "result" : "Failed", "multiple" : ""}]';
244              }
245              mysqli_close($dbTmp);
246              break;
247
248          case "step_4":
249              //decrypt
250              require_once 'libs/aesctr.php'; // AES Counter Mode implementation
251              $json = Encryption\Crypt\aesctr::decrypt($post_data, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects a object<Encryption\Crypt\the>.
252              $data = json_decode($json, true);
253              $json = Encryption\Crypt\aesctr::decrypt($post_db, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects a object<Encryption\Crypt\the>.
254              $db = json_decode($json, true);
255
256              $dbTmp = mysqli_connect($db['db_host'], $db['db_login'], $db['db_pw'], $db['db_bdd'], $db['db_port']);
257
258              // prepare data
259              foreach ($data as $key => $value) {
260                  $data[$key] = str_replace(array('&quot;', '&#92;'), array('""', '\\\\'), $value);
261              }
262
263              // check skpath
264              if (empty($data['sk_path'])) {
265                  $data['sk_path'] = $session_abspath."/includes";
266              } else {
267                  $data['sk_path'] = str_replace("&#92;", "/", $data['sk_path']);
268              }
269              if (substr($data['sk_path'], strlen($data['sk_path']) - 1) == "/" || substr($data['sk_path'], strlen($data['sk_path']) - 1) == "\"") {
270                  $data['sk_path'] = substr($data['sk_path'], 0, strlen($data['sk_path']) - 1);
271              }
272              if (is_dir($data['sk_path'])) {
273                  if (is_writable($data['sk_path'])) {
274                      // store all variables in SESSION
275                      foreach ($data as $key => $value) {
276                          $superGlobal->put($key, $value, "SESSION");
277                          $tmp = mysqli_num_rows(mysqli_query($db_link, "SELECT * FROM `_install` WHERE `key` = '".$key."'"));
Security SQL Injection introduced by
'SELECT * FROM `_install...ey` = \'' . $key . '\'' can contain request data and is used in sql context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Read from $_GET
    in includes/libraries/protect/SuperGlobal/SuperGlobal.php on line 45
  2. SuperGlobal::get() returns tainted data, and $session_abspath is assigned
    in install/install.queries.php on line 130
  3. $data is assigned
    in install/install.queries.php on line 265
  4. $key is assigned
    in install/install.queries.php on line 275

Preventing SQL Injection

There are two options to prevent SQL injection. Generally, it is recommended to use parameter binding:

$stmt = mysqli_prepare("SELECT * FROM users WHERE name = ?");
$stmt->bind_param("s", $taintedUserName);

An alternative – although generally not recommended – is to escape your data manually:

$mysqli = new mysqli('localhost', 'user', 'pass', 'dbname');

$escaped = $mysqli->real_escape_string($taintedUserName);
$mysqli->query("SELECT * FROM users WHERE name = '".$escaped."'");

278                          if (intval($tmp) === 0) {
279                              mysqli_query($dbTmp, "INSERT INTO `_install` (`key`, `value`) VALUES ('".$key."', '".$value."');");
Security SQL Injection introduced by
'INSERT INTO `_install` ..., \'' . $value . '\');' can contain request data and is used in sql context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Read from $_GET
    in includes/libraries/protect/SuperGlobal/SuperGlobal.php on line 45
  2. SuperGlobal::get() returns tainted data, and $session_abspath is assigned
    in install/install.queries.php on line 130
  3. $data is assigned
    in install/install.queries.php on line 265
  4. $key is assigned
    in install/install.queries.php on line 275

280                          } else {
281                              mysqli_query($dbTmp, "UPDATE `_install` SET `value` = '".$value."' WHERE `key` = '".$key."';");
Security SQL Injection introduced by
'UPDATE `_install` SET `...y` = \'' . $key . '\';' can contain request data and is used in sql context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Read from $_GET
    in includes/libraries/protect/SuperGlobal/SuperGlobal.php on line 45
  2. SuperGlobal::get() returns tainted data, and $session_abspath is assigned
    in install/install.queries.php on line 130
  3. $data is assigned
    in install/install.queries.php on line 265
  4. $value is assigned
    in install/install.queries.php on line 275

282                          }
283                      }
284                      echo '[{"error" : "", "result" : "Information stored", "multiple" : ""}]';
285                  } else {
286                      echo '[{"error" : "The Directory must be writable!", "result" : "Information stored", "multiple" : ""}]';
287                  }
288              } else {
289                  echo '[{"error" : "'.$data['sk_path'].' is not a Directory!", "result" : "Information stored", "multiple" : ""}]';
Security Cross-Site Scripting introduced by
'[{"error" : "' . $data[...ed", "multiple" : ""}]' can contain request data and is used in output context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Read from $_GET
    in includes/libraries/protect/SuperGlobal/SuperGlobal.php on line 45
  2. SuperGlobal::get() returns tainted data, and $session_abspath is assigned
    in install/install.queries.php on line 130
  3. $data is assigned
    in install/install.queries.php on line 265

Preventing Cross-Site-Scripting Attacks

Cross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user.

In order to prevent this, make sure to escape all user-provided data:

// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);

// for URLs
$sanitized = urlencode($tainted);

General Strategies to prevent injection

In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:

if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}

For numeric data, we recommend to explicitly cast the data:

$sanitized = (integer) $tainted;
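Added example, not code from the TeamPass commit: the flagged echo is kept as a function next to a hardened response builder that uses json_encode with the HEX escape flags and an application/json Content-Type, plus the directory white-list check the note recommends. The helper names vulnerable_response, install_response and allowed_sk_dir, and the base directory, are assumptions for illustration.

```php
<?php
// Added example (not TeamPass code). Helper names are hypothetical.

// --- Flagged pattern: the request-controlled $data['sk_path'] is concatenated
// straight into the response body, which the installer serves as text/html.
function vulnerable_response(array $data): string
{
    return '[{"error" : "'.$data['sk_path'].' is not a Directory!", "result" : "Information stored", "multiple" : ""}]';
}

// --- Hardened: build the JSON with json_encode and escape the characters that
// matter if the body is ever rendered as HTML (<, >, &, ', "). Invalid UTF-8 is
// substituted instead of making json_encode return false.
function install_response(string $error, string $result = 'Information stored', string $multiple = ''): string
{
    $payload = [[
        'error'    => $error,
        'result'   => $result,
        'multiple' => $multiple,
    ]];
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE;
    $json = json_encode($payload, $flags);
    return $json === false ? '[]' : $json;
}

// --- White-listing, as the note suggests: accept the salt-key directory only if
// it resolves to an existing directory located inside an expected base directory.
function allowed_sk_dir(string $candidate, string $base): ?string
{
    $realBase = realpath($base);
    $real     = realpath($candidate);
    if ($realBase === false || $real === false || !is_dir($real)) {
        return null;
    }
    // Compare normalised paths with a trailing separator so that /var/www2
    // is not accepted as a child of /var/www.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR).DIRECTORY_SEPARATOR;
    if ($real !== $realBase && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed request value containing markup, to show the difference.
$data = ['sk_path' => '<script>x</script>'];

// A JSON body should be declared as such; header() is a no-op on the CLI.
header('Content-Type: application/json; charset=utf-8');

// The tag survives verbatim in the body.
echo vulnerable_response($data), PHP_EOL;

// sys_get_temp_dir() stands in for the installation's allowed base directory.
$dir = allowed_sk_dir($data['sk_path'], sys_get_temp_dir());
if ($dir === null) {
    // "<" and ">" are emitted as \u003C and \u003E: a browser treating the body
    // as HTML sees no tag, while a JSON consumer decodes the original string.
    echo install_response($data['sk_path'].' is not a Directory!'), PHP_EOL;
} else {
    echo install_response(''), PHP_EOL;
}
```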
290
            }
291
            mysqli_close($dbTmp);
292
            break;
293
294
        case "step_5":
295
            //decrypt
296
            require_once 'libs/aesctr.php'; // AES Counter Mode implementation
297
            $activity = Encryption\Crypt\aesctr::decrypt($post_activity, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects an object<Encryption\Crypt\the>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP's automatic type-juggling kicks in, this might be fine. In other cases, however, this might be a bug.

We suggest adding an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
298
            $task = Encryption\Crypt\aesctr::decrypt($post_task, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects an object<Encryption\Crypt\the>.
299
            $json = Encryption\Crypt\aesctr::decrypt($post_db, "cpm", 128);
Documentation introduced by
'cpm' is of type string, but the function expects an object<Encryption\Crypt\the>.
300
            $db = json_decode($json, true);
301
302
            // launch
303
            $dbTmp = mysqli_connect($db['db_host'], $db['db_login'], $db['db_pw'], $db['db_bdd'], $db['db_port']);
304
            $dbBdd = $db['db_bdd'];
305
            if ($dbTmp) {
306
                $mysqli_result = "";
307
308
                // read install variables
309
                $result = mysqli_query($dbTmp, "SELECT * FROM `_install`");
310
                while ($row = $result->fetch_array()) {
311
                    $var[$row[0]] = $row[1];
312
                }
313
314
                if ($activity === "table") {
315
                    //FORCE UTF8 DATABASE
316
                    mysqli_query($dbTmp, "ALTER DATABASE `".$dbBdd."` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci");
317
                    if ($task === "items") {
318
                        $mysqli_result = mysqli_query(
319
                            $dbTmp,
320
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."items` (
321
                            `id` int(12) NOT null AUTO_INCREMENT,
322
                            `label` varchar(500) NOT NULL,
323
                            `description` text DEFAULT NULL,
324
                            `pw` text DEFAULT NULL,
325
                            `pw_iv` text DEFAULT NULL,
326
                            `pw_len` int(5) NOT NULL DEFAULT '0',
327
                            `url` varchar(500) DEFAULT NULL,
328
                            `id_tree` varchar(10) DEFAULT NULL,
329
                            `perso` tinyint(1) NOT null DEFAULT '0',
330
                            `login` varchar(200) DEFAULT NULL,
331
                            `inactif` tinyint(1) NOT null DEFAULT '0',
332
                            `restricted_to` varchar(200) DEFAULT NULL,
333
                            `anyone_can_modify` tinyint(1) NOT null DEFAULT '0',
334
                            `email` varchar(100) DEFAULT NULL,
335
                            `notification` varchar(250) DEFAULT NULL,
336
                            `viewed_no` int(12) NOT null DEFAULT '0',
337
                            `complexity_level` varchar(3) NOT null DEFAULT '-1',
338
                            `auto_update_pwd_frequency` tinyint(2) NOT null DEFAULT '0',
339
                            `auto_update_pwd_next_date` varchar(100) NOT null DEFAULT '0',
340
                            `encryption_type` VARCHAR(20) NOT NULL DEFAULT 'not_set',
341
                            PRIMARY KEY (`id`),
342
                            KEY    `restricted_inactif_idx` (`restricted_to`,`inactif`)
343
                            ) CHARSET=utf8;"
344
                        );
345
                    } elseif ($task === "log_items") {
346
                        $mysqli_result = mysqli_query(
347
                            $dbTmp,
348
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."log_items` (
349
                            `id_item` int(8) NOT NULL,
350
                            `date` varchar(50) NOT NULL,
351
                            `id_user` int(8) NOT NULL,
352
                            `action` varchar(250) NULL,
353
                            `raison` text NULL,
354
                            `raison_iv` text NULL,
355
                            `encryption_type` VARCHAR(20) NOT NULL DEFAULT 'not_set'
356
                            ) CHARSET=utf8;"
357
                        );
358
                        // create index
359
                        mysqli_query(
360
                            $dbTmp,
361
                            "CREATE INDEX teampass_log_items_id_item_IDX ON ".$var['tbl_prefix']."log_items (id_item,date);"
362
                        );
363
                    } elseif ($task === "misc") {
364
                        $mysqli_result = mysqli_query(
365
                            $dbTmp,
366
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."misc` (
367
                            `increment_id` int(12) NOT null AUTO_INCREMENT,
368
                            `type` varchar(50) NOT NULL,
369
                            `intitule` varchar(100) NOT NULL,
370
                            `valeur` varchar(500) NOT NULL,
371
                            PRIMARY KEY (`increment_id`)
372
                            ) CHARSET=utf8;"
373
                        );
374
375
                        // include constants
376
                        require_once "../includes/config/include.php";
377
378
                        // prepare config file
379
                        $tp_config_file = "../includes/config/tp.config.php";
380
                        if (file_exists($tp_config_file)) {
381
                            if (!copy($tp_config_file, $tp_config_file.'.'.date("Y_m_d", mktime(0, 0, 0, date('m'), date('d'), date('y'))))) {
382
                                echo '[{"error" : "includes/config/tp.config.php file already exists and cannot be renamed. Please do it by yourself and click on button Launch.", "result":"", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
383
                                break;
384
                            } else {
385
                                unlink($tp_config_file);
386
                            }
387
                        }
388
                        $file_handler = fopen($tp_config_file, 'w');
389
                        $config_text = "<?php
390
global \$SETTINGS;
391
\$SETTINGS = array (";
392
393
                        // add by default settings
394
                        $aMiscVal = array(
395
                            array('admin', 'max_latest_items', '10'),
396
                            array('admin', 'enable_favourites', '1'),
397
                            array('admin', 'show_last_items', '1'),
398
                            array('admin', 'enable_pf_feature', '0'),
399
                            array('admin', 'log_connections', '0'),
400
                            array('admin', 'log_accessed', '1'),
401
                            array('admin', 'time_format', 'H:i:s'),
402
                            array('admin', 'date_format', 'd/m/Y'),
403
                            array('admin', 'duplicate_folder', '0'),
404
                            array('admin', 'item_duplicate_in_same_folder', '0'),
405
                            array('admin', 'duplicate_item', '0'),
406
                            array('admin', 'number_of_used_pw', '3'),
407
                            array('admin', 'manager_edit', '1'),
408
                            array('admin', 'cpassman_dir', $var['abspath']),
409
                            array('admin', 'cpassman_url', $var['url_path']),
410
                            array('admin', 'favicon', $var['url_path'].'/favicon.ico'),
411
                            array('admin', 'path_to_upload_folder', $var['abspath'].'/upload'),
412
                            array('admin', 'url_to_upload_folder', $var['url_path'].'/upload'),
413
                            array('admin', 'path_to_files_folder', $var['abspath'].'/files'),
414
                            array('admin', 'url_to_files_folder', $var['url_path'].'/files'),
415
                            array('admin', 'activate_expiration', '0'),
416
                            array('admin', 'pw_life_duration', '0'),
417
                            array('admin', 'maintenance_mode', '1'),
418
                            array('admin', 'enable_sts', '0'),
419
                            array('admin', 'encryptClientServer', '1'),
420
                            array('admin', 'cpassman_version', $SETTINGS_EXT['version']),
421
                            array('admin', 'ldap_mode', '0'),
422
                            array('admin', 'ldap_type', '0'),
423
                            array('admin', 'ldap_suffix', '0'),
424
                            array('admin', 'ldap_domain_dn', '0'),
425
                            array('admin', 'ldap_domain_controler', '0'),
426
                            array('admin', 'ldap_user_attribute', '0'),
427
                            array('admin', 'ldap_ssl', '0'),
428
                            array('admin', 'ldap_tls', '0'),
429
                            array('admin', 'ldap_elusers', '0'),
430
                            array('admin', 'ldap_search_base', '0'),
431
                            array('admin', 'richtext', '0'),
432
                            array('admin', 'allow_print', '0'),
433
                            array('admin', 'roles_allowed_to_print', '0'),
434
                            array('admin', 'show_description', '1'),
435
                            array('admin', 'anyone_can_modify', '0'),
436
                            array('admin', 'anyone_can_modify_bydefault', '0'),
437
                            array('admin', 'nb_bad_authentication', '0'),
438
                            array('admin', 'utf8_enabled', '1'),
439
                            array('admin', 'restricted_to', '0'),
440
                            array('admin', 'restricted_to_roles', '0'),
441
                            array('admin', 'enable_send_email_on_user_login', '0'),
442
                            array('admin', 'enable_user_can_create_folders', '0'),
443
                            array('admin', 'insert_manual_entry_item_history', '0'),
444
                            array('admin', 'enable_kb', '0'),
445
                            array('admin', 'enable_email_notification_on_item_shown', '0'),
446
                            array('admin', 'enable_email_notification_on_user_pw_change', '0'),
447
                            array('admin', 'custom_logo', ''),
448
                            array('admin', 'custom_login_text', ''),
449
                            array('admin', 'default_language', 'english'),
450
                            array('admin', 'send_stats', '0'),
451
                            array('admin', 'send_statistics_items', 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;'),
452
                            array('admin', 'send_stats_time', time() - 2592000),
453
                            array('admin', 'get_tp_info', '1'),
454
                            array('admin', 'send_mail_on_user_login', '0'),
455
                            array('cron', 'sending_emails', '0'),
456
                            array('admin', 'nb_items_by_query', 'auto'),
457
                            array('admin', 'enable_delete_after_consultation', '0'),
458
                            array('admin', 'enable_personal_saltkey_cookie', '0'),
459
                            array('admin', 'personal_saltkey_cookie_duration', '31'),
460
                            array('admin', 'email_smtp_server', ''),
461
                            array('admin', 'email_smtp_auth', ''),
462
                            array('admin', 'email_auth_username', ''),
463
                            array('admin', 'email_auth_pwd', ''),
464
                            array('admin', 'email_port', ''),
465
                            array('admin', 'email_security', ''),
466
                            array('admin', 'email_server_url', ''),
467
                            array('admin', 'email_from', ''),
468
                            array('admin', 'email_from_name', ''),
469
                            array('admin', 'pwd_maximum_length', '40'),
470
                            array('admin', 'google_authentication', '0'),
471
                            array('admin', 'delay_item_edition', '0'),
472
                            array('admin', 'allow_import', '0'),
473
                            array('admin', 'proxy_ip', ''),
474
                            array('admin', 'proxy_port', ''),
475
                            array('admin', 'upload_maxfilesize', '10mb'),
476
                            array('admin', 'upload_docext', 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx'),
477
                            array('admin', 'upload_imagesext', 'jpg,jpeg,gif,png'),
478
                            array('admin', 'upload_pkgext', '7z,rar,tar,zip'),
479
                            array('admin', 'upload_otherext', 'sql,xml'),
480
                            array('admin', 'upload_imageresize_options', '1'),
481
                            array('admin', 'upload_imageresize_width', '800'),
482
                            array('admin', 'upload_imageresize_height', '600'),
483
                            array('admin', 'upload_imageresize_quality', '90'),
484
                            array('admin', 'use_md5_password_as_salt', '0'),
485
                            array('admin', 'ga_website_name', 'TeamPass for ChangeMe'),
486
                            array('admin', 'api', '0'),
487
                            array('admin', 'subfolder_rights_as_parent', '0'),
488
                            array('admin', 'show_only_accessible_folders', '0'),
489
                            array('admin', 'enable_suggestion', '0'),
490
                            array('admin', 'otv_expiration_period', '7'),
491
                            array('admin', 'default_session_expiration_time', '60'),
492
                            array('admin', 'duo', '0'),
493
                            array('admin', 'enable_server_password_change', '0'),
494
                            array('admin', 'ldap_object_class', '0'),
495
                            array('admin', 'bck_script_path', $var['abspath']."/backups"),
496
                            array('admin', 'bck_script_filename', 'bck_teampass'),
497
                            array('admin', 'syslog_enable', '0'),
498
                            array('admin', 'syslog_host', 'localhost'),
499
                            array('admin', 'syslog_port', '514'),
500
                            array('admin', 'manager_move_item', '0'),
501
                            array('admin', 'create_item_without_password', '0'),
502
                            array('admin', 'otv_is_enabled', '0'),
503
                            array('admin', 'agses_authentication_enabled', '0'),
504
                            array('admin', 'item_extra_fields', '0'),
505
                            array('admin', 'saltkey_ante_2127', 'none'),
506
                            array('admin', 'migration_to_2127', 'done'),
507
                            array('admin', 'files_with_defuse', 'done'),
508
                            array('admin', 'timezone', 'UTC'),
509
                            array('admin', 'enable_attachment_encryption', '1'),
510
                            array('admin', 'personal_saltkey_security_level', '50'),
511
                            array('admin', 'ldap_new_user_is_administrated_by', '0')
512
                        );
513
                        foreach ($aMiscVal as $elem) {
514
                            //Check if exists before inserting
515
                            $tmp = mysqli_num_rows(
516
                                mysqli_query(
517
                                    $dbTmp,
518
                                    "SELECT * FROM `".$var['tbl_prefix']."misc`
519
                                    WHERE type='".$elem[0]."' AND intitule='".$elem[1]."'"
520
                                )
521
                            );
522
                            if (intval($tmp) === 0) {
523
                                $queryRes = mysqli_query(
524
                                    $dbTmp,
525
                                    "INSERT INTO `".$var['tbl_prefix']."misc`
526
                                    (`type`, `intitule`, `valeur`) VALUES
527
                                    ('".$elem[0]."', '".$elem[1]."', '".
528
                                    str_replace("'", "", $elem[2])."');"
529
                                ); // or die(mysqli_error($dbTmp))
Unused Code Comprehensibility introduced by
70% of this comment could be valid code. Did you maybe forget this after debugging?

Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it.

The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production.

This check looks for comments that seem to be mostly valid code and reports them.

530
                            }
531
532
                            // append new setting in config file
533
                            $config_text .= "
534
    '".$elem[1]."' => '".str_replace("'", "", $elem[2])."',";
535
                        }
536
537
                        // write to config file
538
                        $result = fwrite(
539
                            $file_handler,
540
                            utf8_encode(
541
                                substr_replace($config_text, "", -1)."
542
);"
543
                            )
544
                        );
545
                        fclose($file_handler);
546
                    } elseif ($task === "nested_tree") {
547
                        $mysqli_result = mysqli_query(
548
                            $dbTmp,
549
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."nested_tree` (
550
                            `id` bigint(20) unsigned NOT null AUTO_INCREMENT,
551
                            `parent_id` int(11) NOT NULL,
552
                            `title` varchar(255) NOT NULL,
553
                            `nleft` int(11) NOT NULL DEFAULT '0',
554
                            `nright` int(11) NOT NULL DEFAULT '0',
555
                            `nlevel` int(11) NOT NULL DEFAULT '0',
556
                            `bloquer_creation` tinyint(1) NOT null DEFAULT '0',
557
                            `bloquer_modification` tinyint(1) NOT null DEFAULT '0',
558
                            `personal_folder` tinyint(1) NOT null DEFAULT '0',
559
                            `renewal_period` TINYINT(4) NOT null DEFAULT '0',
560
                            PRIMARY KEY (`id`),
561
                            KEY `nested_tree_parent_id` (`parent_id`),
562
                            KEY `nested_tree_nleft` (`nleft`),
563
                            KEY `nested_tree_nright` (`nright`),
564
                            KEY `nested_tree_nlevel` (`nlevel`),
565
                            KEY `personal_folder_idx` (`personal_folder`)
566
                            ) CHARSET=utf8;"
567
                        );
568
                    } elseif ($task === "rights") {
569
                        $mysqli_result = mysqli_query(
570
                            $dbTmp,
571
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."rights` (
572
                            `id` int(12) NOT null AUTO_INCREMENT,
573
                            `tree_id` int(12) NOT NULL,
574
                            `fonction_id` int(12) NOT NULL,
575
                            `authorized` tinyint(1) NOT null DEFAULT '0',
576
                            PRIMARY KEY (`id`)
577
                            ) CHARSET=utf8;"
578
                        );
579
                    } elseif ($task === "users") {
580
                        $mysqli_result = mysqli_query(
581
                            $dbTmp,
582
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."users` (
583
                            `id` int(12) NOT null AUTO_INCREMENT,
584
                            `login` varchar(50) NOT NULL,
585
                            `pw` varchar(400) NOT NULL,
586
                            `groupes_visibles` varchar(250) NOT NULL,
587
                            `derniers` text NULL,
588
                            `key_tempo` varchar(100) NULL,
589
                            `last_pw_change` varchar(30) NULL,
590
                            `last_pw` text NULL,
591
                            `admin` tinyint(1) NOT null DEFAULT '0',
592
                            `fonction_id` varchar(255) NULL,
593
                            `groupes_interdits` varchar(255) NULL,
594
                            `last_connexion` varchar(30) NULL,
595
                            `gestionnaire` int(11) NOT null DEFAULT '0',
596
                            `email` varchar(300) NOT NULL DEFAULT 'none',
597
                            `favourites` varchar(300) NULL,
598
                            `latest_items` varchar(300) NULL,
599
                            `personal_folder` int(1) NOT null DEFAULT '0',
600
                            `disabled` tinyint(1) NOT null DEFAULT '0',
601
                            `no_bad_attempts` tinyint(1) NOT null DEFAULT '0',
602
                            `can_create_root_folder` tinyint(1) NOT null DEFAULT '0',
603
                            `read_only` tinyint(1) NOT null DEFAULT '0',
604
                            `timestamp` varchar(30) NOT null DEFAULT '0',
605
                            `user_language` varchar(50) NOT null DEFAULT '0',
606
                            `name` varchar(100) NULL,
607
                            `lastname` varchar(100) NULL,
608
                            `session_end` varchar(30) NULL,
609
                            `isAdministratedByRole` tinyint(5) NOT null DEFAULT '0',
610
                            `psk` varchar(400) NULL,
611
                            `ga` varchar(50) NULL,
612
                            `ga_temporary_code` VARCHAR(20) NOT NULL DEFAULT 'none',
613
                            `avatar` varchar(255) NULL,
614
                            `avatar_thumb` varchar(255) NULL,
615
                            `upgrade_needed` BOOLEAN NOT NULL DEFAULT FALSE,
616
                            `treeloadstrategy` varchar(30) NOT null DEFAULT 'full',
617
                            `can_manage_all_users` tinyint(1) NOT NULL DEFAULT '0',
618
                            `usertimezone` VARCHAR(50) NOT NULL DEFAULT 'not_defined',
619
                            `agses-usercardid` VARCHAR(50) NOT NULL DEFAULT '0',
620
                            `encrypted_psk` text NULL,
621
                            `user_ip` varchar(400) NOT null DEFAULT 'none',
622
                            PRIMARY KEY (`id`),
623
                            UNIQUE KEY `login` (`login`)
624
                            ) CHARSET=utf8;"
625
                        );
626
627
                        require_once "../includes/config/include.php";
628
                        // check that admin accounts doesn't exist
629
                        $tmp = mysqli_num_rows(mysqli_query($dbTmp, "SELECT * FROM `".$var['tbl_prefix']."users` WHERE login = 'admin'"));
630
                        if ($tmp === 0) {
631
                            $mysqli_result = mysqli_query(
632
                                $dbTmp,
633
                                "INSERT INTO `".$var['tbl_prefix']."users` (`id`, `login`, `pw`, `admin`, `gestionnaire`, `personal_folder`, `groupes_visibles`, `email`, `encrypted_psk`, `last_pw_change`) VALUES ('1', 'admin', '".bCrypt($var['admin_pwd'], '13')."', '1', '0', '0', '', '', '', '".time()."')"
634
                            );
635
                        } else {
636
                            $mysqli_result = mysqli_query($dbTmp, "UPDATE `".$var['tbl_prefix']."users` SET `pw` = '".bCrypt($var['admin_pwd'], '13')."' WHERE login = 'admin' AND id = '1'");
637
                        }
638
639
                        // check that API doesn't exist
640
                        $tmp = mysqli_num_rows(mysqli_query($dbTmp, "SELECT * FROM `".$var['tbl_prefix']."users` WHERE id = '".API_USER_ID."'"));
641
                        if ($tmp === 0) {
642
                            $mysqli_result = mysqli_query(
643
                                $dbTmp,
644
                                "INSERT INTO `".$var['tbl_prefix']."users` (`id`, `login`, `pw`, `groupes_visibles`, `derniers`, `key_tempo`, `last_pw_change`, `last_pw`, `admin`, `fonction_id`, `groupes_interdits`, `last_connexion`, `gestionnaire`, `email`, `favourites`, `latest_items`, `personal_folder`) VALUES ('".API_USER_ID."', 'API', '', '', '', '', '', '', '1', '', '', '', '0', '', '', '', '0')"
645
                            );
646
                        }
647
648
                        // check that OTV doesn't exist
649
                        $tmp = mysqli_num_rows(mysqli_query($dbTmp, "SELECT * FROM `".$var['tbl_prefix']."users` WHERE id = '".OTV_USER_ID."'"));
650
                        if ($tmp === 0) {
651
                            $mysqli_result = mysqli_query(
652
                                $dbTmp,
653
                                "INSERT INTO `".$var['tbl_prefix']."users` (`id`, `login`, `pw`, `groupes_visibles`, `derniers`, `key_tempo`, `last_pw_change`, `last_pw`, `admin`, `fonction_id`, `groupes_interdits`, `last_connexion`, `gestionnaire`, `email`, `favourites`, `latest_items`, `personal_folder`) VALUES ('".OTV_USER_ID."', 'OTV', '', '', '', '', '', '', '1', '', '', '', '0', '', '', '', '0')"
654
                            );
655
                        }
656
                    } elseif ($task === "tags") {
657
                        $mysqli_result = mysqli_query(
658
                            $dbTmp,
659
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."tags` (
660
                            `id` int(12) NOT null AUTO_INCREMENT,
661
                            `tag` varchar(30) NOT NULL,
662
                            `item_id` int(12) NOT NULL,
663
                            PRIMARY KEY (`id`)
664
                            ) CHARSET=utf8;"
665
                        );
666
                    } elseif ($task === "log_system") {
667
                        $mysqli_result = mysqli_query(
668
                            $dbTmp,
669
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."log_system` (
670
                            `id` int(12) NOT null AUTO_INCREMENT,
671
                            `type` varchar(20) NOT NULL,
672
                            `date` varchar(30) NOT NULL,
673
                            `label` text NOT NULL,
674
                            `qui` varchar(255) NOT NULL,
675
                            `field_1` varchar(250) DEFAULT NULL,
676
                            PRIMARY KEY (`id`)
677
                            ) CHARSET=utf8;"
678
                        );
679
                    } elseif ($task === "files") {
680
                        $mysqli_result = mysqli_query(
681
                            $dbTmp,
682
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."files` (
683
                            `id` int(11) NOT null AUTO_INCREMENT,
684
                            `id_item` int(11) NOT NULL,
685
                            `name` varchar(100) NOT NULL,
686
                            `size` int(10) NOT NULL,
687
                            `extension` varchar(10) NOT NULL,
688
                            `type` varchar(255) NOT NULL,
689
                            `file` varchar(50) NOT NULL,
690
                            `status` varchar(50) NOT NULL DEFAULT '0',
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "cache") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."cache` (
                            `id` int(12) NOT NULL,
                            `label` varchar(500) NOT NULL,
                            `description` text NOT NULL,
                            `tags` text DEFAULT NULL,
                            `id_tree` int(12) NOT NULL,
                            `perso` tinyint(1) NOT NULL,
                            `restricted_to` varchar(200) DEFAULT NULL,
                            `login` varchar(200) DEFAULT NULL,
                            `folder` varchar(300) NOT NULL,
                            `author` varchar(50) NOT NULL,
                            `renewal_period` tinyint(4) NOT NULL DEFAULT '0',
                            `timestamp` varchar(50) DEFAULT NULL,
                            `url` varchar(500) NOT NULL DEFAULT '0',
                            `encryption_type` VARCHAR(50) DEFAULT '0'
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "roles_title") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."roles_title` (
                            `id` int(12) NOT NULL AUTO_INCREMENT,
                            `title` varchar(50) NOT NULL,
                            `allow_pw_change` TINYINT(1) NOT NULL DEFAULT '0',
                            `complexity` INT(5) NOT NULL DEFAULT '0',
                            `creator_id` int(11) NOT NULL DEFAULT '0',
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "roles_values") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."roles_values` (
                            `role_id` int(12) NOT NULL,
                            `folder_id` int(12) NOT NULL,
                            `type` varchar(5) NOT NULL DEFAULT 'R',
                            KEY `role_id_idx` (`role_id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "kb") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."kb` (
                            `id` int(12) NOT NULL AUTO_INCREMENT,
                            `category_id` int(12) NOT NULL,
                            `label` varchar(200) NOT NULL,
                            `description` text NOT NULL,
                            `author_id` int(12) NOT NULL,
                            `anyone_can_modify` tinyint(1) NOT NULL DEFAULT '0',
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "kb_categories") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."kb_categories` (
                            `id` int(12) NOT NULL AUTO_INCREMENT,
                            `category` varchar(50) NOT NULL,
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "kb_items") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."kb_items` (
                            `kb_id` int(12) NOT NULL,
                            `item_id` int(12) NOT NULL
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "restriction_to_roles") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."restriction_to_roles` (
                            `role_id` int(12) NOT NULL,
                            `item_id` int(12) NOT NULL,
                            KEY `role_id_idx` (`role_id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "languages") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."languages` (
                            `id` INT(10) NOT NULL AUTO_INCREMENT PRIMARY KEY,
                            `name` VARCHAR(50) NOT NULL,
                            `label` VARCHAR(50) NOT NULL,
                            `code` VARCHAR(10) NOT NULL,
                            `flag` VARCHAR(30) NOT NULL
                            ) CHARSET=utf8;"
                        );

                        // add languages (only once; mysqli_num_rows() returns an int, not an array)
                        $tmp = mysqli_num_rows(mysqli_query($dbTmp, "SELECT * FROM `".$var['tbl_prefix']."languages` WHERE name = 'french'"));
                        if ($tmp === 0) {
                            $mysqli_result = mysqli_query(
                                $dbTmp,
                                "INSERT INTO `".$var['tbl_prefix']."languages` (`name`, `label`, `code`, `flag`) VALUES
                                ('french', 'French' , 'fr', 'fr.png'),
                                ('english', 'English' , 'us', 'us.png'),
                                ('spanish', 'Spanish' , 'es', 'es.png'),
                                ('german', 'German' , 'de', 'de.png'),
                                ('czech', 'Czech' , 'cz', 'cz.png'),
                                ('italian', 'Italian' , 'it', 'it.png'),
                                ('russian', 'Russian' , 'ru', 'ru.png'),
                                ('turkish', 'Turkish' , 'tr', 'tr.png'),
                                ('norwegian', 'Norwegian' , 'no', 'no.png'),
                                ('japanese', 'Japanese' , 'ja', 'ja.png'),
                                ('portuguese', 'Portuguese' , 'pr', 'pr.png'),
                                ('portuguese_br', 'Portuguese (Brazil)' , 'pr-bt', 'pr-bt.png'),
                                ('chinese', 'Chinese' , 'cn', 'cn.png'),
                                ('swedish', 'Swedish' , 'se', 'se.png'),
                                ('dutch', 'Dutch' , 'nl', 'nl.png'),
                                ('catalan', 'Catalan' , 'ct', 'ct.png'),
                                ('vietnamese', 'Vietnamese' , 'vi', 'vi.png'),
                                ('estonian', 'Estonian' , 'ee', 'ee.png');"
                            );
                        }
                    } elseif ($task === "emails") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."emails` (
                            `timestamp` INT(30) NOT NULL,
                            `subject` VARCHAR(255) NOT NULL,
                            `body` TEXT NOT NULL,
                            `receivers` VARCHAR(255) NOT NULL,
                            `status` VARCHAR(30) NOT NULL
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "automatic_del") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."automatic_del` (
                            `item_id` int(11) NOT NULL,
                            `del_enabled` tinyint(1) NOT NULL,
                            `del_type` tinyint(1) NOT NULL,
                            `del_value` varchar(35) NOT NULL
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "items_edition") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."items_edition` (
                            `item_id` int(11) NOT NULL,
                            `user_id` int(12) NOT NULL,
                            `timestamp` varchar(50) NOT NULL
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "categories") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."categories` (
                            `id` int(12) NOT NULL AUTO_INCREMENT,
                            `parent_id` int(12) NOT NULL,
                            `title` varchar(255) NOT NULL,
                            `level` int(2) NOT NULL,
                            `description` text NULL,
                            `type` varchar(50) NULL DEFAULT '',
                            `order` int(12) NOT NULL DEFAULT '0',
                            `encrypted_data` tinyint(1) NOT NULL DEFAULT '1',
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "categories_items") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."categories_items` (
                            `id` int(12) NOT NULL AUTO_INCREMENT,
                            `field_id` int(11) NOT NULL,
                            `item_id` int(11) NOT NULL,
                            `data` text NOT NULL,
                            `data_iv` text NOT NULL,
                            `encryption_type` VARCHAR(20) NOT NULL DEFAULT 'not_set',
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "categories_folders") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."categories_folders` (
                            `id_category` int(12) NOT NULL,
                            `id_folder` int(12) NOT NULL
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "api") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."api` (
                            `id` int(20) NOT NULL AUTO_INCREMENT,
                            `type` varchar(15) NOT NULL,
                            `label` varchar(255) NOT NULL,
                            `value` varchar(255) NOT NULL,
                            `timestamp` varchar(50) NOT NULL,
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "otv") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."otv` (
                            `id` int(10) NOT NULL AUTO_INCREMENT,
                            `timestamp` text NOT NULL,
                            `code` varchar(100) NOT NULL,
                            `item_id` int(12) NOT NULL,
                            `originator` int(12) NOT NULL,
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "suggestion") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."suggestion` (
                            `id` tinyint(12) NOT NULL AUTO_INCREMENT,
                            `label` varchar(255) NOT NULL,
                            `pw` text NOT NULL,
                            `pw_iv` text NOT NULL,
                            `pw_len` int(5) NOT NULL,
                            `description` text NOT NULL,
                            `author_id` int(12) NOT NULL,
                            `folder_id` int(12) NOT NULL,
                            `comment` text NOT NULL,
                            `suggestion_type` varchar(10) NOT NULL DEFAULT 'new',
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );

                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."export` (
                            `id` int(12) NOT NULL,
                            `label` varchar(500) NOT NULL,
                            `login` varchar(100) NOT NULL,
                            `description` text NOT NULL,
                            `pw` text NOT NULL,
                            `path` varchar(500) NOT NULL,
                            `email` varchar(500) NOT NULL DEFAULT 'none',
                            `url` varchar(500) NOT NULL DEFAULT 'none',
                            `kbs` varchar(500) NOT NULL DEFAULT 'none',
                            `tags` varchar(500) NOT NULL DEFAULT 'none'
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "tokens") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."tokens` (
                            `id` int(12) NOT NULL AUTO_INCREMENT,
                            `user_id` int(12) NOT NULL,
                            `token` varchar(255) NOT NULL,
                            `reason` varchar(255) NOT NULL,
                            `creation_timestamp` varchar(50) NOT NULL,
                            `end_timestamp` varchar(50) NOT NULL,
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    } elseif ($task === "items_change") {
                        $mysqli_result = mysqli_query(
                            $dbTmp,
                            "CREATE TABLE IF NOT EXISTS `".$var['tbl_prefix']."items_change` (
                            `id` int(12) NOT NULL AUTO_INCREMENT,
                            `item_id` int(12) NOT NULL,
                            `label` varchar(255) NOT NULL DEFAULT 'none',
                            `pw` text NOT NULL,
                            `login` varchar(255) NOT NULL DEFAULT 'none',
                            `email` varchar(255) NOT NULL DEFAULT 'none',
                            `url` varchar(255) NOT NULL DEFAULT 'none',
                            `description` text NOT NULL,
                            `comment` text NOT NULL,
                            `folder_id` tinyint(12) NOT NULL,
                            `user_id` int(12) NOT NULL,
                            `timestamp` varchar(50) NOT NULL DEFAULT 'none',
                            PRIMARY KEY (`id`)
                            ) CHARSET=utf8;"
                        );
                    }
                }
                // answer back
                if ($mysqli_result) {
                    echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'", "task" : "'.$task.'", "activity" : "'.$activity.'"}]';
                } else {
                    // mysqli_error() needs the connection handle; without it PHP 7 throws an ArgumentCountError
                    echo '[{"error" : "'.addslashes(str_replace(array("'", "\n", "\r"), array('"', '', ''), mysqli_error($dbTmp))).'", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'", "table" : "'.$task.'"}]';
                }
            } else {
                echo '[{"error" : "'.addslashes(str_replace(array("'", "\n", "\r"), array('"', '', ''), mysqli_connect_error())).'", "result" : "Failed", "multiple" : ""}]';
            }

            mysqli_close($dbTmp);
            // Destroy session without writing to disk
            define('NODESTROY_SESSION', 'true');
            session_destroy();
            break;

        case "step_6":
            //decrypt
            require_once 'libs/aesctr.php'; // AES Counter Mode implementation
            $activity = Encryption\Crypt\aesctr::decrypt($post_activity, "cpm", 128);
            $data_sent = Encryption\Crypt\aesctr::decrypt($post_data, "cpm", 128);
            $data_sent = json_decode($data_sent, true);
            $task = Encryption\Crypt\aesctr::decrypt($post_task, "cpm", 128);
            $json = Encryption\Crypt\aesctr::decrypt($post_db, "cpm", 128);
            $db = json_decode($json, true);

            $dbTmp = mysqli_connect(
                $db['db_host'],
                $db['db_login'],
                $db['db_pw'],
                $db['db_bdd'],
                $db['db_port']
            );

            // read install variables
            $result = mysqli_query($dbTmp, "SELECT * FROM `_install`");
            while ($row = $result->fetch_array()) {
                $var[$row[0]] = $row[1];
            }

            // launch
            if (empty($var['sk_path'])) {
                $skFile = $var['abspath'].'/includes/sk.php';
                $securePath = $var['abspath'];
            } else {
                //ensure $var['sk_path'] has no trailing slash
                $var['sk_path'] = rtrim($var['sk_path'], '/\\');
                $skFile = $var['sk_path'].'/sk.php';
                $securePath = $var['sk_path'];
            }

            $events = "";

            if ($activity === "file") {
                if ($task === "settings.php") {
                    // first is to create teampass-seckey.txt
                    // 0- check if exists
                    $filename_seckey = $securePath."/teampass-seckey.txt";

                    if (file_exists($filename_seckey)) {
                        if (!copy($filename_seckey, $filename_seckey.'.'.date("Y_m_d", mktime(0, 0, 0, date('m'), date('d'), date('y'))))) {
                            echo '[{"error" : "File `'.$filename_seckey.'` already exists and cannot be renamed. Please do it by yourself and click on button Launch.", "result":"", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                            break;
                        } else {
                            // the dated backup copy exists, so the original key file can go
                            unlink($filename_seckey);
                        }
                    }

                    // 1- generate saltkey
                    require_once '../includes/libraries/Encryption/Encryption/Crypto.php';
                    require_once '../includes/libraries/Encryption/Encryption/Encoding.php';
                    require_once '../includes/libraries/Encryption/Encryption/DerivedKeys.php';
                    require_once '../includes/libraries/Encryption/Encryption/Key.php';
                    require_once '../includes/libraries/Encryption/Encryption/KeyOrPassword.php';
                    require_once '../includes/libraries/Encryption/Encryption/File.php';
                    require_once '../includes/libraries/Encryption/Encryption/RuntimeTests.php';
                    require_once '../includes/libraries/Encryption/Encryption/KeyProtectedByPassword.php';
                    require_once '../includes/libraries/Encryption/Encryption/Core.php';

                    $key = \Defuse\Crypto\Key::createNewRandomKey();
                    $new_salt = $key->saveToAsciiSafeString();

                    // 2- store key in file
                    file_put_contents(
                        $filename_seckey,
                        $new_salt
                    );

                    // Now create settings file
                    $filename = "../includes/config/settings.php";

                    if (file_exists($filename)) {
                        if (!copy($filename, $filename.'.'.date("Y_m_d", mktime(0, 0, 0, date('m'), date('d'), date('y'))))) {
                            echo '[{"error" : "settings.php file already exists and cannot be renamed. Please do it by yourself and click on button Launch.", "result":"", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                            break;
                        } else {
                            unlink($filename);
                        }
                    }

                    // Encrypt the DB password
                    $encrypted_text = encryptFollowingDefuse(
                        $db['db_pw'],
                        $new_salt
                    )['string'];

                    // Open and write Settings file
                    $file_handler = fopen($filename, 'w');
                    // Scrutinizer (Security File Manipulation): $session_db_encoding is read from request
                    // data via SuperGlobal::get() and is written into the PHP file generated here, so it
                    // should be allow-listed before use.
                    $result = fwrite(
                        $file_handler,
                        utf8_encode(
                            "<?php
global \$lang, \$txt, \$pathTeampas, \$urlTeampass, \$pwComplexity, \$mngPages;
global \$server, \$user, \$pass, \$database, \$pre, \$db, \$port, \$encoding;

### DATABASE connection parameters ###
\$server = \"".$db['db_host']."\";
\$user = \"".$db['db_login']."\";
\$pass = \"".str_replace("$", "\\$", $encrypted_text)."\";
\$database = \"".$db['db_bdd']."\";
\$pre = \"".$var['tbl_prefix']."\";
\$port = ".$db['db_port'].";
\$encoding = \"".$session_db_encoding."\";

@date_default_timezone_set(\$_SESSION['settings']['timezone']);
@define('SECUREPATH', '".$securePath."');
if (file_exists(\"".str_replace('\\', '/', $skFile)."\")) {
    require_once \"".str_replace('\\', '/', $skFile)."\";
}
"
                        )
                    );
                    fclose($file_handler);
                    if ($result === false) {
                        echo '[{"error" : "settings.php file could not be created. Please check the path and the rights", "result":"", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                    } else {
                        echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                    }
                } elseif ($task === "sk.php") {
                    // Create sk.php file
                    if (file_exists($skFile)) {
                        if (!copy($skFile, $skFile.'.'.date("Y_m_d", mktime(0, 0, 0, date('m'), date('d'), date('y'))))) {
                            echo '[{"error" : "sk.php file already exists and cannot be renamed. Please do it by yourself and click on button Launch.", "result":"", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                            break;
                        } else {
                            unlink($skFile);
                        }
                    }
                    $file_handler = fopen($skFile, 'w');

                    $result = fwrite(
                        $file_handler,
                        utf8_encode(
                            "<?php
@define('COST', '13'); // Don't change this.
@define('AKEY', '');
@define('IKEY', '');
@define('SKEY', '');
@define('HOST', '');
?>"
                        )
                    );
                    fclose($file_handler);

                    // finalize
                    if ($result === false) {
                        echo '[{"error" : "sk.php file could not be created. Please check the path and the rights.", "result":"", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                    } else {
                        echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                    }
                } elseif ($task === "security") {
                    # Sort out the file permissions
                    $result = true; // nothing to change on Windows, so report success there

                    // is server Windows or Linux?
                    if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
                        // Change directory permissions
                        $result = chmodRecursive($session_abspath, 0770, 0740);
                        if ($result) {
                            $result = chmodRecursive($session_abspath.'/files', 0770, 0770);
                        }
                        if ($result) {
                            $result = chmodRecursive($session_abspath.'/upload', 0770, 0770);
                        }
                    }

                    if ($result === false) {
                        echo '[{"error" : "Cannot change directory permissions - please fix manually", "result":"", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                    } else {
                        echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                    }
                } elseif ($task === "csrfp-token") {
                    // update CSRFP TOKEN
                    $csrfp_file_sample = "../includes/libraries/csrfp/libs/csrfp.config.sample.php";
                    $csrfp_file = "../includes/libraries/csrfp/libs/csrfp.config.php";
                    if (file_exists($csrfp_file)) {
                        if (!copy($csrfp_file, $csrfp_file.'.'.date("Y_m_d", mktime(0, 0, 0, date('m'), date('d'), date('y'))))) {
                            echo '[{"error" : "csrfp.config.php file already exists and cannot be renamed. Please do it by yourself and click on button Launch.", "result":"", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                            break;
                        } else {
                            $events .= "The file $csrfp_file already exists. A copy has been created.<br />";
                            unlink($csrfp_file); // delete existing csrfp.config file now that it is backed up
                        }
                    }
                    copy($csrfp_file_sample, $csrfp_file); // make a copy of csrfp.config.sample file
                    $data = file_get_contents($csrfp_file);
                    $newdata = str_replace('"CSRFP_TOKEN" => ""', '"CSRFP_TOKEN" => "'.bin2hex(openssl_random_pseudo_bytes(25)).'"', $data);
                    $jsUrl = $data_sent['url_path'].'/includes/libraries/csrfp/js/csrfprotector.js';
                    $newdata = str_replace('"jsUrl" => ""', '"jsUrl" => "'.$jsUrl.'"', $newdata);
                    file_put_contents($csrfp_file, $newdata);

                    echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                }
            } elseif ($activity === "install") {
                if ($task === "cleanup") {
                    // Mark a tag so the install files, folders and table are cleaned up at first login
                    mysqli_query($dbTmp, "INSERT INTO `".$var['tbl_prefix']."misc` (`type`, `intitule`, `valeur`) VALUES ('install', 'clear_install_folder', 'true')");

                    echo '[{"error" : "", "index" : "'.$post_index.'", "multiple" : "'.$post_multiple.'"}]';
                }
            }

            mysqli_close($dbTmp);
            // Destroy session without writing to disk
            define('NODESTROY_SESSION', 'true');
            session_destroy();
            break;
    }
}
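The settings.php step above splices `$db['db_host']`, `$db['db_login']`, the table prefix and the request-derived `$session_db_encoding` into a double-quoted PHP source string by concatenation, escaping only `$` in the encrypted password; the Scrutinizer taint finding on that `utf8_encode()` call is about exactly this. The following is an added example, not TeamPass's own code: it builds the same file from validated inputs with `var_export()`, so every value becomes a correctly quoted PHP literal, and rejects an encoding that is not on an allow-list. Function names, the allow-list contents and the sample values are assumptions made for the example; it assumes PHP 7 or later.

```php
<?php
// Added example (not TeamPass code): generate settings.php from validated values.
// Function and constant names are hypothetical.

// Assumed allow-list: the installer reads $session_db_encoding from the request,
// so it must be checked before it lands in a file PHP will later execute.
const ALLOWED_DB_ENCODINGS = ['utf8', 'utf8mb4', 'latin1'];

function validateEncoding(string $encoding): string
{
    if (!in_array($encoding, ALLOWED_DB_ENCODINGS, true)) {
        throw new InvalidArgumentException("Unsupported DB encoding: " . $encoding);
    }
    return $encoding;
}

function validateTablePrefix(string $prefix): string
{
    // The prefix is embedded in every SQL identifier the installer builds, so
    // only allow what MySQL accepts in an unquoted identifier.
    if (!preg_match('/^[A-Za-z0-9_]{0,30}$/', $prefix)) {
        throw new InvalidArgumentException("Invalid table prefix: " . $prefix);
    }
    return $prefix;
}

function buildSettingsPhp(array $db, string $tblPrefix, string $encoding, string $securePath, string $skFile): string
{
    $enc  = validateEncoding($encoding);
    $pre  = validateTablePrefix($tblPrefix);
    $port = (int) $db['db_port'];            // numeric data: cast, never interpolate
    $sk   = str_replace('\\', '/', $skFile);

    // var_export() emits a single-quoted literal with ' and \ escaped, so a value
    // containing quotes, "$" or backslashes cannot break out of the generated source.
    // $db['db_pw'] is whatever the caller supplies (the installer passes the
    // Defuse-encrypted password here).
    $lines = [
        '<?php',
        'global $server, $user, $pass, $database, $pre, $db, $port, $encoding;',
        '',
        '### DATABASE connection parameters ###',
        '$server = '   . var_export((string) $db['db_host'], true)  . ';',
        '$user = '     . var_export((string) $db['db_login'], true) . ';',
        '$pass = '     . var_export((string) $db['db_pw'], true)    . ';',
        '$database = ' . var_export((string) $db['db_bdd'], true)   . ';',
        '$pre = '      . var_export($pre, true) . ';',
        '$port = '     . $port . ';',
        '$encoding = ' . var_export($enc, true) . ';',
        '',
        "@define('SECUREPATH', " . var_export($securePath, true) . ');',
        'if (file_exists(' . var_export($sk, true) . ')) {',
        '    require_once ' . var_export($sk, true) . ';',
        '}',
    ];
    return implode("\n", $lines) . "\n";
}

// Constructed sample input: the password deliberately contains characters that
// would break the concatenated double-quoted string the installer writes today.
$sampleDb = [
    'db_host'  => 'db.example.internal',
    'db_login' => 'teampass',
    'db_pw'    => 'p"a$s\\word\'1',
    'db_bdd'   => 'teampass',
    'db_port'  => '3306',
];

$source = buildSettingsPhp($sampleDb, 'teampass_', 'utf8', '/var/www/secure', '/var/www/secure/sk.php');
echo $source;

// Round trip: the generated file must parse back to exactly the value we put in.
$tmp = tempnam(sys_get_temp_dir(), 'settings');
file_put_contents($tmp, $source);
include $tmp;
unlink($tmp);
assert($pass === $sampleDb['db_pw']);

// A request-supplied encoding that is not on the allow-list is rejected outright.
try {
    buildSettingsPhp($sampleDb, 'teampass_', 'not-an-encoding', '/var/www/secure', '/var/www/secure/sk.php');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The round-trip `include` is the check worth keeping in an installer test: if the generated file does not evaluate back to the original password, the quoting is wrong. Timezone handling from the original file is omitted because it depends on session state the example does not have.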
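The "back up the existing file, then write the new one" sequence is repeated for teampass-seckey.txt, settings.php, sk.php and csrfp.config.php (the duplication Scrutinizer flags), and in each case the new file is created with whatever the process umask gives, so the secret key and the encrypted DB password can end up readable by other local users. This added example, not TeamPass's own code, folds the pattern into one helper that keeps the dated backup the installer makes, writes through a temporary file and `rename()` so no reader sees a half-written key, and sets owner-only permissions. Names are hypothetical; the key material is a random string standing in for the Defuse `Key::saveToAsciiSafeString()` output the installer uses, so the example runs without that library.

```php
<?php
// Added example (not TeamPass code): one helper for the repeated backup-then-write
// steps, with restrictive permissions and an atomic replace. Names are hypothetical.

/**
 * Write $contents to $path:
 *  - if $path exists, keep a copy at $path.YYYY_MM_DD (as the installer does);
 *  - write to a temporary file in the same directory, then rename() it into place;
 *  - apply $mode (default 0600) before the rename, because file_put_contents()
 *    alone creates the file with the process umask.
 * Returns true on success, false on failure.
 */
function writeProtectedFile(string $path, string $contents, int $mode = 0600): bool
{
    if (file_exists($path)) {
        $backup = $path . '.' . date('Y_m_d');
        if (!copy($path, $backup)) {
            return false;      // caller reports "already exists and cannot be renamed"
        }
        chmod($backup, $mode); // the backup holds the same secret as the original
    }

    $tmp = tempnam(dirname($path), 'tp_'); // tempnam() itself creates the file 0600
    if ($tmp === false) {
        return false;
    }
    if (file_put_contents($tmp, $contents, LOCK_EX) !== strlen($contents)) {
        unlink($tmp);
        return false;
    }
    chmod($tmp, $mode);
    if (!rename($tmp, $path)) {
        unlink($tmp);
        return false;
    }
    return true;
}

/** sk.php body with the constants the installer writes (values left empty as it does). */
function buildSkPhp(): string
{
    return "<?php\n"
        . "@define('COST', '13'); // Don't change this.\n"
        . "@define('AKEY', '');\n"
        . "@define('IKEY', '');\n"
        . "@define('SKEY', '');\n"
        . "@define('HOST', '');\n";
}

// Demo in a scratch directory (constructed; the installer uses $securePath).
$dir = sys_get_temp_dir() . '/tp_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// 1. secret key file; a random hex string stands in for the Defuse key string
$keyFile = $dir . '/teampass-seckey.txt';
$ok1 = writeProtectedFile($keyFile, bin2hex(random_bytes(32)));

// 2. second run over an existing key: it is backed up before being replaced
$ok2 = writeProtectedFile($keyFile, bin2hex(random_bytes(32)));
$backups = glob($keyFile . '.*');

// 3. sk.php through the same helper
$ok3 = writeProtectedFile($dir . '/sk.php', buildSkPhp());

printf(
    "writes ok: %s, backups kept: %d, key file mode: %o\n",
    ($ok1 && $ok2 && $ok3) ? 'yes' : 'no',
    count($backups),
    fileperms($keyFile) & 0777
);
```

On a POSIX host the last line reports mode 600 for the key file; on Windows `chmod()` is a no-op and NTFS ACLs on `$securePath` have to provide the equivalent protection. The backup is given the same restrictive mode because, as written in the installer, the dated copy of teampass-seckey.txt inherits whatever permissions the original had.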