Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server, gaining access to user data or manipulating it.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements, potentially granting permission to run unauthorized queries or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem, including configuration files, or can be abused to freeze your web server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/wp-admin/admin-header.php (1 issue)

Note: these results are based on the legacy PHP analysis engine.

<?php
/**
 * WordPress Administration Template Header
 *
 * @package WordPress
 * @subpackage Administration
 */

@header('Content-Type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset'));
Issue on the @header(...) call above (Security Best Practice): It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended.

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
if ( ! defined( 'WP_ADMIN' ) )
	require_once( dirname( __FILE__ ) . '/admin.php' );

/**
 * In case admin-header.php is included in a function.
 *
 * @global string    $title
 * @global string    $hook_suffix
 * @global WP_Screen $current_screen
 * @global WP_Locale $wp_locale
 * @global string    $pagenow
 * @global string    $update_title
 * @global int       $total_update_count
 * @global string    $parent_file
 */
global $title, $hook_suffix, $current_screen, $wp_locale, $pagenow,
	$update_title, $total_update_count, $parent_file;

// Catch plugins that include admin-header.php before admin.php completes.
if ( empty( $current_screen ) )
	set_current_screen();

get_admin_page_title();
$title = esc_html( strip_tags( $title ) );

if ( is_network_admin() ) {
	/* translators: Network admin screen title. 1: Network name */
	$admin_title = sprintf( __( 'Network Admin: %s' ), esc_html( get_network()->site_name ) );
} elseif ( is_user_admin() ) {
	/* translators: User dashboard screen title. 1: Network name */
	$admin_title = sprintf( __( 'User Dashboard: %s' ), esc_html( get_network()->site_name ) );
} else {
	$admin_title = get_bloginfo( 'name' );
}

if ( $admin_title == $title ) {
	/* translators: Admin screen title. 1: Admin screen name */
	$admin_title = sprintf( __( '%1$s &#8212; WordPress' ), $title );
} else {
	/* translators: Admin screen title. 1: Admin screen name, 2: Network or site name */
	$admin_title = sprintf( __( '%1$s &lsaquo; %2$s &#8212; WordPress' ), $title, $admin_title );
}

/**
 * Filters the title tag content for an admin page.
 *
 * @since 3.1.0
 *
 * @param string $admin_title The page title, with extra context added.
 * @param string $title       The original page title.
 */
$admin_title = apply_filters( 'admin_title', $admin_title, $title );

wp_user_settings();

_wp_admin_html_begin();
?>
<title><?php echo $admin_title; ?></title>
<?php

wp_enqueue_style( 'colors' );
wp_enqueue_style( 'ie' );
wp_enqueue_script('utils');
wp_enqueue_script( 'svg-painter' );

$admin_body_class = preg_replace('/[^a-z0-9_-]+/i', '-', $hook_suffix);
?>
<script type="text/javascript">
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
	pagenow = '<?php echo $current_screen->id; ?>',
	typenow = '<?php echo $current_screen->post_type; ?>',
	adminpage = '<?php echo $admin_body_class; ?>',
	thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
	decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
	isRtl = <?php echo (int) is_rtl(); ?>;
</script>
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<?php

/**
 * Enqueue scripts for all admin pages.
 *
 * @since 2.8.0
 *
 * @param string $hook_suffix The current admin page.
 */
do_action( 'admin_enqueue_scripts', $hook_suffix );

/**
 * Fires when styles are printed for a specific admin page based on $hook_suffix.
 *
 * @since 2.6.0
 */
do_action( "admin_print_styles-{$hook_suffix}" );

/**
 * Fires when styles are printed for all admin pages.
 *
 * @since 2.6.0
 */
do_action( 'admin_print_styles' );

/**
 * Fires when scripts are printed for a specific admin page based on $hook_suffix.
 *
 * @since 2.1.0
 */
do_action( "admin_print_scripts-{$hook_suffix}" );

/**
 * Fires when scripts are printed for all admin pages.
 *
 * @since 2.1.0
 */
do_action( 'admin_print_scripts' );

/**
 * Fires in head section for a specific admin page.
 *
 * The dynamic portion of the hook, `$hook_suffix`, refers to the hook suffix
 * for the admin page.
 *
 * @since 2.1.0
 */
do_action( "admin_head-{$hook_suffix}" );

/**
 * Fires in head section for all admin pages.
 *
 * @since 2.1.0
 */
do_action( 'admin_head' );

if ( get_user_setting('mfold') == 'f' )
	$admin_body_class .= ' folded';

if ( !get_user_setting('unfold') )
	$admin_body_class .= ' auto-fold';

if ( is_admin_bar_showing() )
	$admin_body_class .= ' admin-bar';

if ( is_rtl() )
	$admin_body_class .= ' rtl';

if ( $current_screen->post_type )
	$admin_body_class .= ' post-type-' . $current_screen->post_type;

if ( $current_screen->taxonomy )
	$admin_body_class .= ' taxonomy-' . $current_screen->taxonomy;

$admin_body_class .= ' branch-' . str_replace( array( '.', ',' ), '-', floatval( get_bloginfo( 'version' ) ) );
$admin_body_class .= ' version-' . str_replace( '.', '-', preg_replace( '/^([.0-9]+).*/', '$1', get_bloginfo( 'version' ) ) );
$admin_body_class .= ' admin-color-' . sanitize_html_class( get_user_option( 'admin_color' ), 'fresh' );
$admin_body_class .= ' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_user_locale() ) ) );

if ( wp_is_mobile() )
	$admin_body_class .= ' mobile';

if ( is_multisite() )
	$admin_body_class .= ' multisite';

if ( is_network_admin() )
	$admin_body_class .= ' network-admin';

$admin_body_class .= ' no-customize-support no-svg';

?>
</head>
<?php
/**
 * Filters the CSS classes for the body tag in the admin.
 *
 * This filter differs from the {@see 'post_class'} and {@see 'body_class'} filters
 * in two important ways:
 *
 * 1. `$classes` is a space-separated string of class names instead of an array.
 * 2. Not all core admin classes are filterable, notably: wp-admin, wp-core-ui,
 *    and no-js cannot be removed.
 *
 * @since 2.3.0
 *
 * @param string $classes Space-separated list of CSS classes.
 */
$admin_body_classes = apply_filters( 'admin_body_class', '' );
?>
<body class="wp-admin wp-core-ui no-js <?php echo $admin_body_classes . ' ' . $admin_body_class; ?>">
<script type="text/javascript">
	document.body.className = document.body.className.replace('no-js','js');
</script>

<?php
// Make sure the customize body classes are correct as early as possible.
if ( current_user_can( 'customize' ) ) {
	wp_customize_support_script();
}
?>

<div id="wpwrap">
<?php require(ABSPATH . 'wp-admin/menu-header.php'); ?>
<div id="wpcontent">

<?php
/**
 * Fires at the beginning of the content section in an admin page.
 *
 * @since 3.0.0
 */
do_action( 'in_admin_header' );
?>

<div id="wpbody" role="main">
<?php
unset($title_class, $blog_name, $total_update_count, $update_title);

$current_screen->set_parentage( $parent_file );

?>

<div id="wpbody-content" aria-label="<?php esc_attr_e('Main content'); ?>" tabindex="0">
<?php

$current_screen->render_screen_meta();

if ( is_network_admin() ) {
	/**
	 * Prints network admin screen notices.
	 *
	 * @since 3.1.0
	 */
	do_action( 'network_admin_notices' );
} elseif ( is_user_admin() ) {
	/**
	 * Prints user admin screen notices.
	 *
	 * @since 3.1.0
	 */
	do_action( 'user_admin_notices' );
} else {
	/**
	 * Prints admin screen notices.
	 *
	 * @since 3.1.0
	 */
	do_action( 'admin_notices' );
}

/**
 * Prints generic admin screen notices.
 *
 * @since 3.1.0
 */
do_action( 'all_admin_notices' );

if ( $parent_file == 'options-general.php' )
	require(ABSPATH . 'wp-admin/options-head.php');
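The inspection note on the @header(...) call at the top of this file recommends checking the error condition explicitly rather than suppressing it. header() returns nothing, so the condition the `@` operator hides is PHP's "headers already sent" warning, which headers_sent() exposes directly. The PHP below is an added example written for this page; it is not WordPress core code and not the analysis tool's own suggestion. send_admin_content_type() is a hypothetical helper that assumes the two get_option() values from the original call are passed in, and the line-break check is a defensive addition on top of the rejection PHP's header() already performs (this ties the check to the Header Injection category listed above).

```php
<?php
// Added example, not WordPress core: an explicit-check replacement for
//   @header('Content-Type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset'));
// header() has no return value, so the only testable failure is that output
// has already been sent, which is exactly the warning the `@` operator hides.

/**
 * Send the admin Content-Type header, or report why it could not be sent.
 *
 * Hypothetical helper; $html_type and $blog_charset are assumed to be the
 * values WordPress returns from get_option('html_type') and get_option('blog_charset').
 *
 * @param string $html_type    MIME type, e.g. 'text/html'.
 * @param string $blog_charset Charset label, e.g. 'UTF-8'.
 * @return true
 * @throws InvalidArgumentException if a value would span more than one header line.
 * @throws RuntimeException         if output already started (headers cannot be sent).
 */
function send_admin_content_type( $html_type, $blog_charset ) {
	// Defensive check: a CR or LF in a header value is the Header Injection
	// primitive. PHP's header() refuses such values itself, but rejecting them
	// here keeps the failure explicit instead of relying on a suppressed warning.
	if ( preg_match( '/[\r\n]/', $html_type . $blog_charset ) ) {
		throw new InvalidArgumentException( 'Header value contains a line break.' );
	}

	// headers_sent() tells us where output began, which is what the operator
	// needs to find the plugin or template that printed too early.
	$file = '';
	$line = 0;
	if ( headers_sent( $file, $line ) ) {
		throw new RuntimeException( sprintf(
			'Cannot send Content-Type header: output already started in %s on line %d.',
			$file,
			$line
		) );
	}

	header( 'Content-Type: ' . $html_type . '; charset=' . $blog_charset );
	return true;
}

// Usage in place of the suppressed call (assumes WordPress is loaded so that
// get_option() exists). The failure is logged rather than silently discarded.
try {
	send_admin_content_type( get_option( 'html_type' ), get_option( 'blog_charset' ) );
} catch ( RuntimeException $e ) {
	error_log( $e->getMessage() );
}
```

The difference from the original line is not that the header is sent more often; it is that when it cannot be sent, the reason (file and line where output began) is recorded, which is what the inspection note means by handling the error condition instead of hiding it.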