Issues in message.php (master) - Issues in master - owncloud/mail - Measure and Improve Code Quality continuously with Scrutinizer

Issues (78)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/model/message.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * @author Christoph Wurst <[email protected]>
 *
 * Mail
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 *
 */
namespace OCA\Mail\Model;

use Horde_Mail_Rfc822_List;
use Horde_Mime_Part;
use OCP\Files\File;

class Message implements IMessage {

	use ConvertAddresses;

	/**
	 * @var string
	 */
	private $subject = '';

	/**
	 * @var string
	 */
	private $from = '';

	/**
	 *
	 * @var Horde_Mail_Rfc822_List
	 */
	private $to;

	/**
	 * @var Horde_Mail_Rfc822_List
	 */
	private $cc;

	/**
	 * @var Horde_Mail_Rfc822_List
	 */
	private $bcc;

	/**
	 * @var IMessage
	 */
	private $repliedMessage = null;

	/**
	 * @var array
	 */
	private $flags = [];

	/**
	 * @var string
	 */
	private $content = '';

	/**
	 * @var File[]
	 */
	private $attachments = [];

	/**
	 * @param string $list
	 * @return Horde_Mail_Rfc822_List
	 */
	public static function parseAddressList($list) {
		return new Horde_Mail_Rfc822_List($list);
	}

	public function __construct() {
		$this->to = new Horde_Mail_Rfc822_List();
		$this->cc = new Horde_Mail_Rfc822_List();
		$this->bcc = new Horde_Mail_Rfc822_List();
	}

	/**
	 * Get the ID
	 *
	 * @return int|null
	 */
	public function getMessageId() {
		return null;
	}

	/**
	 * Get all flags set on this message
	 * 
	 * @return array
	 */
	public function getFlags() {
		return $this->flags;
	}

	/**
	 * @param string[] $flags
	 */
	public function setFlags(array $flags) {
		$this->flags = $flags;
	}

	/**
	 * @return string
	 */
	public function getFrom() {
		return $this->from;
	}

	/**
	 * @param string $from
	 */
	public function setFrom($from) {
		$this->from = $from;
	}

	/**
	 * @return string
	 */
	public function getTo() {
		if ($this->to->count() > 0) {
			return $this->to->first()->writeAddress();
		}
		return null;
	}

	/**
	 * @param Horde_Mail_Rfc822_List $to
	 */
	public function setTo(Horde_Mail_Rfc822_List $to) {
		$this->to = $to;
	}

	/**
	 * @param bool $assoc
	 * @return string[]
	 */
	public function getToList($assoc = false) {
		if ($assoc) {
			return $this->hordeListToAssocArray($this->to);
		} else {
			return $this->hordeListToStringArray($this->to);
		}
	}

	/**
	 * @param bool $assoc
	 * @return Horde_Mail_Rfc822_List
	 */
	public function getCCList($assoc = false) {
		if ($assoc) {
			return $this->hordeListToAssocArray($this->cc);
		} else {
			return $this->hordeListToStringArray($this->cc);
		}
	}

	/**
	 * @param Horde_Mail_Rfc822_List $cc
	 */
	public function setCC(Horde_Mail_Rfc822_List $cc) {
		$this->cc = $cc;
	}

	/**
	 * @param bool $assoc
	 * @return Horde_Mail_Rfc822_List
	 */
	public function getBCCList($assoc = false) {
		if ($assoc) {
			return $this->hordeListToAssocArray($this->bcc);
		} else {
			return $this->hordeListToStringArray($this->bcc);
		}
	}

	/**
	 * @param Horde_Mail_Rfc822_List $bcc
	 */
	public function setBcc(Horde_Mail_Rfc822_List $bcc) {
		$this->bcc = $bcc;
	}

	/**
	 * @return IMessage
	 */
	public function getRepliedMessage() {
		return $this->repliedMessage;
	}

	/**
	 * @param IMessage $message
	 */
	public function setRepliedMessage(IMessage $message) {
		$this->repliedMessage = $message;
	}

	/**
	 * @return string
	 */
	public function getSubject() {
		return $this->subject;
	}

	/**
	 * @param string $subject
	 */
	public function setSubject($subject) {
		$this->subject = $subject;
	}

	/**
	 * @return string
	 */
	public function getContent() {
		return $this->content;
	}

	/**
	 * @param string $content
	 */
	public function setContent($content) {
		$this->content = $content;
	}

	/**
	 * @return File[]
	 */
	public function getAttachments() {
		return $this->attachments;
class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}
	}

	/**
	 * @param File $file
	 */
	public function addAttachmentFromFiles(File $file) {
		$part = new Horde_Mime_Part();
		$part->setCharset('us-ascii');
		$part->setDisposition('attachment');
		$part->setName($file->getName());
		$part->setContents($file->getContent());
		$part->setType($file->getMimeType());
		$this->attachments[] = $part;
	}

}


1		<?php
2
3		/**
4		* @author Christoph Wurst <[email protected]>
5		*
6		* Mail
7		*
8		* This code is free software: you can redistribute it and/or modify
9		* it under the terms of the GNU Affero General Public License, version 3,
10		* as published by the Free Software Foundation.
11		*
12		* This program is distributed in the hope that it will be useful,
13		* but WITHOUT ANY WARRANTY; without even the implied warranty of
14		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15		* GNU Affero General Public License for more details.
16		*
17		* You should have received a copy of the GNU Affero General Public License, version 3,
18		* along with this program. If not, see <http://www.gnu.org/licenses/>
19		*
20		*/
21		namespace OCA\Mail\Model;
22
23		use Horde_Mail_Rfc822_List;
24		use Horde_Mime_Part;
25		use OCP\Files\File;
26
27		class Message implements IMessage {
28
29		use ConvertAddresses;
30
31		/**
32		* @var string
33		*/
34		private $subject = '';
35
36		/**
37		* @var string
38		*/
39		private $from = '';
40
41		/**
42		*
43		* @var Horde_Mail_Rfc822_List
44		*/
45		private $to;
46
47		/**
48		* @var Horde_Mail_Rfc822_List
49		*/
50		private $cc;
51
52		/**
53		* @var Horde_Mail_Rfc822_List
54		*/
55		private $bcc;
56
57		/**
58		* @var IMessage
59		*/
60		private $repliedMessage = null;
61
62		/**
63		* @var array
64		*/
65		private $flags = [];
66
67		/**
68		* @var string
69		*/
70		private $content = '';
71
72		/**
73		* @var File[]
74		*/
75		private $attachments = [];
76
77		/**
78		* @param string $list
79		* @return Horde_Mail_Rfc822_List
80		*/
81	24	public static function parseAddressList($list) {
82	24	return new Horde_Mail_Rfc822_List($list);
83		}
84
85	40	public function __construct() {
86	40	$this->to = new Horde_Mail_Rfc822_List();
87	40	$this->cc = new Horde_Mail_Rfc822_List();
88	40	$this->bcc = new Horde_Mail_Rfc822_List();
89	40	}
90
91		/**
92		* Get the ID
93		*
94		* @return int\|null
95		*/
96		public function getMessageId() {
97		return null;
98		}
99
100		/**
101		* Get all flags set on this message
102		*
103		* @return array
104		*/
105	2	public function getFlags() {
106	2	return $this->flags;
107		}
108
109		/**
110		* @param string[] $flags
111		*/
112	2	public function setFlags(array $flags) {
113	2	$this->flags = $flags;
114	2	}
115
116		/**
117		* @return string
118		*/
119	2	public function getFrom() {
120	2	return $this->from;
121		}
122
123		/**
124		* @param string $from
125		*/
126	2	public function setFrom($from) {
127	2	$this->from = $from;
128	2	}
129
130		/**
131		* @return string
132		*/
133	4	public function getTo() {
134	4	if ($this->to->count() > 0) {
135	2	return $this->to->first()->writeAddress();
136		}
137	2	return null;
138		}
139
140		/**
141		* @param Horde_Mail_Rfc822_List $to
142		*/
143	2	public function setTo(Horde_Mail_Rfc822_List $to) {
144	2	$this->to = $to;
145	2	}
146
147		/**
148		* @param bool $assoc
149		* @return string[]
150		*/
151	4	public function getToList($assoc = false) {
152	4	if ($assoc) {
153		return $this->hordeListToAssocArray($this->to);
154		} else {
155	4	return $this->hordeListToStringArray($this->to);
156		}
157		}
158
159		/**
160		* @param bool $assoc
161		* @return Horde_Mail_Rfc822_List
162		*/
163	4	public function getCCList($assoc = false) {
164	4	if ($assoc) {
165		return $this->hordeListToAssocArray($this->cc);
166		} else {
167	4	return $this->hordeListToStringArray($this->cc);
168		}
169		}
170
171		/**
172		* @param Horde_Mail_Rfc822_List $cc
173		*/
174	2	public function setCC(Horde_Mail_Rfc822_List $cc) {
175	2	$this->cc = $cc;
176	2	}
177
178		/**
179		* @param bool $assoc
180		* @return Horde_Mail_Rfc822_List
181		*/
182	4	public function getBCCList($assoc = false) {
183	4	if ($assoc) {
184		return $this->hordeListToAssocArray($this->bcc);
185		} else {
186	4	return $this->hordeListToStringArray($this->bcc);
187		}
188		}
189
190		/**
191		* @param Horde_Mail_Rfc822_List $bcc
192		*/
193	2	public function setBcc(Horde_Mail_Rfc822_List $bcc) {
194	2	$this->bcc = $bcc;
195	2	}
196
197		/**
198		* @return IMessage
199		*/
200	2	public function getRepliedMessage() {
201	2	return $this->repliedMessage;
202		}
203
204		/**
205		* @param IMessage $message
206		*/
207	2	public function setRepliedMessage(IMessage $message) {
208	2	$this->repliedMessage = $message;
209	2	}
210
211		/**
212		* @return string
213		*/
214	6	public function getSubject() {
215	6	return $this->subject;
216		}
217
218		/**
219		* @param string $subject
220		*/
221	4	public function setSubject($subject) {
222	4	$this->subject = $subject;
223	4	}
224
225		/**
226		* @return string
227		*/
228	2	public function getContent() {
229	2	return $this->content;
230		}
231
232		/**
233		* @param string $content
234		*/
235	2	public function setContent($content) {
236	2	$this->content = $content;
237	2	}
238
239		/**
240		* @return File[]
241		*/
242	2	public function getAttachments() {
243	2	return $this->attachments;
		0 ignored issues – show Bug Best Practice introduced 2015-11-21 15:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this The return type of `return $this->attachments;` (`OCP\Files\File[]`) is incompatible with the return type declared by the interface `OCA\Mail\Model\IMessage::getAttachments` of type `OCA\Mail\Model\Horde_Mime_Part[]`. If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design. Let’s take a look at an example: class Author { private $name; public function __construct($name) { $this->name = $name; } public function getName() { return $this->name; } } abstract class Post { public function getAuthor() { return 'Johannes'; } } class BlogPost extends Post { public function getAuthor() { return new Author('Johannes'); } } class ForumPost extends Post { /* ... */ } function my_function(Post $post) { echo strtoupper($post->getAuthor()); } Our function `my_function` expects a `Post` object, and outputs the author of the post. The base class `Post` returns a simple string and outputting a simple string will work just fine. However, the child class `BlogPost` which is a sub-type of `Post` instead decided to return an `object`, and is therefore violating the SOLID principles. If a `BlogPost` were passed to `my_function`, PHP would not complain, but ultimately fail when executing the `strtoupper` call in its body. Loading history...
244		}
245
246		/**
247		* @param File $file
248		*/
249	2	public function addAttachmentFromFiles(File $file) {
250	2	$part = new Horde_Mime_Part();
251	2	$part->setCharset('us-ascii');
252	2	$part->setDisposition('attachment');
253	2	$part->setName($file->getName());
254	2	$part->setContents($file->getContent());
255	2	$part->setType($file->getMimeType());
256	2	$this->attachments[] = $part;
257	2	}
258
259		}
260

owncloud / mail

Issues (78)

Security Analysis no request data

lib/model/message.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like