MimeTypes::getMimeTypeByExtension() - Code Metrics - Inspection of "let this map be protected so it might be inheritat..." - philiplb/CRUDlex - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 0cfe13...f1cf74 )

by Philip

created 2016-09-12 11:31 UTC

MimeTypes::getMimeTypeByExtension() A

↳ Parent: MimeTypes

Complexity

Conditions	2
Paths	2

Size

Total Lines	6
Code Lines	5

Duplication

Lines	0
Ratio	0 %

Importance

Changes	2
Bugs	0	Features	0

Metric	Value
c	2
b	0
f	0
dl	0
loc	6
rs	9.4285
cc	2
eloc	5
nc	2
nop	1

<?php

/*
 * This file is part of the CRUDlex package.
 *
 * (c) Philip Lehmann-Böhm <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace CRUDlex;

/**
 * Class to get a mimetype from a file.
 */
class MimeTypes {

    /**
     * Map from file extension to mimetype.
     * THX to
     * http://stackoverflow.com/questions/134833/how-do-i-find-the-mime-type-of-a-file-with-php
     */
    protected $mimeTypes = [
        '323'       => 'text/h323',
        'acx'       => 'application/internet-property-stream',
        'ai'        => 'application/postscript',
        'aif'       => 'audio/x-aiff',
        'aifc'      => 'audio/x-aiff',
        'aiff'      => 'audio/x-aiff',
        'asf'       => 'video/x-ms-asf',
        'asr'       => 'video/x-ms-asf',
        'asx'       => 'video/x-ms-asf',
        'au'        => 'audio/basic',
        'avi'       => 'video/x-msvideo',
        'axs'       => 'application/olescript',
        'bas'       => 'text/plain',
        'bcpio'     => 'application/x-bcpio',
        'bin'       => 'application/octet-stream',
        'bmp'       => 'image/bmp',
        'c'         => 'text/plain',
        'cat'       => 'application/vnd.ms-pkiseccat',
        'cdf'       => 'application/x-cdf',
        'cer'       => 'application/x-x509-ca-cert',
        'class'     => 'application/octet-stream',
        'clp'       => 'application/x-msclip',
        'cmx'       => 'image/x-cmx',
        'cod'       => 'image/cis-cod',
        'cpio'      => 'application/x-cpio',
        'crd'       => 'application/x-mscardfile',
        'crl'       => 'application/pkix-crl',
        'crt'       => 'application/x-x509-ca-cert',
        'csh'       => 'application/x-csh',
        'css'       => 'text/css',
        'dcr'       => 'application/x-director',
        'der'       => 'application/x-x509-ca-cert',
        'dir'       => 'application/x-director',
        'dll'       => 'application/x-msdownload',
        'dms'       => 'application/octet-stream',
        'doc'       => 'application/msword',
        'dot'       => 'application/msword',
        'dvi'       => 'application/x-dvi',
        'dxr'       => 'application/x-director',
        'eps'       => 'application/postscript',
        'etx'       => 'text/x-setext',
        'evy'       => 'application/envoy',
        'exe'       => 'application/octet-stream',
        'fif'       => 'application/fractals',
        'flr'       => 'x-world/x-vrml',
        'gif'       => 'image/gif',
        'gtar'      => 'application/x-gtar',
        'gz'        => 'application/x-gzip',
        'h'         => 'text/plain',
        'hdf'       => 'application/x-hdf',
        'hlp'       => 'application/winhlp',
        'hqx'       => 'application/mac-binhex40',
        'hta'       => 'application/hta',
        'htc'       => 'text/x-component',
        'htm'       => 'text/html',
        'html'      => 'text/html',
        'htt'       => 'text/webviewhtml',
        'ico'       => 'image/x-icon',
        'ief'       => 'image/ief',
        'iii'       => 'application/x-iphone',
        'ins'       => 'application/x-internet-signup',
        'isp'       => 'application/x-internet-signup',
        'jfif'      => 'image/pipeg',
        'jpe'       => 'image/jpeg',
        'jpeg'      => 'image/jpeg',
        'jpg'       => 'image/jpeg',
        'js'        => 'application/x-javascript',
        'latex'     => 'application/x-latex',
        'lha'       => 'application/octet-stream',
        'lsf'       => 'video/x-la-asf',
        'lsx'       => 'video/x-la-asf',
        'lzh'       => 'application/octet-stream',
        'm13'       => 'application/x-msmediaview',
        'm14'       => 'application/x-msmediaview',
        'm3u'       => 'audio/x-mpegurl',
        'man'       => 'application/x-troff-man',
        'mdb'       => 'application/x-msaccess',
        'me'        => 'application/x-troff-me',
        'mht'       => 'message/rfc822',
        'mhtml'     => 'message/rfc822',
        'mid'       => 'audio/mid',
        'mny'       => 'application/x-msmoney',
        'mov'       => 'video/quicktime',
        'movie'     => 'video/x-sgi-movie',
        'mp2'       => 'video/mpeg',
        'mp3'       => 'audio/mpeg',
        'mpa'       => 'video/mpeg',
        'mpe'       => 'video/mpeg',
        'mpeg'      => 'video/mpeg',
        'mpg'       => 'video/mpeg',
        'mpp'       => 'application/vnd.ms-project',
        'mpv2'      => 'video/mpeg',
        'ms'        => 'application/x-troff-ms',
        'mvb'       => 'application/x-msmediaview',
        'nws'       => 'message/rfc822',
        'oda'       => 'application/oda',
        'p10'       => 'application/pkcs10',
        'p12'       => 'application/x-pkcs12',
        'p7b'       => 'application/x-pkcs7-certificates',
        'p7c'       => 'application/x-pkcs7-mime',
        'p7m'       => 'application/x-pkcs7-mime',
        'p7r'       => 'application/x-pkcs7-certreqresp',
        'p7s'       => 'application/x-pkcs7-signature',
        'pbm'       => 'image/x-portable-bitmap',
        'pdf'       => 'application/pdf',
        'pfx'       => 'application/x-pkcs12',
        'pgm'       => 'image/x-portable-graymap',
        'pko'       => 'application/ynd.ms-pkipko',
        'pma'       => 'application/x-perfmon',
        'pmc'       => 'application/x-perfmon',
        'pml'       => 'application/x-perfmon',
        'pmr'       => 'application/x-perfmon',
        'pmw'       => 'application/x-perfmon',
        'pnm'       => 'image/x-portable-anymap',
        'pot'       => 'application/vnd.ms-powerpoint',
        'ppm'       => 'image/x-portable-pixmap',
        'pps'       => 'application/vnd.ms-powerpoint',
        'ppt'       => 'application/vnd.ms-powerpoint',
        'prf'       => 'application/pics-rules',
        'ps'        => 'application/postscript',
        'pub'       => 'application/x-mspublisher',
        'qt'        => 'video/quicktime',
        'ra'        => 'audio/x-pn-realaudio',
        'ram'       => 'audio/x-pn-realaudio',
        'ras'       => 'image/x-cmu-raster',
        'rgb'       => 'image/x-rgb',
        'rmi'       => 'audio/mid',
        'roff'      => 'application/x-troff',
        'rtf'       => 'application/rtf',
        'rtx'       => 'text/richtext',
        'scd'       => 'application/x-msschedule',
        'sct'       => 'text/scriptlet',
        'setpay'    => 'application/set-payment-initiation',
        'setreg'    => 'application/set-registration-initiation',
        'sh'        => 'application/x-sh',
        'shar'      => 'application/x-shar',
        'sit'       => 'application/x-stuffit',
        'snd'       => 'audio/basic',
        'spc'       => 'application/x-pkcs7-certificates',
        'spl'       => 'application/futuresplash',
        'src'       => 'application/x-wais-source',
        'sst'       => 'application/vnd.ms-pkicertstore',
        'stl'       => 'application/vnd.ms-pkistl',
        'stm'       => 'text/html',
        'svg'       => 'image/svg+xml',
        'sv4cpio'   => 'application/x-sv4cpio',
        'sv4crc'    => 'application/x-sv4crc',
        't'         => 'application/x-troff',
        'tar'       => 'application/x-tar',
        'tcl'       => 'application/x-tcl',
        'tex'       => 'application/x-tex',
        'texi'      => 'application/x-texinfo',
        'texinfo'   => 'application/x-texinfo',
        'tgz'       => 'application/x-compressed',
        'tif'       => 'image/tiff',
        'tiff'      => 'image/tiff',
        'tr'        => 'application/x-troff',
        'trm'       => 'application/x-msterminal',
        'tsv'       => 'text/tab-separated-values',
        'txt'       => 'text/plain',
        'uls'       => 'text/iuls',
        'ustar'     => 'application/x-ustar',
        'vcf'       => 'text/x-vcard',
        'vrml'      => 'x-world/x-vrml',
        'wav'       => 'audio/x-wav',
        'wcm'       => 'application/vnd.ms-works',
        'wdb'       => 'application/vnd.ms-works',
        'wks'       => 'application/vnd.ms-works',
        'wmf'       => 'application/x-msmetafile',
        'wps'       => 'application/vnd.ms-works',
        'wri'       => 'application/x-mswrite',
        'wrl'       => 'x-world/x-vrml',
        'wrz'       => 'x-world/x-vrml',
        'xaf'       => 'x-world/x-vrml',
        'xbm'       => 'image/x-xbitmap',
        'xla'       => 'application/vnd.ms-excel',
        'xlc'       => 'application/vnd.ms-excel',
        'xlm'       => 'application/vnd.ms-excel',
        'xls'       => 'application/vnd.ms-excel',
        'xlsx'      => 'vnd.ms-excel',
        'xlt'       => 'application/vnd.ms-excel',
        'xlw'       => 'application/vnd.ms-excel',
        'xof'       => 'x-world/x-vrml',
        'xpm'       => 'image/x-xpixmap',
        'xwd'       => 'image/x-xwindowdump',
        'z'         => 'application/x-compress',
        'zip'       => 'application/zip',
        // Added
        'png'       => 'image/png',
    ];

    /**
     * Gets the mime type by just looking at the extension.
     *
     * @param string $file
     * the file to get the mimetype from
     *
     * @return string
     * the mimetype
     */
    public function getMimeTypeByExtension($file) {
        $exploded  = explode('.', $file);
        $extension = end($exploded);
        $extension = strtolower($extension);
        return isset($this->mimeTypes[$extension]) ? $this->mimeTypes[$extension] : 'application/octet-stream';
    }

    /**
     * Gets the mime type by looking at the file info.
     *
     * @param string $file
     * the file to get the mimetype from
     *
     * @return mixed|string
     * the mimetype
     */
    public function getMimeTypeByFileInfo($file) {

        // Some wrong read mimetypes
        $fallBack  = ['css', 'js'];
        $extension = pathinfo($file, PATHINFO_EXTENSION);
        if (in_array(strtolower($extension), $fallBack)) {
            return $this->getMimeTypeByExtension($file);
        }
        $finfo    = finfo_open(FILEINFO_MIME_TYPE);
        $mimeType = finfo_file($finfo, $file);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
        finfo_close($finfo);
        return $mimeType;
    }

    /**
     * Function to get the mimetype of a file.
     *
     * @param string $file
     * the file to get the mimetype from
     *
     * @return string
     * the mimetype
     */
    public function getMimeType($file) {
        if (file_exists($file)) {
            return $this->getMimeTypeByFileInfo($file);
        }
        return $this->getMimeTypeByExtension($file);
    }

}


Push — master ( 0cfe13...f1cf74 )

MimeTypes::getMimeTypeByExtension() A

Complexity

Size

Duplication

Importance

8 paths for user data to reach this point

General Strategies to prevent injection

1			<?php
2
3			/*
4			* This file is part of the CRUDlex package.
5			*
6			* (c) Philip Lehmann-Böhm <[email protected]>
7			*
8			* For the full copyright and license information, please view the LICENSE
9			* file that was distributed with this source code.
10			*/
11
12			namespace CRUDlex;
13
14			/**
15			* Class to get a mimetype from a file.
16			*/
17			class MimeTypes {
18
19			/**
20			* Map from file extension to mimetype.
21			* THX to
22			* http://stackoverflow.com/questions/134833/how-do-i-find-the-mime-type-of-a-file-with-php
23			*/
24			protected $mimeTypes = [
25			'323' => 'text/h323',
26			'acx' => 'application/internet-property-stream',
27			'ai' => 'application/postscript',
28			'aif' => 'audio/x-aiff',
29			'aifc' => 'audio/x-aiff',
30			'aiff' => 'audio/x-aiff',
31			'asf' => 'video/x-ms-asf',
32			'asr' => 'video/x-ms-asf',
33			'asx' => 'video/x-ms-asf',
34			'au' => 'audio/basic',
35			'avi' => 'video/x-msvideo',
36			'axs' => 'application/olescript',
37			'bas' => 'text/plain',
38			'bcpio' => 'application/x-bcpio',
39			'bin' => 'application/octet-stream',
40			'bmp' => 'image/bmp',
41			'c' => 'text/plain',
42			'cat' => 'application/vnd.ms-pkiseccat',
43			'cdf' => 'application/x-cdf',
44			'cer' => 'application/x-x509-ca-cert',
45			'class' => 'application/octet-stream',
46			'clp' => 'application/x-msclip',
47			'cmx' => 'image/x-cmx',
48			'cod' => 'image/cis-cod',
49			'cpio' => 'application/x-cpio',
50			'crd' => 'application/x-mscardfile',
51			'crl' => 'application/pkix-crl',
52			'crt' => 'application/x-x509-ca-cert',
53			'csh' => 'application/x-csh',
54			'css' => 'text/css',
55			'dcr' => 'application/x-director',
56			'der' => 'application/x-x509-ca-cert',
57			'dir' => 'application/x-director',
58			'dll' => 'application/x-msdownload',
59			'dms' => 'application/octet-stream',
60			'doc' => 'application/msword',
61			'dot' => 'application/msword',
62			'dvi' => 'application/x-dvi',
63			'dxr' => 'application/x-director',
64			'eps' => 'application/postscript',
65			'etx' => 'text/x-setext',
66			'evy' => 'application/envoy',
67			'exe' => 'application/octet-stream',
68			'fif' => 'application/fractals',
69			'flr' => 'x-world/x-vrml',
70			'gif' => 'image/gif',
71			'gtar' => 'application/x-gtar',
72			'gz' => 'application/x-gzip',
73			'h' => 'text/plain',
74			'hdf' => 'application/x-hdf',
75			'hlp' => 'application/winhlp',
76			'hqx' => 'application/mac-binhex40',
77			'hta' => 'application/hta',
78			'htc' => 'text/x-component',
79			'htm' => 'text/html',
80			'html' => 'text/html',
81			'htt' => 'text/webviewhtml',
82			'ico' => 'image/x-icon',
83			'ief' => 'image/ief',
84			'iii' => 'application/x-iphone',
85			'ins' => 'application/x-internet-signup',
86			'isp' => 'application/x-internet-signup',
87			'jfif' => 'image/pipeg',
88			'jpe' => 'image/jpeg',
89			'jpeg' => 'image/jpeg',
90			'jpg' => 'image/jpeg',
91			'js' => 'application/x-javascript',
92			'latex' => 'application/x-latex',
93			'lha' => 'application/octet-stream',
94			'lsf' => 'video/x-la-asf',
95			'lsx' => 'video/x-la-asf',
96			'lzh' => 'application/octet-stream',
97			'm13' => 'application/x-msmediaview',
98			'm14' => 'application/x-msmediaview',
99			'm3u' => 'audio/x-mpegurl',
100			'man' => 'application/x-troff-man',
101			'mdb' => 'application/x-msaccess',
102			'me' => 'application/x-troff-me',
103			'mht' => 'message/rfc822',
104			'mhtml' => 'message/rfc822',
105			'mid' => 'audio/mid',
106			'mny' => 'application/x-msmoney',
107			'mov' => 'video/quicktime',
108			'movie' => 'video/x-sgi-movie',
109			'mp2' => 'video/mpeg',
110			'mp3' => 'audio/mpeg',
111			'mpa' => 'video/mpeg',
112			'mpe' => 'video/mpeg',
113			'mpeg' => 'video/mpeg',
114			'mpg' => 'video/mpeg',
115			'mpp' => 'application/vnd.ms-project',
116			'mpv2' => 'video/mpeg',
117			'ms' => 'application/x-troff-ms',
118			'mvb' => 'application/x-msmediaview',
119			'nws' => 'message/rfc822',
120			'oda' => 'application/oda',
121			'p10' => 'application/pkcs10',
122			'p12' => 'application/x-pkcs12',
123			'p7b' => 'application/x-pkcs7-certificates',
124			'p7c' => 'application/x-pkcs7-mime',
125			'p7m' => 'application/x-pkcs7-mime',
126			'p7r' => 'application/x-pkcs7-certreqresp',
127			'p7s' => 'application/x-pkcs7-signature',
128			'pbm' => 'image/x-portable-bitmap',
129			'pdf' => 'application/pdf',
130			'pfx' => 'application/x-pkcs12',
131			'pgm' => 'image/x-portable-graymap',
132			'pko' => 'application/ynd.ms-pkipko',
133			'pma' => 'application/x-perfmon',
134			'pmc' => 'application/x-perfmon',
135			'pml' => 'application/x-perfmon',
136			'pmr' => 'application/x-perfmon',
137			'pmw' => 'application/x-perfmon',
138			'pnm' => 'image/x-portable-anymap',
139			'pot' => 'application/vnd.ms-powerpoint',
140			'ppm' => 'image/x-portable-pixmap',
141			'pps' => 'application/vnd.ms-powerpoint',
142			'ppt' => 'application/vnd.ms-powerpoint',
143			'prf' => 'application/pics-rules',
144			'ps' => 'application/postscript',
145			'pub' => 'application/x-mspublisher',
146			'qt' => 'video/quicktime',
147			'ra' => 'audio/x-pn-realaudio',
148			'ram' => 'audio/x-pn-realaudio',
149			'ras' => 'image/x-cmu-raster',
150			'rgb' => 'image/x-rgb',
151			'rmi' => 'audio/mid',
152			'roff' => 'application/x-troff',
153			'rtf' => 'application/rtf',
154			'rtx' => 'text/richtext',
155			'scd' => 'application/x-msschedule',
156			'sct' => 'text/scriptlet',
157			'setpay' => 'application/set-payment-initiation',
158			'setreg' => 'application/set-registration-initiation',
159			'sh' => 'application/x-sh',
160			'shar' => 'application/x-shar',
161			'sit' => 'application/x-stuffit',
162			'snd' => 'audio/basic',
163			'spc' => 'application/x-pkcs7-certificates',
164			'spl' => 'application/futuresplash',
165			'src' => 'application/x-wais-source',
166			'sst' => 'application/vnd.ms-pkicertstore',
167			'stl' => 'application/vnd.ms-pkistl',
168			'stm' => 'text/html',
169			'svg' => 'image/svg+xml',
170			'sv4cpio' => 'application/x-sv4cpio',
171			'sv4crc' => 'application/x-sv4crc',
172			't' => 'application/x-troff',
173			'tar' => 'application/x-tar',
174			'tcl' => 'application/x-tcl',
175			'tex' => 'application/x-tex',
176			'texi' => 'application/x-texinfo',
177			'texinfo' => 'application/x-texinfo',
178			'tgz' => 'application/x-compressed',
179			'tif' => 'image/tiff',
180			'tiff' => 'image/tiff',
181			'tr' => 'application/x-troff',
182			'trm' => 'application/x-msterminal',
183			'tsv' => 'text/tab-separated-values',
184			'txt' => 'text/plain',
185			'uls' => 'text/iuls',
186			'ustar' => 'application/x-ustar',
187			'vcf' => 'text/x-vcard',
188			'vrml' => 'x-world/x-vrml',
189			'wav' => 'audio/x-wav',
190			'wcm' => 'application/vnd.ms-works',
191			'wdb' => 'application/vnd.ms-works',
192			'wks' => 'application/vnd.ms-works',
193			'wmf' => 'application/x-msmetafile',
194			'wps' => 'application/vnd.ms-works',
195			'wri' => 'application/x-mswrite',
196			'wrl' => 'x-world/x-vrml',
197			'wrz' => 'x-world/x-vrml',
198			'xaf' => 'x-world/x-vrml',
199			'xbm' => 'image/x-xbitmap',
200			'xla' => 'application/vnd.ms-excel',
201			'xlc' => 'application/vnd.ms-excel',
202			'xlm' => 'application/vnd.ms-excel',
203			'xls' => 'application/vnd.ms-excel',
204			'xlsx' => 'vnd.ms-excel',
205			'xlt' => 'application/vnd.ms-excel',
206			'xlw' => 'application/vnd.ms-excel',
207			'xof' => 'x-world/x-vrml',
208			'xpm' => 'image/x-xpixmap',
209			'xwd' => 'image/x-xwindowdump',
210			'z' => 'application/x-compress',
211			'zip' => 'application/zip',
212			// Added
213			'png' => 'image/png',
214			];
215
216			/**
217			* Gets the mime type by just looking at the extension.
218			*
219			* @param string $file
220			* the file to get the mimetype from
221			*
222			* @return string
223			* the mimetype
224			*/
225			public function getMimeTypeByExtension($file) {
226			$exploded = explode('.', $file);
227			$extension = end($exploded);
228			$extension = strtolower($extension);
229			return isset($this->mimeTypes[$extension]) ? $this->mimeTypes[$extension] : 'application/octet-stream';
230			}
231
232			/**
233			* Gets the mime type by looking at the file info.
234			*
235			* @param string $file
236			* the file to get the mimetype from
237			*
238			* @return mixed\|string
239			* the mimetype
240			*/
241			public function getMimeTypeByFileInfo($file) {
242
243			// Some wrong read mimetypes
244			$fallBack = ['css', 'js'];
245			$extension = pathinfo($file, PATHINFO_EXTENSION);
246			if (in_array(strtolower($extension), $fallBack)) {
247			return $this->getMimeTypeByExtension($file);
248			}
249			$finfo = finfo_open(FILEINFO_MIME_TYPE);
250			$mimeType = finfo_file($finfo, $file);
			0 ignored issues – show Security File Exposure introduced 2016-09-12 10:39 UTC by Report Bug Copy Issue Report `$file` can contain request data and is used in file inclusion context(s) leading to a potential security vulnerability. 8 paths for user data to reach this point 1. Path: `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in ServerBag.php on line 62 `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in vendor/ServerBag.php on line 62 ParameterBag::$parameters is assigned in vendor/ServerBag.php on line 77 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 719 Request::get() returns tainted data, and `$request->get('file')` is passed through str_replace(), and `$fileParam` is assigned in src/CRUDlex/ControllerProvider.php on line 593 `$file` is assigned in src/CRUDlex/ControllerProvider.php on line 594 `$file` is passed to MimeTypes::getMimeType() in src/CRUDlex/ControllerProvider.php on line 600 `$file` is passed to MimeTypes::getMimeTypeByFileInfo() in src/CRUDlex/MimeTypes.php on line 266 2. Path: Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in Request.php on line 281 Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$request` is passed to Request::__construct() in vendor/Request.php on line 1929 `$request` is passed to Request::initialize() in vendor/Request.php on line 222 `$request` is passed to ParameterBag::__construct() in vendor/Request.php on line 240 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 719 Request::get() returns tainted data, and `$request->get('file')` is passed through str_replace(), and `$fileParam` is assigned in src/CRUDlex/ControllerProvider.php on line 593 `$file` is assigned in src/CRUDlex/ControllerProvider.php on line 594 `$file` is passed to MimeTypes::getMimeType() in src/CRUDlex/ControllerProvider.php on line 600 `$file` is passed to MimeTypes::getMimeTypeByFileInfo() in src/CRUDlex/MimeTypes.php on line 266 3. Path: Read from `$_SERVER,` and `$server` is assigned in Request.php on line 271 Read from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 271 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$server` is passed to Request::__construct() in vendor/Request.php on line 1929 `$server` is passed to Request::initialize() in vendor/Request.php on line 222 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 245 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 719 Request::get() returns tainted data, and `$request->get('file')` is passed through str_replace(), and `$fileParam` is assigned in src/CRUDlex/ControllerProvider.php on line 593 `$file` is assigned in src/CRUDlex/ControllerProvider.php on line 594 `$file` is passed to MimeTypes::getMimeType() in src/CRUDlex/ControllerProvider.php on line 600 `$file` is passed to MimeTypes::getMimeTypeByFileInfo() in src/CRUDlex/MimeTypes.php on line 266 4. Path: Fetching key `HTTP_CONTENT_LENGTH` from `$_SERVER,` and `$server` is assigned in Request.php on line 274 Fetching key `HTTP_CONTENT_LENGTH` from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 274 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$server` is passed to Request::__construct() in vendor/Request.php on line 1929 `$server` is passed to Request::initialize() in vendor/Request.php on line 222 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 245 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 719 Request::get() returns tainted data, and `$request->get('file')` is passed through str_replace(), and `$fileParam` is assigned in src/CRUDlex/ControllerProvider.php on line 593 `$file` is assigned in src/CRUDlex/ControllerProvider.php on line 594 `$file` is passed to MimeTypes::getMimeType() in src/CRUDlex/ControllerProvider.php on line 600 `$file` is passed to MimeTypes::getMimeTypeByFileInfo() in src/CRUDlex/MimeTypes.php on line 266 5. Path: Fetching key `HTTP_CONTENT_TYPE` from `$_SERVER,` and `$server` is assigned in Request.php on line 277 Fetching key `HTTP_CONTENT_TYPE` from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 277 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$server` is passed to Request::__construct() in vendor/Request.php on line 1929 `$server` is passed to Request::initialize() in vendor/Request.php on line 222 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 245 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 719 Request::get() returns tainted data, and `$request->get('file')` is passed through str_replace(), and `$fileParam` is assigned in src/CRUDlex/ControllerProvider.php on line 593 `$file` is assigned in src/CRUDlex/ControllerProvider.php on line 594 `$file` is passed to MimeTypes::getMimeType() in src/CRUDlex/ControllerProvider.php on line 600 `$file` is passed to MimeTypes::getMimeTypeByFileInfo() in src/CRUDlex/MimeTypes.php on line 266 6. Path: `$server['HTTP_HOST']` seems to return tainted data, and `$server` is assigned in Request.php on line 347 `$server['HTTP_HOST']` seems to return tainted data, and `$server` is assigned in vendor/Request.php on line 347 `$server` is assigned in vendor/Request.php on line 395 `$server` is assigned in vendor/Request.php on line 396 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 398 `$server` is passed to Request::__construct() in vendor/Request.php on line 1929 `$server` is passed to Request::initialize() in vendor/Request.php on line 222 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 245 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 719 Request::get() returns tainted data, and `$request->get('file')` is passed through str_replace(), and `$fileParam` is assigned in src/CRUDlex/ControllerProvider.php on line 593 `$file` is assigned in src/CRUDlex/ControllerProvider.php on line 594 `$file` is passed to MimeTypes::getMimeType() in src/CRUDlex/ControllerProvider.php on line 600 `$file` is passed to MimeTypes::getMimeTypeByFileInfo() in src/CRUDlex/MimeTypes.php on line 266 7. Path: `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 43 `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 43 `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 246 `$values` is assigned in vendor/HeaderBag.php on line 31 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 32 `(array) $values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 125 HeaderBag::get() returns tainted data, and `$requestUri` is assigned in vendor/Request.php on line 1699 `$requestUri` is passed to ParameterBag::set() in vendor/Request.php on line 1730 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 99 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 719 Request::get() returns tainted data, and `$request->get('file')` is passed through str_replace(), and `$fileParam` is assigned in src/CRUDlex/ControllerProvider.php on line 593 `$file` is assigned in src/CRUDlex/ControllerProvider.php on line 594 `$file` is passed to MimeTypes::getMimeType() in src/CRUDlex/ControllerProvider.php on line 600 `$file` is passed to MimeTypes::getMimeTypeByFileInfo() in src/CRUDlex/MimeTypes.php on line 266 8. Path: `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 44 `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 246 `$values` is assigned in vendor/HeaderBag.php on line 31 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 32 `(array) $values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 125 HeaderBag::get() returns tainted data, and `$requestUri` is assigned in vendor/Request.php on line 1699 `$requestUri` is passed to ParameterBag::set() in vendor/Request.php on line 1730 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 99 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 719 Request::get() returns tainted data, and `$request->get('file')` is passed through str_replace(), and `$fileParam` is assigned in src/CRUDlex/ControllerProvider.php on line 593 `$file` is assigned in src/CRUDlex/ControllerProvider.php on line 594 `$file` is passed to MimeTypes::getMimeType() in src/CRUDlex/ControllerProvider.php on line 600 `$file` is passed to MimeTypes::getMimeTypeByFileInfo() in src/CRUDlex/MimeTypes.php on line 266 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
251			finfo_close($finfo);
252			return $mimeType;
253			}
254
255			/**
256			* Function to get the mimetype of a file.
257			*
258			* @param string $file
259			* the file to get the mimetype from
260			*
261			* @return string
262			* the mimetype
263			*/
264			public function getMimeType($file) {
265			if (file_exists($file)) {
266			return $this->getMimeTypeByFileInfo($file);
267			}
268			return $this->getMimeTypeByExtension($file);
269			}
270
271			}
272

philiplb / CRUDlex

Push — master ( 0cfe13...f1cf74 )

MimeTypes::getMimeTypeByExtension() A

Complexity

Size

Duplication

Importance

8 paths for user data to reach this point

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like