Issues in openid.php - All Issues - Inspection of "Change Trigger::$table type to use TableName objec..." - phpmyadmin/phpmyadmin - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 210521...1582b6 )

by Maurício

created 2023-05-27 19:23 UTC

examples/openid.php (3 issues)

Labels

Severity

Major 3

<?php
/**
 * Single signon for phpMyAdmin using OpenID
 *
 * This is just example how to use single signon with phpMyAdmin, it is
 * not intended to be perfect code and look, only shows how you can
 * integrate this functionality in your application.
 *
 * It uses OpenID pear package, see https://pear.php.net/package/OpenID
 *
 * User first authenticates using OpenID and based on content of $AUTH_MAP
 * the login information is passed to phpMyAdmin in session data.
 */

declare(strict_types=1);

if (false === @include_once 'OpenID/RelyingParty.php') {
    exit;
}

/* Change this to true if using phpMyAdmin over https */
$secureCookie = false;

/**
 * Map of authenticated users to MySQL user/password pairs.
 */
$authMap = ['https://launchpad.net/~username' => ['user' => 'root', 'password' => '']];

// phpcs:disable PSR1.Files.SideEffects,Squiz.Functions.GlobalFunction

/**
 * Simple function to show HTML page with given content.
 *
 * @param string $contents Content to include in page
 */
function Show_page(string $contents): void
{
    header('Content-Type: text/html; charset=utf-8');

    echo '<?xml version="1.0" encoding="utf-8"?>' . "\n";
    echo '<!DOCTYPE HTML>
<html lang="en" dir="ltr">
<head>
<link rel="icon" href="../favicon.ico" type="image/x-icon">
<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon">
<meta charset="utf-8">
<title>phpMyAdmin OpenID signon example</title>
</head>
<body>';

    if (isset($_SESSION['PMA_single_signon_error_message'])) {
        echo '<p class="error">' . $_SESSION['PMA_single_signon_message'] . '</p>';
        unset($_SESSION['PMA_single_signon_message']);
    }

    echo $contents;
    echo '</body></html>';
}

/**
 * Display error and exit
 *
 * @param Exception $e Exception object
 */
function Die_error(Throwable $e): void
{
    $contents = "<div class='relyingparty_results'>\n";
    $contents .= '<pre>' . htmlspecialchars($e->getMessage()) . "</pre>\n";
    $contents .= "</div class='relyingparty_results'>";
    Show_page($contents);
    exit;

}

// phpcs:enable

/* Need to have cookie visible from parent directory */
session_set_cookie_params(0, '/', '', $secureCookie, true);
/* Create signon session */
$sessionName = 'SignonSession';
session_name($sessionName);
@session_start();

// Determine realm and return_to
$base = 'http';
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
    $base .= 's';
}

$base .= '://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'];

$realm = $base . '/';
$returnTo = $base . dirname($_SERVER['PHP_SELF']);
if ($returnTo[strlen($returnTo) - 1] !== '/') {
    $returnTo .= '/';
}

$returnTo .= 'openid.php';

/* Display form */
if ((! count($_GET) && ! count($_POST)) || isset($_GET['phpMyAdmin'])) {
    /* Show simple form */
    $content = '<form action="openid.php" method="post">
OpenID: <input type="text" name="identifier"><br>
<input type="submit" name="start">
</form>';
    Show_page($content);
    exit;
}

/* Grab identifier */
$identifier = null;
if (isset($_POST['identifier']) && is_string($_POST['identifier'])) {
    $identifier = $_POST['identifier'];
} elseif (isset($_SESSION['identifier']) && is_string($_SESSION['identifier'])) {
    $identifier = $_SESSION['identifier'];
}

/* Create OpenID object */
try {
    $o = new OpenID_RelyingParty($returnTo, $realm, $identifier);
filter:
    dependency_paths: ["lib/*"]
} catch (Throwable $e) {
    Die_error($e);
}

/* Redirect to OpenID provider */
if (isset($_POST['start'])) {
    try {
        $authRequest = $o->prepare();
    } catch (Throwable $e) {
        Die_error($e);
    }

    $url = $authRequest->getAuthorizeURL();

    header('Location: ' . $url);
    exit;
}

/* Grab query string */
if (! count($_POST)) {
    [, $queryString] = explode('?', $_SERVER['REQUEST_URI']);
} else {
    // Fetch the raw query body
    $queryString = file_get_contents('php://input');
}

/* Check reply */
try {
    $message = new OpenID_Message($queryString, OpenID_Message::FORMAT_HTTP);
filter:
    dependency_paths: ["lib/*"]
} catch (Throwable $e) {
    Die_error($e);
}

$id = $message->get('openid.claimed_id');

if (empty($id) || ! isset($authMap[$id])) {
    Show_page('<p>User not allowed!</p>');
    exit;
}

$_SESSION['PMA_single_signon_user'] = $authMap[$id]['user'];
$_SESSION['PMA_single_signon_password'] = $authMap[$id]['password'];
$_SESSION['PMA_single_signon_HMAC_secret'] = hash('sha1', uniqid(strval(random_int(0, mt_getrandmax())), true));
session_write_close();
/* Redirect to phpMyAdmin (should use absolute URL here!) */
header('Location: ../index.php');


1			<?php
2			/**
3			* Single signon for phpMyAdmin using OpenID
4			*
5			* This is just example how to use single signon with phpMyAdmin, it is
6			* not intended to be perfect code and look, only shows how you can
7			* integrate this functionality in your application.
8			*
9			* It uses OpenID pear package, see https://pear.php.net/package/OpenID
10			*
11			* User first authenticates using OpenID and based on content of $AUTH_MAP
12			* the login information is passed to phpMyAdmin in session data.
13			*/
14
15			declare(strict_types=1);
16
17			if (false === @include_once 'OpenID/RelyingParty.php') {
18			exit;
19			}
20
21			/* Change this to true if using phpMyAdmin over https */
22			$secureCookie = false;
23
24			/**
25			* Map of authenticated users to MySQL user/password pairs.
26			*/
27			$authMap = ['https://launchpad.net/~username' => ['user' => 'root', 'password' => '']];
28
29			// phpcs:disable PSR1.Files.SideEffects,Squiz.Functions.GlobalFunction
30
31			/**
32			* Simple function to show HTML page with given content.
33			*
34			* @param string $contents Content to include in page
35			*/
36			function Show_page(string $contents): void
37			{
38			header('Content-Type: text/html; charset=utf-8');
39
40			echo '<?xml version="1.0" encoding="utf-8"?>' . "\n";
41			echo '<!DOCTYPE HTML>
42			<html lang="en" dir="ltr">
43			<head>
44			<link rel="icon" href="../favicon.ico" type="image/x-icon">
45			<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon">
46			<meta charset="utf-8">
47			<title>phpMyAdmin OpenID signon example</title>
48			</head>
49			<body>';
50
51			if (isset($_SESSION['PMA_single_signon_error_message'])) {
52			echo '<p class="error">' . $_SESSION['PMA_single_signon_message'] . '</p>';
53			unset($_SESSION['PMA_single_signon_message']);
54			}
55
56			echo $contents;
57			echo '</body></html>';
58			}
59
60			/**
61			* Display error and exit
62			*
63			* @param Exception $e Exception object
64			*/
65			function Die_error(Throwable $e): void
66			{
67			$contents = "<div class='relyingparty_results'>\n";
68			$contents .= '<pre>' . htmlspecialchars($e->getMessage()) . "</pre>\n";
69			$contents .= "</div class='relyingparty_results'>";
70			Show_page($contents);
71			exit;
			0 ignored issues – show Best Practice introduced 2020-01-20 01:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this Using `exit` here is not recommended. In general, usage of exit should be done with care and only when running in a scripting context like a CLI script. Loading history...
72			}
73
74			// phpcs:enable
75
76			/* Need to have cookie visible from parent directory */
77			session_set_cookie_params(0, '/', '', $secureCookie, true);
78			/* Create signon session */
79			$sessionName = 'SignonSession';
80			session_name($sessionName);
81			@session_start();
82
83			// Determine realm and return_to
84			$base = 'http';
85			if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
86			$base .= 's';
87			}
88
89			$base .= '://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'];
90
91			$realm = $base . '/';
92			$returnTo = $base . dirname($_SERVER['PHP_SELF']);
93			if ($returnTo[strlen($returnTo) - 1] !== '/') {
94			$returnTo .= '/';
95			}
96
97			$returnTo .= 'openid.php';
98
99			/* Display form */
100			if ((! count($_GET) && ! count($_POST)) \|\| isset($_GET['phpMyAdmin'])) {
101			/* Show simple form */
102			$content = '<form action="openid.php" method="post">
103			OpenID: <input type="text" name="identifier"><br>
104			<input type="submit" name="start">
105			</form>';
106			Show_page($content);
107			exit;
108			}
109
110			/* Grab identifier */
111			$identifier = null;
112			if (isset($_POST['identifier']) && is_string($_POST['identifier'])) {
113			$identifier = $_POST['identifier'];
114			} elseif (isset($_SESSION['identifier']) && is_string($_SESSION['identifier'])) {
115			$identifier = $_SESSION['identifier'];
116			}
117
118			/* Create OpenID object */
119			try {
120			$o = new OpenID_RelyingParty($returnTo, $realm, $identifier);
			0 ignored issues – show Bug introduced 2018-05-31 01:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `OpenID_RelyingParty` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
121			} catch (Throwable $e) {
122			Die_error($e);
123			}
124
125			/* Redirect to OpenID provider */
126			if (isset($_POST['start'])) {
127			try {
128			$authRequest = $o->prepare();
129			} catch (Throwable $e) {
130			Die_error($e);
131			}
132
133			$url = $authRequest->getAuthorizeURL();
134
135			header('Location: ' . $url);
136			exit;
137			}
138
139			/* Grab query string */
140			if (! count($_POST)) {
141			[, $queryString] = explode('?', $_SERVER['REQUEST_URI']);
142			} else {
143			// Fetch the raw query body
144			$queryString = file_get_contents('php://input');
145			}
146
147			/* Check reply */
148			try {
149			$message = new OpenID_Message($queryString, OpenID_Message::FORMAT_HTTP);
			0 ignored issues – show Bug introduced 2018-05-31 01:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `OpenID_Message` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
150			} catch (Throwable $e) {
151			Die_error($e);
152			}
153
154			$id = $message->get('openid.claimed_id');
155
156			if (empty($id) \|\| ! isset($authMap[$id])) {
157			Show_page('<p>User not allowed!</p>');
158			exit;
159			}
160
161			$_SESSION['PMA_single_signon_user'] = $authMap[$id]['user'];
162			$_SESSION['PMA_single_signon_password'] = $authMap[$id]['password'];
163			$_SESSION['PMA_single_signon_HMAC_secret'] = hash('sha1', uniqid(strval(random_int(0, mt_getrandmax())), true));
164			session_write_close();
165			/* Redirect to phpMyAdmin (should use absolute URL here!) */
166			header('Location: ../index.php');
167

phpmyadmin / phpmyadmin

Push — master ( 210521...1582b6 )

examples/openid.php (3 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like