Issues (1378)

Security Analysis: not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/acf/admin/update.php (20 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php

/*
*  ACF Admin Update Class
*
*  All the logic for updates
*
*  @class 		acf_admin_update
*  @package		ACF
*  @subpackage	Admin
*/

if( ! class_exists('acf_admin_update') ) :

class acf_admin_update {

	/*
	*  __construct
	*
	*  A good place to add actions / filters
	*
	*  @type	function
	*  @date	11/08/13
	*
	*  @param	N/A
	*  @return	N/A
	*/

	function __construct() {

		// actions
		add_action('admin_menu', 						array($this,'admin_menu'), 20);
		add_action('network_admin_menu', 				array($this,'network_admin_menu'), 20);

		// ajax
		add_action('wp_ajax_acf/admin/data_upgrade',	array($this, 'ajax_upgrade'));

	}

	/*
	*  network_admin_menu
	*
	*  This function will check for available updates and add actions if needed
	*
	*  @type	function
	*  @date	2/04/2015
	*  @since	5.1.5
	*
	*  @param	n/a
	*  @return	n/a
	*/

	function network_admin_menu() {

		// bail early if no show_admin
		if( !acf_get_setting('show_admin') ) {

			return;

		}

		// vars
		$prompt = false;

		// loop through sites and find updates
		$sites = wp_get_sites();

		if( $sites ) {

			foreach( $sites as $site ) {

				// switch blog
				switch_to_blog( $site['blog_id'] );

				// get site updates
				$updates = acf_get_updates();

				// restore
				restore_current_blog();

				if( $updates ) {

					$prompt = true;
					break;

				}

			}

		}

		// bail if no prompt
		if( !$prompt ) {

			return;

		}

		// actions
		add_action('network_admin_notices', array($this, 'network_admin_notices'), 1);

		// add page
		add_submenu_page('update-core.php', __('Upgrade ACF','acf'), __('Upgrade ACF','acf'), acf_get_setting('capability'),'acf-upgrade', array($this,'network_html'));

	}

	/*
	*  network_admin_notices
	*
	*  This function will render the update notice
	*
	*  @type	function
	*  @date	2/04/2015
	*  @since	5.1.5
	*
	*  @param	n/a
	*  @return	n/a
	*/

	function network_admin_notices() {

		// bail early if already on update page
		if( acf_is_screen('admin_page_acf-upgrade-network') ) {

			return;

		}

		// view
		$view = array(
			'button_text'	=> __("Review sites & upgrade", 'acf'),
			'button_url'	=> network_admin_url('update-core.php?page=acf-upgrade'),
			'confirm'		=> false
		);

		// load view
		acf_get_view('update-notice', $view);

	}

	/*
	*  network_html
	*
	*  This function will render the HTML for the network upgrade page
	*
	*  @type	function
	*  @date	19/02/2014
	*  @since	5.0.0
	*
	*  @param	n/a
	*  @return	n/a
	*/

	function network_html() {

		// vars
		$plugin_version = acf_get_setting('version');

		// loop through sites and find updates
		$sites = wp_get_sites();

		if( $sites ) {

			foreach( $sites as $i => $site ) {

				// switch blog
				switch_to_blog( $site['blog_id'] );

				// extra info
				$site['name'] = get_bloginfo('name');
				$site['url'] = home_url();

				// get site updates
				$site['updates'] = acf_get_updates();

				// get site version
				$site['acf_version'] = get_option('acf_version');

				// no value equals new install
				if( !$site['acf_version'] ) {

					$site['acf_version'] = $plugin_version;

				}

				// update
				$sites[ $i ] = $site;

				// restore
				restore_current_blog();

			}

		}

		// view
		$view = array(
			'sites'				=> $sites,
			'plugin_version'	=> $plugin_version
		);

		// enqueue
		acf_enqueue_scripts();

		// load view
		acf_get_view('update-network', $view);

	}

	/*
	*  admin_menu
	*
	*  This function will check for available updates and add actions if needed
	*
	*  @type	function
	*  @date	19/02/2014
	*  @since	5.0.0
	*
	*  @param	n/a
	*  @return	n/a
	*/

	function admin_menu() {

		// vars
		$plugin_version = acf_get_setting('version');
		$acf_version = get_option('acf_version');

		// bail early if a new install
		if( !$acf_version ) {

			update_option('acf_version', $plugin_version );
			return;

		}

		// bail early if $acf_version is >= $plugin_version
		if( version_compare( $acf_version, $plugin_version, '>=') ) {

			return;

		}

		// vars
		$updates = acf_get_updates();

		// bail early if no updates available
		if( empty($updates) ) {

			update_option('acf_version', $plugin_version );
			return;

		}

		// bail early if no show_admin
		if( !acf_get_setting('show_admin') ) {

			return;

		}

		// actions
		add_action('admin_notices', array($this, 'admin_notices'), 1);

		// add page
		add_submenu_page('edit.php?post_type=acf-field-group', __('Upgrade','acf'), __('Upgrade','acf'), acf_get_setting('capability'),'acf-upgrade', array($this,'html') );

	}

	/*
	*  admin_notices
	*
	*  This function will render any admin notices
	*
	*  @type	function
	*  @date	17/10/13
	*  @since	5.0.0
	*
	*  @param	n/a
	*  @return	n/a
	*/

	function admin_notices() {

		// bail early if already on update page
		if( acf_is_screen('custom-fields_page_acf-upgrade') ) {

			return;

		}

		// view
		$view = array(
			'button_text'	=> __("Upgrade Database", 'acf'),
			'button_url'	=> admin_url('edit.php?post_type=acf-field-group&page=acf-upgrade')
		);

		// load view
		acf_get_view('update-notice', $view);

	}

	/*
	*  html
	*
	*  description
	*
	*  @type	function
	*  @date	19/02/2014
	*  @since	5.0.0
	*
	*  @param	$post_id (int)
	*  @return	$post_id (int)
	*/

	function html() {

		// view
		$view = array(
			'updates'			=> acf_get_updates(),
			'plugin_version'	=> acf_get_setting('version')
		);

		// enqueue
		acf_enqueue_scripts();

		// load view
		acf_get_view('update', $view);

	}

	/*
	*  ajax_upgrade
	*
	*  description
	*
	*  @type	function
	*  @date	24/10/13
	*  @since	5.0.0
	*
	*  @param	$post_id (int)
	*  @return	$post_id (int)
	*/

	function ajax_upgrade() {

		// options
		$options = wp_parse_args( $_POST, array(
			'nonce'		=> '',
			'blog_id'	=> '',
		));

		// validate
		if( !wp_verify_nonce($options['nonce'], 'acf_upgrade') ) {

			wp_send_json_error();

		}

		// switch blog
		if( $options['blog_id'] ) {

			switch_to_blog( $options['blog_id'] );

		}

		// vars
		$updates = acf_get_updates();
		$message = '';

		// bail early if no updates
		if( empty($updates) ) {

			wp_send_json_error(array(
				'message' => 'No updates available'
			));

		}

		// install updates
		// note: the version strings used to build the include path below come from
		// acf_get_updates(), not from the request
		foreach( $updates as $version ) {

			// get path
			$path = acf_get_path("admin/updates/{$version}.php");

			// load version
			if( !file_exists($path) ) {

				wp_send_json_error(array(
					'message' => 'Error loading update'
				));

			}

			// load any errors / feedback from update
			ob_start();

			// action for 3rd party
			do_action('acf/upgrade_start/' . $version );

			// include
			include( $path );

			// action for 3rd party
			do_action('acf/upgrade_finish/' . $version );

			// get feedback
			$message .= ob_get_clean();

			// update successful
			update_option('acf_version', $version );

		}

		// updates complete
		update_option('acf_version', acf_get_setting('version'));

		// return
		wp_send_json_success(array(
			'message' => $message
		));

	}

	/*
	*  inject_downgrade
	*
	*  description
	*
	*  @type	function
	*  @date	16/01/2014
	*  @since	5.0.0
	*
	*  @param	$post_id (int)
	*  @return	$post_id (int)
	*/

/*
	function inject_downgrade( $transient ) {

		// bail early if no plugins are being checked
		if( empty($transient->checked) ) {

			return $transient;

		}

		// bail early if no nonce
		if( empty($_GET['_acfrollback']) ) {

			return $transient;

		}

		// vars
		$rollback = get_option('acf_version');

		// bail early if nonce is not correct
		if( !wp_verify_nonce( $_GET['_acfrollback'], 'rollback-acf_' . $rollback ) ) {

			return $transient;

		}

		// create new object for update
		$obj = new stdClass();
		$obj->slug = $_GET['plugin'];
		$obj->new_version = $rollback;
		$obj->url = 'https://wordpress.org/plugins/advanced-custom-fields';
		$obj->package = 'http://downloads.wordpress.org/plugin/advanced-custom-fields.' . $rollback . '.zip';

		// add to transient
		$transient->response[ $_GET['plugin'] ] = $obj;

		// return
		return $transient;
	}
*/

}

// initialize
new acf_admin_update();

endif;

?>

Issues found in includes/acf/admin/update.php (20)

1. Docblock of __construct(): The doc-type N/A could not be parsed: Unknown type name "N/A" at position 0. This check marks PHPDoc comments that could not be parsed by the analysis parser; the documentation on supported doc-types lists the annotations it understands.
2. __construct(): It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (private, protected, or public) communicates to other developers how, and from where, the method is intended to be used.
3. Docblock of network_admin_menu(): The doc-type n/a could not be parsed: Unknown type name "n/a" at position 0 (same check as issue 1).
4. network_admin_menu(): No explicit method visibility (see issue 2).
5. Docblock of network_admin_notices(): The doc-type n/a could not be parsed: Unknown type name "n/a" at position 0 (see issue 1).
6. network_admin_notices(): No explicit method visibility (see issue 2).
7. network_admin_notices(): This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the "Code" section of your repository.
8. Docblock of network_html(): The doc-type n/a could not be parsed: Unknown type name "n/a" at position 0 (see issue 1).
9. network_html(): No explicit method visibility (see issue 2).
10. Docblock of admin_menu(): The doc-type n/a could not be parsed: Unknown type name "n/a" at position 0 (see issue 1).
11. admin_menu(): No explicit method visibility (see issue 2).
12. Docblock of admin_notices(): The doc-type n/a could not be parsed: Unknown type name "n/a" at position 0 (see issue 1).
13. admin_notices(): No explicit method visibility (see issue 2).
14. admin_notices(): This method seems to be duplicated in your project (see issue 7).
15. Docblock of html(): The doc-type $post_id could not be parsed: Unknown type name "$post_id" at position 0 (see issue 1).
16. html(): No explicit method visibility (see issue 2).
17. Docblock of ajax_upgrade(): The doc-type $post_id could not be parsed: Unknown type name "$post_id" at position 0 (see issue 1).
18. ajax_upgrade(): No explicit method visibility (see issue 2).
19. ajax_upgrade(), foreach( $updates as $version ): The expression $updates of type false|array is not guaranteed to be traversable. How about adding an additional type check? There are different options for fixing this problem.

   1. If you want to be on the safe side, you can add an additional type check:

       $collection = json_decode($data, true);
       if ( ! is_array($collection)) {
           throw new \RuntimeException('$collection must be an array.');
       }

       foreach ($collection as $item) { /** ... */ }

   2. If you are sure that the expression is traversable, you might want to add a doc comment cast to improve IDE auto-completion and static analysis:

       /** @var array $collection */
       $collection = json_decode($data, true);

       foreach ($collection as $item) { /** ... */ }

   3. Mark the issue as a false positive using the remove button in the top-right corner of the issue.

20. Closing tag at end of file: It is not recommended to use PHP's closing tag ?> in files other than templates. Using a closing tag in PHP files that only contain PHP code is not recommended, as you might accidentally add whitespace after the closing tag which would then be output by PHP. This can cause severe problems; for example, headers cannot be sent anymore. A simple precaution is to leave off the closing tag, as it is not required and has no negative effects whatsoever.