Issues (1378)

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/acf/fields/file.php (22 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
/*
4
*  ACF File Field Class
5
*
6
*  All the logic for this field type
7
*
8
*  @class 		acf_field_file
9
*  @extends		acf_field
10
*  @package		ACF
11
*  @subpackage	Fields
12
*/
13
14
if( ! class_exists('acf_field_file') ) :
15
16
class acf_field_file extends acf_field {
17
	
18
	
19
	/*
20
	*  __construct
21
	*
22
	*  This function will setup the field type data
23
	*
24
	*  @type	function
25
	*  @date	5/03/2014
26
	*  @since	5.0.0
27
	*
28
	*  @param	n/a
29
	*  @return	n/a
30
	*/
0 ignored issues
show
The doc-type n/a could not be parsed: Unknown type name "n/a" at position 0. (view supported doc-types)

This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types.

Loading history...
31
	
32
	function __construct() {
0 ignored issues
show
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
33
		
34
		// vars
35
		$this->name = 'file';
36
		$this->label = __("File",'acf');
0 ignored issues
show
The property label does not exist. Did you maybe forget to declare it?

In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code:

class MyClass { }

$x = new MyClass();
$x->foo = true;

Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion:

class MyClass {
    public $foo;
}

$x = new MyClass();
$x->foo = true;
Loading history...
37
		$this->category = 'content';
38
		$this->defaults = array(
39
			'return_format'	=> 'array',
40
			'library' 		=> 'all',
41
			'min_size'		=> 0,
42
			'max_size'		=> 0,
43
			'mime_types'	=> ''
44
		);
45
		$this->l10n = array(
46
			'select'		=> __("Select File",'acf'),
47
			'edit'			=> __("Edit File",'acf'),
48
			'update'		=> __("Update File",'acf'),
49
			'uploadedTo'	=> __("uploaded to this post",'acf'),
50
		);
51
		
52
		
53
		// filters
54
		add_filter('get_media_item_args',			array($this, 'get_media_item_args'));
55
		add_filter('wp_prepare_attachment_for_js',	array($this, 'wp_prepare_attachment_for_js'), 10, 3);
56
		
57
		
58
		// do not delete!
59
    	parent::__construct();
60
    	
61
	}
62
	
63
	
64
	/*
65
	*  render_field()
66
	*
67
	*  Create the HTML interface for your field
68
	*
69
	*  @param	$field - an array holding all the field's data
70
	*
71
	*  @type	action
72
	*  @since	3.6
73
	*  @date	23/01/13
74
	*/
75
	
76
	function render_field( $field ) {
0 ignored issues
show
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
77
		
78
		// vars
79
		$uploader = acf_get_setting('uploader');
80
		
81
		
82
		// enqueue
83
		if( $uploader == 'wp' ) {
84
			
85
			acf_enqueue_uploader();
86
			
87
		}
88
		
89
		
90
		// vars
91
		$o = array(
92
			'icon'		=> '',
93
			'title'		=> '',
94
			'size'		=> '',
95
			'url'		=> '',
96
			'name'		=> '',
97
		);
98
		
99
		$div = array(
100
			'class'				=> 'acf-file-uploader acf-cf',
101
			'data-library' 		=> $field['library'],
102
			'data-mime_types'	=> $field['mime_types'],
103
			'data-uploader'		=> $uploader
104
		);
105
		
106
		
107
		// has value
108
		if( $field['value'] && is_numeric($field['value']) ) {
109
			
110
			$file = get_post( $field['value'] );
111
			
112
			if( $file ) {
113
				
114
				$div['class'] .= ' has-value';
115
				
116
				$o['icon'] = wp_mime_type_icon( $file->ID );
117
				$o['title']	= $file->post_title;
118
				$o['size'] = @size_format(filesize( get_attached_file( $file->ID ) ));
119
				$o['url'] = wp_get_attachment_url( $file->ID );
120
				
121
				$explode = explode('/', $o['url']);
122
				$o['name'] = end( $explode );	
123
							
124
			}
125
			
126
		}
127
				
128
?>
129
<div <?php acf_esc_attr_e($div); ?>>
130
	<div class="acf-hidden">
131
		<?php acf_hidden_input(array( 'name' => $field['name'], 'value' => $field['value'], 'data-name' => 'id' )); ?>
132
	</div>
133
	<div class="show-if-value file-wrap acf-soh">
134
		<div class="file-icon">
135
			<img data-name="icon" src="<?php echo $o['icon']; ?>" alt=""/>
136
		</div>
137
		<div class="file-info">
138
			<p>
139
				<strong data-name="title"><?php echo $o['title']; ?></strong>
140
			</p>
141
			<p>
142
				<strong><?php _e('File Name', 'acf'); ?>:</strong>
143
				<a data-name="name" href="<?php echo $o['url']; ?>" target="_blank"><?php echo $o['name']; ?></a>
144
			</p>
145
			<p>
146
				<strong><?php _e('File Size', 'acf'); ?>:</strong>
147
				<span data-name="size"><?php echo $o['size']; ?></span>
148
			</p>
149
			
150
			<ul class="acf-hl acf-soh-target">
151
				<?php if( $uploader != 'basic' ): ?>
152
					<li><a class="acf-icon -pencil dark" data-name="edit" href="#"></a></li>
153
				<?php endif; ?>
154
				<li><a class="acf-icon -cancel dark" data-name="remove" href="#"></a></li>
155
			</ul>
156
		</div>
157
	</div>
158
	<div class="hide-if-value">
159 View Code Duplication
		<?php if( $uploader == 'basic' ): ?>
0 ignored issues
show
This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
160
			
161
			<?php if( $field['value'] && !is_numeric($field['value']) ): ?>
162
				<div class="acf-error-message"><p><?php echo $field['value']; ?></p></div>
163
			<?php endif; ?>
164
			
165
			<input type="file" name="<?php echo $field['name']; ?>" id="<?php echo $field['id']; ?>" />
166
			
167
		<?php else: ?>
168
			
169
			<p style="margin:0;"><?php _e('No File selected','acf'); ?> <a data-name="add" class="acf-button" href="#"><?php _e('Add File','acf'); ?></a></p>
170
			
171
		<?php endif; ?>
172
		
173
	</div>
174
</div>
175
<?php
176
		
177
	}
178
	
179
	
180
	/*
181
	*  render_field_settings()
182
	*
183
	*  Create extra options for your field. This is rendered when editing a field.
184
	*  The value of $field['name'] can be used (like bellow) to save extra data to the $field
185
	*
186
	*  @type	action
187
	*  @since	3.6
188
	*  @date	23/01/13
189
	*
190
	*  @param	$field	- an array holding all the field's data
191
	*/
192
	
193
	function render_field_settings( $field ) {
0 ignored issues
show
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
194
		
195
		// clear numeric settings
196
		$clear = array(
197
			'min_size',
198
			'max_size'
199
		);
200
		
201
		foreach( $clear as $k ) {
202
			
203
			if( empty($field[$k]) ) {
204
				
205
				$field[$k] = '';
206
				
207
			}
208
			
209
		}
210
		
211
		
212
		// return_format
213
		acf_render_field_setting( $field, array(
214
			'label'			=> __('Return Value','acf'),
215
			'instructions'	=> __('Specify the returned value on front end','acf'),
216
			'type'			=> 'radio',
217
			'name'			=> 'return_format',
218
			'layout'		=> 'horizontal',
219
			'choices'		=> array(
220
				'array'			=> __("File Array",'acf'),
221
				'url'			=> __("File URL",'acf'),
222
				'id'			=> __("File ID",'acf')
223
			)
224
		));
225
		
226
		
227
		// library
228
		acf_render_field_setting( $field, array(
229
			'label'			=> __('Library','acf'),
230
			'instructions'	=> __('Limit the media library choice','acf'),
231
			'type'			=> 'radio',
232
			'name'			=> 'library',
233
			'layout'		=> 'horizontal',
234
			'choices' 		=> array(
235
				'all'			=> __('All', 'acf'),
236
				'uploadedTo'	=> __('Uploaded to post', 'acf')
237
			)
238
		));
239
		
240
		
241
		// min
242
		acf_render_field_setting( $field, array(
243
			'label'			=> __('Minimum','acf'),
244
			'instructions'	=> __('Restrict which files can be uploaded','acf'),
245
			'type'			=> 'text',
246
			'name'			=> 'min_size',
247
			'prepend'		=> __('File size', 'acf'),
248
			'append'		=> 'MB',
249
		));
250
		
251
		
252
		// max
253
		acf_render_field_setting( $field, array(
254
			'label'			=> __('Maximum','acf'),
255
			'instructions'	=> __('Restrict which files can be uploaded','acf'),
256
			'type'			=> 'text',
257
			'name'			=> 'max_size',
258
			'prepend'		=> __('File size', 'acf'),
259
			'append'		=> 'MB',
260
		));
261
		
262
		
263
		// allowed type
264
		acf_render_field_setting( $field, array(
265
			'label'			=> __('Allowed file types','acf'),
266
			'instructions'	=> __('Comma separated list. Leave blank for all types','acf'),
267
			'type'			=> 'text',
268
			'name'			=> 'mime_types',
269
		));
270
		
271
	}
272
	
273
	
274
	/*
275
	*  format_value()
276
	*
277
	*  This filter is appied to the $value after it is loaded from the db and before it is returned to the template
278
	*
279
	*  @type	filter
280
	*  @since	3.6
281
	*  @date	23/01/13
282
	*
283
	*  @param	$value (mixed) the value which was loaded from the database
284
	*  @param	$post_id (mixed) the $post_id from which the value was loaded
285
	*  @param	$field (array) the field array holding all the field options
286
	*
287
	*  @return	$value (mixed) the modified value
288
	*/
0 ignored issues
show
The doc-type $value could not be parsed: Unknown type name "$value" at position 0. (view supported doc-types)

This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types.

Loading history...
289
	
290 View Code Duplication
	function format_value( $value, $post_id, $field ) {
0 ignored issues
show
The parameter $post_id is not used and could be removed.

This check looks from parameters that have been defined for a function or method, but which are not used in the method body.

Loading history...
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
291
		
292
		// bail early if no value
293
		if( empty($value) ) {
294
		
295
			return false;
296
			
297
		}
298
		
299
		
300
		// bail early if not numeric (error message)
301
		if( !is_numeric($value) ) {
302
			
303
			return false;
304
				
305
		}
306
		
307
		
308
		// convert to int
309
		$value = intval($value);
310
		
311
		
312
		// format
313
		if( $field['return_format'] == 'url' ) {
314
		
315
			return wp_get_attachment_url($value);
316
			
317
		} elseif( $field['return_format'] == 'array' ) {
318
			
319
			return acf_get_attachment( $value );
320
		}
321
		
322
		
323
		// return
324
		return $value;
325
	}
326
	
327
	
328
	/*
329
	*  get_media_item_args
330
	*
331
	*  description
332
	*
333
	*  @type	function
334
	*  @date	27/01/13
335
	*  @since	3.6.0
336
	*
337
	*  @param	$vars (array)
338
	*  @return	$vars
339
	*/
0 ignored issues
show
The doc-type $vars could not be parsed: Unknown type name "$vars" at position 0. (view supported doc-types)

This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types.

Loading history...
340
	
341
	function get_media_item_args( $vars ) {
0 ignored issues
show
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
342
	
343
	    $vars['send'] = true;
344
	    return($vars);
345
	    
346
	}
347
	   	
348
	
349
	/*
350
	*  update_value()
351
	*
352
	*  This filter is appied to the $value before it is updated in the db
353
	*
354
	*  @type	filter
355
	*  @since	3.6
356
	*  @date	23/01/13
357
	*
358
	*  @param	$value - the value which will be saved in the database
359
	*  @param	$post_id - the $post_id of which the value will be saved
360
	*  @param	$field - the field array holding all the field options
361
	*
362
	*  @return	$value - the modified value
363
	*/
0 ignored issues
show
The doc-type $value could not be parsed: Unknown type name "$value" at position 0. (view supported doc-types)

This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types.

Loading history...
364
	
365 View Code Duplication
	function update_value( $value, $post_id, $field ) {
0 ignored issues
show
The parameter $post_id is not used and could be removed.

This check looks from parameters that have been defined for a function or method, but which are not used in the method body.

Loading history...
The parameter $field is not used and could be removed.

This check looks from parameters that have been defined for a function or method, but which are not used in the method body.

Loading history...
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
366
		
367
		// array?
368
		if( is_array($value) && isset($value['ID']) ) {
369
		
370
			return $value['ID'];	
371
			
372
		}
373
		
374
		
375
		// object?
376
		if( is_object($value) && isset($value->ID) ) {
377
		
378
			return $value->ID;
379
			
380
		}
381
		
382
		
383
		// return
384
		return $value;
385
	}
386
	
387
	
388
	/*
389
	*  wp_prepare_attachment_for_js
390
	*
391
	*  this filter allows ACF to add in extra data to an attachment JS object
392
	*
393
	*  @type	function
394
	*  @date	1/06/13
395
	*
396
	*  @param	{int}	$post_id
397
	*  @return	{int}	$post_id
0 ignored issues
show
The doc-type {int} could not be parsed: Unknown type name "{int}" at position 0. (view supported doc-types)

This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types.

Loading history...
There is no parameter named $post_id. Was it maybe removed?

This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function.

Consider the following example. The parameter $italy is not defined by the method finale(...).

/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}

The most likely cause is that the parameter was removed, but the annotation was not.

Loading history...
398
	*/
0 ignored issues
show
The doc-type {int} could not be parsed: Unknown type name "{int}" at position 0. (view supported doc-types)

This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types.

Loading history...
399
	
400
	function wp_prepare_attachment_for_js( $response, $attachment, $meta ) {
0 ignored issues
show
The parameter $meta is not used and could be removed.

This check looks from parameters that have been defined for a function or method, but which are not used in the method body.

Loading history...
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommend to communicate to other developers how, and from where this method is intended to be used.

Loading history...
401
		
402
		// default
403
		$fs = '0 kb';
404
		
405
		
406
		// supress PHP warnings caused by corrupt images
407
		if( $i = @filesize( get_attached_file( $attachment->ID ) ) ) {
408
		
409
			$fs = size_format( $i );
410
			
411
		}
412
		
413
		
414
		// update JSON
415
		$response['filesize'] = $fs;
416
		
417
		
418
		// return
419
		return $response;
420
		
421
	}
422
	
423
}
424
425
new acf_field_file();
426
427
endif;
428
429
?>
430