Issues in FileLoggingHandler.php - Fixed Issues - Inspection of "Webmozart assertions" - simplesamlphp/simplesamlphp - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#1132)

by Tim

created 2020-02-14 20:55 UTC

lib/SimpleSAML/Logger/FileLoggingHandler.php (1 issue)

Labels

Security 1

Severity

Major 1

<?php

declare(strict_types=1);

namespace SimpleSAML\Logger;

use SimpleSAML\Configuration;
use SimpleSAML\Logger;
use SimpleSAML\Utils;

/**
 * A logging handler that dumps logs to files.
 *
 * @author Lasse Birnbaum Jensen, SDU.
 * @author Andreas Åkre Solberg, UNINETT AS. <[email protected]>
 * @package SimpleSAMLphp
 */
class FileLoggingHandler implements LoggingHandlerInterface
{
    /**
     * A string with the path to the file where we should log our messages.
     *
     * @var null|string
     */
    protected $logFile = null;

    /**
     * This array contains the mappings from syslog log levels to names. Copied more or less directly from
     * SimpleSAML\Logger\ErrorLogLoggingHandler.
     *
     * @var array
     */
    private static $levelNames = [
        Logger::EMERG   => 'EMERGENCY',
        Logger::ALERT   => 'ALERT',
        Logger::CRIT    => 'CRITICAL',
        Logger::ERR     => 'ERROR',
        Logger::WARNING => 'WARNING',
        Logger::NOTICE  => 'NOTICE',
        Logger::INFO    => 'INFO',
        Logger::DEBUG   => 'DEBUG',
    ];

    /** @var string|null */
    protected $processname = null;

    /** @var string */
    protected $format = "%b %d %H:%M:%S";


    /**
     * Build a new logging handler based on files.
     * @param \SimpleSAML\Configuration $config
     */
    public function __construct(Configuration $config)
    {
        // get the metadata handler option from the configuration
        $this->logFile = $config->getPathValue('loggingdir', 'log/') .
            $config->getString('logging.logfile', 'simplesamlphp.log');
        $this->processname = $config->getString('logging.processname', 'SimpleSAMLphp');

        if (@file_exists($this->logFile)) {
            if (!@is_writeable($this->logFile)) {
                throw new \Exception("Could not write to logfile: " . $this->logFile);
            }
        } else {
            if (!@touch($this->logFile)) {
                throw new \Exception(
                    "Could not create logfile: " . $this->logFile .
                    " The logging directory is not writable for the web server user."
                );
            }
        }

        Utils\Time::initTimezone();
    }


    /**
     * Set the format desired for the logs.
     *
     * @param string $format The format used for logs.
     * @return void
     */
    public function setLogFormat($format)
    {
        $this->format = $format;
    }


    /**
     * Log a message to the log file.
     *
     * @param int    $level The log level.
     * @param string $string The formatted message to log.
     * @return void
     */
    public function log($level, $string)
    {
        if (!is_null($this->logFile)) {
            // set human-readable log level. Copied from SimpleSAML\Logger\ErrorLogLoggingHandler.
            $levelName = sprintf('UNKNOWN%d', $level);
            if (array_key_exists($level, self::$levelNames)) {
                $levelName = self::$levelNames[$level];
            }

            $formats = ['%process', '%level'];
            $replacements = [$this->processname, $levelName];

            $matches = [];
            if (preg_match('/%date(?:\{([^\}]+)\})?/', $this->format, $matches)) {
                $format = "%b %d %H:%M:%S";
                if (isset($matches[1])) {
                    $format = $matches[1];
                }

                array_push($formats, $matches[0]);
                array_push($replacements, strftime($format));
            }

            $string = str_replace($formats, $replacements, $string);
            file_put_contents($this->logFile, $string . \PHP_EOL, FILE_APPEND);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
        }
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace SimpleSAML\Logger;
6
7			use SimpleSAML\Configuration;
8			use SimpleSAML\Logger;
9			use SimpleSAML\Utils;
10
11			/**
12			* A logging handler that dumps logs to files.
13			*
14			* @author Lasse Birnbaum Jensen, SDU.
15			* @author Andreas Åkre Solberg, UNINETT AS. <[email protected]>
16			* @package SimpleSAMLphp
17			*/
18			class FileLoggingHandler implements LoggingHandlerInterface
19			{
20			/**
21			* A string with the path to the file where we should log our messages.
22			*
23			* @var null\|string
24			*/
25			protected $logFile = null;
26
27			/**
28			* This array contains the mappings from syslog log levels to names. Copied more or less directly from
29			* SimpleSAML\Logger\ErrorLogLoggingHandler.
30			*
31			* @var array
32			*/
33			private static $levelNames = [
34			Logger::EMERG => 'EMERGENCY',
35			Logger::ALERT => 'ALERT',
36			Logger::CRIT => 'CRITICAL',
37			Logger::ERR => 'ERROR',
38			Logger::WARNING => 'WARNING',
39			Logger::NOTICE => 'NOTICE',
40			Logger::INFO => 'INFO',
41			Logger::DEBUG => 'DEBUG',
42			];
43
44			/** @var string\|null */
45			protected $processname = null;
46
47			/** @var string */
48			protected $format = "%b %d %H:%M:%S";
49
50
51			/**
52			* Build a new logging handler based on files.
53			* @param \SimpleSAML\Configuration $config
54			*/
55			public function __construct(Configuration $config)
56			{
57			// get the metadata handler option from the configuration
58			$this->logFile = $config->getPathValue('loggingdir', 'log/') .
59			$config->getString('logging.logfile', 'simplesamlphp.log');
60			$this->processname = $config->getString('logging.processname', 'SimpleSAMLphp');
61
62			if (@file_exists($this->logFile)) {
63			if (!@is_writeable($this->logFile)) {
64			throw new \Exception("Could not write to logfile: " . $this->logFile);
65			}
66			} else {
67			if (!@touch($this->logFile)) {
68			throw new \Exception(
69			"Could not create logfile: " . $this->logFile .
70			" The logging directory is not writable for the web server user."
71			);
72			}
73			}
74
75			Utils\Time::initTimezone();
76			}
77
78
79			/**
80			* Set the format desired for the logs.
81			*
82			* @param string $format The format used for logs.
83			* @return void
84			*/
85			public function setLogFormat($format)
86			{
87			$this->format = $format;
88			}
89
90
91			/**
92			* Log a message to the log file.
93			*
94			* @param int $level The log level.
95			* @param string $string The formatted message to log.
96			* @return void
97			*/
98			public function log($level, $string)
99			{
100			if (!is_null($this->logFile)) {
101			// set human-readable log level. Copied from SimpleSAML\Logger\ErrorLogLoggingHandler.
102			$levelName = sprintf('UNKNOWN%d', $level);
103			if (array_key_exists($level, self::$levelNames)) {
104			$levelName = self::$levelNames[$level];
105			}
106
107			$formats = ['%process', '%level'];
108			$replacements = [$this->processname, $levelName];
109
110			$matches = [];
111			if (preg_match('/%date(?:\{([^\}]+)\})?/', $this->format, $matches)) {
112			$format = "%b %d %H:%M:%S";
113			if (isset($matches[1])) {
114			$format = $matches[1];
115			}
116
117			array_push($formats, $matches[0]);
118			array_push($replacements, strftime($format));
119			}
120
121			$string = str_replace($formats, $replacements, $string);
122			file_put_contents($this->logFile, $string . \PHP_EOL, FILE_APPEND);
			0 ignored issues – show Security File Manipulation introduced 2020-02-12 19:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$string . PHP_EOL` can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability. 13 paths for user data to reach this point 1. Path: Read from `$_REQUEST,` and `$_REQUEST['username']` is assigned to `$username` in modules/core/www/loginuserpass.php on line 29 Read from `$_REQUEST,` and `$_REQUEST['username']` is assigned to `$username` in modules/core/www/loginuserpass.php on line 29 UserPassBase::handleLogin() is called in modules/core/www/loginuserpass.php on line 84 Enters via parameter `$username` in modules/core/lib/Auth/UserPassBase.php on line 292 Logger::stats() is called in modules/core/lib/Auth/UserPassBase.php on line 324 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 258 Logger::log() is called in lib/SimpleSAML/Logger.php on line 260 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 Logger::defer() is called in lib/SimpleSAML/Logger.php on line 514 Enters via parameter `$message` in lib/SimpleSAML/Logger.php on line 394 `array('level' => $level, 'string' => $message, 'statsLog' => $stats)` is assigned to property Logger::$earlyLog in lib/SimpleSAML/Logger.php on line 397 Read from property Logger::$earlyLog, and `self::earlyLog` is assigned to `$msg` in lib/SimpleSAML/Logger.php on line 306 Logger::log() is called in lib/SimpleSAML/Logger.php on line 307 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 2. Path: Read tainted data from array, and Logger::debug() is called in lib/SimpleSAML/XHTML/Template.php on line 618 Read tainted data from array, and Logger::debug() is called in lib/SimpleSAML/XHTML/Template.php on line 618 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 246 Logger::log() is called in lib/SimpleSAML/Logger.php on line 248 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 3. Path: Read tainted data from array, and Logger::error() is called in lib/SimpleSAML/Locale/Translate.php on line 455 Read tainted data from array, and Logger::error() is called in lib/SimpleSAML/Locale/Translate.php on line 455 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 197 Logger::log() is called in lib/SimpleSAML/Logger.php on line 199 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 Logger::defer() is called in lib/SimpleSAML/Logger.php on line 514 Enters via parameter `$message` in lib/SimpleSAML/Logger.php on line 394 `array('level' => $level, 'string' => $message, 'statsLog' => $stats)` is assigned to property Logger::$earlyLog in lib/SimpleSAML/Logger.php on line 397 Read from property Logger::$earlyLog, and `self::earlyLog` is assigned to `$msg` in lib/SimpleSAML/Logger.php on line 306 Logger::log() is called in lib/SimpleSAML/Logger.php on line 307 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 4. Path: Read from `$_REQUEST,` and `$_REQUEST['username']` is assigned to `$username` in modules/core/www/loginuserpassorg.php on line 32 Read from `$_REQUEST,` and `$_REQUEST['username']` is assigned to `$username` in modules/core/www/loginuserpassorg.php on line 32 UserPassOrgBase::handleLogin() is called in modules/core/www/loginuserpassorg.php on line 106 Enters via parameter `$username` in modules/core/lib/Auth/UserPassOrgBase.php on line 276 Logger::stats() is called in modules/core/lib/Auth/UserPassOrgBase.php on line 319 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 258 Logger::log() is called in lib/SimpleSAML/Logger.php on line 260 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 5. Path: Read from `$_REQUEST,` and `$_REQUEST['reportId']` is assigned to `$reportId` in www/errorreport.php on line 16 Read from `$_REQUEST,` and `$_REQUEST['reportId']` is assigned to `$reportId` in www/errorreport.php on line 16 Logger::error() is called in www/errorreport.php on line 53 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 197 Logger::log() is called in lib/SimpleSAML/Logger.php on line 199 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 6. Path: Read from `$_REQUEST,` and `$_REQUEST['organization']` is assigned to `$organization` in modules/core/www/loginuserpassorg.php on line 48 Read from `$_REQUEST,` and `$_REQUEST['organization']` is assigned to `$organization` in modules/core/www/loginuserpassorg.php on line 48 UserPassOrgBase::handleLogin() is called in modules/core/www/loginuserpassorg.php on line 108 Enters via parameter `$organization` in modules/core/lib/Auth/UserPassOrgBase.php on line 276 Logger::stats() is called in modules/core/lib/Auth/UserPassOrgBase.php on line 319 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 258 Logger::log() is called in lib/SimpleSAML/Logger.php on line 260 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 7. Path: ParameterBag::get() returns request data in vendor/symfony/http-foundation/ParameterBag.php on line 82 ParameterBag::get() returns request data in vendor/symfony/http-foundation/ParameterBag.php on line 82 `$request->server->get('PATH_INFO')` is assigned to `$url` in lib/SimpleSAML/Module.php on line 138 Data is passed through `substr()`, and `substr($url, $modEnd + 1)` is assigned to `$url` in lib/SimpleSAML/Module.php on line 153 `$moduleDir . $url` is assigned to `$path` in lib/SimpleSAML/Module.php on line 228 Logger::warning() is called in lib/SimpleSAML/Module.php on line 289 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 209 Logger::log() is called in lib/SimpleSAML/Logger.php on line 211 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 8. Path: Read from `$_COOKIE,` and `$_COOKIE[$source->getAuthId() . '-username']` is assigned to `$username` in modules/core/www/loginuserpassorg.php on line 34 Read from `$_COOKIE,` and `$_COOKIE[$source->getAuthId() . '-username']` is assigned to `$username` in modules/core/www/loginuserpassorg.php on line 34 UserPassOrgBase::handleLogin() is called in modules/core/www/loginuserpassorg.php on line 106 Enters via parameter `$username` in modules/core/lib/Auth/UserPassOrgBase.php on line 276 Logger::stats() is called in modules/core/lib/Auth/UserPassOrgBase.php on line 319 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 258 Logger::log() is called in lib/SimpleSAML/Logger.php on line 260 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 9. Path: Read tainted data from array, and Logger::debug() is called in lib/SimpleSAML/Locale/Localization.php on line 264 Read tainted data from array, and Logger::debug() is called in lib/SimpleSAML/Locale/Localization.php on line 264 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 246 Logger::log() is called in lib/SimpleSAML/Logger.php on line 248 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 10. Path: Read tainted data from array, and Logger::debug() is called in lib/SimpleSAML/Locale/Localization.php on line 249 Read tainted data from array, and Logger::debug() is called in lib/SimpleSAML/Locale/Localization.php on line 249 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 246 Logger::log() is called in lib/SimpleSAML/Logger.php on line 248 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 Logger::defer() is called in lib/SimpleSAML/Logger.php on line 514 Enters via parameter `$message` in lib/SimpleSAML/Logger.php on line 394 `array('level' => $level, 'string' => $message, 'statsLog' => $stats)` is assigned to property Logger::$earlyLog in lib/SimpleSAML/Logger.php on line 397 Read from property Logger::$earlyLog, and `self::earlyLog` is assigned to `$msg` in lib/SimpleSAML/Logger.php on line 306 Logger::log() is called in lib/SimpleSAML/Logger.php on line 307 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 11. Path: Read from `$_COOKIE,` and `$_COOKIE[$source->getAuthId() . '-username']` is assigned to `$username` in modules/core/www/loginuserpass.php on line 31 Read from `$_COOKIE,` and `$_COOKIE[$source->getAuthId() . '-username']` is assigned to `$username` in modules/core/www/loginuserpass.php on line 31 UserPassBase::handleLogin() is called in modules/core/www/loginuserpass.php on line 84 Enters via parameter `$username` in modules/core/lib/Auth/UserPassBase.php on line 292 Logger::stats() is called in modules/core/lib/Auth/UserPassBase.php on line 324 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 258 Logger::log() is called in lib/SimpleSAML/Logger.php on line 260 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 12. Path: Read from `$_COOKIE,` and `$_COOKIE[$source->getAuthId() . '-organization']` is assigned to `$organization` in modules/core/www/loginuserpassorg.php on line 53 Read from `$_COOKIE,` and `$_COOKIE[$source->getAuthId() . '-organization']` is assigned to `$organization` in modules/core/www/loginuserpassorg.php on line 53 UserPassOrgBase::handleLogin() is called in modules/core/www/loginuserpassorg.php on line 108 Enters via parameter `$organization` in modules/core/lib/Auth/UserPassOrgBase.php on line 276 Logger::stats() is called in modules/core/lib/Auth/UserPassOrgBase.php on line 319 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 258 Logger::log() is called in lib/SimpleSAML/Logger.php on line 260 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 13. Path: Logger::log() is called in lib/SimpleSAML/Logger.php on line 307 Logger::log() is called in lib/SimpleSAML/Logger.php on line 307 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 Logger::defer() is called in lib/SimpleSAML/Logger.php on line 514 Enters via parameter `$message` in lib/SimpleSAML/Logger.php on line 394 `array('level' => $level, 'string' => $message, 'statsLog' => $stats)` is assigned to property Logger::$earlyLog in lib/SimpleSAML/Logger.php on line 397 Read from property Logger::$earlyLog, and `self::earlyLog` is assigned to `$msg` in lib/SimpleSAML/Logger.php on line 306 Logger::log() is called in lib/SimpleSAML/Logger.php on line 307 Enters via parameter `$string` in lib/SimpleSAML/Logger.php on line 471 `array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])` is assigned to `$replacements` in lib/SimpleSAML/Logger.php on line 504 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, self::format)` is assigned to `$string` in lib/SimpleSAML/Logger.php on line 523 FileLoggingHandler::log() is called in lib/SimpleSAML/Logger.php on line 524 Enters via parameter `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98 Data is passed through `str_replace()`, and `str_replace($formats, $replacements, $string)` is assigned to `$string` in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
123			}
124			}
125			}
126

simplesamlphp / simplesamlphp

Pull Request — master (#1132)

lib/SimpleSAML/Logger/FileLoggingHandler.php (1 issue)

Labels

Severity

Introduced By

13 paths for user data to reach this point

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like