1 | <?php |
2 | |||
3 | declare(strict_types=1); |
4 | |||
5 | namespace SimpleSAML\Logger; |
6 | |||
7 | use SimpleSAML\Configuration; |
8 | use SimpleSAML\Logger; |
9 | use SimpleSAML\Utils; |
10 | |||
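/**
 * A logging handler that appends log lines to a file.
 *
 * The file location is taken from configuration ('loggingdir' and
 * 'logging.logfile'); the message text is supplied by the caller and is
 * written as-is after the '%process', '%level' and '%date' placeholders
 * have been substituted.
 *
 * @author Lasse Birnbaum Jensen, SDU.
 * @author Andreas Åkre Solberg, UNINETT AS. <[email protected]>
 * @package SimpleSAMLphp
 */
class FileLoggingHandler implements LoggingHandlerInterface
{
    /**
     * Path of the file that log lines are appended to. Assembled in the
     * constructor purely from configuration values, never from request data.
     *
     * @var null|string
     */
    protected $logFile = null;

    /**
     * Mapping from the Logger::* level constants to the names written into each
     * line. Copied more or less directly from SimpleSAML\Logger\ErrorLogLoggingHandler;
     * keep the two tables in sync.
     *
     * @var array
     */
    private static $levelNames = [
        Logger::EMERG   => 'EMERGENCY',
        Logger::ALERT   => 'ALERT',
        Logger::CRIT    => 'CRITICAL',
        Logger::ERR     => 'ERROR',
        Logger::WARNING => 'WARNING',
        Logger::NOTICE  => 'NOTICE',
        Logger::INFO    => 'INFO',
        Logger::DEBUG   => 'DEBUG',
    ];

    /**
     * Value substituted for '%process' in each line ('logging.processname').
     *
     * @var string|null
     */
    protected $processname = null;

    /**
     * Line format inspected by log(). '%date' or '%date{<strftime format>}' in it
     * selects the timestamp format; the default below is a strftime() format.
     *
     * @var string
     */
    protected $format = "%b %d %H:%M:%S";


    /**
     * Build a new logging handler based on files.
     *
     * The log file is validated (or created) up front so that a misconfigured
     * or unwritable location is reported once at start-up rather than causing
     * every later message to be dropped.
     *
     * @param \SimpleSAML\Configuration $config
     * @throws \Exception if the log file exists but is not writable, or does not
     *                    exist and cannot be created.
     */
    public function __construct(Configuration $config)
    {
        // get the log location and process name from the configuration
        $this->logFile = $config->getPathValue('loggingdir', 'log/') .
            $config->getString('logging.logfile', 'simplesamlphp.log');
        $this->processname = $config->getString('logging.processname', 'SimpleSAMLphp');

        // warnings are suppressed here because the failure is reported through the exception
        if (@file_exists($this->logFile)) {
            if (!@is_writable($this->logFile)) {
                throw new \Exception("Could not write to logfile: " . $this->logFile);
            }
        } elseif (!@touch($this->logFile)) {
            throw new \Exception(
                "Could not create logfile: " . $this->logFile .
                " The logging directory is not writable for the web server user."
            );
        }

        Utils\Time::initTimezone();
    }


    /**
     * Set the format desired for the logs.
     *
     * @param string $format The format used for logs; may contain '%date' or
     *                       '%date{<strftime format>}', which log() substitutes.
     * @return void
     */
    public function setLogFormat($format)
    {
        $this->format = $format;
    }


    /**
     * Log a message to the log file.
     *
     * '%process' and '%level' in $string are replaced by the process name and
     * the level name; if the configured line format contains '%date' (optionally
     * with a strftime format in braces), that placeholder is replaced by the
     * current time as well. The result is appended as one line.
     *
     * @param int $level The log level.
     * @param string $string The formatted message to log.
     * @return void
     */
    public function log($level, $string)
    {
        if (is_null($this->logFile)) {
            return;
        }

        // human-readable log level; unknown levels are still written, tagged UNKNOWN<n>.
        // Copied from SimpleSAML\Logger\ErrorLogLoggingHandler.
        $levelName = array_key_exists($level, self::$levelNames)
            ? self::$levelNames[$level]
            : sprintf('UNKNOWN%d', $level);

        $formats = ['%process', '%level'];
        $replacements = [$this->processname, $levelName];

        $matches = [];
        if (preg_match('/%date(?:\{([^\}]+)\})?/', $this->format, $matches)) {
            // group 1 is only set when an explicit '%date{...}' format was given
            $dateFormat = isset($matches[1]) ? $matches[1] : "%b %d %H:%M:%S";

            $formats[] = $matches[0];
            // strftime() is deprecated as of PHP 8.1; it is kept because the
            // '%date{...}' syntax exposed to deployers uses strftime formats.
            $replacements[] = strftime($dateFormat);
        }

        $string = str_replace($formats, $replacements, $string);

        // NOTE(review): $string may carry request-derived text (e.g. a submitted
        // username); embedded CR/LF in it would start a new, forged-looking line.
        // This handler writes the message as given and relies on callers to
        // neutralise line breaks - confirm that upstream formatting does so.
        // LOCK_EX prevents concurrent requests from interleaving partial lines.
        $written = file_put_contents($this->logFile, $string . \PHP_EOL, FILE_APPEND | LOCK_EX);
        if ($written === false) {
            // never throw from a logger; fall back to the SAPI error log so the failure is visible
            error_log('FileLoggingHandler: could not append to logfile ' . $this->logFile);
        }
    }
}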
||
126 |
$string . PHP_EOL
can contain request data and is used in file manipulation context(s), leading to a potential security vulnerability. 13 paths for user data to reach this point
$_REQUEST,
and$_REQUEST['username']
is assigned to$username
in modules/core/www/loginuserpass.php on line 29$_REQUEST,
and$_REQUEST['username']
is assigned to$username
in modules/core/www/loginuserpass.php on line 29
in modules/core/www/loginuserpass.php on line 84
$username
in modules/core/lib/Auth/UserPassBase.php on line 292
in modules/core/lib/Auth/UserPassBase.php on line 324
$string
in lib/SimpleSAML/Logger.php on line 258
in lib/SimpleSAML/Logger.php on line 260
$string
in lib/SimpleSAML/Logger.php on line 471
in lib/SimpleSAML/Logger.php on line 514
$message
in lib/SimpleSAML/Logger.php on line 394
array('level' => $level, 'string' => $message, 'statsLog' => $stats)
is assigned to property Logger::$earlyLogin lib/SimpleSAML/Logger.php on line 397
self::earlyLog
is assigned to$msg
in lib/SimpleSAML/Logger.php on line 306
in lib/SimpleSAML/Logger.php on line 307
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
in lib/SimpleSAML/XHTML/Template.php on line 618
$string
in lib/SimpleSAML/Logger.php on line 246
in lib/SimpleSAML/Logger.php on line 248
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
in lib/SimpleSAML/Locale/Translate.php on line 455
$string
in lib/SimpleSAML/Logger.php on line 197
in lib/SimpleSAML/Logger.php on line 199
$string
in lib/SimpleSAML/Logger.php on line 471
in lib/SimpleSAML/Logger.php on line 514
$message
in lib/SimpleSAML/Logger.php on line 394
array('level' => $level, 'string' => $message, 'statsLog' => $stats)
is assigned to property Logger::$earlyLogin lib/SimpleSAML/Logger.php on line 397
self::earlyLog
is assigned to$msg
in lib/SimpleSAML/Logger.php on line 306
in lib/SimpleSAML/Logger.php on line 307
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
$_REQUEST,
and$_REQUEST['username']
is assigned to$username
in modules/core/www/loginuserpassorg.php on line 32$_REQUEST,
and$_REQUEST['username']
is assigned to$username
in modules/core/www/loginuserpassorg.php on line 32
in modules/core/www/loginuserpassorg.php on line 106
$username
in modules/core/lib/Auth/UserPassOrgBase.php on line 276
in modules/core/lib/Auth/UserPassOrgBase.php on line 319
$string
in lib/SimpleSAML/Logger.php on line 258
in lib/SimpleSAML/Logger.php on line 260
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
$_REQUEST,
and$_REQUEST['reportId']
is assigned to$reportId
in www/errorreport.php on line 16$_REQUEST,
and$_REQUEST['reportId']
is assigned to$reportId
in www/errorreport.php on line 16
in www/errorreport.php on line 53
$string
in lib/SimpleSAML/Logger.php on line 197
in lib/SimpleSAML/Logger.php on line 199
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
$_REQUEST,
and$_REQUEST['organization']
is assigned to$organization
in modules/core/www/loginuserpassorg.php on line 48$_REQUEST,
and$_REQUEST['organization']
is assigned to$organization
in modules/core/www/loginuserpassorg.php on line 48
in modules/core/www/loginuserpassorg.php on line 108
$organization
in modules/core/lib/Auth/UserPassOrgBase.php on line 276
in modules/core/lib/Auth/UserPassOrgBase.php on line 319
$string
in lib/SimpleSAML/Logger.php on line 258
in lib/SimpleSAML/Logger.php on line 260
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
in vendor/symfony/http-foundation/ParameterBag.php on line 82
$request->server->get('PATH_INFO')
is assigned to$url
in lib/SimpleSAML/Module.php on line 138
substr()
, andsubstr($url, $modEnd + 1)
is assigned to$url
in lib/SimpleSAML/Module.php on line 153
$moduleDir . $url
is assigned to$path
in lib/SimpleSAML/Module.php on line 228
in lib/SimpleSAML/Module.php on line 289
$string
in lib/SimpleSAML/Logger.php on line 209
in lib/SimpleSAML/Logger.php on line 211
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
$_COOKIE,
and$_COOKIE[$source->getAuthId() . '-username']
is assigned to$username
in modules/core/www/loginuserpassorg.php on line 34$_COOKIE,
and$_COOKIE[$source->getAuthId() . '-username']
is assigned to$username
in modules/core/www/loginuserpassorg.php on line 34
in modules/core/www/loginuserpassorg.php on line 106
$username
in modules/core/lib/Auth/UserPassOrgBase.php on line 276
in modules/core/lib/Auth/UserPassOrgBase.php on line 319
$string
in lib/SimpleSAML/Logger.php on line 258
in lib/SimpleSAML/Logger.php on line 260
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
in lib/SimpleSAML/Locale/Localization.php on line 264
$string
in lib/SimpleSAML/Logger.php on line 246
in lib/SimpleSAML/Logger.php on line 248
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
in lib/SimpleSAML/Locale/Localization.php on line 249
$string
in lib/SimpleSAML/Logger.php on line 246
in lib/SimpleSAML/Logger.php on line 248
$string
in lib/SimpleSAML/Logger.php on line 471
in lib/SimpleSAML/Logger.php on line 514
$message
in lib/SimpleSAML/Logger.php on line 394
array('level' => $level, 'string' => $message, 'statsLog' => $stats)
is assigned to property Logger::$earlyLogin lib/SimpleSAML/Logger.php on line 397
self::earlyLog
is assigned to$msg
in lib/SimpleSAML/Logger.php on line 306
in lib/SimpleSAML/Logger.php on line 307
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
$_COOKIE,
and$_COOKIE[$source->getAuthId() . '-username']
is assigned to$username
in modules/core/www/loginuserpass.php on line 31$_COOKIE,
and$_COOKIE[$source->getAuthId() . '-username']
is assigned to$username
in modules/core/www/loginuserpass.php on line 31
in modules/core/www/loginuserpass.php on line 84
$username
in modules/core/lib/Auth/UserPassBase.php on line 292
in modules/core/lib/Auth/UserPassBase.php on line 324
$string
in lib/SimpleSAML/Logger.php on line 258
in lib/SimpleSAML/Logger.php on line 260
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
$_COOKIE,
and$_COOKIE[$source->getAuthId() . '-organization']
is assigned to$organization
in modules/core/www/loginuserpassorg.php on line 53$_COOKIE,
and$_COOKIE[$source->getAuthId() . '-organization']
is assigned to$organization
in modules/core/www/loginuserpassorg.php on line 53
in modules/core/www/loginuserpassorg.php on line 108
$organization
in modules/core/lib/Auth/UserPassOrgBase.php on line 276
in modules/core/lib/Auth/UserPassOrgBase.php on line 319
$string
in lib/SimpleSAML/Logger.php on line 258
in lib/SimpleSAML/Logger.php on line 260
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
in lib/SimpleSAML/Logger.php on line 307
$string
in lib/SimpleSAML/Logger.php on line 471
in lib/SimpleSAML/Logger.php on line 514
$message
in lib/SimpleSAML/Logger.php on line 394
array('level' => $level, 'string' => $message, 'statsLog' => $stats)
is assigned to property Logger::$earlyLogin lib/SimpleSAML/Logger.php on line 397
self::earlyLog
is assigned to$msg
in lib/SimpleSAML/Logger.php on line 306
in lib/SimpleSAML/Logger.php on line 307
$string
in lib/SimpleSAML/Logger.php on line 471
array(self::trackid, $string, $_SERVER['REMOTE_ADDR'])
is assigned to$replacements
in lib/SimpleSAML/Logger.php on line 504
str_replace()
, andstr_replace($formats, $replacements, self::format)
is assigned to$string
in lib/SimpleSAML/Logger.php on line 523
in lib/SimpleSAML/Logger.php on line 524
$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 98
str_replace()
, andstr_replace($formats, $replacements, $string)
is assigned to$string
in lib/SimpleSAML/Logger/FileLoggingHandler.php on line 121
General Strategies to prevent injection
In general, it is advisable to prevent any user data from reaching this point. This can be done by white-listing certain values:
For numeric data, we recommend explicitly casting the data: