Issues in admin.php (master) - Issues in master - splitbrain/dokuwiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (847)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/plugins/config/admin.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Configuration Manager admin plugin
 *
 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author     Christopher Smith <[email protected]>
 * @author     Ben Coburn <[email protected]>
 */

use dokuwiki\plugin\config\core\Configuration;
use dokuwiki\plugin\config\core\Setting\Setting;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use dokuwiki\plugin\config\core\Setting\SettingFieldset;
use dokuwiki\plugin\config\core\Setting\SettingHidden;

/**
 * All DokuWiki plugins to extend the admin function
 * need to inherit from this class
 */
class admin_plugin_config extends DokuWiki_Admin_Plugin {

    const IMGDIR = DOKU_BASE . 'lib/plugins/config/images/';

    /** @var Configuration */
    protected $configuration;

    /** @var bool were there any errors in the submitted data? */
    protected $hasErrors = false;

    /** @var bool have the settings translations been loaded? */
    protected $promptsLocalized = false;


    /**
     * handle user request
     */
    public function handle() {
        global $ID, $INPUT;

        // always initialize the configuration
        $this->configuration = new Configuration();

        if(!$INPUT->bool('save') || !checkSecurityToken()) {
            return;
        }

        // don't go any further if the configuration is locked
        if($this->configuration->isLocked()) return;

        // update settings and redirect of successful
        $ok = $this->configuration->updateSettings($INPUT->arr('config'));
        if($ok) { // no errors
            try {
                if($this->configuration->hasChanged()) {
                    $this->configuration->save();
                } else {
                    $this->configuration->touch();
                }
                msg($this->getLang('updated'), 1);
            } catch(Exception $e) {
                msg($this->getLang('error'), -1);
            }
            send_redirect(wl($ID, array('do' => 'admin', 'page' => 'config'), true, '&'));
        } else {
            $this->hasErrors = true;
        }
    }

    /**
     * output appropriate html
     */
    public function html() {
        $allow_debug = $GLOBALS['conf']['allowdebug']; // avoid global $conf; here.
        global $lang;
        global $ID;

        $this->setupLocale(true);

        echo $this->locale_xhtml('intro');

        echo '<div id="config__manager">';

        if($this->configuration->isLocked()) {
            echo '<div class="info">' . $this->getLang('locked') . '</div>';
        }

        // POST to script() instead of wl($ID) so config manager still works if
        // rewrite config is broken. Add $ID as hidden field to remember
        // current ID in most cases.
        echo '<form id="dw__configform" action="' . script() . '" method="post">';
        echo '<div class="no"><input type="hidden" name="id" value="' . $ID . '" /></div>';
        formSecurityToken();
        $this->printH1('dokuwiki_settings', $this->getLang('_header_dokuwiki'));

        $in_fieldset = false;
        $first_plugin_fieldset = true;
        $first_template_fieldset = true;
        foreach($this->configuration->getSettings() as $setting) {
            if(is_a($setting, SettingHidden::class)) {
                continue;
            } else if(is_a($setting, settingFieldset::class)) {
                // config setting group
                if($in_fieldset) {
                    echo '</table>';
                    echo '</div>';
                    echo '</fieldset>';
                } else {
                    $in_fieldset = true;
                }
                if($first_plugin_fieldset && $setting->getType() == 'plugin') {
                    $this->printH1('plugin_settings', $this->getLang('_header_plugin'));
                    $first_plugin_fieldset = false;
                } else if($first_template_fieldset && $setting->getType() == 'template') {
                    $this->printH1('template_settings', $this->getLang('_header_template'));
                    $first_template_fieldset = false;
                }
                echo '<fieldset id="' . $setting->getKey() . '">';
                echo '<legend>' . $setting->prompt($this) . '</legend>';
                echo '<div class="table">';
                echo '<table class="inline">';
            } else {
                // config settings
                list($label, $input) = $setting->html($this, $this->hasErrors);

                $class = $setting->isDefault()
                    ? ' class="default"'
                    : ($setting->isProtected() ? ' class="protected"' : '');
                $error = $setting->hasError()
                    ? ' class="value error"'
                    : ' class="value"';
                $icon = $setting->caution()
                    ? '<img src="' . self::IMGDIR . $setting->caution() . '.png" ' .
                    'alt="' . $setting->caution() . '" title="' . $this->getLang($setting->caution()) . '" />'
                    : '';

                echo '<tr' . $class . '>';
                echo '<td class="label">';
                echo '<span class="outkey">' . $setting->getPrettyKey() . '</span>';
                echo $icon . $label;
                echo '</td>';
                echo '<td' . $error . '>' . $input . '</td>';
                echo '</tr>';
            }
        }

        echo '</table>';
        echo '</div>';
        if($in_fieldset) {
            echo '</fieldset>';
        }

        // show undefined settings list
        $undefined_settings = $this->configuration->getUndefined();
        if($allow_debug && !empty($undefined_settings)) {
            /**
             * Callback for sorting settings
             *
             * @param Setting $a
             * @param Setting $b
             * @return int if $a is lower/equal/higher than $b
             */
            function settingNaturalComparison($a, $b) {
                return strnatcmp($a->getKey(), $b->getKey());
            }

            usort($undefined_settings, 'settingNaturalComparison');
            $this->printH1('undefined_settings', $this->getLang('_header_undefined'));
            echo '<fieldset>';
            echo '<div class="table">';
            echo '<table class="inline">';
            foreach($undefined_settings as $setting) {
                list($label, $input) = $setting->html($this);
                echo '<tr>';
                echo '<td class="label">' . $label . '</td>';
                echo '<td>' . $input . '</td>';
                echo '</tr>';
            }
            echo '</table>';
            echo '</div>';
            echo '</fieldset>';
        }

        // finish up form
        echo '<p>';
        echo '<input type="hidden" name="do"     value="admin" />';
        echo '<input type="hidden" name="page"   value="config" />';

        if(!$this->configuration->isLocked()) {
            echo '<input type="hidden" name="save"   value="1" />';
            echo '<button type="submit" name="submit" accesskey="s">' . $lang['btn_save'] . '</button>';
            echo '<button type="reset">' . $lang['btn_reset'] . '</button>';
        }

        echo '</p>';

        echo '</form>';
        echo '</div>';
    }

    /**
     * @param bool $prompts
     */
    public function setupLocale($prompts = false) {
        parent::setupLocale();
        if(!$prompts || $this->promptsLocalized) return;
        $this->lang = array_merge($this->lang, $this->configuration->getLangs());
        $this->promptsLocalized = true;
    }

    /**
     * Generates a two-level table of contents for the config plugin.
     *
     * @author Ben Coburn <[email protected]>
     *
     * @return array
     */
    public function getTOC() {
        $this->setupLocale(true);

        $allow_debug = $GLOBALS['conf']['allowdebug']; // avoid global $conf; here.
        $toc = array();
        $check = false;

        // gather settings data into three sub arrays
        $labels = ['dokuwiki' => [], 'plugin' => [], 'template' => []];
        foreach($this->configuration->getSettings() as $setting) {
            if(is_a($setting, SettingFieldset::class)) {
                $labels[$setting->getType()][] = $setting;
            }
        }

        // top header
        $title = $this->getLang('_configuration_manager');
        $toc[] = html_mktocitem(sectionID($title, $check), $title, 1);

        // main entries
        foreach(['dokuwiki', 'plugin', 'template'] as $section) {
            if(empty($labels[$section])) continue; // no entries, skip

            // create main header
            $toc[] = html_mktocitem(
                $section . '_settings',
                $this->getLang('_header_' . $section),
                1
            );

            // create sub headers
            foreach($labels[$section] as $setting) {
                /** @var SettingFieldset $setting */
                $name = $setting->prompt($this);
                $toc[] = html_mktocitem($setting->getKey(), $name, 2);
            }
        }

        // undefined settings if allowed
        if(count($this->configuration->getUndefined()) && $allow_debug) {
            $toc[] = html_mktocitem('undefined_settings', $this->getLang('_header_undefined'), 1);
        }

        return $toc;
    }

    /**
     * @param string $id
     * @param string $text
     */
    protected function printH1($id, $text) {
        echo '<h1 id="' . $id . '">' . $text . '</h1>';
    }

    /**
     * Adds a translation to this plugin's language array
     *
     * Used by some settings to set up dynamic translations
     *
     * @param string $key
     * @param string $value
     */
    public function addLang($key, $value) {
        if(!$this->localised) $this->setupLocale();
        $this->lang[$key] = $value;
    }
}


1			<?php
2			/**
3			* Configuration Manager admin plugin
4			*
5			* @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
6			* @author Christopher Smith <[email protected]>
7			* @author Ben Coburn <[email protected]>
8			*/
9
10			use dokuwiki\plugin\config\core\Configuration;
11			use dokuwiki\plugin\config\core\Setting\Setting;
			0 ignored issues – show Bug introduced 2018-06-01 09:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `Setting`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
12			use dokuwiki\plugin\config\core\Setting\SettingFieldset;
13			use dokuwiki\plugin\config\core\Setting\SettingHidden;
14
15			/**
16			* All DokuWiki plugins to extend the admin function
17			* need to inherit from this class
18			*/
19			class admin_plugin_config extends DokuWiki_Admin_Plugin {
20
21			const IMGDIR = DOKU_BASE . 'lib/plugins/config/images/';
22
23			/** @var Configuration */
24			protected $configuration;
25
26			/** @var bool were there any errors in the submitted data? */
27			protected $hasErrors = false;
28
29			/** @var bool have the settings translations been loaded? */
30			protected $promptsLocalized = false;
31
32
33			/**
34			* handle user request
35			*/
36			public function handle() {
37			global $ID, $INPUT;
38
39			// always initialize the configuration
40			$this->configuration = new Configuration();
41
42			if(!$INPUT->bool('save') \|\| !checkSecurityToken()) {
43			return;
44			}
45
46			// don't go any further if the configuration is locked
47			if($this->configuration->isLocked()) return;
48
49			// update settings and redirect of successful
50			$ok = $this->configuration->updateSettings($INPUT->arr('config'));
51			if($ok) { // no errors
52			try {
53			if($this->configuration->hasChanged()) {
54			$this->configuration->save();
55			} else {
56			$this->configuration->touch();
57			}
58			msg($this->getLang('updated'), 1);
59			} catch(Exception $e) {
60			msg($this->getLang('error'), -1);
61			}
62			send_redirect(wl($ID, array('do' => 'admin', 'page' => 'config'), true, '&'));
63			} else {
64			$this->hasErrors = true;
65			}
66			}
67
68			/**
69			* output appropriate html
70			*/
71			public function html() {
72			$allow_debug = $GLOBALS['conf']['allowdebug']; // avoid global $conf; here.
73			global $lang;
74			global $ID;
75
76			$this->setupLocale(true);
77
78			echo $this->locale_xhtml('intro');
79
80			echo '<div id="config__manager">';
81
82			if($this->configuration->isLocked()) {
83			echo '<div class="info">' . $this->getLang('locked') . '</div>';
84			}
85
86			// POST to script() instead of wl($ID) so config manager still works if
87			// rewrite config is broken. Add $ID as hidden field to remember
88			// current ID in most cases.
89			echo '<form id="dw__configform" action="' . script() . '" method="post">';
90			echo '<div class="no"><input type="hidden" name="id" value="' . $ID . '" /></div>';
91			formSecurityToken();
92			$this->printH1('dokuwiki_settings', $this->getLang('_header_dokuwiki'));
93
94			$in_fieldset = false;
95			$first_plugin_fieldset = true;
96			$first_template_fieldset = true;
97			foreach($this->configuration->getSettings() as $setting) {
98			if(is_a($setting, SettingHidden::class)) {
99			continue;
100			} else if(is_a($setting, settingFieldset::class)) {
101			// config setting group
102			if($in_fieldset) {
103			echo '</table>';
104			echo '</div>';
105			echo '</fieldset>';
106			} else {
107			$in_fieldset = true;
108			}
109			if($first_plugin_fieldset && $setting->getType() == 'plugin') {
110			$this->printH1('plugin_settings', $this->getLang('_header_plugin'));
111			$first_plugin_fieldset = false;
112			} else if($first_template_fieldset && $setting->getType() == 'template') {
113			$this->printH1('template_settings', $this->getLang('_header_template'));
114			$first_template_fieldset = false;
115			}
116			echo '<fieldset id="' . $setting->getKey() . '">';
117			echo '<legend>' . $setting->prompt($this) . '</legend>';
118			echo '<div class="table">';
119			echo '<table class="inline">';
120			} else {
121			// config settings
122			list($label, $input) = $setting->html($this, $this->hasErrors);
123
124			$class = $setting->isDefault()
125			? ' class="default"'
126			: ($setting->isProtected() ? ' class="protected"' : '');
127			$error = $setting->hasError()
128			? ' class="value error"'
129			: ' class="value"';
130			$icon = $setting->caution()
131			? '<img src="' . self::IMGDIR . $setting->caution() . '.png" ' .
132			'alt="' . $setting->caution() . '" title="' . $this->getLang($setting->caution()) . '" />'
133			: '';
134
135			echo '<tr' . $class . '>';
136			echo '<td class="label">';
137			echo '<span class="outkey">' . $setting->getPrettyKey() . '</span>';
138			echo $icon . $label;
139			echo '</td>';
140			echo '<td' . $error . '>' . $input . '</td>';
141			echo '</tr>';
142			}
143			}
144
145			echo '</table>';
146			echo '</div>';
147			if($in_fieldset) {
148			echo '</fieldset>';
149			}
150
151			// show undefined settings list
152			$undefined_settings = $this->configuration->getUndefined();
153			if($allow_debug && !empty($undefined_settings)) {
154			/**
155			* Callback for sorting settings
156			*
157			* @param Setting $a
158			* @param Setting $b
159			* @return int if $a is lower/equal/higher than $b
160			*/
161			function settingNaturalComparison($a, $b) {
162			return strnatcmp($a->getKey(), $b->getKey());
163			}
164
165			usort($undefined_settings, 'settingNaturalComparison');
166			$this->printH1('undefined_settings', $this->getLang('_header_undefined'));
167			echo '<fieldset>';
168			echo '<div class="table">';
169			echo '<table class="inline">';
170			foreach($undefined_settings as $setting) {
171			list($label, $input) = $setting->html($this);
172			echo '<tr>';
173			echo '<td class="label">' . $label . '</td>';
174			echo '<td>' . $input . '</td>';
175			echo '</tr>';
176			}
177			echo '</table>';
178			echo '</div>';
179			echo '</fieldset>';
180			}
181
182			// finish up form
183			echo '<p>';
184			echo '<input type="hidden" name="do" value="admin" />';
185			echo '<input type="hidden" name="page" value="config" />';
186
187			if(!$this->configuration->isLocked()) {
188			echo '<input type="hidden" name="save" value="1" />';
189			echo '<button type="submit" name="submit" accesskey="s">' . $lang['btn_save'] . '</button>';
190			echo '<button type="reset">' . $lang['btn_reset'] . '</button>';
191			}
192
193			echo '</p>';
194
195			echo '</form>';
196			echo '</div>';
197			}
198
199			/**
200			* @param bool $prompts
201			*/
202			public function setupLocale($prompts = false) {
203			parent::setupLocale();
204			if(!$prompts \|\| $this->promptsLocalized) return;
205			$this->lang = array_merge($this->lang, $this->configuration->getLangs());
206			$this->promptsLocalized = true;
207			}
208
209			/**
210			* Generates a two-level table of contents for the config plugin.
211			*
212			* @author Ben Coburn <[email protected]>
213			*
214			* @return array
215			*/
216			public function getTOC() {
217			$this->setupLocale(true);
218
219			$allow_debug = $GLOBALS['conf']['allowdebug']; // avoid global $conf; here.
220			$toc = array();
221			$check = false;
222
223			// gather settings data into three sub arrays
224			$labels = ['dokuwiki' => [], 'plugin' => [], 'template' => []];
225			foreach($this->configuration->getSettings() as $setting) {
226			if(is_a($setting, SettingFieldset::class)) {
227			$labels[$setting->getType()][] = $setting;
228			}
229			}
230
231			// top header
232			$title = $this->getLang('_configuration_manager');
233			$toc[] = html_mktocitem(sectionID($title, $check), $title, 1);
234
235			// main entries
236			foreach(['dokuwiki', 'plugin', 'template'] as $section) {
237			if(empty($labels[$section])) continue; // no entries, skip
238
239			// create main header
240			$toc[] = html_mktocitem(
241			$section . '_settings',
242			$this->getLang('_header_' . $section),
243			1
244			);
245
246			// create sub headers
247			foreach($labels[$section] as $setting) {
248			/** @var SettingFieldset $setting */
249			$name = $setting->prompt($this);
250			$toc[] = html_mktocitem($setting->getKey(), $name, 2);
251			}
252			}
253
254			// undefined settings if allowed
255			if(count($this->configuration->getUndefined()) && $allow_debug) {
256			$toc[] = html_mktocitem('undefined_settings', $this->getLang('_header_undefined'), 1);
257			}
258
259			return $toc;
260			}
261
262			/**
263			* @param string $id
264			* @param string $text
265			*/
266			protected function printH1($id, $text) {
267			echo '<h1 id="' . $id . '">' . $text . '</h1>';
268			}
269
270			/**
271			* Adds a translation to this plugin's language array
272			*
273			* Used by some settings to set up dynamic translations
274			*
275			* @param string $key
276			* @param string $value
277			*/
278			public function addLang($key, $value) {
279			if(!$this->localised) $this->setupLocale();
280			$this->lang[$key] = $value;
281			}
282			}
283

splitbrain / dokuwiki

Issues (847)

Security Analysis not enabled

lib/plugins/config/admin.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like