Issues in helper.php (master) - Issues in master - splitbrain/dokuwiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (847)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/plugins/popularity/helper.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

use dokuwiki\HTTP\DokuHTTPClient;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use dokuwiki\Extension\Event;

/**
 * Popularity Feedback Plugin
 *
 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 */
class helper_plugin_popularity extends Dokuwiki_Plugin
{
    /**
     * The url where the data should be sent
     */
    public $submitUrl = 'https://update.dokuwiki.org/popularity.php';

    /**
     * Name of the file which determine if the the autosubmit is enabled,
     * and when it was submited for the last time
     */
    public $autosubmitFile;

    /**
     * File where the last error which happened when we tried to autosubmit, will be log
     */
    public $autosubmitErrorFile;

    /**
     * Name of the file which determine when the popularity data was manually
     * submitted for the last time
     * (If this file doesn't exist, the data has never been sent)
     */
    public $popularityLastSubmitFile;

    /**
     * helper_plugin_popularity constructor.
     */
    public function __construct()
    {
        global $conf;
        $this->autosubmitFile = $conf['cachedir'].'/autosubmit.txt';
        $this->autosubmitErrorFile = $conf['cachedir'].'/autosubmitError.txt';
        $this->popularityLastSubmitFile = $conf['cachedir'].'/lastSubmitTime.txt';
    }

    /**
     * Check if autosubmit is enabled
     *
     * @return boolean TRUE if we should send data once a month, FALSE otherwise
     */
    public function isAutoSubmitEnabled()
    {
        return file_exists($this->autosubmitFile);
    }

    /**
     * Send the data, to the submit url
     *
     * @param string $data The popularity data
     * @return string An empty string if everything worked fine, a string describing the error otherwise
     */
    public function sendData($data)
    {
        $error = '';
        $httpClient = new DokuHTTPClient();
        $status = $httpClient->sendRequest($this->submitUrl, array('data' => $data), 'POST');
        if (! $status) {
            $error = $httpClient->error;
        }
        return $error;
    }

    /**
     * Compute the last time the data was sent. If it has never been sent, we return 0.
     *
     * @return int
     */
    public function lastSentTime()
    {
        $manualSubmission = @filemtime($this->popularityLastSubmitFile);
        $autoSubmission   = @filemtime($this->autosubmitFile);

        return max((int) $manualSubmission, (int) $autoSubmission);
    }

    /**
     * Gather all information
     *
     * @return string The popularity data as a string
     */
    public function gatherAsString()
    {
        $data = $this->gather();
        $string = '';
        foreach ($data as $key => $val) {
            if (is_array($val)) foreach ($val as $v) {
                $string .=  hsc($key)."\t".hsc($v)."\n";
            } else {
                $string .= hsc($key)."\t".hsc($val)."\n";
            }
        }
        return $string;
    }

    /**
     * Gather all information
     *
     * @return array The popularity data as an array
     */
    protected function gather()
    {
        global $conf;
        /** @var $auth DokuWiki_Auth_Plugin */
        global $auth;
        $data = array();
        $phptime = ini_get('max_execution_time');
        @set_time_limit(0);
        $pluginInfo = $this->getInfo();

        // version
        $data['anon_id'] = md5(auth_cookiesalt());
        $data['version'] = getVersion();
        $data['popversion'] = $pluginInfo['date'];
        $data['language'] = $conf['lang'];
        $data['now']      = time();
        $data['popauto']  = (int) $this->isAutoSubmitEnabled();

        // some config values
        $data['conf_useacl']   = $conf['useacl'];
        $data['conf_authtype'] = $conf['authtype'];
        $data['conf_template'] = $conf['template'];

        // number and size of pages
        $list = array();
        search($list, $conf['datadir'], array($this, 'searchCountCallback'), array('all'=>false), '');
        $data['page_count']    = $list['file_count'];
        $data['page_size']     = $list['file_size'];
        $data['page_biggest']  = $list['file_max'];
        $data['page_smallest'] = $list['file_min'];
        $data['page_nscount']  = $list['dir_count'];
        $data['page_nsnest']   = $list['dir_nest'];
        if ($list['file_count']) $data['page_avg'] = $list['file_size'] / $list['file_count'];
        $data['page_oldest']   = $list['file_oldest'];
        unset($list);

        // number and size of media
        $list = array();
        search($list, $conf['mediadir'], array($this, 'searchCountCallback'), array('all'=>true));
        $data['media_count']    = $list['file_count'];
        $data['media_size']     = $list['file_size'];
        $data['media_biggest']  = $list['file_max'];
        $data['media_smallest'] = $list['file_min'];
        $data['media_nscount']  = $list['dir_count'];
        $data['media_nsnest']   = $list['dir_nest'];
        if ($list['file_count']) $data['media_avg'] = $list['file_size'] / $list['file_count'];
        unset($list);

        // number and size of cache
        $list = array();
        search($list, $conf['cachedir'], array($this, 'searchCountCallback'), array('all'=>true));
        $data['cache_count']    = $list['file_count'];
        $data['cache_size']     = $list['file_size'];
        $data['cache_biggest']  = $list['file_max'];
        $data['cache_smallest'] = $list['file_min'];
        if ($list['file_count']) $data['cache_avg'] = $list['file_size'] / $list['file_count'];
        unset($list);

        // number and size of index
        $list = array();
        search($list, $conf['indexdir'], array($this, 'searchCountCallback'), array('all'=>true));
        $data['index_count']    = $list['file_count'];
        $data['index_size']     = $list['file_size'];
        $data['index_biggest']  = $list['file_max'];
        $data['index_smallest'] = $list['file_min'];
        if ($list['file_count']) $data['index_avg'] = $list['file_size'] / $list['file_count'];
        unset($list);

        // number and size of meta
        $list = array();
        search($list, $conf['metadir'], array($this, 'searchCountCallback'), array('all'=>true));
        $data['meta_count']    = $list['file_count'];
        $data['meta_size']     = $list['file_size'];
        $data['meta_biggest']  = $list['file_max'];
        $data['meta_smallest'] = $list['file_min'];
        if ($list['file_count']) $data['meta_avg'] = $list['file_size'] / $list['file_count'];
        unset($list);

        // number and size of attic
        $list = array();
        search($list, $conf['olddir'], array($this, 'searchCountCallback'), array('all'=>true));
        $data['attic_count']    = $list['file_count'];
        $data['attic_size']     = $list['file_size'];
        $data['attic_biggest']  = $list['file_max'];
        $data['attic_smallest'] = $list['file_min'];
        if ($list['file_count']) $data['attic_avg'] = $list['file_size'] / $list['file_count'];
        $data['attic_oldest']   = $list['file_oldest'];
        unset($list);

        // user count
        if ($auth && $auth->canDo('getUserCount')) {
            $data['user_count'] = $auth->getUserCount();
        }

        // calculate edits per day
        $list = @file($conf['metadir'].'/_dokuwiki.changes');
        $count = count($list);
        if ($count > 2) {
            $first = (int) substr(array_shift($list), 0, 10);
            $last  = (int) substr(array_pop($list), 0, 10);
            $dur = ($last - $first)/(60*60*24); // number of days in the changelog
            $data['edits_per_day'] = $count/$dur;
        }
        unset($list);

        // plugins
        $data['plugin'] = plugin_list();

        // pcre info
        if (defined('PCRE_VERSION')) $data['pcre_version'] = PCRE_VERSION;
        $data['pcre_backtrack'] = ini_get('pcre.backtrack_limit');
        $data['pcre_recursion'] = ini_get('pcre.recursion_limit');

        // php info
        $data['os'] = PHP_OS;
        $data['webserver'] = $_SERVER['SERVER_SOFTWARE'];
        $data['php_version'] = phpversion();
        $data['php_sapi'] = php_sapi_name();
        $data['php_memory'] = php_to_byte(ini_get('memory_limit'));
        $data['php_exectime'] = $phptime;
        $data['php_extension'] = get_loaded_extensions();

        // plugin usage data
        $this->addPluginUsageData($data);

        return $data;
    }

    /**
     * Triggers event to let plugins add their own data
     *
     * @param $data
     */
    protected function addPluginUsageData(&$data)
    {
        $pluginsData = array();
        Event::createAndTrigger('PLUGIN_POPULARITY_DATA_SETUP', $pluginsData);
        foreach ($pluginsData as $plugin => $d) {
            if (is_array($d)) {
                foreach ($d as $key => $value) {
                    $data['plugin_' . $plugin . '_' . $key] = $value;
                }
            } else {
                $data['plugin_' . $plugin] = $d;
            }
        }
    }

    /**
     * Callback to search and count the content of directories in DokuWiki
     *
     * @param array &$data  Reference to the result data structure
     * @param string $base  Base usually $conf['datadir']
     * @param string $file  current file or directory relative to $base
     * @param string $type  Type either 'd' for directory or 'f' for file
     * @param int    $lvl   Current recursion depht
     * @param array  $opts  option array as given to search()
     * @return bool
     */
    public function searchCountCallback(&$data, $base, $file, $type, $lvl, $opts)
    {
        // traverse
        if ($type == 'd') {
            if ($data['dir_nest'] < $lvl) $data['dir_nest'] = $lvl;
            $data['dir_count']++;
            return true;
        }

        //only search txt files if 'all' option not set
        if ($opts['all'] || substr($file, -4) == '.txt') {
            $size = filesize($base.'/'.$file);
            $date = filemtime($base.'/'.$file);
            $data['file_count']++;
            $data['file_size'] += $size;
            if (!isset($data['file_min']) || $data['file_min'] > $size) $data['file_min'] = $size;
            if ($data['file_max'] < $size) $data['file_max'] = $size;
            if (!isset($data['file_oldest']) || $data['file_oldest'] > $date) $data['file_oldest'] = $date;
        }

        return false;
    }
}


1			<?php
2
3			use dokuwiki\HTTP\DokuHTTPClient;
			0 ignored issues – show Bug introduced 2019-03-26 23:08 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `DokuHTTPClient`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
4			use dokuwiki\Extension\Event;
5
6			/**
7			* Popularity Feedback Plugin
8			*
9			* @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
10			*/
11			class helper_plugin_popularity extends Dokuwiki_Plugin
12			{
13			/**
14			* The url where the data should be sent
15			*/
16			public $submitUrl = 'https://update.dokuwiki.org/popularity.php';
17
18			/**
19			* Name of the file which determine if the the autosubmit is enabled,
20			* and when it was submited for the last time
21			*/
22			public $autosubmitFile;
23
24			/**
25			* File where the last error which happened when we tried to autosubmit, will be log
26			*/
27			public $autosubmitErrorFile;
28
29			/**
30			* Name of the file which determine when the popularity data was manually
31			* submitted for the last time
32			* (If this file doesn't exist, the data has never been sent)
33			*/
34			public $popularityLastSubmitFile;
35
36			/**
37			* helper_plugin_popularity constructor.
38			*/
39			public function __construct()
40			{
41			global $conf;
42			$this->autosubmitFile = $conf['cachedir'].'/autosubmit.txt';
43			$this->autosubmitErrorFile = $conf['cachedir'].'/autosubmitError.txt';
44			$this->popularityLastSubmitFile = $conf['cachedir'].'/lastSubmitTime.txt';
45			}
46
47			/**
48			* Check if autosubmit is enabled
49			*
50			* @return boolean TRUE if we should send data once a month, FALSE otherwise
51			*/
52			public function isAutoSubmitEnabled()
53			{
54			return file_exists($this->autosubmitFile);
55			}
56
57			/**
58			* Send the data, to the submit url
59			*
60			* @param string $data The popularity data
61			* @return string An empty string if everything worked fine, a string describing the error otherwise
62			*/
63			public function sendData($data)
64			{
65			$error = '';
66			$httpClient = new DokuHTTPClient();
67			$status = $httpClient->sendRequest($this->submitUrl, array('data' => $data), 'POST');
68			if (! $status) {
69			$error = $httpClient->error;
70			}
71			return $error;
72			}
73
74			/**
75			* Compute the last time the data was sent. If it has never been sent, we return 0.
76			*
77			* @return int
78			*/
79			public function lastSentTime()
80			{
81			$manualSubmission = @filemtime($this->popularityLastSubmitFile);
82			$autoSubmission = @filemtime($this->autosubmitFile);
83
84			return max((int) $manualSubmission, (int) $autoSubmission);
85			}
86
87			/**
88			* Gather all information
89			*
90			* @return string The popularity data as a string
91			*/
92			public function gatherAsString()
93			{
94			$data = $this->gather();
95			$string = '';
96			foreach ($data as $key => $val) {
97			if (is_array($val)) foreach ($val as $v) {
98			$string .= hsc($key)."\t".hsc($v)."\n";
99			} else {
100			$string .= hsc($key)."\t".hsc($val)."\n";
101			}
102			}
103			return $string;
104			}
105
106			/**
107			* Gather all information
108			*
109			* @return array The popularity data as an array
110			*/
111			protected function gather()
112			{
113			global $conf;
114			/** @var $auth DokuWiki_Auth_Plugin */
115			global $auth;
116			$data = array();
117			$phptime = ini_get('max_execution_time');
118			@set_time_limit(0);
119			$pluginInfo = $this->getInfo();
120
121			// version
122			$data['anon_id'] = md5(auth_cookiesalt());
123			$data['version'] = getVersion();
124			$data['popversion'] = $pluginInfo['date'];
125			$data['language'] = $conf['lang'];
126			$data['now'] = time();
127			$data['popauto'] = (int) $this->isAutoSubmitEnabled();
128
129			// some config values
130			$data['conf_useacl'] = $conf['useacl'];
131			$data['conf_authtype'] = $conf['authtype'];
132			$data['conf_template'] = $conf['template'];
133
134			// number and size of pages
135			$list = array();
136			search($list, $conf['datadir'], array($this, 'searchCountCallback'), array('all'=>false), '');
137			$data['page_count'] = $list['file_count'];
138			$data['page_size'] = $list['file_size'];
139			$data['page_biggest'] = $list['file_max'];
140			$data['page_smallest'] = $list['file_min'];
141			$data['page_nscount'] = $list['dir_count'];
142			$data['page_nsnest'] = $list['dir_nest'];
143			if ($list['file_count']) $data['page_avg'] = $list['file_size'] / $list['file_count'];
144			$data['page_oldest'] = $list['file_oldest'];
145			unset($list);
146
147			// number and size of media
148			$list = array();
149			search($list, $conf['mediadir'], array($this, 'searchCountCallback'), array('all'=>true));
150			$data['media_count'] = $list['file_count'];
151			$data['media_size'] = $list['file_size'];
152			$data['media_biggest'] = $list['file_max'];
153			$data['media_smallest'] = $list['file_min'];
154			$data['media_nscount'] = $list['dir_count'];
155			$data['media_nsnest'] = $list['dir_nest'];
156			if ($list['file_count']) $data['media_avg'] = $list['file_size'] / $list['file_count'];
157			unset($list);
158
159			// number and size of cache
160			$list = array();
161			search($list, $conf['cachedir'], array($this, 'searchCountCallback'), array('all'=>true));
162			$data['cache_count'] = $list['file_count'];
163			$data['cache_size'] = $list['file_size'];
164			$data['cache_biggest'] = $list['file_max'];
165			$data['cache_smallest'] = $list['file_min'];
166			if ($list['file_count']) $data['cache_avg'] = $list['file_size'] / $list['file_count'];
167			unset($list);
168
169			// number and size of index
170			$list = array();
171			search($list, $conf['indexdir'], array($this, 'searchCountCallback'), array('all'=>true));
172			$data['index_count'] = $list['file_count'];
173			$data['index_size'] = $list['file_size'];
174			$data['index_biggest'] = $list['file_max'];
175			$data['index_smallest'] = $list['file_min'];
176			if ($list['file_count']) $data['index_avg'] = $list['file_size'] / $list['file_count'];
177			unset($list);
178
179			// number and size of meta
180			$list = array();
181			search($list, $conf['metadir'], array($this, 'searchCountCallback'), array('all'=>true));
182			$data['meta_count'] = $list['file_count'];
183			$data['meta_size'] = $list['file_size'];
184			$data['meta_biggest'] = $list['file_max'];
185			$data['meta_smallest'] = $list['file_min'];
186			if ($list['file_count']) $data['meta_avg'] = $list['file_size'] / $list['file_count'];
187			unset($list);
188
189			// number and size of attic
190			$list = array();
191			search($list, $conf['olddir'], array($this, 'searchCountCallback'), array('all'=>true));
192			$data['attic_count'] = $list['file_count'];
193			$data['attic_size'] = $list['file_size'];
194			$data['attic_biggest'] = $list['file_max'];
195			$data['attic_smallest'] = $list['file_min'];
196			if ($list['file_count']) $data['attic_avg'] = $list['file_size'] / $list['file_count'];
197			$data['attic_oldest'] = $list['file_oldest'];
198			unset($list);
199
200			// user count
201			if ($auth && $auth->canDo('getUserCount')) {
202			$data['user_count'] = $auth->getUserCount();
203			}
204
205			// calculate edits per day
206			$list = @file($conf['metadir'].'/_dokuwiki.changes');
207			$count = count($list);
208			if ($count > 2) {
209			$first = (int) substr(array_shift($list), 0, 10);
210			$last = (int) substr(array_pop($list), 0, 10);
211			$dur = ($last - $first)/(606024); // number of days in the changelog
212			$data['edits_per_day'] = $count/$dur;
213			}
214			unset($list);
215
216			// plugins
217			$data['plugin'] = plugin_list();
218
219			// pcre info
220			if (defined('PCRE_VERSION')) $data['pcre_version'] = PCRE_VERSION;
221			$data['pcre_backtrack'] = ini_get('pcre.backtrack_limit');
222			$data['pcre_recursion'] = ini_get('pcre.recursion_limit');
223
224			// php info
225			$data['os'] = PHP_OS;
226			$data['webserver'] = $_SERVER['SERVER_SOFTWARE'];
227			$data['php_version'] = phpversion();
228			$data['php_sapi'] = php_sapi_name();
229			$data['php_memory'] = php_to_byte(ini_get('memory_limit'));
230			$data['php_exectime'] = $phptime;
231			$data['php_extension'] = get_loaded_extensions();
232
233			// plugin usage data
234			$this->addPluginUsageData($data);
235
236			return $data;
237			}
238
239			/**
240			* Triggers event to let plugins add their own data
241			*
242			* @param $data
243			*/
244			protected function addPluginUsageData(&$data)
245			{
246			$pluginsData = array();
247			Event::createAndTrigger('PLUGIN_POPULARITY_DATA_SETUP', $pluginsData);
248			foreach ($pluginsData as $plugin => $d) {
249			if (is_array($d)) {
250			foreach ($d as $key => $value) {
251			$data['plugin_' . $plugin . '_' . $key] = $value;
252			}
253			} else {
254			$data['plugin_' . $plugin] = $d;
255			}
256			}
257			}
258
259			/**
260			* Callback to search and count the content of directories in DokuWiki
261			*
262			* @param array &$data Reference to the result data structure
263			* @param string $base Base usually $conf['datadir']
264			* @param string $file current file or directory relative to $base
265			* @param string $type Type either 'd' for directory or 'f' for file
266			* @param int $lvl Current recursion depht
267			* @param array $opts option array as given to search()
268			* @return bool
269			*/
270			public function searchCountCallback(&$data, $base, $file, $type, $lvl, $opts)
271			{
272			// traverse
273			if ($type == 'd') {
274			if ($data['dir_nest'] < $lvl) $data['dir_nest'] = $lvl;
275			$data['dir_count']++;
276			return true;
277			}
278
279			//only search txt files if 'all' option not set
280			if ($opts['all'] \|\| substr($file, -4) == '.txt') {
281			$size = filesize($base.'/'.$file);
282			$date = filemtime($base.'/'.$file);
283			$data['file_count']++;
284			$data['file_size'] += $size;
285			if (!isset($data['file_min']) \|\| $data['file_min'] > $size) $data['file_min'] = $size;
286			if ($data['file_max'] < $size) $data['file_max'] = $size;
287			if (!isset($data['file_oldest']) \|\| $data['file_oldest'] > $date) $data['file_oldest'] = $date;
288			}
289
290			return false;
291			}
292			}
293

splitbrain / dokuwiki

Issues (847)

Security Analysis not enabled

lib/plugins/popularity/helper.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like