Issues (2010)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

wp-includes/class-feed.php (3 issues)

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

  1  <?php
  2  
  3  if ( ! class_exists( 'SimplePie', false ) )
  4  	require_once( ABSPATH . WPINC . '/class-simplepie.php' );
  5  
  6  /**
  7   * Core class used to implement a feed cache.
  8   *
  9   * @since 2.8.0
 10   *
 11   * @see SimplePie_Cache
 12   */
 13  class WP_Feed_Cache extends SimplePie_Cache {
 14  
 15  	/**
 16  	 * Creates a new SimplePie_Cache object.
 17  	 *
 18  	 * @since 2.8.0
 19  	 * @access public
 20  	 *
 21  	 * @param string $location  URL location (scheme is used to determine handler).
 22  	 * @param string $filename  Unique identifier for cache object.
 23  	 * @param string $extension 'spi' or 'spc'.
 24  	 * @return WP_Feed_Cache_Transient Feed cache handler object that uses transients.
 25  	 */
 26  	public function create($location, $filename, $extension) {
 27  		return new WP_Feed_Cache_Transient($location, $filename, $extension);
 28  	}
 29  }
 30  
 31  /**
 32   * Core class used to implement feed cache transients.
 33   *
 34   * @since 2.8.0
 35   */
 36  class WP_Feed_Cache_Transient {
 37  
 38  	/**
 39  	 * Holds the transient name.
 40  	 *
 41  	 * @since 2.8.0
 42  	 * @access public
 43  	 * @var string
 44  	 */
 45  	public $name;
 46  
 47  	/**
 48  	 * Holds the transient mod name.
 49  	 *
 50  	 * @since 2.8.0
 51  	 * @access public
 52  	 * @var string
 53  	 */
 54  	public $mod_name;
 55  
 56  	/**
 57  	 * Holds the cache duration in seconds.
 58  	 *
 59  	 * Defaults to 43200 seconds (12 hours).
 60  	 *
 61  	 * @since 2.8.0
 62  	 * @access public
 63  	 * @var int
 64  	 */
 65  	public $lifetime = 43200;
 66  
 67  	/**
 68  	 * Constructor.
 69  	 *
 70  	 * @since 2.8.0
 71  	 * @since 3.2.0 Updated to use a PHP5 constructor.
 72  	 * @access public
 73  	 *
 74  	 * @param string $location  URL location (scheme is used to determine handler).
 75  	 * @param string $filename  Unique identifier for cache object.
 76  	 * @param string $extension 'spi' or 'spc'.
 77  	 */
 78  	public function __construct($location, $filename, $extension) {
 79  		$this->name = 'feed_' . $filename;
 80  		$this->mod_name = 'feed_mod_' . $filename;
 81  
 82  		$lifetime = $this->lifetime;
 83  		/**
 84  		 * Filters the transient lifetime of the feed cache.
 85  		 *
 86  		 * @since 2.8.0
 87  		 *
 88  		 * @param int    $lifetime Cache duration in seconds. Default is 43200 seconds (12 hours).
 89  		 * @param string $filename Unique identifier for the cache object.
 90  		 */
 91  		$this->lifetime = apply_filters( 'wp_feed_cache_transient_lifetime', $lifetime, $filename);
 92  	}
 93  
 94  	/**
 95  	 * Sets the transient.
 96  	 *
 97  	 * @since 2.8.0
 98  	 * @access public
 99  	 *
100  	 * @param SimplePie $data Data to save.
101  	 * @return true Always true.
102  	 */
103  	public function save($data) {
104  		if ( $data instanceof SimplePie ) {
105  			$data = $data->data;
106  		}
107  
108  		set_transient($this->name, $data, $this->lifetime);
109  		set_transient($this->mod_name, time(), $this->lifetime);
110  		return true;
111  	}
112  
113  	/**
114  	 * Gets the transient.
115  	 *
116  	 * @since 2.8.0
117  	 * @access public
118  	 *
119  	 * @return mixed Transient value.
120  	 */
121  	public function load() {
122  		return get_transient($this->name);
123  	}
124  
125  	/**
126  	 * Gets mod transient.
127  	 *
128  	 * @since 2.8.0
129  	 * @access public
130  	 *
131  	 * @return mixed Transient value.
132  	 */
133  	public function mtime() {
134  		return get_transient($this->mod_name);
135  	}
136  
137  	/**
138  	 * Sets mod transient.
139  	 *
140  	 * @since 2.8.0
141  	 * @access public
142  	 *
143  	 * @return bool False if value was not set and true if value was set.
144  	 */
145  	public function touch() {
146  		return set_transient($this->mod_name, time(), $this->lifetime);
147  	}
148  
149  	/**
150  	 * Deletes transients.
151  	 *
152  	 * @since 2.8.0
153  	 * @access public
154  	 *
155  	 * @return true Always true.
156  	 */
157  	public function unlink() {
158  		delete_transient($this->name);
159  		delete_transient($this->mod_name);
160  		return true;
161  	}
162  }
163  
164  /**
165   * Core class for fetching remote files and reading local files with SimplePie.
166   *
167   * @since 2.8.0
168   *
169   * @see SimplePie_File
170   */
171  class WP_SimplePie_File extends SimplePie_File {
172  
173  	/**
174  	 * Constructor.
175  	 *
176  	 * @since 2.8.0
177  	 * @since 3.2.0 Updated to use a PHP5 constructor.
178  	 * @access public
179  	 *
180  	 * @param string       $url             Remote file URL.
181  	 * @param integer      $timeout         Optional. How long the connection should stay open in seconds.
182  	 *                                      Default 10.
183  	 * @param integer      $redirects       Optional. The number of allowed redirects. Default 5.
184  	 * @param string|array $headers         Optional. Array or string of headers to send with the request.
185  	 *                                      Default null.
186  	 * @param string       $useragent       Optional. User-agent value sent. Default null.
187  	 * @param boolean      $force_fsockopen Optional. Whether to force opening internet or unix domain socket
188  	 *                                      connection or not. Default false.
189  	 */
190  	public function __construct($url, $timeout = 10, $redirects = 5, $headers = null, $useragent = null, $force_fsockopen = false) {
191  		$this->url = $url;
192  		$this->timeout = $timeout;
193  		$this->redirects = $redirects;
194  		$this->headers = $headers;
195  		$this->useragent = $useragent;
196  
197  		$this->method = SIMPLEPIE_FILE_SOURCE_REMOTE;
198  
199  		if ( preg_match('/^http(s)?:\/\//i', $url) ) {
200  			$args = array(
201  				'timeout' => $this->timeout,
202  				'redirection' => $this->redirects,
203  			);
204  
205  			if ( !empty($this->headers) )
206  				$args['headers'] = $this->headers;
207  
208  			if ( SIMPLEPIE_USERAGENT != $this->useragent ) //Use default WP user agent unless custom has been specified
209  				$args['user-agent'] = $this->useragent;
210  
211  			$res = wp_safe_remote_request($url, $args);
212  
213  			if ( is_wp_error($res) ) {
214  				$this->error = 'WP HTTP Error: ' . $res->get_error_message();
215  				$this->success = false;
216  			} else {
217  				$this->headers = wp_remote_retrieve_headers( $res );
Issue on line 217: It seems like $res, defined by wp_safe_remote_request($url, $args) on line 211, can also be of type object<WP_Error>; however, wp_remote_retrieve_headers() only seems to accept array. Consider adding an additional type check. Note that the is_wp_error($res) branch on lines 213 to 216 already diverts the WP_Error case before this call is reached, which the legacy engine does not track.

If a method or function can return multiple different values, and unless you are sure that you can only receive a single value in this context, we recommend adding an additional type check:

/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

If this is a common case that PHP Analyzer should handle natively, please let us know by opening an issue.

218  				$this->body = wp_remote_retrieve_body( $res );
Issue on line 218: It seems like $res, defined by wp_safe_remote_request($url, $args) on line 211, can also be of type object<WP_Error>; however, wp_remote_retrieve_body() only seems to accept array. Consider adding an additional type check (same reasoning and recommendation as for the issue on line 217).

219  				$this->status_code = wp_remote_retrieve_response_code( $res );
Issue on line 219: It seems like $res, defined by wp_safe_remote_request($url, $args) on line 211, can also be of type object<WP_Error>; however, wp_remote_retrieve_response_code() only seems to accept array. Consider adding an additional type check (same reasoning and recommendation as for the issue on line 217).

220  			}
221  		} else {
222  			$this->error = '';
223  			$this->success = false;
224  		}
225  	}
226  }
227  
228  /**
229   * Core class used to implement SimplePie feed sanitization.
230   *
231   * Extends the SimplePie_Sanitize class to use KSES, because
232   * we cannot universally count on DOMDocument being available.
233   *
234   * @since 3.5.0
235   *
236   * @see SimplePie_Sanitize
237   */
238  class WP_SimplePie_Sanitize_KSES extends SimplePie_Sanitize {
239  
240  	/**
241  	 * WordPress SimplePie sanitization using KSES.
242  	 *
243  	 * Sanitizes the incoming data, to ensure that it matches the type of data expected, using KSES.
244  	 *
245  	 * @since 3.5.0
246  	 * @access public
247  	 *
248  	 * @param mixed   $data The data that needs to be sanitized.
249  	 * @param integer $type The type of data that it's supposed to be.
250  	 * @param string  $base Optional. The `xml:base` value to use when converting relative
251  	 *                      URLs to absolute ones. Default empty.
252  	 * @return mixed Sanitized data.
253  	 */
254  	public function sanitize( $data, $type, $base = '' ) {
255  		$data = trim( $data );
256  		if ( $type & SIMPLEPIE_CONSTRUCT_MAYBE_HTML ) {
257  			if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\/[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>)/', $data)) {
258  				$type |= SIMPLEPIE_CONSTRUCT_HTML;
259  			}
260  			else {
261  				$type |= SIMPLEPIE_CONSTRUCT_TEXT;
262  			}
263  		}
264  		if ( $type & SIMPLEPIE_CONSTRUCT_BASE64 ) {
265  			$data = base64_decode( $data );
266  		}
267  		if ( $type & ( SIMPLEPIE_CONSTRUCT_HTML | SIMPLEPIE_CONSTRUCT_XHTML ) ) {
268  			$data = wp_kses_post( $data );
269  			if ( $this->output_encoding !== 'UTF-8' ) {
270  				$data = $this->registry->call( 'Misc', 'change_encoding', array( $data, 'UTF-8', $this->output_encoding ) );
271  			}
272  			return $data;
273  		} else {
274  			return parent::sanitize( $data, $type, $base );
275  		}
276  	}
277  }
278  