Issues in class-wp-http-cookie.php (master) - Issues in master - staylor/WordPress - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2010)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

wp-includes/class-wp-http-cookie.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * HTTP API: WP_Http_Cookie class
 *
 * @package WordPress
 * @subpackage HTTP
 * @since 4.4.0
 */

/**
 * Core class used to encapsulate a single cookie object for internal use.
 *
 * Returned cookies are represented using this class, and when cookies are set, if they are not
 * already a WP_Http_Cookie() object, then they are turned into one.
 *
 * @todo The WordPress convention is to use underscores instead of camelCase for function and method
 * names. Need to switch to use underscores instead for the methods.
 *
 * @since 2.8.0
 */
class WP_Http_Cookie {

	/**
	 * Cookie name.
	 *
	 * @since 2.8.0
	 * @var string
	 */
	public $name;

	/**
	 * Cookie value.
	 *
	 * @since 2.8.0
	 * @var string
	 */
	public $value;

	/**
	 * When the cookie expires.
	 *
	 * @since 2.8.0
	 * @var string
	 */
	public $expires;

	/**
	 * Cookie URL path.
	 *
	 * @since 2.8.0
	 * @var string
	 */
	public $path;

	/**
	 * Cookie Domain.
	 *
	 * @since 2.8.0
	 * @var string
	 */
	public $domain;

	/**
	 * Sets up this cookie object.
	 *
	 * The parameter $data should be either an associative array containing the indices names below
	 * or a header string detailing it.
	 *
	 * @since 2.8.0
	 * @access public
	 *
	 * @param string|array $data {
	 *     Raw cookie data as header string or data array.
	 *
	 *     @type string     $name    Cookie name.
	 *     @type mixed      $value   Value. Should NOT already be urlencoded.
	 *     @type string|int $expires Optional. Unix timestamp or formatted date. Default null.
	 *     @type string     $path    Optional. Path. Default '/'.
	 *     @type string     $domain  Optional. Domain. Default host of parsed $requested_url.
	 *     @type int        $port    Optional. Port. Default null.
	 * }
	 * @param string       $requested_url The URL which the cookie was set on, used for default $domain
	 *                                    and $port values.
	 */
	public function __construct( $data, $requested_url = '' ) {
		if ( $requested_url )
			$arrURL = @parse_url( $requested_url );
		if ( isset( $arrURL['host'] ) )
			$this->domain = $arrURL['host'];
		$this->path = isset( $arrURL['path'] ) ? $arrURL['path'] : '/';
		if (  '/' != substr( $this->path, -1 ) )
			$this->path = dirname( $this->path ) . '/';

		if ( is_string( $data ) ) {
			// Assume it's a header string direct from a previous request.
			$pairs = explode( ';', $data );

			// Special handling for first pair; name=value. Also be careful of "=" in value.
			$name  = trim( substr( $pairs[0], 0, strpos( $pairs[0], '=' ) ) );
			$value = substr( $pairs[0], strpos( $pairs[0], '=' ) + 1 );
			$this->name  = $name;
			$this->value = urldecode( $value );

			// Removes name=value from items.
			array_shift( $pairs );

			// Set everything else as a property.
			foreach ( $pairs as $pair ) {
				$pair = rtrim($pair);

				// Handle the cookie ending in ; which results in a empty final pair.
				if ( empty($pair) )
					continue;

				list( $key, $val ) = strpos( $pair, '=' ) ? explode( '=', $pair ) : array( $pair, '' );
				$key = strtolower( trim( $key ) );
				if ( 'expires' == $key )
					$val = strtotime( $val );
				$this->$key = $val;
			}
		} else {
			if ( !isset( $data['name'] ) )
				return;

			// Set properties based directly on parameters.
			foreach ( array( 'name', 'value', 'path', 'domain', 'port' ) as $field ) {
				if ( isset( $data[ $field ] ) )
					$this->$field = $data[ $field ];
			}

			if ( isset( $data['expires'] ) )
				$this->expires = is_int( $data['expires'] ) ? $data['expires'] : strtotime( $data['expires'] );
$answer = 42;

$correct = false;

$correct = (bool) $answer;
			else
				$this->expires = null;
		}
	}

	/**
	 * Confirms that it's OK to send this cookie to the URL checked against.
	 *
	 * Decision is based on RFC 2109/2965, so look there for details on validity.
	 *
	 * @access public
	 * @since 2.8.0
	 *
	 * @param string $url URL you intend to send this cookie to
	 * @return bool true if allowed, false otherwise.
	 */
	public function test( $url ) {
		if ( is_null( $this->name ) )
			return false;

		// Expires - if expired then nothing else matters.
		if ( isset( $this->expires ) && time() > $this->expires )
			return false;

		// Get details on the URL we're thinking about sending to.
		$url = parse_url( $url );
		$url['port'] = isset( $url['port'] ) ? $url['port'] : ( 'https' == $url['scheme'] ? 443 : 80 );
		$url['path'] = isset( $url['path'] ) ? $url['path'] : '/';

		// Values to use for comparison against the URL.
		$path   = isset( $this->path )   ? $this->path   : '/';
		$port   = isset( $this->port )   ? $this->port   : null;
class MyClass { }

$x = new MyClass();
$x->foo = true;
		$domain = isset( $this->domain ) ? strtolower( $this->domain ) : strtolower( $url['host'] );
		if ( false === stripos( $domain, '.' ) )
			$domain .= '.local';

		// Host - very basic check that the request URL ends with the domain restriction (minus leading dot).
		$domain = substr( $domain, 0, 1 ) == '.' ? substr( $domain, 1 ) : $domain;
		if ( substr( $url['host'], -strlen( $domain ) ) != $domain )
			return false;

		// Port - supports "port-lists" in the format: "80,8000,8080".
		if ( !empty( $port ) && !in_array( $url['port'], explode( ',', $port) ) )
			return false;

		// Path - request path must start with path restriction.
		if ( substr( $url['path'], 0, strlen( $path ) ) != $path )
			return false;

		return true;
	}

	/**
	 * Convert cookie name and value back to header string.
	 *
	 * @access public
	 * @since 2.8.0
	 *
	 * @return string Header encoded cookie name and value.
	 */
	public function getHeaderValue() {
		if ( ! isset( $this->name ) || ! isset( $this->value ) )
			return '';

		/**
		 * Filters the header-encoded cookie value.
		 *
		 * @since 3.4.0
		 *
		 * @param string $value The cookie value.
		 * @param string $name  The cookie name.
		 */
		return $this->name . '=' . apply_filters( 'wp_http_cookie_value', $this->value, $this->name );
	}

	/**
	 * Retrieve cookie header for usage in the rest of the WordPress HTTP API.
	 *
	 * @access public
	 * @since 2.8.0
	 *
	 * @return string
	 */
	public function getFullHeader() {
		return 'Cookie: ' . $this->getHeaderValue();
	}

	/**
	 * Retrieves cookie attributes.
	 *
	 * @since 4.6.0
	 * @access public
	 *
	 * @return array {
	 *    List of attributes.
	 *
	 *    @type string $expires When the cookie expires.
	 *    @type string $path    Cookie URL path.
	 *    @type string $domain  Cookie domain.
	 * }
	 */
	public function get_attributes() {
		return array(
			'expires' => $this->expires,
			'path'    => $this->path,
			'domain'  => $this->domain,
		);
	}
}


1			<?php
2			/**
3			* HTTP API: WP_Http_Cookie class
4			*
5			* @package WordPress
6			* @subpackage HTTP
7			* @since 4.4.0
8			*/
9
10			/**
11			* Core class used to encapsulate a single cookie object for internal use.
12			*
13			* Returned cookies are represented using this class, and when cookies are set, if they are not
14			* already a WP_Http_Cookie() object, then they are turned into one.
15			*
16			* @todo The WordPress convention is to use underscores instead of camelCase for function and method
17			* names. Need to switch to use underscores instead for the methods.
18			*
19			* @since 2.8.0
20			*/
21			class WP_Http_Cookie {
22
23			/**
24			* Cookie name.
25			*
26			* @since 2.8.0
27			* @var string
28			*/
29			public $name;
30
31			/**
32			* Cookie value.
33			*
34			* @since 2.8.0
35			* @var string
36			*/
37			public $value;
38
39			/**
40			* When the cookie expires.
41			*
42			* @since 2.8.0
43			* @var string
44			*/
45			public $expires;
46
47			/**
48			* Cookie URL path.
49			*
50			* @since 2.8.0
51			* @var string
52			*/
53			public $path;
54
55			/**
56			* Cookie Domain.
57			*
58			* @since 2.8.0
59			* @var string
60			*/
61			public $domain;
62
63			/**
64			* Sets up this cookie object.
65			*
66			* The parameter $data should be either an associative array containing the indices names below
67			* or a header string detailing it.
68			*
69			* @since 2.8.0
70			* @access public
71			*
72			* @param string\|array $data {
73			* Raw cookie data as header string or data array.
74			*
75			* @type string $name Cookie name.
76			* @type mixed $value Value. Should NOT already be urlencoded.
77			* @type string\|int $expires Optional. Unix timestamp or formatted date. Default null.
78			* @type string $path Optional. Path. Default '/'.
79			* @type string $domain Optional. Domain. Default host of parsed $requested_url.
80			* @type int $port Optional. Port. Default null.
81			* }
82			* @param string $requested_url The URL which the cookie was set on, used for default $domain
83			* and $port values.
84			*/
85			public function __construct( $data, $requested_url = '' ) {
86			if ( $requested_url )
87			$arrURL = @parse_url( $requested_url );
88			if ( isset( $arrURL['host'] ) )
89			$this->domain = $arrURL['host'];
90			$this->path = isset( $arrURL['path'] ) ? $arrURL['path'] : '/';
91			if ( '/' != substr( $this->path, -1 ) )
92			$this->path = dirname( $this->path ) . '/';
93
94			if ( is_string( $data ) ) {
95			// Assume it's a header string direct from a previous request.
96			$pairs = explode( ';', $data );
97
98			// Special handling for first pair; name=value. Also be careful of "=" in value.
99			$name = trim( substr( $pairs[0], 0, strpos( $pairs[0], '=' ) ) );
100			$value = substr( $pairs[0], strpos( $pairs[0], '=' ) + 1 );
101			$this->name = $name;
102			$this->value = urldecode( $value );
103
104			// Removes name=value from items.
105			array_shift( $pairs );
106
107			// Set everything else as a property.
108			foreach ( $pairs as $pair ) {
109			$pair = rtrim($pair);
110
111			// Handle the cookie ending in ; which results in a empty final pair.
112			if ( empty($pair) )
113			continue;
114
115			list( $key, $val ) = strpos( $pair, '=' ) ? explode( '=', $pair ) : array( $pair, '' );
116			$key = strtolower( trim( $key ) );
117			if ( 'expires' == $key )
118			$val = strtotime( $val );
119			$this->$key = $val;
120			}
121			} else {
122			if ( !isset( $data['name'] ) )
123			return;
124
125			// Set properties based directly on parameters.
126			foreach ( array( 'name', 'value', 'path', 'domain', 'port' ) as $field ) {
127			if ( isset( $data[ $field ] ) )
128			$this->$field = $data[ $field ];
129			}
130
131			if ( isset( $data['expires'] ) )
132			$this->expires = is_int( $data['expires'] ) ? $data['expires'] : strtotime( $data['expires'] );
			0 ignored issues – show Documentation Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$expires` was declared of type `string`, but `is_int($data['expires'])...otime($data['expires'])` is of type `integer`. Maybe add a type cast? This check looks for assignments to scalar types that may be of the wrong type. To ensure the code behaves as expected, it may be a good idea to add an explicit type cast. $answer = 42; $correct = false; $correct = (bool) $answer; Loading history...
133			else
134			$this->expires = null;
135			}
136			}
137
138			/**
139			* Confirms that it's OK to send this cookie to the URL checked against.
140			*
141			* Decision is based on RFC 2109/2965, so look there for details on validity.
142			*
143			* @access public
144			* @since 2.8.0
145			*
146			* @param string $url URL you intend to send this cookie to
147			* @return bool true if allowed, false otherwise.
148			*/
149			public function test( $url ) {
150			if ( is_null( $this->name ) )
151			return false;
152
153			// Expires - if expired then nothing else matters.
154			if ( isset( $this->expires ) && time() > $this->expires )
155			return false;
156
157			// Get details on the URL we're thinking about sending to.
158			$url = parse_url( $url );
159			$url['port'] = isset( $url['port'] ) ? $url['port'] : ( 'https' == $url['scheme'] ? 443 : 80 );
160			$url['path'] = isset( $url['path'] ) ? $url['path'] : '/';
161
162			// Values to use for comparison against the URL.
163			$path = isset( $this->path ) ? $this->path : '/';
164			$port = isset( $this->port ) ? $this->port : null;
			0 ignored issues – show Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `port` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
165			$domain = isset( $this->domain ) ? strtolower( $this->domain ) : strtolower( $url['host'] );
166			if ( false === stripos( $domain, '.' ) )
167			$domain .= '.local';
168
169			// Host - very basic check that the request URL ends with the domain restriction (minus leading dot).
170			$domain = substr( $domain, 0, 1 ) == '.' ? substr( $domain, 1 ) : $domain;
171			if ( substr( $url['host'], -strlen( $domain ) ) != $domain )
172			return false;
173
174			// Port - supports "port-lists" in the format: "80,8000,8080".
175			if ( !empty( $port ) && !in_array( $url['port'], explode( ',', $port) ) )
176			return false;
177
178			// Path - request path must start with path restriction.
179			if ( substr( $url['path'], 0, strlen( $path ) ) != $path )
180			return false;
181
182			return true;
183			}
184
185			/**
186			* Convert cookie name and value back to header string.
187			*
188			* @access public
189			* @since 2.8.0
190			*
191			* @return string Header encoded cookie name and value.
192			*/
193			public function getHeaderValue() {
194			if ( ! isset( $this->name ) \|\| ! isset( $this->value ) )
195			return '';
196
197			/**
198			* Filters the header-encoded cookie value.
199			*
200			* @since 3.4.0
201			*
202			* @param string $value The cookie value.
203			* @param string $name The cookie name.
204			*/
205			return $this->name . '=' . apply_filters( 'wp_http_cookie_value', $this->value, $this->name );
206			}
207
208			/**
209			* Retrieve cookie header for usage in the rest of the WordPress HTTP API.
210			*
211			* @access public
212			* @since 2.8.0
213			*
214			* @return string
215			*/
216			public function getFullHeader() {
217			return 'Cookie: ' . $this->getHeaderValue();
218			}
219
220			/**
221			* Retrieves cookie attributes.
222			*
223			* @since 4.6.0
224			* @access public
225			*
226			* @return array {
227			* List of attributes.
228			*
229			* @type string $expires When the cookie expires.
230			* @type string $path Cookie URL path.
231			* @type string $domain Cookie domain.
232			* }
233			*/
234			public function get_attributes() {
235			return array(
236			'expires' => $this->expires,
237			'path' => $this->path,
238			'domain' => $this->domain,
239			);
240			}
241			}
242

staylor / WordPress

Issues (2010)

Security Analysis not enabled

wp-includes/class-wp-http-cookie.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like