Issues in class-wp-hydra.php (master) - Issues in master - tyxla/WP-Hydra - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no vulnerabilities found

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class-wp-hydra.php (1 issue)

Severity

Unknown 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Contains the main class.
 *
 * Responsible for the core plugin functionality.
 *
 * @package wp-hydra
 */

/**
 * Main WP_Hydra class.
 *
 * Replaces the original domain with the current domain, where necessary.
 * All of the magic is hooked upon WP_Hydra object initialization.
 */
class WP_Hydra {

	/**
	 * Constructor.
	 *
	 * Hooks all of the domain replacement functionality.
	 *
	 * @access public
	 */
	public function __construct() {
		// Modify domain where necessary.
		add_filter( 'option_blogname', array( $this, 'setup_domain' ), 1 );
		add_filter( 'option_siteurl', array( $this, 'setup_domain' ), 1 );
		add_filter( 'option_home', array( $this, 'setup_domain' ), 1 );
		add_filter( 'stylesheet_uri', array( $this, 'setup_domain' ), 1 );
		add_filter( 'stylesheet_directory_uri', array( $this, 'setup_domain' ), 1 );
		add_filter( 'template_directory_uri', array( $this, 'setup_domain' ), 1 );
		add_filter( 'plugins_url', array( $this, 'setup_domain' ), 1 );

		// Replace various occurences.
		add_filter( 'the_content', array( $this, 'setup_content' ) ); // In oost content.
		add_filter( 'widget_text', array( $this, 'setup_content' ) ); // In Widget text.
		add_filter( 'upload_dir', array( $this, 'setup_upload_dir' ) ); // In wp_upload_dir().

		// Allow developers to support multiple domains in fields that contain only a site URL.
		add_filter( 'wp_hydra_domain', array( $this, 'setup_domain' ) );

		// Allow developers to support URLs with multiple domains in their content.
		add_filter( 'wp_hydra_content', array( $this, 'setup_content' ) );
	}

	/**
	 * Replaces original domain with current domain in simple fields.
	 *
	 * @access public
	 *
	 * @param string $url The current URL.
	 * @return string $url The URL with the (maybe) replaced domain.
	 */
	public function setup_domain( $url ) {
		// Parse current URL.
		$original_domain_parts = parse_url( $url );

		// If unable to retrieve the host, skip.
		if ( empty( $original_domain_parts['host'] ) || ! isset( $_SERVER['HTTP_HOST'] ) ) {
			return $url;
		}

		// Get original and current domain.
		$original_domain = $original_domain_parts['host'];
		$current_domain  = $_SERVER['HTTP_HOST'];


		// If original and current domain match, skip.
		if ( $original_domain == $current_domain ) {
			return $url;
		}

		return $this->replace_domain( $url, $original_domain, $current_domain );
	}

	/**
	 * Replace the old domain with a new domain in a specific URL.
	 *
	 * @access protected
	 *
	 * @param string $url The current URL.
	 * @param string $old_domain The old domain.
	 * @param string $new_domain The new domain.
	 * @return string $url The new URL.
	 */
	protected function replace_domain( $url, $old_domain, $new_domain ) {
		// Prepare original domain and current domain with the current protocol.
		$protocols        = array( 'http://', 'https://' );
		$current_protocol = ( $this->is_ssl() ? 'https' : 'http' ) . '://';

		foreach ( $protocols as $protocol ) {
			$original_base = $protocol . $old_domain;
			$new_base      = $current_protocol . $new_domain;

			// Replace original domain with current domain.
			$url = str_replace( $original_base, $new_base, $url );
		}

		return $url;
	}

	/**
	 * Replaces original domain with current domain in content.
	 *
	 * @access public
	 *
	 * @param string $content The current content with the original domain.
	 * @return string $content The content with the new domain.
	 */
	public function setup_content( $content ) {
		// Get original home URL.
		remove_filter( 'option_home', array( $this, 'setup_domain' ), 1 );
		$original_home = home_url( '/' );
		add_filter( 'option_home', array( $this, 'setup_domain' ), 1 );

		// Get current home URL.
		$current_home = home_url( '/' );

		// Replace occurences of original URL with current home URL.
		$content = str_replace( $original_home, $current_home, $content );

		return $content;
	}

	/**
	 * Replaces original domain with current domain in wp_upload_dir().
	 *
	 * @access public
	 *
	 * @param array $upload_dir The current upload dir settings with the original domain.
	 * @return array $upload_dir The upload dir settings with the new domain.
	 */
	public function setup_upload_dir( $upload_dir ) {
		// Keys of array element that we'll be updating.
		$keys_to_update = array(
			'url',
			'baseurl',
		);

		// Fix all targeted array elements.
		foreach ( $keys_to_update as $key ) {
			$upload_dir[ $key ] = apply_filters( 'wp_hydra_domain', $upload_dir[ $key ] );
		}

		return $upload_dir;
	}

	/**
	 * Determine if SSL is used.
	 *
	 * @access public
	 *
	 * @return bool True if SSL, false if not used.
	 */
	public function is_ssl() {
		return is_ssl();
	}

}


1			<?php
2			/**
3			* Contains the main class.
4			*
5			* Responsible for the core plugin functionality.
6			*
7			* @package wp-hydra
8			*/
9
10			/**
11			* Main WP_Hydra class.
12			*
13			* Replaces the original domain with the current domain, where necessary.
14			* All of the magic is hooked upon WP_Hydra object initialization.
15			*/
16			class WP_Hydra {
17
18			/**
19			* Constructor.
20			*
21			* Hooks all of the domain replacement functionality.
22			*
23			* @access public
24			*/
25			public function __construct() {
26			// Modify domain where necessary.
27			add_filter( 'option_blogname', array( $this, 'setup_domain' ), 1 );
28			add_filter( 'option_siteurl', array( $this, 'setup_domain' ), 1 );
29			add_filter( 'option_home', array( $this, 'setup_domain' ), 1 );
30			add_filter( 'stylesheet_uri', array( $this, 'setup_domain' ), 1 );
31			add_filter( 'stylesheet_directory_uri', array( $this, 'setup_domain' ), 1 );
32			add_filter( 'template_directory_uri', array( $this, 'setup_domain' ), 1 );
33			add_filter( 'plugins_url', array( $this, 'setup_domain' ), 1 );
34
35			// Replace various occurences.
36			add_filter( 'the_content', array( $this, 'setup_content' ) ); // In oost content.
37			add_filter( 'widget_text', array( $this, 'setup_content' ) ); // In Widget text.
38			add_filter( 'upload_dir', array( $this, 'setup_upload_dir' ) ); // In wp_upload_dir().
39
40			// Allow developers to support multiple domains in fields that contain only a site URL.
41			add_filter( 'wp_hydra_domain', array( $this, 'setup_domain' ) );
42
43			// Allow developers to support URLs with multiple domains in their content.
44			add_filter( 'wp_hydra_content', array( $this, 'setup_content' ) );
45			}
46
47			/**
48			* Replaces original domain with current domain in simple fields.
49			*
50			* @access public
51			*
52			* @param string $url The current URL.
53			* @return string $url The URL with the (maybe) replaced domain.
54			*/
55			public function setup_domain( $url ) {
56			// Parse current URL.
57			$original_domain_parts = parse_url( $url );
58
59			// If unable to retrieve the host, skip.
60			if ( empty( $original_domain_parts['host'] ) \|\| ! isset( $_SERVER['HTTP_HOST'] ) ) {
61			return $url;
62			}
63
64			// Get original and current domain.
65			$original_domain = $original_domain_parts['host'];
66			$current_domain = $_SERVER['HTTP_HOST'];
			0 ignored issues – show introduced 2016-02-09 17:25 UTC by Report Bug Copy Issue Report Show Similar Issues like this Detected usage of a non-sanitized input variable: $_SERVER Loading history...
67
68			// If original and current domain match, skip.
69			if ( $original_domain == $current_domain ) {
70			return $url;
71			}
72
73			return $this->replace_domain( $url, $original_domain, $current_domain );
74			}
75
76			/**
77			* Replace the old domain with a new domain in a specific URL.
78			*
79			* @access protected
80			*
81			* @param string $url The current URL.
82			* @param string $old_domain The old domain.
83			* @param string $new_domain The new domain.
84			* @return string $url The new URL.
85			*/
86			protected function replace_domain( $url, $old_domain, $new_domain ) {
87			// Prepare original domain and current domain with the current protocol.
88			$protocols = array( 'http://', 'https://' );
89			$current_protocol = ( $this->is_ssl() ? 'https' : 'http' ) . '://';
90
91			foreach ( $protocols as $protocol ) {
92			$original_base = $protocol . $old_domain;
93			$new_base = $current_protocol . $new_domain;
94
95			// Replace original domain with current domain.
96			$url = str_replace( $original_base, $new_base, $url );
97			}
98
99			return $url;
100			}
101
102			/**
103			* Replaces original domain with current domain in content.
104			*
105			* @access public
106			*
107			* @param string $content The current content with the original domain.
108			* @return string $content The content with the new domain.
109			*/
110			public function setup_content( $content ) {
111			// Get original home URL.
112			remove_filter( 'option_home', array( $this, 'setup_domain' ), 1 );
113			$original_home = home_url( '/' );
114			add_filter( 'option_home', array( $this, 'setup_domain' ), 1 );
115
116			// Get current home URL.
117			$current_home = home_url( '/' );
118
119			// Replace occurences of original URL with current home URL.
120			$content = str_replace( $original_home, $current_home, $content );
121
122			return $content;
123			}
124
125			/**
126			* Replaces original domain with current domain in wp_upload_dir().
127			*
128			* @access public
129			*
130			* @param array $upload_dir The current upload dir settings with the original domain.
131			* @return array $upload_dir The upload dir settings with the new domain.
132			*/
133			public function setup_upload_dir( $upload_dir ) {
134			// Keys of array element that we'll be updating.
135			$keys_to_update = array(
136			'url',
137			'baseurl',
138			);
139
140			// Fix all targeted array elements.
141			foreach ( $keys_to_update as $key ) {
142			$upload_dir[ $key ] = apply_filters( 'wp_hydra_domain', $upload_dir[ $key ] );
143			}
144
145			return $upload_dir;
146			}
147
148			/**
149			* Determine if SSL is used.
150			*
151			* @access public
152			*
153			* @return bool True if SSL, false if not used.
154			*/
155			public function is_ssl() {
156			return is_ssl();
157			}
158
159			}
160

tyxla / WP-Hydra

Issues (1)

Security Analysis no vulnerabilities found

class-wp-hydra.php (1 issue)

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like