Issues in Emitter.php (master) - Issues in master - vakata/http - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Emitter.php (2 issues)

Labels

Unused Code 2

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace vakata\http;

use RuntimeException;
use Laminas\Diactoros\Response as PSRResponse;

use function ob_get_length;
use function ob_get_level;
use function sprintf;
use function str_replace;
use function ucwords;

class Emitter
{
    /**
     * Checks to see if content has previously been sent.
     *
     * If either headers have been sent or the output buffer contains content,
     * raises an exception.
     *
     * @throws RuntimeException if headers have already been sent.
     * @throws RuntimeException if output is present in the output buffer.
     */
    private function assertNoPreviousOutput()
    {
        if (headers_sent()) {
            throw new RuntimeException('Unable to emit response; headers already sent');
        }

        if (ob_get_level() > 0 && ob_get_length() > 0) {
            throw new RuntimeException('Output has been emitted previously; cannot emit response');
        }
    }

    /**
     * Emit the status line.
     *
     * Emits the status line using the protocol version and status code from
     * the response; if a reason phrase is available, it, too, is emitted.
     *
     * It is important to mention that this method should be called after
     * `emitHeaders()` in order to prevent PHP from changing the status code of
     * the emitted response.
     *
     * @param PSRResponse $response
     *
     * @see \Laminas\Diactoros\Response\SapiEmitterTrait::emitHeaders()
     */
    private function emitStatusLine(PSRResponse $response)
    {
        $reasonPhrase = $response->getReasonPhrase();
        $statusCode   = $response->getStatusCode();

        header(sprintf(
            'HTTP/%s %d%s',
            $response->getProtocolVersion(),
            $statusCode,
            ($reasonPhrase ? ' ' . $reasonPhrase : '')
        ), true, $statusCode);
    }

    /**
     * Emit response headers.
     *
     * Loops through each header, emitting each; if the header value
     * is an array with multiple values, ensures that each is sent
     * in such a way as to create aggregate headers (instead of replace
     * the previous).
     *
     * @param PSRResponse $response
     */
    private function emitHeaders(PSRResponse $response)
    {
        $statusCode = $response->getStatusCode();

        foreach ($response->getHeaders() as $header => $values) {
            $name  = $this->filterHeader($header);
            $first = $name === 'Set-Cookie' ? false : true;
            foreach ($values as $value) {
                header(sprintf(
                    '%s: %s',
                    $name,
                    $value
                ), $first, $statusCode);
                $first = false;
            }
        }
    }

    /**
     * Filter a header name to wordcase
     *
     * @param string $header
     * @return string
     */
    private function filterHeader($header)
    {
        $filtered = str_replace('-', ' ', $header);
        $filtered = ucwords($filtered);
        return str_replace(' ', '-', $filtered);
    }

    /**
     * Emits a response for a PHP SAPI environment.
     *
     * Emits the status line and headers via the header() function, and the
     * body content via the output buffer.
     *
     * @param PSRResponse $response
     */
    public function emit(PSRResponse $response, $maxBufferLength = 8192)
    {
        $this->assertNoPreviousOutput();

        $this->emitHeaders($response);
        $this->emitStatusLine($response);
        
        if (($response instanceof Response) && $response->hasCallback()) {
            call_user_func($response->getCallback());
        } elseif ($response->hasHeader('Accept-Ranges')) {
            $range = $this->parseContentRange($response->getHeaderLine('Content-Range'));
            if (is_array($range) && $range[0] === 'bytes') {
                $this->emitBodyRange($range, $response, $maxBufferLength);
            } else {
                $body = $response->getBody();
                if ($body->isSeekable()) {
                    $body->rewind();
                }
                if (!$body->isReadable()) {
                    echo $body;
                } else {
                    while (!$body->eof()) {
                        echo $body->read($maxBufferLength);
                    }
                }
            }
        } else {
            echo $response->getBody();
        }
    }

    /**
     * Parse content-range header
     * http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.16
     *
     * @param string $header
     * @return false|array [unit, first, last, length]; returns false if no
     *     content range or an invalid content range is provided
     */
    private function parseContentRange($header)
    {
        if (preg_match('/(?P<unit>[\w]+)\s+(?P<first>\d+)-(?P<last>\d+)\/(?P<length>\d+|\*)/', $header, $matches)) {
            return [
                $matches['unit'],
                (int) $matches['first'],
                (int) $matches['last'],
                $matches['length'] === '*' ? '*' : (int) $matches['length'],
            ];
        }
        return false;
    }
    /**
     * Emit a range of the message body.
     *
     * @param array $range
     * @param PSRResponse $response
     * @param int $maxBufferLength
     */
    private function emitBodyRange(array $range, PSRResponse $response, $maxBufferLength)
    {
        list($unit, $first, $last, $length) = $range;
<?php

function returnThreeValues() {
    return array('a', 'b', 'c');
}

list($a, $b, $c) = returnThreeValues();

print $a . " - " . $c;

        $body = $response->getBody();

        $length = $last - $first + 1;

        if ($body->isSeekable()) {
            $body->seek($first);

            $first = 0;
        }

        if (! $body->isReadable()) {
            echo substr($body->getContents(), $first, $length);
            return;
        }

        $remaining = $length;

        while ($remaining >= $maxBufferLength && ! $body->eof()) {
            $contents   = $body->read($maxBufferLength);
            $remaining -= strlen($contents);

            echo $contents;
        }

        if ($remaining > 0 && ! $body->eof()) {
            echo $body->read($remaining);
        }
    }
}


1			<?php
2
3			namespace vakata\http;
4
5			use RuntimeException;
6			use Laminas\Diactoros\Response as PSRResponse;
7
8			use function ob_get_length;
9			use function ob_get_level;
10			use function sprintf;
11			use function str_replace;
12			use function ucwords;
13
14			class Emitter
15			{
16			/**
17			* Checks to see if content has previously been sent.
18			*
19			* If either headers have been sent or the output buffer contains content,
20			* raises an exception.
21			*
22			* @throws RuntimeException if headers have already been sent.
23			* @throws RuntimeException if output is present in the output buffer.
24			*/
25			private function assertNoPreviousOutput()
26			{
27			if (headers_sent()) {
28			throw new RuntimeException('Unable to emit response; headers already sent');
29			}
30
31			if (ob_get_level() > 0 && ob_get_length() > 0) {
32			throw new RuntimeException('Output has been emitted previously; cannot emit response');
33			}
34			}
35
36			/**
37			* Emit the status line.
38			*
39			* Emits the status line using the protocol version and status code from
40			* the response; if a reason phrase is available, it, too, is emitted.
41			*
42			* It is important to mention that this method should be called after
43			* `emitHeaders()` in order to prevent PHP from changing the status code of
44			* the emitted response.
45			*
46			* @param PSRResponse $response
47			*
48			* @see \Laminas\Diactoros\Response\SapiEmitterTrait::emitHeaders()
49			*/
50			private function emitStatusLine(PSRResponse $response)
51			{
52			$reasonPhrase = $response->getReasonPhrase();
53			$statusCode = $response->getStatusCode();
54
55			header(sprintf(
56			'HTTP/%s %d%s',
57			$response->getProtocolVersion(),
58			$statusCode,
59			($reasonPhrase ? ' ' . $reasonPhrase : '')
60			), true, $statusCode);
61			}
62
63			/**
64			* Emit response headers.
65			*
66			* Loops through each header, emitting each; if the header value
67			* is an array with multiple values, ensures that each is sent
68			* in such a way as to create aggregate headers (instead of replace
69			* the previous).
70			*
71			* @param PSRResponse $response
72			*/
73			private function emitHeaders(PSRResponse $response)
74			{
75			$statusCode = $response->getStatusCode();
76
77			foreach ($response->getHeaders() as $header => $values) {
78			$name = $this->filterHeader($header);
79			$first = $name === 'Set-Cookie' ? false : true;
80			foreach ($values as $value) {
81			header(sprintf(
82			'%s: %s',
83			$name,
84			$value
85			), $first, $statusCode);
86			$first = false;
87			}
88			}
89			}
90
91			/**
92			* Filter a header name to wordcase
93			*
94			* @param string $header
95			* @return string
96			*/
97			private function filterHeader($header)
98			{
99			$filtered = str_replace('-', ' ', $header);
100			$filtered = ucwords($filtered);
101			return str_replace(' ', '-', $filtered);
102			}
103
104			/**
105			* Emits a response for a PHP SAPI environment.
106			*
107			* Emits the status line and headers via the header() function, and the
108			* body content via the output buffer.
109			*
110			* @param PSRResponse $response
111			*/
112			public function emit(PSRResponse $response, $maxBufferLength = 8192)
113			{
114			$this->assertNoPreviousOutput();
115
116			$this->emitHeaders($response);
117			$this->emitStatusLine($response);
118
119			if (($response instanceof Response) && $response->hasCallback()) {
120			call_user_func($response->getCallback());
121			} elseif ($response->hasHeader('Accept-Ranges')) {
122			$range = $this->parseContentRange($response->getHeaderLine('Content-Range'));
123			if (is_array($range) && $range[0] === 'bytes') {
124			$this->emitBodyRange($range, $response, $maxBufferLength);
125			} else {
126			$body = $response->getBody();
127			if ($body->isSeekable()) {
128			$body->rewind();
129			}
130			if (!$body->isReadable()) {
131			echo $body;
132			} else {
133			while (!$body->eof()) {
134			echo $body->read($maxBufferLength);
135			}
136			}
137			}
138			} else {
139			echo $response->getBody();
140			}
141			}
142
143			/**
144			* Parse content-range header
145			* http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.16
146			*
147			* @param string $header
148			* @return false\|array [unit, first, last, length]; returns false if no
149			* content range or an invalid content range is provided
150			*/
151			private function parseContentRange($header)
152			{
153			if (preg_match('/(?P<unit>[\w]+)\s+(?P<first>\d+)-(?P<last>\d+)\/(?P<length>\d+\|\*)/', $header, $matches)) {
154			return [
155			$matches['unit'],
156			(int) $matches['first'],
157			(int) $matches['last'],
158			$matches['length'] === '' ? '' : (int) $matches['length'],
159			];
160			}
161			return false;
162			}
163			/**
164			* Emit a range of the message body.
165			*
166			* @param array $range
167			* @param PSRResponse $response
168			* @param int $maxBufferLength
169			*/
170			private function emitBodyRange(array $range, PSRResponse $response, $maxBufferLength)
171			{
172			list($unit, $first, $last, $length) = $range;
			0 ignored issues – show Unused Code introduced 2018-08-31 09:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$unit` is unused. Consider omitting it like so `list($first,,$third)`. This checks looks for assignemnts to variables using the `list(...)` function, where not all assigned variables are subsequently used. Consider the following code example. <?php function returnThreeValues() { return array('a', 'b', 'c'); } list($a, $b, $c) = returnThreeValues(); print $a . " - " . $c; Only the variables `$a` and `$c` are used. There was no need to assign `$b`. Instead, the list call could have been. list($a,, $c) = returnThreeValues(); Loading history... Unused Code introduced 2018-08-31 09:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$length` is unused. Consider omitting it like so `list($first,,$third)`. This checks looks for assignemnts to variables using the `list(...)` function, where not all assigned variables are subsequently used. Consider the following code example. <?php function returnThreeValues() { return array('a', 'b', 'c'); } list($a, $b, $c) = returnThreeValues(); print $a . " - " . $c; Only the variables `$a` and `$c` are used. There was no need to assign `$b`. Instead, the list call could have been. list($a,, $c) = returnThreeValues(); Loading history...
173
174			$body = $response->getBody();
175
176			$length = $last - $first + 1;
177
178			if ($body->isSeekable()) {
179			$body->seek($first);
180
181			$first = 0;
182			}
183
184			if (! $body->isReadable()) {
185			echo substr($body->getContents(), $first, $length);
186			return;
187			}
188
189			$remaining = $length;
190
191			while ($remaining >= $maxBufferLength && ! $body->eof()) {
192			$contents = $body->read($maxBufferLength);
193			$remaining -= strlen($contents);
194
195			echo $contents;
196			}
197
198			if ($remaining > 0 && ! $body->eof()) {
199			echo $body->read($remaining);
200			}
201			}
202			}
203

vakata / http

Issues (2)

Security Analysis not enabled

src/Emitter.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like