Issues in TextContent.php (master) - Issues in master - wikimedia/mediawiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4122)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/content/TextContent.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Content object implementation for representing flat text.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @since 1.21
 *
 * @file
 * @ingroup Content
 *
 * @author Daniel Kinzler
 */

/**
 * Content object implementation for representing flat text.
 *
 * TextContent instances are immutable
 *
 * @ingroup Content
 */
class TextContent extends AbstractContent {

	/**
	 * @param string $text
	 * @param string $model_id
	 * @throws MWException
	 */
	public function __construct( $text, $model_id = CONTENT_MODEL_TEXT ) {
		parent::__construct( $model_id );

		if ( $text === null || $text === false ) {
			wfWarn( "TextContent constructed with \$text = " . var_export( $text, true ) . "! "
				. "This may indicate an error in the caller's scope.", 2 );

			$text = '';
		}

		if ( !is_string( $text ) ) {
			throw new MWException( "TextContent expects a string in the constructor." );
		}

		$this->mText = $text;
class MyClass { }

$x = new MyClass();
$x->foo = true;
	}

	/**
	 * @note Mutable subclasses MUST override this to return a copy!
	 *
	 * @return Content $this
	 */
	public function copy() {
		return $this; # NOTE: this is ok since TextContent are immutable.
	}

	public function getTextForSummary( $maxlength = 250 ) {
		global $wgContLang;

		$text = $this->getNativeData();

		$truncatedtext = $wgContLang->truncate(
			preg_replace( "/[\n\r]/", ' ', $text ),
			max( 0, $maxlength ) );

		return $truncatedtext;
	}

	/**
	 * Returns the text's size in bytes.
	 *
	 * @return int
	 */
	public function getSize() {
		$text = $this->getNativeData();

		return strlen( $text );
	}

	/**
	 * Returns true if this content is not a redirect, and $wgArticleCountMethod
	 * is "any".
	 *
	 * @param bool|null $hasLinks If it is known whether this content contains links,
	 * provide this information here, to avoid redundant parsing to find out.
	 *
	 * @return bool
	 */
	public function isCountable( $hasLinks = null ) {
		global $wgArticleCountMethod;

		if ( $this->isRedirect() ) {
			return false;
		}

		if ( $wgArticleCountMethod === 'any' ) {
			return true;
		}

		return false;
	}

	/**
	 * Returns the text represented by this Content object, as a string.
	 *
	 * @return string The raw text.
	 */
	public function getNativeData() {
		return $this->mText;
	}

	/**
	 * Returns the text represented by this Content object, as a string.
	 *
	 * @return string The raw text.
	 */
	public function getTextForSearchIndex() {
		return $this->getNativeData();
	}

	/**
	 * Returns attempts to convert this content object to wikitext,
	 * and then returns the text string. The conversion may be lossy.
	 *
	 * @note this allows any text-based content to be transcluded as if it was wikitext.
	 *
	 * @return string|bool The raw text, or false if the conversion failed.
	 */
	public function getWikitextForTransclusion() {
		$wikitext = $this->convert( CONTENT_MODEL_WIKITEXT, 'lossy' );

		if ( $wikitext ) {
			return $wikitext->getNativeData();
		} else {
			return false;
		}
	}

	/**
	 * Do a "\r\n" -> "\n" and "\r" -> "\n" transformation
	 * as well as trim trailing whitespace
	 *
	 * This was formerly part of Parser::preSaveTransform, but
	 * for non-wikitext content models they probably still want
	 * to normalize line endings without all of the other PST
	 * changes.
	 *
	 * @since 1.28
	 * @param $text
	 * @return string
	 */
	public static function normalizeLineEndings( $text ) {
		return str_replace( [ "\r\n", "\r" ], "\n", rtrim( $text ) );
	}

	/**
	 * Returns a Content object with pre-save transformations applied.
	 *
	 * At a minimum, subclasses should make sure to call TextContent::normalizeLineEndings()
	 * either directly or part of Parser::preSaveTransform().
	 *
	 * @param Title $title
	 * @param User $user
	 * @param ParserOptions $popts
	 *
	 * @return Content
	 */
	public function preSaveTransform( Title $title, User $user, ParserOptions $popts ) {
		$text = $this->getNativeData();
		$pst = self::normalizeLineEndings( $text );

		return ( $text === $pst ) ? $this : new static( $pst, $this->getModel() );
	}

	/**
	 * Diff this content object with another content object.
	 *
	 * @since 1.21
	 *
	 * @param Content $that The other content object to compare this content object to.
	 * @param Language $lang The language object to use for text segmentation.
	 *    If not given, $wgContentLang is used.
	 *
	 * @return Diff A diff representing the changes that would have to be
	 *    made to this content object to make it equal to $that.
	 */
	public function diff( Content $that, Language $lang = null ) {
		global $wgContLang;

		$this->checkModelID( $that->getModel() );

		// @todo could implement this in DifferenceEngine and just delegate here?

		if ( !$lang ) {
			$lang = $wgContLang;
		}

		$otext = $this->getNativeData();
		$ntext = $that->getNativeData();

		# Note: Use native PHP diff, external engines don't give us abstract output
		$ota = explode( "\n", $lang->segmentForDiff( $otext ) );
		$nta = explode( "\n", $lang->segmentForDiff( $ntext ) );

		$diff = new Diff( $ota, $nta );

		return $diff;
	}

	/**
	 * Fills the provided ParserOutput object with information derived from the content.
	 * Unless $generateHtml was false, this includes an HTML representation of the content
	 * provided by getHtml().
	 *
	 * For content models listed in $wgTextModelsToParse, this method will call the MediaWiki
	 * wikitext parser on the text to extract any (wikitext) links, magic words, etc.
	 *
	 * Subclasses may override this to provide custom content processing.
	 * For custom HTML generation alone, it is sufficient to override getHtml().
	 *
	 * @param Title $title Context title for parsing
	 * @param int $revId Revision ID (for {{REVISIONID}})
	 * @param ParserOptions $options Parser options
	 * @param bool $generateHtml Whether or not to generate HTML
	 * @param ParserOutput $output The output object to fill (reference).
	 */
	protected function fillParserOutput( Title $title, $revId,
		ParserOptions $options, $generateHtml, ParserOutput &$output
	) {
		global $wgParser, $wgTextModelsToParse;

		if ( in_array( $this->getModel(), $wgTextModelsToParse ) ) {
			// parse just to get links etc into the database, HTML is replaced below.
			$output = $wgParser->parse( $this->getNativeData(), $title, $options, true, true, $revId );
		}

		if ( $generateHtml ) {
			$html = $this->getHtml();
		} else {
			$html = '';
		}

		$output->setText( $html );
	}

	/**
	 * Generates an HTML version of the content, for display. Used by
	 * fillParserOutput() to provide HTML for the ParserOutput object.
	 *
	 * Subclasses may override this to provide a custom HTML rendering.
	 * If further information is to be derived from the content (such as
	 * categories), the fillParserOutput() method can be overridden instead.
	 *
	 * For backwards-compatibility, this default implementation just calls
	 * getHighlightHtml().
	 *
	 * @return string An HTML representation of the content
	 */
	protected function getHtml() {
		return $this->getHighlightHtml();
	}

	/**
	 * Generates an HTML version of the content, for display.
	 *
	 * This default implementation returns an HTML-escaped version
	 * of the raw text content.
	 *
	 * @note The functionality of this method should really be implemented
	 * in getHtml(), and subclasses should override getHtml() if needed.
	 * getHighlightHtml() is kept around for backward compatibility with
	 * extensions that already override it.
	 *
	 * @deprecated since 1.24. Use getHtml() instead. In particular, subclasses overriding
	 *     getHighlightHtml() should override getHtml() instead.
	 *
	 * @return string An HTML representation of the content
	 */
	protected function getHighlightHtml() {
		return htmlspecialchars( $this->getNativeData() );
	}

	/**
	 * This implementation provides lossless conversion between content models based
	 * on TextContent.
	 *
	 * @param string $toModel The desired content model, use the CONTENT_MODEL_XXX flags.
	 * @param string $lossy Flag, set to "lossy" to allow lossy conversion. If lossy conversion is not
	 *     allowed, full round-trip conversion is expected to work without losing information.
	 *
	 * @return Content|bool A content object with the content model $toModel, or false if that
	 *     conversion is not supported.
	 *
	 * @see Content::convert()
	 */
	public function convert( $toModel, $lossy = '' ) {
		$converted = parent::convert( $toModel, $lossy );

		if ( $converted !== false ) {
			return $converted;
		}

		$toHandler = ContentHandler::getForModelID( $toModel );

		if ( $toHandler instanceof TextContentHandler ) {
			// NOTE: ignore content serialization format - it's just text anyway.
			$text = $this->getNativeData();
			$converted = $toHandler->unserializeContent( $text );
		}

		return $converted;
	}

}


1			<?php
2			/**
3			* Content object implementation for representing flat text.
4			*
5			* This program is free software; you can redistribute it and/or modify
6			* it under the terms of the GNU General Public License as published by
7			* the Free Software Foundation; either version 2 of the License, or
8			* (at your option) any later version.
9			*
10			* This program is distributed in the hope that it will be useful,
11			* but WITHOUT ANY WARRANTY; without even the implied warranty of
12			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13			* GNU General Public License for more details.
14			*
15			* You should have received a copy of the GNU General Public License along
16			* with this program; if not, write to the Free Software Foundation, Inc.,
17			* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18			* http://www.gnu.org/copyleft/gpl.html
19			*
20			* @since 1.21
21			*
22			* @file
23			* @ingroup Content
24			*
25			* @author Daniel Kinzler
26			*/
27
28			/**
29			* Content object implementation for representing flat text.
30			*
31			* TextContent instances are immutable
32			*
33			* @ingroup Content
34			*/
35			class TextContent extends AbstractContent {
36
37			/**
38			* @param string $text
39			* @param string $model_id
40			* @throws MWException
41			*/
42			public function __construct( $text, $model_id = CONTENT_MODEL_TEXT ) {
43			parent::__construct( $model_id );
44
45			if ( $text === null \|\| $text === false ) {
46			wfWarn( "TextContent constructed with \$text = " . var_export( $text, true ) . "! "
47			. "This may indicate an error in the caller's scope.", 2 );
48
49			$text = '';
50			}
51
52			if ( !is_string( $text ) ) {
53			throw new MWException( "TextContent expects a string in the constructor." );
54			}
55
56			$this->mText = $text;
			0 ignored issues – show Bug introduced 2016-01-16 18:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `mText` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
57			}
58
59			/**
60			* @note Mutable subclasses MUST override this to return a copy!
61			*
62			* @return Content $this
63			*/
64			public function copy() {
65			return $this; # NOTE: this is ok since TextContent are immutable.
66			}
67
68			public function getTextForSummary( $maxlength = 250 ) {
69			global $wgContLang;
70
71			$text = $this->getNativeData();
72
73			$truncatedtext = $wgContLang->truncate(
74			preg_replace( "/[\n\r]/", ' ', $text ),
75			max( 0, $maxlength ) );
76
77			return $truncatedtext;
78			}
79
80			/**
81			* Returns the text's size in bytes.
82			*
83			* @return int
84			*/
85			public function getSize() {
86			$text = $this->getNativeData();
87
88			return strlen( $text );
89			}
90
91			/**
92			* Returns true if this content is not a redirect, and $wgArticleCountMethod
93			* is "any".
94			*
95			* @param bool\|null $hasLinks If it is known whether this content contains links,
96			* provide this information here, to avoid redundant parsing to find out.
97			*
98			* @return bool
99			*/
100			public function isCountable( $hasLinks = null ) {
101			global $wgArticleCountMethod;
102
103			if ( $this->isRedirect() ) {
104			return false;
105			}
106
107			if ( $wgArticleCountMethod === 'any' ) {
108			return true;
109			}
110
111			return false;
112			}
113
114			/**
115			* Returns the text represented by this Content object, as a string.
116			*
117			* @return string The raw text.
118			*/
119			public function getNativeData() {
120			return $this->mText;
121			}
122
123			/**
124			* Returns the text represented by this Content object, as a string.
125			*
126			* @return string The raw text.
127			*/
128			public function getTextForSearchIndex() {
129			return $this->getNativeData();
130			}
131
132			/**
133			* Returns attempts to convert this content object to wikitext,
134			* and then returns the text string. The conversion may be lossy.
135			*
136			* @note this allows any text-based content to be transcluded as if it was wikitext.
137			*
138			* @return string\|bool The raw text, or false if the conversion failed.
139			*/
140			public function getWikitextForTransclusion() {
141			$wikitext = $this->convert( CONTENT_MODEL_WIKITEXT, 'lossy' );
142
143			if ( $wikitext ) {
144			return $wikitext->getNativeData();
145			} else {
146			return false;
147			}
148			}
149
150			/**
151			* Do a "\r\n" -> "\n" and "\r" -> "\n" transformation
152			* as well as trim trailing whitespace
153			*
154			* This was formerly part of Parser::preSaveTransform, but
155			* for non-wikitext content models they probably still want
156			* to normalize line endings without all of the other PST
157			* changes.
158			*
159			* @since 1.28
160			* @param $text
161			* @return string
162			*/
163			public static function normalizeLineEndings( $text ) {
164			return str_replace( [ "\r\n", "\r" ], "\n", rtrim( $text ) );
165			}
166
167			/**
168			* Returns a Content object with pre-save transformations applied.
169			*
170			* At a minimum, subclasses should make sure to call TextContent::normalizeLineEndings()
171			* either directly or part of Parser::preSaveTransform().
172			*
173			* @param Title $title
174			* @param User $user
175			* @param ParserOptions $popts
176			*
177			* @return Content
178			*/
179			public function preSaveTransform( Title $title, User $user, ParserOptions $popts ) {
180			$text = $this->getNativeData();
181			$pst = self::normalizeLineEndings( $text );
182
183			return ( $text === $pst ) ? $this : new static( $pst, $this->getModel() );
184			}
185
186			/**
187			* Diff this content object with another content object.
188			*
189			* @since 1.21
190			*
191			* @param Content $that The other content object to compare this content object to.
192			* @param Language $lang The language object to use for text segmentation.
193			* If not given, $wgContentLang is used.
194			*
195			* @return Diff A diff representing the changes that would have to be
196			* made to this content object to make it equal to $that.
197			*/
198			public function diff( Content $that, Language $lang = null ) {
199			global $wgContLang;
200
201			$this->checkModelID( $that->getModel() );
202
203			// @todo could implement this in DifferenceEngine and just delegate here?
204
205			if ( !$lang ) {
206			$lang = $wgContLang;
207			}
208
209			$otext = $this->getNativeData();
210			$ntext = $that->getNativeData();
211
212			# Note: Use native PHP diff, external engines don't give us abstract output
213			$ota = explode( "\n", $lang->segmentForDiff( $otext ) );
214			$nta = explode( "\n", $lang->segmentForDiff( $ntext ) );
215
216			$diff = new Diff( $ota, $nta );
217
218			return $diff;
219			}
220
221			/**
222			* Fills the provided ParserOutput object with information derived from the content.
223			* Unless $generateHtml was false, this includes an HTML representation of the content
224			* provided by getHtml().
225			*
226			* For content models listed in $wgTextModelsToParse, this method will call the MediaWiki
227			* wikitext parser on the text to extract any (wikitext) links, magic words, etc.
228			*
229			* Subclasses may override this to provide custom content processing.
230			* For custom HTML generation alone, it is sufficient to override getHtml().
231			*
232			* @param Title $title Context title for parsing
233			* @param int $revId Revision ID (for {{REVISIONID}})
234			* @param ParserOptions $options Parser options
235			* @param bool $generateHtml Whether or not to generate HTML
236			* @param ParserOutput $output The output object to fill (reference).
237			*/
238			protected function fillParserOutput( Title $title, $revId,
239			ParserOptions $options, $generateHtml, ParserOutput &$output
240			) {
241			global $wgParser, $wgTextModelsToParse;
242
243			if ( in_array( $this->getModel(), $wgTextModelsToParse ) ) {
244			// parse just to get links etc into the database, HTML is replaced below.
245			$output = $wgParser->parse( $this->getNativeData(), $title, $options, true, true, $revId );
246			}
247
248			if ( $generateHtml ) {
249			$html = $this->getHtml();
250			} else {
251			$html = '';
252			}
253
254			$output->setText( $html );
255			}
256
257			/**
258			* Generates an HTML version of the content, for display. Used by
259			* fillParserOutput() to provide HTML for the ParserOutput object.
260			*
261			* Subclasses may override this to provide a custom HTML rendering.
262			* If further information is to be derived from the content (such as
263			* categories), the fillParserOutput() method can be overridden instead.
264			*
265			* For backwards-compatibility, this default implementation just calls
266			* getHighlightHtml().
267			*
268			* @return string An HTML representation of the content
269			*/
270			protected function getHtml() {
271			return $this->getHighlightHtml();
272			}
273
274			/**
275			* Generates an HTML version of the content, for display.
276			*
277			* This default implementation returns an HTML-escaped version
278			* of the raw text content.
279			*
280			* @note The functionality of this method should really be implemented
281			* in getHtml(), and subclasses should override getHtml() if needed.
282			* getHighlightHtml() is kept around for backward compatibility with
283			* extensions that already override it.
284			*
285			* @deprecated since 1.24. Use getHtml() instead. In particular, subclasses overriding
286			* getHighlightHtml() should override getHtml() instead.
287			*
288			* @return string An HTML representation of the content
289			*/
290			protected function getHighlightHtml() {
291			return htmlspecialchars( $this->getNativeData() );
292			}
293
294			/**
295			* This implementation provides lossless conversion between content models based
296			* on TextContent.
297			*
298			* @param string $toModel The desired content model, use the CONTENT_MODEL_XXX flags.
299			* @param string $lossy Flag, set to "lossy" to allow lossy conversion. If lossy conversion is not
300			* allowed, full round-trip conversion is expected to work without losing information.
301			*
302			* @return Content\|bool A content object with the content model $toModel, or false if that
303			* conversion is not supported.
304			*
305			* @see Content::convert()
306			*/
307			public function convert( $toModel, $lossy = '' ) {
308			$converted = parent::convert( $toModel, $lossy );
309
310			if ( $converted !== false ) {
311			return $converted;
312			}
313
314			$toHandler = ContentHandler::getForModelID( $toModel );
315
316			if ( $toHandler instanceof TextContentHandler ) {
317			// NOTE: ignore content serialization format - it's just text anyway.
318			$text = $this->getNativeData();
319			$converted = $toHandler->unserializeContent( $text );
320			}
321
322			return $converted;
323			}
324
325			}
326

wikimedia / mediawiki

Issues (4122)

Security Analysis not enabled

includes/content/TextContent.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like