Issues in SpecialChangeCredentials.php (master) - Issues in master - wikimedia/mediawiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4122)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/specials/SpecialChangeCredentials.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

use MediaWiki\Auth\AuthenticationRequest;
use MediaWiki\Auth\AuthenticationResponse;
use MediaWiki\Auth\AuthManager;
use MediaWiki\Session\SessionManager;

/**
 * Special change to change credentials (such as the password).
 *
 * Also does most of the work for SpecialRemoveCredentials.
 */
class SpecialChangeCredentials extends AuthManagerSpecialPage {
	protected static $allowedActions = [ AuthManager::ACTION_CHANGE ];

	protected static $messagePrefix = 'changecredentials';

	/** Change action needs user data; remove action does not */
	protected static $loadUserData = true;

	public function __construct( $name = 'ChangeCredentials' ) {
		parent::__construct( $name, 'editmyprivateinfo' );
	}

	protected function getGroupName() {
		return 'users';
	}

	public function isListed() {
		$this->loadAuth( '' );
		return (bool)$this->authRequests;
	}

	public function doesWrites() {
		return true;
	}

	protected function getDefaultAction( $subPage ) {
		return AuthManager::ACTION_CHANGE;
	}

	protected function getPreservedParams( $withToken = false ) {
		$request = $this->getRequest();
		$params = parent::getPreservedParams( $withToken );
		$params += [
			'returnto' => $request->getVal( 'returnto' ),
			'returntoquery' => $request->getVal( 'returntoquery' ),
		];
		return $params;
	}

	public function onAuthChangeFormFields(
		array $requests, array $fieldInfo, array &$formDescriptor, $action
	) {
		// This method is never called for remove actions.

		$extraFields = [];
		Hooks::run( 'ChangePasswordForm', [ &$extraFields ], '1.27' );
		foreach ( $extraFields as $extra ) {
			list( $name, $label, $type, $default ) = $extra;
			$formDescriptor[$name] = [
				'type' => $type,
				'name' => $name,
				'label-message' => $label,
				'default' => $default,
			];

		}

		return parent::onAuthChangeFormFields( $requests, $fieldInfo, $formDescriptor, $action );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$this->outputHeader();

		$this->loadAuth( $subPage );

		if ( !$subPage ) {
			$this->showSubpageList();
			return;
		}

		if ( !$this->authRequests ) {
			// messages used: changecredentials-invalidsubpage, removecredentials-invalidsubpage
			$this->showSubpageList( $this->msg( static::$messagePrefix . '-invalidsubpage', $subPage ) );
			return;
		}

		$status = $this->trySubmit();

		if ( $status === false || !$status->isOK() ) {
			$this->displayForm( $status );
			return;
		}

		$response = $status->getValue();

		switch ( $response->status ) {
			case AuthenticationResponse::PASS:
				$this->success();
				break;
			case AuthenticationResponse::FAIL:
				$this->displayForm( Status::newFatal( $response->message ) );
				break;
			default:
				throw new LogicException( 'invalid AuthenticationResponse' );
		}
	}

	protected function loadAuth( $subPage, $authAction = null, $reset = false ) {
		parent::loadAuth( $subPage, $authAction );
		if ( $subPage ) {
			$this->authRequests = array_filter( $this->authRequests, function ( $req ) use ( $subPage ) {
				return $req->getUniqueId() === $subPage;
			} );
			if ( count( $this->authRequests ) > 1 ) {
				throw new LogicException( 'Multiple AuthenticationRequest objects with same ID!' );
			}
		}
	}

	protected function getAuthFormDescriptor( $requests, $action ) {
		if ( !static::$loadUserData ) {
			return [];
		} else {
			return parent::getAuthFormDescriptor( $requests, $action );
		}
	}

	protected function getAuthForm( array $requests, $action ) {
		$form = parent::getAuthForm( $requests, $action );
		$req = reset( $requests );
		$info = $req->describeCredentials();

		$form->addPreText(
			Html::openElement( 'dl' )
			. Html::element( 'dt', [], wfMessage( 'credentialsform-provider' ) )
			. Html::element( 'dd', [], $info['provider'] )
			. Html::element( 'dt', [], wfMessage( 'credentialsform-account' ) )
			. Html::element( 'dd', [], $info['account'] )
			. Html::closeElement( 'dl' )
		);

		// messages used: changecredentials-submit removecredentials-submit
		$form->setSubmitTextMsg( static::$messagePrefix . '-submit' );
		$form->showCancel()->setCancelTarget( $this->getReturnUrl() ?: Title::newMainPage() );
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

		return $form;
	}

	protected function needsSubmitButton( array $requests ) {
		// Change/remove forms show are built from a single AuthenticationRequest and do not allow
		// for redirect flow; they always need a submit button.
		return true;
	}

	public function handleFormSubmit( $data ) {
		// remove requests do not accept user input
		$requests = $this->authRequests;
		if ( static::$loadUserData ) {
			$requests = AuthenticationRequest::loadRequestsFromSubmission( $this->authRequests, $data );
		}

		$response = $this->performAuthenticationStep( $this->authAction, $requests );

		// we can't handle FAIL or similar as failure here since it might require changing the form
		return Status::newGood( $response );
	}

	/**
	 * @param Message|null $error
	 */
	protected function showSubpageList( $error = null ) {
		$out = $this->getOutput();

		if ( $error ) {
			$out->addHTML( $error->parse() );
		}

		$groupedRequests = [];
		foreach ( $this->authRequests as $req ) {
			$info = $req->describeCredentials();
			$groupedRequests[(string)$info['provider']][] = $req;
		}

		$linkRenderer = $this->getLinkRenderer();
		$out->addHTML( Html::openElement( 'dl' ) );
		foreach ( $groupedRequests as $group => $members ) {
			$out->addHTML( Html::element( 'dt', [], $group ) );
			foreach ( $members as $req ) {
				/** @var AuthenticationRequest $req */
				$info = $req->describeCredentials();
				$out->addHTML( Html::rawElement( 'dd', [],
					$linkRenderer->makeLink(
						$this->getPageTitle( $req->getUniqueId() ),
						$info['account']
					)
				) );
			}
		}
		$out->addHTML( Html::closeElement( 'dl' ) );
	}

	protected function success() {
		$session = $this->getRequest()->getSession();
		$user = $this->getUser();
		$out = $this->getOutput();
		$returnUrl = $this->getReturnUrl();

		// change user token and update the session
		SessionManager::singleton()->invalidateSessionsForUser( $user );
		$session->setUser( $user );
		$session->resetId();

		if ( $returnUrl ) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
			$out->redirect( $returnUrl );
		} else {
			// messages used: changecredentials-success removecredentials-success
			$out->wrapWikiMsg( "<div class=\"successbox\">\n$1\n</div>", static::$messagePrefix
				. '-success' );
			$out->returnToMain();
		}
	}

	/**
	 * @return string|null
	 */
	protected function getReturnUrl() {
		$request = $this->getRequest();
		$returnTo = $request->getText( 'returnto' );
		$returnToQuery = $request->getText( 'returntoquery', '' );

		if ( !$returnTo ) {
			return null;
		}

		$title = Title::newFromText( $returnTo );
		return $title->getFullURL( $returnToQuery );
	}

	protected function getRequestBlacklist() {
		return $this->getConfig()->get( 'ChangeCredentialsBlacklist' );
	}
}


1		<?php
2
3		use MediaWiki\Auth\AuthenticationRequest;
4		use MediaWiki\Auth\AuthenticationResponse;
5		use MediaWiki\Auth\AuthManager;
6		use MediaWiki\Session\SessionManager;
7
8		/**
9		* Special change to change credentials (such as the password).
10		*
11		* Also does most of the work for SpecialRemoveCredentials.
12		*/
13		class SpecialChangeCredentials extends AuthManagerSpecialPage {
14		protected static $allowedActions = [ AuthManager::ACTION_CHANGE ];
15
16		protected static $messagePrefix = 'changecredentials';
17
18		/** Change action needs user data; remove action does not */
19		protected static $loadUserData = true;
20
21		public function __construct( $name = 'ChangeCredentials' ) {
22		parent::__construct( $name, 'editmyprivateinfo' );
23		}
24
25		protected function getGroupName() {
26		return 'users';
27		}
28
29		public function isListed() {
30		$this->loadAuth( '' );
31		return (bool)$this->authRequests;
32		}
33
34		public function doesWrites() {
35		return true;
36		}
37
38		protected function getDefaultAction( $subPage ) {
39		return AuthManager::ACTION_CHANGE;
40		}
41
42		protected function getPreservedParams( $withToken = false ) {
43		$request = $this->getRequest();
44		$params = parent::getPreservedParams( $withToken );
45		$params += [
46		'returnto' => $request->getVal( 'returnto' ),
47		'returntoquery' => $request->getVal( 'returntoquery' ),
48		];
49		return $params;
50		}
51
52		public function onAuthChangeFormFields(
53		array $requests, array $fieldInfo, array &$formDescriptor, $action
54		) {
55		// This method is never called for remove actions.
56
57		$extraFields = [];
58		Hooks::run( 'ChangePasswordForm', [ &$extraFields ], '1.27' );
59		foreach ( $extraFields as $extra ) {
60		list( $name, $label, $type, $default ) = $extra;
61		$formDescriptor[$name] = [
62		'type' => $type,
63		'name' => $name,
64		'label-message' => $label,
65		'default' => $default,
66		];
67
68		}
69
70		return parent::onAuthChangeFormFields( $requests, $fieldInfo, $formDescriptor, $action );
71		}
72
73		public function execute( $subPage ) {
74		$this->setHeaders();
75		$this->outputHeader();
76
77		$this->loadAuth( $subPage );
78
79		if ( !$subPage ) {
80		$this->showSubpageList();
81		return;
82		}
83
84		if ( !$this->authRequests ) {
85		// messages used: changecredentials-invalidsubpage, removecredentials-invalidsubpage
86		$this->showSubpageList( $this->msg( static::$messagePrefix . '-invalidsubpage', $subPage ) );
87		return;
88		}
89
90		$status = $this->trySubmit();
91
92		if ( $status === false \|\| !$status->isOK() ) {
93		$this->displayForm( $status );
94		return;
95		}
96
97		$response = $status->getValue();
98
99		switch ( $response->status ) {
100		case AuthenticationResponse::PASS:
101		$this->success();
102		break;
103		case AuthenticationResponse::FAIL:
104		$this->displayForm( Status::newFatal( $response->message ) );
105		break;
106		default:
107		throw new LogicException( 'invalid AuthenticationResponse' );
108		}
109		}
110
111		protected function loadAuth( $subPage, $authAction = null, $reset = false ) {
112		parent::loadAuth( $subPage, $authAction );
113		if ( $subPage ) {
114		$this->authRequests = array_filter( $this->authRequests, function ( $req ) use ( $subPage ) {
115		return $req->getUniqueId() === $subPage;
116		} );
117		if ( count( $this->authRequests ) > 1 ) {
118		throw new LogicException( 'Multiple AuthenticationRequest objects with same ID!' );
119		}
120		}
121		}
122
123		protected function getAuthFormDescriptor( $requests, $action ) {
124		if ( !static::$loadUserData ) {
125		return [];
126		} else {
127		return parent::getAuthFormDescriptor( $requests, $action );
128		}
129		}
130
131		protected function getAuthForm( array $requests, $action ) {
132		$form = parent::getAuthForm( $requests, $action );
133		$req = reset( $requests );
134		$info = $req->describeCredentials();
135
136		$form->addPreText(
137		Html::openElement( 'dl' )
138		. Html::element( 'dt', [], wfMessage( 'credentialsform-provider' ) )
139		. Html::element( 'dd', [], $info['provider'] )
140		. Html::element( 'dt', [], wfMessage( 'credentialsform-account' ) )
141		. Html::element( 'dd', [], $info['account'] )
142		. Html::closeElement( 'dl' )
143		);
144
145		// messages used: changecredentials-submit removecredentials-submit
146		$form->setSubmitTextMsg( static::$messagePrefix . '-submit' );
147		$form->showCancel()->setCancelTarget( $this->getReturnUrl() ?: Title::newMainPage() );
		0 ignored issues – show Bug introduced 2016-06-03 18:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$this->getReturnUrl() ?: \Title::newMainPage()` can also be of type `null`; however, `HTMLForm::setCancelTarget()` does only seem to accept `object<Title>\|string`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
148
149		return $form;
150		}
151
152		protected function needsSubmitButton( array $requests ) {
153		// Change/remove forms show are built from a single AuthenticationRequest and do not allow
154		// for redirect flow; they always need a submit button.
155		return true;
156		}
157
158	View Code Duplication	public function handleFormSubmit( $data ) {
159		// remove requests do not accept user input
160		$requests = $this->authRequests;
161		if ( static::$loadUserData ) {
162		$requests = AuthenticationRequest::loadRequestsFromSubmission( $this->authRequests, $data );
163		}
164
165		$response = $this->performAuthenticationStep( $this->authAction, $requests );
166
167		// we can't handle FAIL or similar as failure here since it might require changing the form
168		return Status::newGood( $response );
169		}
170
171		/**
172		* @param Message\|null $error
173		*/
174		protected function showSubpageList( $error = null ) {
175		$out = $this->getOutput();
176
177		if ( $error ) {
178		$out->addHTML( $error->parse() );
179		}
180
181		$groupedRequests = [];
182		foreach ( $this->authRequests as $req ) {
183		$info = $req->describeCredentials();
184		$groupedRequests[(string)$info['provider']][] = $req;
185		}
186
187		$linkRenderer = $this->getLinkRenderer();
188		$out->addHTML( Html::openElement( 'dl' ) );
189		foreach ( $groupedRequests as $group => $members ) {
190		$out->addHTML( Html::element( 'dt', [], $group ) );
191		foreach ( $members as $req ) {
192		/** @var AuthenticationRequest $req */
193		$info = $req->describeCredentials();
194		$out->addHTML( Html::rawElement( 'dd', [],
195		$linkRenderer->makeLink(
196		$this->getPageTitle( $req->getUniqueId() ),
197		$info['account']
198		)
199		) );
200		}
201		}
202		$out->addHTML( Html::closeElement( 'dl' ) );
203		}
204
205		protected function success() {
206		$session = $this->getRequest()->getSession();
207		$user = $this->getUser();
208		$out = $this->getOutput();
209		$returnUrl = $this->getReturnUrl();
210
211		// change user token and update the session
212		SessionManager::singleton()->invalidateSessionsForUser( $user );
213		$session->setUser( $user );
214		$session->resetId();
215
216		if ( $returnUrl ) {
		0 ignored issues – show Bug Best Practice introduced 2016-05-17 17:54 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$returnUrl` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
217		$out->redirect( $returnUrl );
218		} else {
219		// messages used: changecredentials-success removecredentials-success
220		$out->wrapWikiMsg( "<div class=\"successbox\">\n$1\n</div>", static::$messagePrefix
221		. '-success' );
222		$out->returnToMain();
223		}
224		}
225
226		/**
227		* @return string\|null
228		*/
229		protected function getReturnUrl() {
230		$request = $this->getRequest();
231		$returnTo = $request->getText( 'returnto' );
232		$returnToQuery = $request->getText( 'returntoquery', '' );
233
234		if ( !$returnTo ) {
235		return null;
236		}
237
238		$title = Title::newFromText( $returnTo );
239		return $title->getFullURL( $returnToQuery );
240		}
241
242		protected function getRequestBlacklist() {
243		return $this->getConfig()->get( 'ChangeCredentialsBlacklist' );
244		}
245		}
246

wikimedia / mediawiki

Issues (4122)

Security Analysis not enabled

includes/specials/SpecialChangeCredentials.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like