Issues in UploadFromUrl.php (master) - Issues in master - wikimedia/mediawiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4122)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/upload/UploadFromUrl.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Backend for uploading files from a HTTP resource.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @file
 * @ingroup Upload
 */

/**
 * Implements uploading from a HTTP resource.
 *
 * @ingroup Upload
 * @author Bryan Tong Minh
 * @author Michael Dale
 */
class UploadFromUrl extends UploadBase {
	protected $mUrl;

	protected $mTempPath, $mTmpHandle;


	protected static $allowedUrls = [];

	/**
	 * Checks if the user is allowed to use the upload-by-URL feature. If the
	 * user is not allowed, return the name of the user right as a string. If
	 * the user is allowed, have the parent do further permissions checking.
	 *
	 * @param User $user
	 *
	 * @return bool|string
	 */
	public static function isAllowed( $user ) {
		if ( !$user->isAllowed( 'upload_by_url' ) ) {
			return 'upload_by_url';
		}

		return parent::isAllowed( $user );
	}

	/**
	 * Checks if the upload from URL feature is enabled
	 * @return bool
	 */
	public static function isEnabled() {
		global $wgAllowCopyUploads;

		return $wgAllowCopyUploads && parent::isEnabled();
	}

	/**
	 * Checks whether the URL is for an allowed host
	 * The domains in the whitelist can include wildcard characters (*) in place
	 * of any of the domain levels, e.g. '*.flickr.com' or 'upload.*.gov.uk'.
	 *
	 * @param string $url
	 * @return bool
	 */
	public static function isAllowedHost( $url ) {
		global $wgCopyUploadsDomains;
		if ( !count( $wgCopyUploadsDomains ) ) {
			return true;
		}
		$parsedUrl = wfParseUrl( $url );
		if ( !$parsedUrl ) {
			return false;
		}
		$valid = false;
		foreach ( $wgCopyUploadsDomains as $domain ) {
			// See if the domain for the upload matches this whitelisted domain
			$whitelistedDomainPieces = explode( '.', $domain );
			$uploadDomainPieces = explode( '.', $parsedUrl['host'] );
			if ( count( $whitelistedDomainPieces ) === count( $uploadDomainPieces ) ) {
				$valid = true;
				// See if all the pieces match or not (excluding wildcards)
				foreach ( $whitelistedDomainPieces as $index => $piece ) {
					if ( $piece !== '*' && $piece !== $uploadDomainPieces[$index] ) {
						$valid = false;
					}
				}
				if ( $valid ) {
					// We found a match, so quit comparing against the list
					break;
				}
			}
			/* Non-wildcard test
			if ( $parsedUrl['host'] === $domain ) {
				$valid = true;
				break;
			}
			*/
		}

		return $valid;
	}

	/**
	 * Checks whether the URL is not allowed.
	 *
	 * @param string $url
	 * @return bool
	 */
	public static function isAllowedUrl( $url ) {
		if ( !isset( self::$allowedUrls[$url] ) ) {
			$allowed = true;
			Hooks::run( 'IsUploadAllowedFromUrl', [ $url, &$allowed ] );
			self::$allowedUrls[$url] = $allowed;
		}

		return self::$allowedUrls[$url];
	}

	/**
	 * Entry point for API upload
	 *
	 * @param string $name
	 * @param string $url
	 * @throws MWException
	 */
	public function initialize( $name, $url ) {
		$this->mUrl = $url;

		$tempPath = $this->makeTemporaryFile();
		# File size and removeTempFile will be filled in later
		$this->initializePathInfo( $name, $tempPath, 0, false );
	}

	/**
	 * Entry point for SpecialUpload
	 * @param WebRequest $request
	 */
	public function initializeFromRequest( &$request ) {
		$desiredDestName = $request->getText( 'wpDestFile' );
		if ( !$desiredDestName ) {
			$desiredDestName = $request->getText( 'wpUploadFileURL' );
		}
		$this->initialize(
			$desiredDestName,
			trim( $request->getVal( 'wpUploadFileURL' ) ),
			false
		);
	}

	/**
	 * @param WebRequest $request
	 * @return bool
	 */
	public static function isValidRequest( $request ) {
		global $wgUser;

		$url = $request->getVal( 'wpUploadFileURL' );

		return !empty( $url )
			&& $wgUser->isAllowed( 'upload_by_url' );
	}

	/**
	 * @return string
	 */
	public function getSourceType() {
		return 'url';
	}

	/**
	 * Download the file
	 *
	 * @param array $httpOptions Array of options for MWHttpRequest.
	 *   This could be used to override the timeout on the http request.
	 * @return Status
	 */
	public function fetchFile( $httpOptions = [] ) {
		if ( !Http::isValidURI( $this->mUrl ) ) {
			return Status::newFatal( 'http-invalid-url', $this->mUrl );
		}

		if ( !self::isAllowedHost( $this->mUrl ) ) {
			return Status::newFatal( 'upload-copy-upload-invalid-domain' );
		}
		if ( !self::isAllowedUrl( $this->mUrl ) ) {
			return Status::newFatal( 'upload-copy-upload-invalid-url' );
		}
		return $this->reallyFetchFile( $httpOptions );
	}

	/**
	 * Create a new temporary file in the URL subdirectory of wfTempDir().
	 *
	 * @return string Path to the file
	 */
	protected function makeTemporaryFile() {
		$tmpFile = TempFSFile::factory( 'URL', 'urlupload_', wfTempDir() );
		$tmpFile->bind( $this );

		return $tmpFile->getPath();
	}

	/**
	 * Callback: save a chunk of the result of a HTTP request to the temporary file
	 *
	 * @param mixed $req
	 * @param string $buffer
	 * @return int Number of bytes handled
	 */
	public function saveTempFileChunk( $req, $buffer ) {
		wfDebugLog( 'fileupload', 'Received chunk of ' . strlen( $buffer ) . ' bytes' );
		$nbytes = fwrite( $this->mTmpHandle, $buffer );

		if ( $nbytes == strlen( $buffer ) ) {
			$this->mFileSize += $nbytes;
		} else {
			// Well... that's not good!
			wfDebugLog(
				'fileupload',
				'Short write ' . $this->nbytes . '/' . strlen( $buffer ) .
class MyClass { }

$x = new MyClass();
$x->foo = true;
					' bytes, aborting with ' . $this->mFileSize . ' uploaded so far'
			);
			fclose( $this->mTmpHandle );
			$this->mTmpHandle = false;
		}

		return $nbytes;
	}

	/**
	 * Download the file, save it to the temporary file and update the file
	 * size and set $mRemoveTempFile to true.
	 *
	 * @param array $httpOptions Array of options for MWHttpRequest
	 * @return Status
	 */
	protected function reallyFetchFile( $httpOptions = [] ) {
		global $wgCopyUploadProxy, $wgCopyUploadTimeout;
		if ( $this->mTempPath === false ) {
			return Status::newFatal( 'tmp-create-error' );
		}

		// Note the temporary file should already be created by makeTemporaryFile()
		$this->mTmpHandle = fopen( $this->mTempPath, 'wb' );
		if ( !$this->mTmpHandle ) {
			return Status::newFatal( 'tmp-create-error' );
		}
		wfDebugLog( 'fileupload', 'Temporary file created "' . $this->mTempPath . '"' );

		$this->mRemoveTempFile = true;
		$this->mFileSize = 0;

		$options = $httpOptions + [ 'followRedirects' => true ];

		if ( $wgCopyUploadProxy !== false ) {
			$options['proxy'] = $wgCopyUploadProxy;
		}

		if ( $wgCopyUploadTimeout && !isset( $options['timeout'] ) ) {
			$options['timeout'] = $wgCopyUploadTimeout;
		}
		wfDebugLog(
			'fileupload',
			'Starting download from "' . $this->mUrl . '" ' .
				'<' . implode( ',', array_keys( array_filter( $options ) ) ) . '>'
		);
		$req = MWHttpRequest::factory( $this->mUrl, $options, __METHOD__ );
		$req->setCallback( [ $this, 'saveTempFileChunk' ] );
		$status = $req->execute();

		if ( $this->mTmpHandle ) {
			// File got written ok...
			fclose( $this->mTmpHandle );
			$this->mTmpHandle = null;
		} else {
			// We encountered a write error during the download...
			return Status::newFatal( 'tmp-write-error' );
		}

		wfDebugLog( 'fileupload', $status );
		if ( $status->isOK() ) {
			wfDebugLog( 'fileupload', 'Download by URL completed successfuly.' );
		} else {
			wfDebugLog(
				'fileupload',
				'Download by URL completed with HTTP status ' . $req->getStatus()
			);
		}

		return $status;
	}
}


1			<?php
2			/**
3			* Backend for uploading files from a HTTP resource.
4			*
5			* This program is free software; you can redistribute it and/or modify
6			* it under the terms of the GNU General Public License as published by
7			* the Free Software Foundation; either version 2 of the License, or
8			* (at your option) any later version.
9			*
10			* This program is distributed in the hope that it will be useful,
11			* but WITHOUT ANY WARRANTY; without even the implied warranty of
12			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13			* GNU General Public License for more details.
14			*
15			* You should have received a copy of the GNU General Public License along
16			* with this program; if not, write to the Free Software Foundation, Inc.,
17			* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18			* http://www.gnu.org/copyleft/gpl.html
19			*
20			* @file
21			* @ingroup Upload
22			*/
23
24			/**
25			* Implements uploading from a HTTP resource.
26			*
27			* @ingroup Upload
28			* @author Bryan Tong Minh
29			* @author Michael Dale
30			*/
31			class UploadFromUrl extends UploadBase {
32			protected $mUrl;
33
34			protected $mTempPath, $mTmpHandle;
			0 ignored issues – show Coding Style introduced 2016-01-16 18:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally advisable to only define one property per statement. Only declaring a single property per statement allows you to later on add doc comments more easily. It is also recommended by PSR2, so it is a common style that many people expect. Loading history...
35
36			protected static $allowedUrls = [];
37
38			/**
39			* Checks if the user is allowed to use the upload-by-URL feature. If the
40			* user is not allowed, return the name of the user right as a string. If
41			* the user is allowed, have the parent do further permissions checking.
42			*
43			* @param User $user
44			*
45			* @return bool\|string
46			*/
47			public static function isAllowed( $user ) {
48			if ( !$user->isAllowed( 'upload_by_url' ) ) {
49			return 'upload_by_url';
50			}
51
52			return parent::isAllowed( $user );
53			}
54
55			/**
56			* Checks if the upload from URL feature is enabled
57			* @return bool
58			*/
59			public static function isEnabled() {
60			global $wgAllowCopyUploads;
61
62			return $wgAllowCopyUploads && parent::isEnabled();
63			}
64
65			/**
66			* Checks whether the URL is for an allowed host
67			* The domains in the whitelist can include wildcard characters (*) in place
68			* of any of the domain levels, e.g. '.flickr.com' or 'upload..gov.uk'.
69			*
70			* @param string $url
71			* @return bool
72			*/
73			public static function isAllowedHost( $url ) {
74			global $wgCopyUploadsDomains;
75			if ( !count( $wgCopyUploadsDomains ) ) {
76			return true;
77			}
78			$parsedUrl = wfParseUrl( $url );
79			if ( !$parsedUrl ) {
80			return false;
81			}
82			$valid = false;
83			foreach ( $wgCopyUploadsDomains as $domain ) {
84			// See if the domain for the upload matches this whitelisted domain
85			$whitelistedDomainPieces = explode( '.', $domain );
86			$uploadDomainPieces = explode( '.', $parsedUrl['host'] );
87			if ( count( $whitelistedDomainPieces ) === count( $uploadDomainPieces ) ) {
88			$valid = true;
89			// See if all the pieces match or not (excluding wildcards)
90			foreach ( $whitelistedDomainPieces as $index => $piece ) {
91			if ( $piece !== '*' && $piece !== $uploadDomainPieces[$index] ) {
92			$valid = false;
93			}
94			}
95			if ( $valid ) {
96			// We found a match, so quit comparing against the list
97			break;
98			}
99			}
100			/* Non-wildcard test
101			if ( $parsedUrl['host'] === $domain ) {
102			$valid = true;
103			break;
104			}
105			*/
106			}
107
108			return $valid;
109			}
110
111			/**
112			* Checks whether the URL is not allowed.
113			*
114			* @param string $url
115			* @return bool
116			*/
117			public static function isAllowedUrl( $url ) {
118			if ( !isset( self::$allowedUrls[$url] ) ) {
119			$allowed = true;
120			Hooks::run( 'IsUploadAllowedFromUrl', [ $url, &$allowed ] );
121			self::$allowedUrls[$url] = $allowed;
122			}
123
124			return self::$allowedUrls[$url];
125			}
126
127			/**
128			* Entry point for API upload
129			*
130			* @param string $name
131			* @param string $url
132			* @throws MWException
133			*/
134			public function initialize( $name, $url ) {
135			$this->mUrl = $url;
136
137			$tempPath = $this->makeTemporaryFile();
138			# File size and removeTempFile will be filled in later
139			$this->initializePathInfo( $name, $tempPath, 0, false );
140			}
141
142			/**
143			* Entry point for SpecialUpload
144			* @param WebRequest $request
145			*/
146			public function initializeFromRequest( &$request ) {
147			$desiredDestName = $request->getText( 'wpDestFile' );
148			if ( !$desiredDestName ) {
149			$desiredDestName = $request->getText( 'wpUploadFileURL' );
150			}
151			$this->initialize(
152			$desiredDestName,
153			trim( $request->getVal( 'wpUploadFileURL' ) ),
154			false
155			);
156			}
157
158			/**
159			* @param WebRequest $request
160			* @return bool
161			*/
162			public static function isValidRequest( $request ) {
163			global $wgUser;
164
165			$url = $request->getVal( 'wpUploadFileURL' );
166
167			return !empty( $url )
168			&& $wgUser->isAllowed( 'upload_by_url' );
169			}
170
171			/**
172			* @return string
173			*/
174			public function getSourceType() {
175			return 'url';
176			}
177
178			/**
179			* Download the file
180			*
181			* @param array $httpOptions Array of options for MWHttpRequest.
182			* This could be used to override the timeout on the http request.
183			* @return Status
184			*/
185			public function fetchFile( $httpOptions = [] ) {
186			if ( !Http::isValidURI( $this->mUrl ) ) {
187			return Status::newFatal( 'http-invalid-url', $this->mUrl );
188			}
189
190			if ( !self::isAllowedHost( $this->mUrl ) ) {
191			return Status::newFatal( 'upload-copy-upload-invalid-domain' );
192			}
193			if ( !self::isAllowedUrl( $this->mUrl ) ) {
194			return Status::newFatal( 'upload-copy-upload-invalid-url' );
195			}
196			return $this->reallyFetchFile( $httpOptions );
197			}
198
199			/**
200			* Create a new temporary file in the URL subdirectory of wfTempDir().
201			*
202			* @return string Path to the file
203			*/
204			protected function makeTemporaryFile() {
205			$tmpFile = TempFSFile::factory( 'URL', 'urlupload_', wfTempDir() );
206			$tmpFile->bind( $this );
207
208			return $tmpFile->getPath();
209			}
210
211			/**
212			* Callback: save a chunk of the result of a HTTP request to the temporary file
213			*
214			* @param mixed $req
215			* @param string $buffer
216			* @return int Number of bytes handled
217			*/
218			public function saveTempFileChunk( $req, $buffer ) {
219			wfDebugLog( 'fileupload', 'Received chunk of ' . strlen( $buffer ) . ' bytes' );
220			$nbytes = fwrite( $this->mTmpHandle, $buffer );
221
222			if ( $nbytes == strlen( $buffer ) ) {
223			$this->mFileSize += $nbytes;
224			} else {
225			// Well... that's not good!
226			wfDebugLog(
227			'fileupload',
228			'Short write ' . $this->nbytes . '/' . strlen( $buffer ) .
			0 ignored issues – show Bug introduced 2016-01-16 18:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `nbytes` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
229			' bytes, aborting with ' . $this->mFileSize . ' uploaded so far'
230			);
231			fclose( $this->mTmpHandle );
232			$this->mTmpHandle = false;
233			}
234
235			return $nbytes;
236			}
237
238			/**
239			* Download the file, save it to the temporary file and update the file
240			* size and set $mRemoveTempFile to true.
241			*
242			* @param array $httpOptions Array of options for MWHttpRequest
243			* @return Status
244			*/
245			protected function reallyFetchFile( $httpOptions = [] ) {
246			global $wgCopyUploadProxy, $wgCopyUploadTimeout;
247			if ( $this->mTempPath === false ) {
248			return Status::newFatal( 'tmp-create-error' );
249			}
250
251			// Note the temporary file should already be created by makeTemporaryFile()
252			$this->mTmpHandle = fopen( $this->mTempPath, 'wb' );
253			if ( !$this->mTmpHandle ) {
254			return Status::newFatal( 'tmp-create-error' );
255			}
256			wfDebugLog( 'fileupload', 'Temporary file created "' . $this->mTempPath . '"' );
257
258			$this->mRemoveTempFile = true;
259			$this->mFileSize = 0;
260
261			$options = $httpOptions + [ 'followRedirects' => true ];
262
263			if ( $wgCopyUploadProxy !== false ) {
264			$options['proxy'] = $wgCopyUploadProxy;
265			}
266
267			if ( $wgCopyUploadTimeout && !isset( $options['timeout'] ) ) {
268			$options['timeout'] = $wgCopyUploadTimeout;
269			}
270			wfDebugLog(
271			'fileupload',
272			'Starting download from "' . $this->mUrl . '" ' .
273			'<' . implode( ',', array_keys( array_filter( $options ) ) ) . '>'
274			);
275			$req = MWHttpRequest::factory( $this->mUrl, $options, __METHOD__ );
276			$req->setCallback( [ $this, 'saveTempFileChunk' ] );
277			$status = $req->execute();
278
279			if ( $this->mTmpHandle ) {
280			// File got written ok...
281			fclose( $this->mTmpHandle );
282			$this->mTmpHandle = null;
283			} else {
284			// We encountered a write error during the download...
285			return Status::newFatal( 'tmp-write-error' );
286			}
287
288			wfDebugLog( 'fileupload', $status );
289			if ( $status->isOK() ) {
290			wfDebugLog( 'fileupload', 'Download by URL completed successfuly.' );
291			} else {
292			wfDebugLog(
293			'fileupload',
294			'Download by URL completed with HTTP status ' . $req->getStatus()
295			);
296			}
297
298			return $status;
299			}
300			}
301

wikimedia / mediawiki

Issues (4122)

Security Analysis not enabled

includes/upload/UploadFromUrl.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like