File: //opt/cloudlinux/alt-php54/root/usr/share/pear/Bytekit/Scanner/Rule/ZendView.php
<?php
/**
* bytekit-cli
*
* Copyright (c) 2009-2012, Sebastian Bergmann <sb@sebastian-bergmann.de>.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* * Neither the name of Sebastian Bergmann nor the names of his
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* @package Bytekit
* @author Sebastian Bergmann <sb@sebastian-bergmann.de>, Lars Strojny <lstrojny@php.net>
* @author Lars Strojny <lstrojny@php.net>
* @copyright 2009-2012 Sebastian Bergmann <sb@sebastian-bergmann.de>
* @license http://www.opensource.org/licenses/BSD-3-Clause The BSD 3-Clause License
* @since File available since Release 1.0.0
*/
/**
* Scans for attributes that are not safe-guarded by Zend_View::escape().
*
* @author Sebastian Bergmann <sb@sebastian-bergmann.de>, Lars Strojny <lstrojny@php.net>
* @author Lars Strojny <lstrojny@php.net>
* @copyright 2009-2012 Sebastian Bergmann <sb@sebastian-bergmann.de>
* @license http://www.opensource.org/licenses/BSD-3-Clause The BSD 3-Clause License
* @version Release: 1.1.3
* @link http://github.com/sebastianbergmann/bytekit-cli/tree
* @since Class available since Release 1.0.0
*/
class Bytekit_Scanner_Rule_ZendView extends Bytekit_Scanner_Rule
{
/**
* Scan an oparray for attributes that are not safe-guarded by
* Zend_View::escape().
*
* @param array $oparray
* @param string $file
* @param string $function
* @param array $result
*/
public function process(array $oparray, $file, $function, array &$result)
{
$opArraySize = count($oparray);
foreach ($oparray['code'] as $n => $opline) {
$violation = FALSE;
if ($opline['mnemonic'] == 'ECHO' ||
$opline['mnemonic'] == 'PRINT') {
if ($this->lastOpCodeIs('FETCH_OBJ_R', $oparray, $n) ||
$this->lastOpCodeIs('FETCH_DIM_R', $oparray, $n)) {
$c = $n;
$propertyChain = array();
$violation = TRUE;
while ($c >= 0 &&
($this->lastOpCodeIs('FETCH_OBJ_R', $oparray, $c) ||
$this->lastOpCodeIs('FETCH_DIM_R', $oparray, $c))) {
$operand = array_pop(
$oparray['code'][--$c]['operands']
);
if ($this->lastOpCodeIs('FETCH_DIM_R', $oparray, $c + 1)) {
$propertyChain[] = array(
'name' => $operand['value'],
'type' => 'FETCH_DIM_R',
);
} else {
$propertyChain[] = array(
'name' => $operand['value'],
'type' => 'FETCH_OBJ_R',
);
}
}
$searchPosition = $n;
$variableName = 'this';
while ($searchPosition <= $opArraySize &&
isset($oparray['code'][$searchPosition]['operands'])) {
foreach ($oparray['code'][$searchPosition]['operands'] as $operand) {
if ($operand['string'][0] == '!') {
$cvPos = str_replace('!', '', $operand['string']);
$variableName = $oparray['raw']['cv'][$cvPos];
break 2;
}
}
++$searchPosition;
}
$propertyChain[] = array(
'name' => $variableName,
'type' => 'FETCH_OBJ_R',
);
}
}
if ($violation !== FALSE) {
$formattedProperty = NULL;
foreach (array_values(array_reverse($propertyChain)) as $position => $property) {
if ($formattedProperty === NULL) {
$formattedProperty = sprintf('$%s', $property['name']);
continue;
}
if ($property['type'] == 'FETCH_DIM_R') {
$formattedProperty .= sprintf('["%s"]', $property['name']);
continue;
}
if ($property['type'] == 'FETCH_OBJ_R') {
$formattedProperty .= sprintf('->%s', $property['name']);
}
}
$this->addViolation(
sprintf(
'Attribute %s is not safe-guarded by Zend_View::escape()',
$formattedProperty
),
$oparray,
$file,
$oparray['raw']['opcodes'][$opline['opline']]['lineno'],
$function,
$result
);
}
}
}
}