Fix all remaning unsafe functions usages (#20261)

* Fix unsafe functions usage
* safe_mode no longer exists
* Fix selinux requirement check
* Fix unsafe functions usage

Author: trasher

.phpstan-baseline.php

@@ -82,6 +82,8 @@
         'symfony/property-access',
         'symfony/polyfill-mbstring',
     ], [ErrorType::UNUSED_DEPENDENCY])
+    ->ignoreErrorsOnExtension('ext-iconv', [ErrorType::UNUSED_DEPENDENCY]) // Required by Safe/iconv()
+    ->ignoreErrorsOnExtension('ext-zlib', [ErrorType::UNUSED_DEPENDENCY]) // Required by Safe/gzcompress() Safe::gzuncompress()
 
     ->disableReportingUnmatchedIgnores()
 ;

composer-dependency-analyser.php

@@ -174,7 +174,6 @@ public function testGrabPhpInfos()
                 'max_execution_time'    => ini_get('max_execution_time'),
                 'memory_limit'          => ini_get('memory_limit'),
                 'post_max_size'         => ini_get('post_max_size'),
-                'safe_mode'             => ini_get('safe_mode'),
                 'session'               => ini_get('session.save_handler'),
                 'upload_max_filesize'   => ini_get('upload_max_filesize'),
             ],

phpunit/functional/TelemetryTest.php

@@ -1970,7 +1970,7 @@ public function test_LogInFile_FilterRootPathInLogFile(): void
         $messageWithPath = 'Error somewhere in the path ' . GLPI_ROOT . ' triggered';
 
         // Act
-        assert(\Toolbox::logInFile(self::TEST_CUSTOM_LOG_FILE_NAME, $messageWithPath), 'log failed');
+        \Toolbox::logInFile(self::TEST_CUSTOM_LOG_FILE_NAME, $messageWithPath);
 
         // Assert
         $this->assertStringNotContainsString(\GLPI_ROOT, file_get_contents($this->getCustomLogFilePath()));

phpunit/functional/ToolboxTest.php

@@ -2043,7 +2043,7 @@ public function testUpdateItemWithNoInput()
                 'json'     => [],
             ],
             400,
-            'ERROR_JSON_PAYLOAD_INVALID'
+            'ERROR_BAD_ARRAY'
         );
     }
 

phpunit/web/APIRestTest.php

@@ -35,6 +35,8 @@
 
 use Glpi\DBAL\QueryExpression;
 
+use function Safe\json_encode;
+
 class Appliance_Item_Relation extends CommonDBRelation
 {
     public static $itemtype_1 = 'Appliance_Item';

src/Appliance_Item_Relation.php

@@ -39,6 +39,15 @@
 use Glpi\Event;
 use Glpi\Plugin\Hooks;
 use Glpi\Security\TOTPManager;
+use Safe\Exceptions\LdapException;
+
+use function Safe\ini_get;
+use function Safe\json_decode;
+use function Safe\json_encode;
+use function Safe\ldap_bind;
+use function Safe\parse_url;
+use function Safe\preg_match;
+use function Safe\session_name;
 
 /**
  *  Identification class used to login
@@ -330,22 +339,24 @@ public function connection_ldap($ldap_method, $login, $password, ?bool &$error =
             $dn = $info['dn'];
             $this->user_found = $dn !== '';
 
-            $bind_result = $this->user_found && @ldap_bind($this->ldap_connection, $dn, $password);
-
-            if ($this->user_found && $bind_result !== false) {
-                // Hook to implement to restrict access by checking the ldap directory
-                if (Plugin::doHookFunction(Hooks::RESTRICT_LDAP_AUTH, $info)) {
-                    return $info;
+            if ($this->user_found) {
+                try {
+                    @ldap_bind($this->ldap_connection, $dn, $password);
+                    // Hook to implement to restrict access by checking the ldap directory
+                    if (Plugin::doHookFunction(Hooks::RESTRICT_LDAP_AUTH, $info)) {
+                        return $info;
+                    }
+                    $this->addToError(__('User not authorized to connect in GLPI'));
+                    // Use is present by has no right to connect because of a plugin
+                    return false;
+                } catch (LdapException $e) {
+                    //empty catch
                 }
-                $this->addToError(__('User not authorized to connect in GLPI'));
-                // Use is present by has no right to connect because of a plugin
-                return false;
-            } else {
-                // Incorrect login
-                $this->addToError(__('Incorrect username or password'));
-                //Use is not present anymore in the directory!
-                return false;
             }
+            // Incorrect login
+            $this->addToError(__('Incorrect username or password'));
+            //Use is not present anymore in the directory!
+            return false;
         } else {
             // Directory is not available
             $this->addToError(__('Unable to connect to the LDAP directory'));

src/Auth.php

@@ -37,9 +37,19 @@
 use Glpi\Error\ErrorHandler;
 use Glpi\Toolbox\Filesystem;
 use LDAP\Connection;
-
+use Safe\Exceptions\DatetimeException;
+use Safe\Exceptions\LdapException;
+
+use function Safe\fsockopen;
+use function Safe\gmmktime;
+use function Safe\ldap_bind;
+use function Safe\ldap_get_entries;
+use function Safe\ldap_set_option;
 use function Safe\parse_url;
+use function Safe\preg_match;
 use function Safe\preg_replace;
+use function Safe\strtotime;
+use function Safe\unpack;
 
 /**
  *  Class used to manage Auth LDAP config
@@ -1274,7 +1284,12 @@ public static function ldapStamp2UnixStamp($ldapstamp, $ldap_time_offset = 0)
      */
     public static function date2ldapTimeStamp($date)
     {
-        return date("YmdHis", strtotime($date)) . '.0Z';
+        try {
+            $strdate = strtotime($date);
+        } catch (DatetimeException $e) {
+            $strdate = 0;
+        }
+        return date("YmdHis", $strdate) . '.0Z';
     }
 
     /**
@@ -1409,12 +1424,13 @@ private function testLDAPSockopen(?Connection &$connection): array
             $errstr = __('No hostname provided');
         }
 
-        if (@fsockopen($host, $port_num, $errno, $errstr, 5)) {
+        try {
+            @fsockopen($host, $port_num, $errno, $errstr, 5);
             return [
                 'success' => true,
                 'message' => sprintf(__('Connection to %s on port %s succeeded'), $host, $port_num),
             ];
-        } else {
+        } catch (\Safe\Exceptions\NetworkException $e) {
             return [
                 'success' => false,
                 'message' => sprintf(__('%s (ERR: %s) to %s on port %s'), $errstr, $errno, $host, $port_num),
@@ -1748,7 +1764,7 @@ public static function searchForUsers(
                 $sr = @ldap_search($ds, $values['basedn'], $filter, $attrs, 0, -1, -1, LDAP_DEREF_NEVER, $controls);
                 if (
                     $sr === false
-                    || @ldap_parse_result($ds, $sr, $errcode, $matcheddn, $errmsg, $referrals, $controls) === false
+                    || @ldap_parse_result($ds, $sr, $errcode, $matcheddn, $errmsg, $referrals, $controls) === false // @phpstan-ignore theCodingMachineSafe.function
                 ) {
                     // 32 = LDAP_NO_SUCH_OBJECT => This error can be silented as it just means that search produces no result.
                     if (ldap_errno($ds) !== 32) {
@@ -2430,7 +2446,7 @@ public static function getGroupsFromLDAP(
                 $sr = @ldap_search($ldap_connection, $config_ldap->fields['basedn'], $filter, $attrs, 0, -1, -1, LDAP_DEREF_NEVER, $controls);
                 if (
                     $sr === false
-                    || @ldap_parse_result($ldap_connection, $sr, $errcode, $matcheddn, $errmsg, $referrals, $controls) === false
+                    || @ldap_parse_result($ldap_connection, $sr, $errcode, $matcheddn, $errmsg, $referrals, $controls) === false // @phpstan-ignore theCodingMachineSafe.function
                 ) {
                     // 32 = LDAP_NO_SUCH_OBJECT => This error can be silented as it just means that search produces no result.
                     if (ldap_errno($ldap_connection) !== 32) {
@@ -2891,7 +2907,9 @@ public static function connectToServer(
         }
 
         foreach ($ldap_options as $option => $value) {
-            if (!@ldap_set_option($ds, $option, $value)) {
+            try {
+                @ldap_set_option($ds, $option, $value);
+            } catch (LdapException $e) {
                 trigger_error(
                     static::buildError(
                         $ds,
@@ -2911,25 +2929,35 @@ public static function connectToServer(
                 trigger_error("TLS certificate path is not safe.", E_USER_WARNING);
             } elseif (!file_exists($tls_certfile)) {
                 trigger_error("TLS certificate path is not valid.", E_USER_WARNING);
-            } elseif (!@ldap_set_option(null, LDAP_OPT_X_TLS_CERTFILE, $tls_certfile)) {
-                trigger_error("Unable to set LDAP option `LDAP_OPT_X_TLS_CERTFILE`", E_USER_WARNING);
+            } else {
+                try {
+                    @ldap_set_option(null, LDAP_OPT_X_TLS_CERTFILE, $tls_certfile);
+                } catch (LdapException $e) {
+                    trigger_error("Unable to set LDAP option `LDAP_OPT_X_TLS_CERTFILE`", E_USER_WARNING);
+                }
             }
         }
         if (!empty($tls_keyfile)) {
             if (!Filesystem::isFilepathSafe($tls_keyfile)) {
                 trigger_error("TLS key file path is not safe.", E_USER_WARNING);
             } elseif (!file_exists($tls_keyfile)) {
                 trigger_error("TLS key file path is not valid.", E_USER_WARNING);
-            } elseif (!@ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, $tls_keyfile)) {
-                trigger_error("Unable to set LDAP option `LDAP_OPT_X_TLS_KEYFILE`", E_USER_WARNING);
+            } else {
+                try {
+                    @ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, $tls_keyfile);
+                } catch (LdapException $e) {
+                    trigger_error("Unable to set LDAP option `LDAP_OPT_X_TLS_KEYFILE`", E_USER_WARNING);
+                }
             }
         }
         if (!empty($tls_version)) {
             $cipher_suite = 'NORMAL';
             foreach (self::TLS_VERSIONS as $tls_version_value) {
                 $cipher_suite .= ($tls_version_value == $tls_version ? ':+' : ':!') . 'VERS-TLS' . $tls_version_value;
             }
-            if (!@ldap_set_option(null, LDAP_OPT_X_TLS_CIPHER_SUITE, $cipher_suite)) {
+            try {
+                @ldap_set_option(null, LDAP_OPT_X_TLS_CIPHER_SUITE, $cipher_suite);
+            } catch (LdapException $e) {
                 trigger_error("Unable to set LDAP option `LDAP_OPT_X_TLS_CIPHER_SUITE`", E_USER_WARNING);
             }
         }
@@ -2958,14 +2986,15 @@ public static function connectToServer(
             return $ds;
         }
 
-        if ($login !== '') {
-            // Auth bind
-            $b = @ldap_bind($ds, $login, $password);
-        } else {
-            // Anonymous bind
-            $b = @ldap_bind($ds);
-        }
-        if ($b === false) {
+        try {
+            if ($login !== '') {
+                // Auth bind
+                @ldap_bind($ds, $login, $password);
+            } else {
+                // Anonymous bind
+                @ldap_bind($ds);
+            }
+        } catch (LdapException $e) {
             self::$last_errno = ldap_errno($ds);
             self::$last_error = ldap_error($ds);
 
@@ -3999,8 +4028,10 @@ public static function displayTabContentForItem(CommonGLPI $item, $tabnum = 1, $
      */
     public static function get_entries_clean($link, $result, ?bool &$error = null)
     {
-        $entries = @ldap_get_entries($link, $result);
-        if ($entries === false) {
+        try {
+            $entries = @ldap_get_entries($link, $result);
+            return $entries;
+        } catch (LdapException $e) {
             $error = true;
             trigger_error(
                 static::buildError(
@@ -4010,7 +4041,7 @@ public static function get_entries_clean($link, $result, ?bool &$error = null)
                 E_USER_WARNING
             );
         }
-        return $entries;
+        return [];
     }
 
     /**
@@ -4366,8 +4397,8 @@ final public static function buildError($ds, string $message): string
             $message,
             ldap_error($ds),
             ldap_errno($ds),
-            (ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag_message) ? "\nextended error: " . $diag_message : ''),
-            (ldap_get_option($ds, LDAP_OPT_ERROR_STRING, $err_message) ? "\nerr string: " . $err_message : '')
+            (ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag_message) ? "\nextended error: " . $diag_message : ''), // @phpstan-ignore theCodingMachineSafe.function
+            (ldap_get_option($ds, LDAP_OPT_ERROR_STRING, $err_message) ? "\nerr string: " . $err_message : '') // @phpstan-ignore theCodingMachineSafe.function
         );
         return $message;
     }

src/AuthLDAP.php

@@ -35,6 +35,8 @@
 
 use Glpi\Features\Clonable;
 
+use function Safe\preg_match;
+
 /**
  * Blacklist Class
  *

src/Blacklist.php

@@ -33,6 +33,8 @@
  * ---------------------------------------------------------------------
  */
 
+use function Safe\strtotime;
+
 /**
  * Calendar Class
  **/