admin-page-framework.min.php security issue?

[Dea-Renate]

Hi,

VaultPress is flagging this file as a security issue (PHP.Bad.Include.2), with the following code on line 42 in /lib/admin/admin-page-framework.min.php being the culprit:

Included() ); } private function _getIncluded() { $_aIncluded = array(); foreach( $this->_aLevels as $_iLevel => $iLevelText ) { if ( $this->_iLevel & $_iLevel ) { $_aIncluded[] = $_iLevel; } } return $_aIncluded; } private function _getErrorDescription( $aIncluded ) { $_iAll = count( $this->_aLevels ); $_aValues = array(); if ( count( $aIncluded ) > $_iAll / 2 ) { $_aValues[] = 'E_ALL'; foreach( $this->_aLevels as $_iLevel => $iLevelText ) { if ( ! in_array( $_iLevel, $aIncluded ) ) { $_aValues[] = $iLevelText; } } return implode( ' & ~', $_aValues ); } foreach( $aIncluded as $_iLevel ) { $_aValues[] = $this->_aLevels[ $_iLevel ]; } return implode( ' | ', $_aValues ); } } endif;if ( ! class_exists( 'AdminPageFramework_RegisterClasses' ) ) : class AdminPageFramework_RegisterClasses { public $_aClasses = array(); static protected $_aStructure_RecursiveOptions = array( 'is_recursive' => true, 'exclude_dir_paths' => array(), 'exclude_dir_names' => array( 'asset', 'assets', 'css', 'js', 'image', 'images', 'license', 'document', 'documents' ), 'allowed_extensions' => array( 'php', ), ); function __construct( $asScanDirPaths, array $aSearchOptions=array(), array $aClasses=array() ) { $this->_aClasses = $aClasses + $this->_constructClassArray( $asScanDirPaths, $aSearchOptions + self::$_aStructure_RecursiveOptions ); $this->_registerClasses(); } protected function _constructClassArray( $asScanDirPaths, array $aSearchOptions ) { if ( empty( $asScanDirPaths ) ) { return array(); } $_aFilePaths = array(); foreach( ( array ) $asScanDirPaths as $_sClassDirPath ) { if ( realpath( $_sClassDirPath ) ) { $_aFilePaths = array_merge( $this->getFilePaths( $_sClassDirPath, $aSearchOptions ), $_aFilePaths ); } } $_aClasses = array(); foreach( $_aFilePaths as $_sFilePath ) { $_aClasses[ pathinfo( $_sFilePath, PATHINFO_FILENAME ) ] = $_sFilePath; } return $_aClasses; } protected function getFilePaths( $sClassDirPath, array $aSearchOptions ) { $sClassDirPath = rtrim( $sClassDirPath, '\\/' ) . DIRECTORY_SEPARATOR; $_aAllowedExtensions = $aSearchOptions['allowed_extensions']; $_aExcludeDirPaths = ( array ) $aSearchOptions['exclude_dir_paths']; $_aExcludeDirNames = ( array ) $aSearchOptions['exclude_dir_names']; $_bIsRecursive = $aSearchOptions[ 'is_recursive' ]; if ( defined( 'GLOB_BRACE' ) ) { $_aFilePaths = $_bIsRecursive ? $this->doRecursiveGlob( $sClassDirPath . '*.' . $this->_getGlobPatternExtensionPart( $_aAllowedExtensions ), GLOB_BRACE, $_aExcludeDirPaths, $_aExcludeDirNames ) : ( array ) glob( $sClassDirPath . '*.' . $this->_getGlobPatternExtensionPart( $_aAllowedExtensions ), GLOB_BRACE ); return array_filter( $_aFilePaths ); } $_aFilePaths = array(); foreach( $_aAllowedExtensions as $__sAllowedExtension ) { $__aFilePaths = $_bIsRecursive ? $this->doRecursiveGlob( $sClassDirPath . '*.' . $__sAllowedExtension, 0, $_aExcludeDirPaths, $_aExcludeDirNames ) : ( array ) glob( $sClassDirPath . '*.' . $__sAllowedExtension ); $_aFilePaths = array_merge( $__aFilePaths, $_aFilePaths ); } return array_unique( array_filter( $_aFilePaths ) ); } protected function _getGlobPatternExtensionPart( array $aExtensions=array( 'php', 'inc' ) ) { return empty( $aExtensions ) ? '*' : '{' . implode( ',', $aExtensions ) . '}'; } protected function doRecursiveGlob( $sPathPatten, $nFlags=0, array $aExcludeDirs=array(), array $aExcludeDirNames=array() ) { $_aFiles = glob( $sPathPatten, $nFlags ); $_aFiles = is_array( $_aFiles ) ? $_aFiles : array(); $_aDirs = glob( dirname( $sPathPatten ) . DIRECTORY_SEPARATOR . '*', GLOB_ONLYDIR|GLOB_NOSORT ); $_aDirs = is_array( $_aDirs ) ? $_aDirs : array(); foreach ( $_aDirs as $_sDirPath ) { if ( in_array( $_sDirPath, $aExcludeDirs ) ) { continue; } if ( in_array( pathinfo( $_sDirPath, PATHINFO_DIRNAME ), $aExcludeDirNames ) ) { continue; } $_aFiles = array_merge( $_aFiles, $this->doRecursiveGlob( $_sDirPath . DIRECTORY_SEPARATOR . basename( $sPathPatten ), $nFlags, $aExcludeDirs ) ); } return $_aFiles; } protected function _registerClasses() { spl_autoload_register( array( $this, '_replyToAutoLoad' ) ); } public function _replyToAutoLoad( $sCalledUnknownClassName ) { if ( ! isset( $this->_aClasses[ $sCalledUnknownClassName ] ) ) { return; } include( $this->_aClasses[ $sCalledUnknownClassName ] ); } } endif;if ( ! class_exists( 'AdminPageFramework_Utility_String' ) ) : abstract class AdminPageFramework_Utility_String { public static function sanitizeSlug( $sSlug ) { return is_null( $sSlug ) ? null : preg_replace( '/[^a-zA-Z0-9_\x7f-\xff]/', '_', trim( $sSlug ) ); } public static function sanitizeString( $sString ) { return is_null( $sString ) ? null : preg_replace( '/[^a-zA-Z0-9_\x7f-\xff

This is out of my range to see what the issue is, or how to fix it, but it would be nice if you could take a look at it.

[soderlind]

Thanks for reporting this. Could you please test the https://github.com/soderlind/read-offline/tree/backend/admin-page-framework branch?

[Dea-Renate]

This seems to do the trick!