Fix #21: High-severity fixes (H-01 through H-06)
H-01: Egypt document uploads - added path traversal prevention (basename),
replaced HTTP_HOST with APP_DOMAIN env var
H-02: 7 remaining hardcoded /home/siro-api/ paths replaced with env vars
(ENV_FILE_PATH, INTERNAL_SOCKET_KEY_PATH, WEBHOOK_SECRET_KEY_PATH)
H-03: serviceapp/updateDriver.php - added ownership check (user_id must match
driverID or user must be admin); non-admins blocked from changing
password/status/email/phone
H-04: ggg.php - replaced weak client-supplied phone auth with proper admin
JWT authentication via JwtService
H-05: Static IV fallback in encrypt_decrypt.php already documented as legacy
H-06: Wallet shared password noted as design limitation (mitigated by
fingerprint verification + short token TTL)
- Also fixed functions.php log message (removed hardcoded path)
@@ -5,13 +5,16 @@ header('Content-Type: application/json');
|
||||
|
||||
uploadLog("🚀 [EgyptDocuments/uploadEgyptIdBack.php] Egyptian ID back upload started.");
|
||||
|
||||
$driverID = filterRequest("driverID");
|
||||
if (empty($driverID)) {
|
||||
$rawDriverID = filterRequest("driverID");
|
||||
if (empty($rawDriverID)) {
|
||||
uploadLog("❌ Missing driverID parameter.", 'ERROR');
|
||||
jsonError("driverID is required.");
|
||||
exit;
|
||||
}
|
||||
|
||||
// منع path traversal
|
||||
$driverID = basename($rawDriverID);
|
||||
|
||||
if (isset($_FILES['image'])) {
|
||||
uploadLog("$_FILES['image'] metadata", 'INFO', [
|
||||
'name' => $_FILES['image']['name'] ?? 'unknown',
|
||||
@@ -33,19 +36,16 @@ if (!isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
|
||||
$image_file = $_FILES['image'];
|
||||
$allowed_extensions = ['jpg', 'jpeg', 'png'];
|
||||
|
||||
// Get file information
|
||||
$image_name = $image_file['name'];
|
||||
$image_size = $image_file['size'];
|
||||
$image_extension = strtolower(pathinfo($image_name, PATHINFO_EXTENSION));
|
||||
|
||||
// Validate file extension
|
||||
if (!in_array($image_extension, $allowed_extensions, true)) {
|
||||
uploadLog("❌ Invalid image format extension: .$image_extension", 'ERROR');
|
||||
jsonError("Invalid image format");
|
||||
exit;
|
||||
}
|
||||
|
||||
// Validate MIME type
|
||||
$finfo = finfo_open(FILEINFO_MIME_TYPE);
|
||||
$mime_type = finfo_file($finfo, $image_file['tmp_name']);
|
||||
finfo_close($finfo);
|
||||
@@ -57,29 +57,25 @@ if (!in_array($mime_type, $allowed_mime_types, true)) {
|
||||
exit;
|
||||
}
|
||||
|
||||
// Generate a unique filename using driverID
|
||||
$new_filename = $driverID . '.' . $image_extension;
|
||||
|
||||
// Set target directory for uploads
|
||||
$target_dir = __DIR__ . "/card_image/";
|
||||
if (!is_dir($target_dir)) {
|
||||
mkdir($target_dir, 0755, true);
|
||||
}
|
||||
|
||||
// Construct target file path
|
||||
$target_file = $target_dir . $new_filename;
|
||||
|
||||
// Move the image file to the target location
|
||||
if (!move_uploaded_file($image_file['tmp_name'], $target_file)) {
|
||||
uploadLog("❌ Failed to save image to target file: $target_file", 'ERROR');
|
||||
jsonError("Failed to save image");
|
||||
exit;
|
||||
}
|
||||
|
||||
// Resolve dynamic URL
|
||||
$host = $_SERVER['HTTP_HOST'] ?? 'api.siromove.com';
|
||||
// استخدام النطاق من البيئة بدلاً من Host header
|
||||
$domain = getenv('APP_DOMAIN') ?: 'api.siromove.com';
|
||||
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? "https" : "http";
|
||||
$image_url = "$protocol://$host/siro/EgyptDocuments/card_image/" . $new_filename;
|
||||
$image_url = "$protocol://$domain/siro/EgyptDocuments/card_image/" . $new_filename;
|
||||
|
||||
uploadLog("✅ Egypt ID back uploaded successfully. URL: $image_url");
|
||||
|
||||
@@ -89,4 +85,3 @@ printSuccess([
|
||||
"file_link" => $image_url,
|
||||
"image_url" => $image_url
|
||||
]);
|
||||
?>
|
||||
|
||||
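Review bot: The `basename($rawDriverID)` line in the first hunk only strips directory components; it does not guarantee a usable identifier, since `basename('/')` is `''` and `.`/`..` pass through unchanged, so `$new_filename = $driverID . '.' . $image_extension` in the third hunk can become `.jpg` or `...jpg` inside `card_image/`. Because the emptiness check runs on `$rawDriverID` before `basename`, the sanitised value is never re-validated. A strict allow-list on the raw value is the simpler and safer check, e.g. `if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $rawDriverID)) { uploadLog("❌ Invalid driverID parameter.", 'ERROR'); jsonError("driverID is required."); exit; }` followed by `$driverID = $rawDriverID;` (adjust the character class to the real driver-ID format). Nothing in these hunks ties `driverID` to the authenticated caller, so unless an ownership check exists above line 5 of the file, any client can overwrite another driver's `card_image/<driverID>.<ext>`; that part of the script is outside the hunk and worth confirming.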