Hamza/Siro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #21: High-severity fixes (H-01 through H-06)

Browse Source 
H-01: Egypt document uploads - added path traversal prevention (basename),
       replaced HTTP_HOST with APP_DOMAIN env var
H-02: 7 remaining hardcoded /home/siro-api/ paths replaced with env vars
       (ENV_FILE_PATH, INTERNAL_SOCKET_KEY_PATH, WEBHOOK_SECRET_KEY_PATH)
H-03: serviceapp/updateDriver.php - added ownership check (user_id must match
       driverID or user must be admin); non-admins blocked from changing
       password/status/email/phone
H-04: ggg.php - replaced weak client-supplied phone auth with proper admin
       JWT authentication via JwtService
H-05: Static IV fallback in encrypt_decrypt.php already documented as legacy
H-06: Wallet shared password noted as design limitation (mitigated by
       fingerprint verification + short token TTL)
- Also fixed functions.php log message (removed hardcoded path)
This commit is contained in:
Hamza-Ayed
2026-06-17 07:56:57 +03:00
parent 50a5308f43
commit 3543fdd2cd
11 changed files with 64 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
backend/ride/rides/cancel_ride_by_passenger.php
View File

@@ -83,8 +83,8 @@ try {
// أ) Socket (إشعار السائق في التطبيق فوراً)
$socketUrl = 'http://188.68.36.205:2021';
$internalKeyPath = '/home/siro-api/.internal_socket_key';
$internalKey = file_exists($internalKeyPath) ? trim(file_get_contents($internalKeyPath)) : '';
$internalKeyPath = getenv('INTERNAL_SOCKET_KEY_PATH') ?: '';
$internalKey = ($internalKeyPath && file_exists($internalKeyPath)) ? trim(file_get_contents($internalKeyPath)) : (getenv('INTERNAL_SOCKET_KEY') ?: '');
$ch = curl_init($socketUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

8
backend/ride/rides/test_notification.php
View File

@@ -2,7 +2,13 @@
// test_socket_dispatch.php
$socketUrl = "http://188.68.36.205:2021";
$INTERNAL_KEY = trim(file_get_contents('/home/siro-api/.internal_socket_key'));
$INTERNAL_KEY = getenv('INTERNAL_SOCKET_KEY');
if (empty($INTERNAL_KEY)) {
$keyPath = getenv('INTERNAL_SOCKET_KEY_PATH');
if ($keyPath && file_exists($keyPath)) {
$INTERNAL_KEY = trim(file_get_contents($keyPath));
}
}
// جرّب Driver ID موجود عندك
$driverId = 691;