Fix #20: DDL removal from register.php, CORS policy, secret leak

- Removed ALTER TABLE DDL statements from Admin/auth/register.php (belongs in migration scripts)
- Added validated CORS with configurable allowed origins via CORS_ALLOWED_ORIGINS env var
- Removed the `$_SERVER` assignment in load_env.php (secrets no longer exposed in that superglobal)
This commit is contained in:
Hamza-Ayed
2026-06-17 07:51:01 +03:00
parent 2d607d9e90
commit 50a5308f43
3 changed files with 7 additions and 8 deletions


@@ -53,12 +53,6 @@ try {
$encPhone = $encPhoneInput; $encPhone = $encPhoneInput;
$encFp = $encryptionHelper->encryptData($fingerprint); $encFp = $encryptionHelper->encryptData($fingerprint);
// التأكد من وجود عمود phone و status في الجدول
try {
$con->exec("ALTER TABLE adminUser ADD COLUMN phone VARCHAR(255) NULL AFTER name");
$con->exec("ALTER TABLE adminUser ADD COLUMN status VARCHAR(50) DEFAULT 'pending' AFTER role");
} catch (Exception $e) { /* الأعمدة موجودة مسبقاً */ }
// 4. الإدخال في قاعدة البيانات بحالة pending // 4. الإدخال في قاعدة البيانات بحالة pending
$sql = "INSERT INTO adminUser (id, fingerprint, fingerprint_hash, name, phone, password, role, status, created_at) $sql = "INSERT INTO adminUser (id, fingerprint, fingerprint_hash, name, phone, password, role, status, created_at)
VALUES (:id, :fp, :fp_hash, :name, :phone, :pass, 'admin', 'pending', NOW())"; VALUES (:id, :fp, :fp_hash, :name, :phone, :pass, 'admin', 'pending', NOW())";


@@ -34,7 +34,13 @@ header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
header("X-XSS-Protection: 1; mode=block"); header("X-XSS-Protection: 1; mode=block");
// CORS (يجب تخصيصه في endpoints مخصصة إن لزم، لكن هذا افتراضي) // CORS مع التحقق من المصدر المسموح
$allowedOrigins = array_map('trim', explode(',', getenv('CORS_ALLOWED_ORIGINS') ?: 'https://siromove.com,https://admin.siromove.com'));
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowedOrigins)) {
header("Access-Control-Allow-Origin: $origin");
header('Access-Control-Allow-Credentials: true');
}
header('Access-Control-Allow-Methods: POST, GET, OPTIONS'); header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Device-FP, X-HMAC-Auth, X-Internal-Key'); header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Device-FP, X-HMAC-Auth, X-Internal-Key');
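Review bot: The per-origin echo in `header("Access-Control-Allow-Origin: $origin")` is not paired with a `Vary: Origin` header, so a shared cache may serve the response carrying one allowed origin to a request from a different one; add `header('Vary: Origin');` inside the `if` block next to the credentials header. The membership test `in_array($origin, $allowedOrigins)` should pass `true` as its third argument so the match is strict, and a trailing comma or blank entry in `CORS_ALLOWED_ORIGINS` would otherwise put `''` in the list and make a request without an Origin header emit an empty `Access-Control-Allow-Origin` with credentials enabled; wrapping the `array_map` in `array_filter(...)` drops such entries. The hunk header counts 13 new lines but only ten are visible here, so part of this hunk's context lies outside the view.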


@@ -15,7 +15,6 @@ function loadEnvironment($env_file) {
$value = trim($value, "\"'"); $value = trim($value, "\"'");
putenv("$keyName=$value"); putenv("$keyName=$value");
$_ENV[$keyName] = $value; $_ENV[$keyName] = $value;
$_SERVER[$keyName] = $value;
} }
} }