From 70c06edd71030a413909be8fe0c63ababfd19533 Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Wed, 17 Jun 2026 06:57:56 +0300
Subject: [PATCH] fix(security): fix host header injection in upload_audio, email header injection, add SSL verify to MTN curl

---
 backend/upload_audio.php | 7 +++----
 walletintaleq.intaleq.xyz/v2/main/functions.php | 2 ++
 .../v2/main/ride/mtn/driver/initiate_payment.php | 2 ++
 .../v2/main/ride/mtn/passenger/initiate_payment.php | 2 ++
 4 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/backend/upload_audio.php b/backend/upload_audio.php
index 33b1e44..1d25993 100644
--- a/backend/upload_audio.php
+++ b/backend/upload_audio.php
@@ -58,10 +58,9 @@ try {
 exit;
 }
 
- // Construct the link dynamically
- $host = $_SERVER['HTTP_HOST'] ?? 'api.siromove.com';
- $protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? "https" : "http";
- $linkAudio = "$protocol://$host/siro/upload_audio/" . $new_filename;
+ // Construct the link (domain from env, not from Host header)
+ $appDomain = getenv('APP_DOMAIN') ?: 'api.siromove.com';
+ $linkAudio = "https://$appDomain/siro/upload_audio/" . $new_filename;
 
 uploadLog("Audio uploaded successfully: $linkAudio", 'INFO');
 echo json_encode(array('status' => 'Audio file uploaded successfully.', 'link' => $linkAudio));
diff --git a/walletintaleq.intaleq.xyz/v2/main/functions.php b/walletintaleq.intaleq.xyz/v2/main/functions.php
index b5ccc26..6809c17 100755
--- a/walletintaleq.intaleq.xyz/v2/main/functions.php
+++ b/walletintaleq.intaleq.xyz/v2/main/functions.php
@@ -278,6 +278,8 @@ function result($count)
 
 function sendEmail($from,$to, $title, $body)
 {
+ // Sanitize $from to prevent email header injection
+ $from = str_replace(["\r", "\n", "\r\n"], '', $from);
 $header = "From: $from" . "\n" . "CC: $from";
 mail($to, $title, $body, $header);
 }
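Review bot: The new `$linkAudio` line still concatenates `$new_filename` into the URL unencoded, so if that name can carry spaces, `#`, `?` or `%` (how it is built is outside the hunk) the returned link will not resolve to the stored file; `rawurlencode($new_filename)` at that spot fixes it. The `getenv('APP_DOMAIN')` value is likewise used verbatim while the scheme is now fixed to `https`, so an env value that carries a scheme or a path, or a deployment served over plain HTTP, silently yields a wrong link rather than an error; guarding with `if (!filter_var($appDomain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) { $appDomain = 'api.siromove.com'; }` plus an `uploadLog` line makes the fallback visible. The enclosing `try` block begins before the hunk.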
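Review bot: The `"\r\n"` entry in the new `str_replace` call in `sendEmail` is dead: the search array is applied in order, so `"\r"` and `"\n"` have already removed every CRLF before the third entry is tried, and `["\r", "\n"]` is equivalent. The new code also strips rather than rejects, so a `$from` that carried injected header lines is still sent with the fragments run together instead of failing loudly; checking `if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) { throw new InvalidArgumentException('Invalid From address'); }` before `$header` is built refuses such input and also covers characters like `:` that the strip leaves in place. `$to` and `$title` are passed to `mail()` unchanged; PHP's `mail()` replaces control characters in those two arguments itself, and the added comment should say so, otherwise the asymmetry reads as an oversight.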
diff --git a/walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/initiate_payment.php b/walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/initiate_payment.php
index a8426c5..9483246 100755
--- a/walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/initiate_payment.php
+++ b/walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/initiate_payment.php
@@ -37,6 +37,8 @@ curl_setopt_array($ch, [
 CURLOPT_POST => true,
 CURLOPT_POSTFIELDS => $body,
 CURLOPT_RETURNTRANSFER => true,
+ CURLOPT_SSL_VERIFYPEER => true,
+ CURLOPT_SSL_VERIFYHOST => 2,
 CURLOPT_HTTPHEADER => [
 "Content-Type: application/json",
 "Request-Name: pos_web/payment_phone/initiate",
diff --git a/walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/initiate_payment.php b/walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/initiate_payment.php
index a8426c5..9483246 100755
--- a/walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/initiate_payment.php
+++ b/walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/initiate_payment.php
@@ -37,6 +37,8 @@ curl_setopt_array($ch, [
 CURLOPT_POST => true,
 CURLOPT_POSTFIELDS => $body,
 CURLOPT_RETURNTRANSFER => true,
+ CURLOPT_SSL_VERIFYPEER => true,
+ CURLOPT_SSL_VERIFYHOST => 2,
 CURLOPT_HTTPHEADER => [
 "Content-Type: application/json",
 "Request-Name: pos_web/payment_phone/initiate",
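Review bot: `CURLOPT_SSL_VERIFYPEER => true` and `CURLOPT_SSL_VERIFYHOST => 2` are libcurl's defaults, so the two added lines only change behaviour if something else in the file disabled verification; the `curl_setopt_array` call begins before the hunk, and any earlier `CURLOPT_SSL_VERIFYPEER => false` in the same array would win, since later keys override earlier ones, so that is where the fix has to be confirmed. For a payment call the option still missing from the array is a scheme pin, `CURLOPT_PROTOCOLS => CURLPROTO_HTTPS,` (and `CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,` if redirects are followed), which stops a misconfigured gateway URL or a redirect from downgrading to plain HTTP; a `CURLOPT_CONNECTTIMEOUT`/`CURLOPT_TIMEOUT` pair would also keep a stalled gateway from holding the worker. The same applies unchanged to the passenger `initiate_payment.php` hunk, whose blob ids `a8426c5..9483246` are identical to the driver file's, so the two scripts are byte-for-byte copies and belong in one shared include.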