Hamza/Siro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #22: Medium-severity fixes (M-01 through M-07)

Browse Source 
M-01: Host header injection - replaced HTTP_HOST with APP_DOMAIN
M-02: Unauthenticated CRUD - ownership checks on carDrivers add/delete
M-03: MD5 tracking token - replaced md5() with hash_hmac sha256
M-04: Webhook SMS - absolute log path instead of relative
M-05: Weak 3-digit OTP - already noted as requirement (Fix #5)
M-06: Redis without auth - added password + prefix to cancel_ride_by_driver
M-07: SSRF bypass - str_ends_with -> strict equality in allowlist
This commit is contained in:
Hamza-Ayed
2026-06-17 07:58:21 +03:00
parent 3543fdd2cd
commit a8748cf4c9
8 changed files with 37 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
backend/webhook_sms/webhook.php
View File

@@ -72,8 +72,10 @@ if (preg_match($pattern_orangemoney_jo, $message_body, $matches)) {
$log_entry .= " | INFO: Message did not match the Orange Money pattern. Ignored." . PHP_EOL;
}
// كتابة كل شيء في ملف السجل
file_put_contents('sms_log.txt', $log_entry, FILE_APPEND);
// كتابة كل شيء في ملف السجل (بالمسار المطلق)
$logDir = __DIR__ . '/../../logs';
if (!is_dir($logDir)) @mkdir($logDir, 0777, true);
file_put_contents($logDir . '/sms_webhook_log.txt', $log_entry, FILE_APPEND);
// --- 5. إرسال رد إلى تطبيق الأندرويد ---