fix(security): fix pervasive IDOR - force JWT user identity in 9 endpoints, fix host injection, exception leaks, wallet auth

Hamza-Ayed
2026-06-17 06:22:41 +03:00
parent 4a9e6b22c5
commit d6f29802e0
9 changed files with 67 additions and 33 deletions


@@ -17,7 +17,8 @@ try {
// ── 1. Input & Validation ──────────────────────────────────────
$rideId = filterRequest("id");
$driverId = filterRequest("driver_id");
// Force driver_id from JWT — never trust user-supplied driver_id
$driverId = $user_id;
$status = filterRequest("status"); // القيمة التي يرسلها التطبيق: 'accepted'
$passengerToken = filterRequest("passengerToken");