3543fdd2cd
H-01: Egypt document uploads - added path traversal prevention (basename),
replaced HTTP_HOST with APP_DOMAIN env var
H-02: 7 remaining hardcoded /home/siro-api/ paths replaced with env vars
(ENV_FILE_PATH, INTERNAL_SOCKET_KEY_PATH, WEBHOOK_SECRET_KEY_PATH)
H-03: serviceapp/updateDriver.php - added ownership check (user_id must match
driverID or user must be admin); non-admins blocked from changing
password/status/email/phone
H-04: ggg.php - replaced weak client-supplied phone auth with proper admin
JWT authentication via JwtService
H-05: Static IV fallback in encrypt_decrypt.php already documented as legacy
H-06: Wallet shared password noted as design limitation (mitigated by
fingerprint verification + short token TTL)
- Also fixed functions.php log message (removed hardcoded path)
88 lines
2.7 KiB
PHP
88 lines
2.7 KiB
PHP
<?php
|
|
require_once __DIR__ . '/../connect.php';
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
uploadLog("🚀 [EgyptDocuments/uploadEgyptidFront.php] Egyptian ID front upload started.");
|
|
|
|
$rawDriverID = filterRequest("driverID");
|
|
if (empty($rawDriverID)) {
|
|
uploadLog("❌ Missing driverID parameter.", 'ERROR');
|
|
jsonError("driverID is required.");
|
|
exit;
|
|
}
|
|
|
|
// منع path traversal
|
|
$driverID = basename($rawDriverID);
|
|
|
|
if (isset($_FILES['image'])) {
|
|
uploadLog("$_FILES['image'] metadata", 'INFO', [
|
|
'name' => $_FILES['image']['name'] ?? 'unknown',
|
|
'type' => $_FILES['image']['type'] ?? 'unknown',
|
|
'size' => $_FILES['image']['size'] ?? 0,
|
|
'upload_error_code' => $_FILES['image']['error'] ?? UPLOAD_ERR_OK
|
|
]);
|
|
} else {
|
|
uploadLog("No 'image' file was sent in the request.", 'WARNING');
|
|
}
|
|
|
|
if (!isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
|
|
$err = $_FILES['image']['error'] ?? 'missing_file';
|
|
uploadLog("❌ File upload validation failed. Code: $err", 'ERROR');
|
|
jsonError("Image upload failed");
|
|
exit;
|
|
}
|
|
|
|
$image_file = $_FILES['image'];
|
|
$allowed_extensions = ['jpg', 'jpeg', 'png'];
|
|
|
|
$image_name = $image_file['name'];
|
|
$image_size = $image_file['size'];
|
|
$image_extension = strtolower(pathinfo($image_name, PATHINFO_EXTENSION));
|
|
|
|
if (!in_array($image_extension, $allowed_extensions, true)) {
|
|
uploadLog("❌ Invalid image format extension: .$image_extension", 'ERROR');
|
|
jsonError("Invalid image format");
|
|
exit;
|
|
}
|
|
|
|
$finfo = finfo_open(FILEINFO_MIME_TYPE);
|
|
$mime_type = finfo_file($finfo, $image_file['tmp_name']);
|
|
finfo_close($finfo);
|
|
|
|
$allowed_mime_types = ['image/jpeg', 'image/png', 'image/jpg'];
|
|
if (!in_array($mime_type, $allowed_mime_types, true)) {
|
|
uploadLog("❌ Invalid MIME type: $mime_type", 'ERROR');
|
|
jsonError("Invalid image format (MIME mismatch)");
|
|
exit;
|
|
}
|
|
|
|
$new_filename = $driverID . '.' . $image_extension;
|
|
|
|
$target_dir = __DIR__ . "/egypt/idFront/";
|
|
if (!is_dir($target_dir)) {
|
|
mkdir($target_dir, 0755, true);
|
|
}
|
|
|
|
$target_file = $target_dir . $new_filename;
|
|
|
|
if (!move_uploaded_file($image_file['tmp_name'], $target_file)) {
|
|
uploadLog("❌ Failed to save image to target file: $target_file", 'ERROR');
|
|
jsonError("Failed to save image");
|
|
exit;
|
|
}
|
|
|
|
// استخدام النطاق من البيئة بدلاً من Host header
|
|
$domain = getenv('APP_DOMAIN') ?: 'api.siromove.com';
|
|
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? "https" : "http";
|
|
$image_url = "$protocol://$domain/siro/EgyptDocuments/egypt/idFront/" . $new_filename;
|
|
|
|
uploadLog("✅ Egypt ID front uploaded successfully. URL: $image_url");
|
|
|
|
printSuccess([
|
|
"status" => "success",
|
|
"url" => $image_url,
|
|
"file_link" => $image_url,
|
|
"image_url" => $image_url
|
|
]);
|