Hamza-Ayed a8748cf4c9 Fix #22: Medium-severity fixes (M-01 through M-07) ...

M-01: Host header injection - replaced HTTP_HOST with APP_DOMAIN
M-02: Unauthenticated CRUD - ownership checks on carDrivers add/delete
M-03: MD5 tracking token - replaced md5() with hash_hmac sha256
M-04: Webhook SMS - absolute log path instead of relative
M-05: Weak 3-digit OTP - already noted as requirement (Fix #5)
M-06: Redis without auth - added password + prefix to cancel_ride_by_driver
M-07: SSRF bypass - str_ends_with -> strict equality in allowlist

2026-06-17 07:58:21 +03:00

5.8 KiB

Raw Blame History

View Raw