Improve security, validation, and isolation checks
Add multiple security and validation improvements across the app: - Prevent session fixation: regenerate session ID on login and after successful 2FA; tighten session cookie params (Secure, HttpOnly, SameSite=Lax). - Harden installer: add CSRF checks for install/update flows and use PDO::quote when injecting admin credentials into SQL migration to avoid injection; add csrf_field() to installer templates. - Template hardening: add safe_url and safe_mailto Twig filters, escape tag names for JS, and add rel="noopener noreferrer" to external links to mitigate XSS/opener risks. - Domain controller: validate referrer to avoid open redirects, enforce user isolation mode when finding/deleting/updating domains and when assigning notification groups (ensures users only affect their own resources). - Notification groups: verify channel belongs to group before deleting or toggling to prevent unauthorized access. - ErrorLog: whitelist allowed sort columns to avoid arbitrary column injection in ORDER BY. - Routes: move the debug whois route to protected/admin area. These changes collectively reduce attack surface (XSS, open redirect, session fixation, SQL injection) and enforce proper resource isolation and input validation.
This commit is contained in:
Hosteroid
@@ -72,6 +72,7 @@
|
||||
{% endif %}
|
||||
|
||||
<form method="POST" action="/install/update" class="space-y-3">
|
||||
{{ csrf_field() }}
|
||||
<button type="submit" class="w-full bg-primary hover:bg-primary-dark text-white py-2.5 rounded-lg font-medium transition-colors">
|
||||
<i class="fas fa-download mr-2"></i>
|
||||
Run Update Now
|
||||
|
||||
@@ -69,6 +69,7 @@
|
||||
{% endif %}
|
||||
|
||||
<form method="POST" action="/install/run" class="space-y-5">
|
||||
{{ csrf_field() }}
|
||||
<div class="border-t border-gray-200 pt-6">
|
||||
<h3 class="text-lg font-semibold text-gray-900 mb-4">Administrator Account</h3>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user