docs: changelog ver_0.336

security: faza 3 - error handling w krytycznych sciezkach
- cron.php: przywrocono E_WARNING i E_DEPRECATED (wyciszono tylko E_NOTICE i E_STRICT) - IntegrationsRepository: try-catch po zapisie tokenow Apilo - blad DB nie sklada false po cichu - ProductRepository/ArticleRepository: error_log gdy safeUnlink wykryje sciezke poza upload/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 09:30:56 +01:00 · 2026-03-12 09:30:23 +01:00 · 2026-03-12 09:23:29 +01:00
9 changed files with 167 additions and 120 deletions
--- a/autoload/Domain/Article/ArticleRepository.php
+++ b/autoload/Domain/Article/ArticleRepository.php
@@ -850,6 +850,8 @@ class ArticleRepository
        $full = realpath('../' . ltrim($src, '/'));
        if ($full && strpos($full, $base . DIRECTORY_SEPARATOR) === 0 && is_file($full)) {
            unlink($full);
+        } elseif ($full) {
+            error_log( '[shopPRO] safeUnlink: ścieżka poza upload/: ' . $src );
        }
    }

--- a/autoload/Domain/Integrations/IntegrationsRepository.php
+++ b/autoload/Domain/Integrations/IntegrationsRepository.php
@@ -159,10 +159,15 @@ class IntegrationsRepository
        if ( empty( $response['accessToken'] ) )
            return false;

-        $this->saveSetting( 'apilo', 'access-token', $response['accessToken'] );
-        $this->saveSetting( 'apilo', 'refresh-token', $response['refreshToken'] );
-        $this->saveSetting( 'apilo', 'access-token-expire-at', $response['accessTokenExpireAt'] );
-        $this->saveSetting( 'apilo', 'refresh-token-expire-at', $response['refreshTokenExpireAt'] );
+        try {
+            $this->saveSetting( 'apilo', 'access-token', $response['accessToken'] );
+            $this->saveSetting( 'apilo', 'refresh-token', $response['refreshToken'] );
+            $this->saveSetting( 'apilo', 'access-token-expire-at', $response['accessTokenExpireAt'] );
+            $this->saveSetting( 'apilo', 'refresh-token-expire-at', $response['refreshTokenExpireAt'] );
+        } catch ( \Exception $e ) {
+            error_log( '[shopPRO] Apilo: błąd zapisu tokenów: ' . $e->getMessage() );
+            return false;
+        }

        return true;
    }
--- a/autoload/Domain/Product/ProductRepository.php
+++ b/autoload/Domain/Product/ProductRepository.php
@@ -2140,6 +2140,8 @@ class ProductRepository
        $full = realpath('../' . ltrim($src, '/'));
        if ($full && strpos($full, $base . DIRECTORY_SEPARATOR) === 0 && is_file($full)) {
            unlink($full);
+        } elseif ($full) {
+            error_log( '[shopPRO] safeUnlink: ścieżka poza upload/: ' . $src );
        }
    }

--- a/cron.php
+++ b/cron.php
@@ -1,5 +1,5 @@
 <?php
-error_reporting( E_ALL ^ E_NOTICE ^ E_STRICT ^ E_WARNING ^ E_DEPRECATED );
+error_reporting( E_ALL ^ E_NOTICE ^ E_STRICT );

 function __autoload_my_classes( $classname )
 {
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -4,6 +4,15 @@ Logi zmian z migracji na Domain-Driven Architecture. Najnowsze na gorze.

 ---

+## ver. 0.336 (2026-03-12) - Poprawki bezpieczeństwa: error handling w krytycznych ścieżkach
+
+- **FIX**: `cron.php` — przywrócono `E_WARNING` i `E_DEPRECATED` (wyciszano je od zawsze, ukrywając potencjalne błędy)
+- **FIX**: `IntegrationsRepository::apiloAuthorize()` — try-catch po zapisie tokenów Apilo; błąd DB logowany i zwraca `false` zamiast cicho kontynuować
+- **FIX**: `ProductRepository::safeUnlink()` — `error_log()` gdy ścieżka istnieje ale jest poza `upload/`
+- **FIX**: `ArticleRepository::safeUnlink()` — to samo
+
+---
+
 ## ver. 0.335 (2026-03-12) - Poprawki bezpieczeństwa: path traversal i XSS w szablonach

 - **SECURITY**: `ProductRepository` — dodano `safeUnlink()` z walidacją `realpath()` zapobiegającą path traversal; użyta w `cleanupDeletedFiles()`, `cleanupDeletedImages()`, `deleteNonassignedImages()`
--- a/updates/0.30/ver_0.335.zip
+++ b/updates/0.30/ver_0.335.zip
--- a/updates/0.30/ver_0.335_manifest.json
+++ b/updates/0.30/ver_0.335_manifest.json
@@ -0,0 +1,26 @@
+{
+    "changelog":  "Poprawki bezpieczenstwa: safeUnlink() z walidacja realpath(), escaping XSS w szablonach artykulow",
+    "version":  "0.335",
+    "files":  {
+                  "added":  [
+
+                            ],
+                  "deleted":  [
+
+                              ],
+                  "modified":  [
+                                   "autoload/Domain/Article/ArticleRepository.php",
+                                   "autoload/Domain/Product/ProductRepository.php",
+                                   "templates/articles/article-entry.php",
+                                   "templates/articles/article-full.php"
+                               ]
+              },
+    "checksum_zip":  "sha256:2347ff654312f34e22b19cd89b229beabb039a3c253b047df07362d5c8393527",
+    "sql":  [
+
+            ],
+    "date":  "2026-03-12",
+    "directories_deleted":  [
+
+                            ]
+}
--- a/updates/changelog-data.html
+++ b/updates/changelog-data.html
--- a/updates/versions.php
+++ b/updates/versions.php
@@ -1,5 +1,5 @@
 <?
-$current_ver = 334;
+$current_ver = 335;

 for ($i = 1; $i <= $current_ver; $i++)
 {