Project-Pro/shopPRO
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Project-Pro:v0.335
Branches Tags
Project-Pro:main
Project-Pro:v0.345 Project-Pro:v0.344 Project-Pro:v0.343 Project-Pro:v0.342 Project-Pro:v0.341 Project-Pro:v0.340 Project-Pro:v0.339 Project-Pro:v0.338 Project-Pro:v0.337 Project-Pro:v0.336 Project-Pro:v0.335 Project-Pro:v0.334 Project-Pro:v0.333 Project-Pro:v0.332 Project-Pro:v0.331 Project-Pro:v0.330 Project-Pro:v0.329 Project-Pro:v0.328 Project-Pro:v0.327 Project-Pro:v0.326 Project-Pro:v0.325 Project-Pro:v0.324 Project-Pro:v0.323 Project-Pro:v0.322 Project-Pro:v0.321 Project-Pro:v0.320 Project-Pro:v0.319 Project-Pro:v0.318 Project-Pro:v0.317 Project-Pro:v0.316 Project-Pro:v0.315 Project-Pro:v0.314 Project-Pro:v0.313 Project-Pro:v0.312 Project-Pro:v0.311 Project-Pro:v0.310 Project-Pro:v0.309 Project-Pro:v0.308 Project-Pro:v0.307 Project-Pro:v0.306 Project-Pro:v0.305 Project-Pro:v0.304 Project-Pro:v0.303 Project-Pro:v0.302 Project-Pro:v0.301 Project-Pro:v0.300 Project-Pro:v0.299
...
compare: Project-Pro:v0.336
Branches Tags
Project-Pro:main
Project-Pro:v0.345 Project-Pro:v0.344 Project-Pro:v0.343 Project-Pro:v0.342 Project-Pro:v0.341 Project-Pro:v0.340 Project-Pro:v0.339 Project-Pro:v0.338 Project-Pro:v0.337 Project-Pro:v0.336 Project-Pro:v0.335 Project-Pro:v0.334 Project-Pro:v0.333 Project-Pro:v0.332 Project-Pro:v0.331 Project-Pro:v0.330 Project-Pro:v0.329 Project-Pro:v0.328 Project-Pro:v0.327 Project-Pro:v0.326 Project-Pro:v0.325 Project-Pro:v0.324 Project-Pro:v0.323 Project-Pro:v0.322 Project-Pro:v0.321 Project-Pro:v0.320 Project-Pro:v0.319 Project-Pro:v0.318 Project-Pro:v0.317 Project-Pro:v0.316 Project-Pro:v0.315 Project-Pro:v0.314 Project-Pro:v0.313 Project-Pro:v0.312 Project-Pro:v0.311 Project-Pro:v0.310 Project-Pro:v0.309 Project-Pro:v0.308 Project-Pro:v0.307 Project-Pro:v0.306 Project-Pro:v0.305 Project-Pro:v0.304 Project-Pro:v0.303 Project-Pro:v0.302 Project-Pro:v0.301 Project-Pro:v0.300 Project-Pro:v0.299

3 Commits
v0.335 ... v0.336

Author SHA1 Message Date
Jacek
35aa00a457 docs: changelog ver_0.336 2026-03-12 09:30:56 +01:00
Jacek
31426d763e security: faza 3 - error handling w krytycznych sciezkach 
- cron.php: przywrocono E_WARNING i E_DEPRECATED (wyciszono tylko E_NOTICE i E_STRICT)
- IntegrationsRepository: try-catch po zapisie tokenow Apilo - blad DB nie sklada false po cichu
- ProductRepository/ArticleRepository: error_log gdy safeUnlink wykryje sciezke poza upload/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-12 09:30:23 +01:00
Jacek
c4ce330d01 build: ver_0.335 - safeUnlink path traversal, XSS escaping szablony artykulow 2026-03-12 09:23:29 +01:00
9 changed files with 167 additions and 120 deletions
Expand all files Collapse all files

2
autoload/Domain/Article/ArticleRepository.php
View File

@@ -850,6 +850,8 @@ class ArticleRepository
$full = realpath('../' . ltrim($src, '/')); $full = realpath('../' . ltrim($src, '/'));
if ($full && strpos($full, $base . DIRECTORY_SEPARATOR) === 0 && is_file($full)) { if ($full && strpos($full, $base . DIRECTORY_SEPARATOR) === 0 && is_file($full)) {
unlink($full); unlink($full);
} elseif ($full) {
error_log( '[shopPRO] safeUnlink: ścieżka poza upload/: ' . $src );
} }
} }

13
autoload/Domain/Integrations/IntegrationsRepository.php
View File

@@ -159,10 +159,15 @@ class IntegrationsRepository
if ( empty( $response['accessToken'] ) ) if ( empty( $response['accessToken'] ) )
return false; return false;
$this->saveSetting( 'apilo', 'access-token', $response['accessToken'] ); try {
$this->saveSetting( 'apilo', 'refresh-token', $response['refreshToken'] ); $this->saveSetting( 'apilo', 'access-token', $response['accessToken'] );
$this->saveSetting( 'apilo', 'access-token-expire-at', $response['accessTokenExpireAt'] ); $this->saveSetting( 'apilo', 'refresh-token', $response['refreshToken'] );
$this->saveSetting( 'apilo', 'refresh-token-expire-at', $response['refreshTokenExpireAt'] ); $this->saveSetting( 'apilo', 'access-token-expire-at', $response['accessTokenExpireAt'] );
$this->saveSetting( 'apilo', 'refresh-token-expire-at', $response['refreshTokenExpireAt'] );
} catch ( \Exception $e ) {
error_log( '[shopPRO] Apilo: błąd zapisu tokenów: ' . $e->getMessage() );
return false;
}
return true; return true;
} }

2
autoload/Domain/Product/ProductRepository.php
View File

@@ -2140,6 +2140,8 @@ class ProductRepository
$full = realpath('../' . ltrim($src, '/')); $full = realpath('../' . ltrim($src, '/'));
if ($full && strpos($full, $base . DIRECTORY_SEPARATOR) === 0 && is_file($full)) { if ($full && strpos($full, $base . DIRECTORY_SEPARATOR) === 0 && is_file($full)) {
unlink($full); unlink($full);
} elseif ($full) {
error_log( '[shopPRO] safeUnlink: ścieżka poza upload/: ' . $src );
} }
} }

2
cron.php
View File

@@ -1,5 +1,5 @@
<?php <?php
error_reporting( E_ALL ^ E_NOTICE ^ E_STRICT ^ E_WARNING ^ E_DEPRECATED ); error_reporting( E_ALL ^ E_NOTICE ^ E_STRICT );
function __autoload_my_classes( $classname ) function __autoload_my_classes( $classname )
{ {

9
docs/CHANGELOG.md
View File

@@ -4,6 +4,15 @@ Logi zmian z migracji na Domain-Driven Architecture. Najnowsze na gorze.
--- ---
## ver. 0.336 (2026-03-12) - Poprawki bezpieczeństwa: error handling w krytycznych ścieżkach
- **FIX**: `cron.php` — przywrócono `E_WARNING` i `E_DEPRECATED` (wyciszano je od zawsze, ukrywając potencjalne błędy)
- **FIX**: `IntegrationsRepository::apiloAuthorize()` — try-catch po zapisie tokenów Apilo; błąd DB logowany i zwraca `false` zamiast cicho kontynuować
- **FIX**: `ProductRepository::safeUnlink()``error_log()` gdy ścieżka istnieje ale jest poza `upload/`
- **FIX**: `ArticleRepository::safeUnlink()` — to samo
---
## ver. 0.335 (2026-03-12) - Poprawki bezpieczeństwa: path traversal i XSS w szablonach ## ver. 0.335 (2026-03-12) - Poprawki bezpieczeństwa: path traversal i XSS w szablonach
- **SECURITY**: `ProductRepository` — dodano `safeUnlink()` z walidacją `realpath()` zapobiegającą path traversal; użyta w `cleanupDeletedFiles()`, `cleanupDeletedImages()`, `deleteNonassignedImages()` - **SECURITY**: `ProductRepository` — dodano `safeUnlink()` z walidacją `realpath()` zapobiegającą path traversal; użyta w `cleanupDeletedFiles()`, `cleanupDeletedImages()`, `deleteNonassignedImages()`

BIN
updates/0.30/ver_0.335.zip Normal file
View File

Binary file not shown.

26
updates/0.30/ver_0.335_manifest.json Normal file
View File

@@ -0,0 +1,26 @@
{
"changelog": "Poprawki bezpieczenstwa: safeUnlink() z walidacja realpath(), escaping XSS w szablonach artykulow",
"version": "0.335",
"files": {
"added": [
],
"deleted": [
],
"modified": [
"autoload/Domain/Article/ArticleRepository.php",
"autoload/Domain/Product/ProductRepository.php",
"templates/articles/article-entry.php",
"templates/articles/article-full.php"
]
},
"checksum_zip": "sha256:2347ff654312f34e22b19cd89b229beabb039a3c253b047df07362d5c8393527",
"sql": [
],
"date": "2026-03-12",
"directories_deleted": [
]
}

231
updates/changelog-data.html
View File

File diff suppressed because one or more lines are too long

2
updates/versions.php
View File

@@ -1,5 +1,5 @@
<? <?
$current_ver = 334; $current_ver = 335;
for ($i = 1; $i <= $current_ver; $i++) for ($i = 1; $i <= $current_ver; $i++)
{ {