fix: missing authentication check (#133)

docs: add security policy
Miguel Ribeiro 2024-02-20 17:44:25 +01:00 committed by GitHub
parent 087f757248
commit b887d3a050
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 41 additions and 1 deletions

28
SECURITY.md Normal file

@ -0,0 +1,28 @@
# Security Policy
## Reporting a Vulnerability
If you discover any security vulnerabilities in this project, please report them to the developer by emailing [wallos@henrique.pt](mailto:wallos@henrique.pt). I appreciate your help in keeping the project secure.
## Supported Versions
This project is currently supported with security updates for the following versions:
| Version | Supported |
| ------- | ------------------ |
| latest | :white_check_mark: |
| main | :white_check_mark: |
| 1.x.x | :x: |
## Security Measures
I take security seriously and am working on ways to implement security measures to protect the project.
## Reporting a Security Concern
If you have any security concerns or questions regarding the security of this project, please contact the developer at [wallos@henrique.pt](mailto:wallos@henrique.pt).
## Responsible Disclosure
I kindly request that you follow responsible disclosure practices and give me reasonable time to address any reported vulnerabilities before making them public.


@ -17,7 +17,12 @@ if (!isset($_GET['paymentId']) || !isset($_GET['enabled'])) {
$paymentId = $_GET['paymentId'];
$inUse = $db->querySingle('SELECT COUNT(*) as count FROM subscriptions WHERE payment_method_id=' . $paymentId) === 1;
$stmt = $db->prepare('SELECT COUNT(*) as count FROM subscriptions WHERE payment_method_id=:paymentId');
$stmt->bindValue(':paymentId', $paymentId, SQLITE3_INTEGER);
$result = $stmt->execute();
$row = $result->fetchArray();
$inUse = $row['count'] === 1;
if ($inUse) {
die(json_encode([
"success" => false,
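Review bot: The rewritten `$inUse` test on the last added line still counts a payment method as "in use" only when the subscription count is exactly 1, so a method referenced by two or more subscriptions slips past the guard; the comparison should be `$inUse = $row['count'] > 0;` (the removed string-built query had the same `=== 1`, and the parameterised rewrite carries it over). Binding with `SQLITE3_INTEGER` is the right fix for the injection, but `paymentId` is only `isset`-checked at the top of the hunk, so a non-numeric value appears to be coerced to 0 at bind time rather than rejected; validating it first with `filter_var($_GET['paymentId'], FILTER_VALIDATE_INT)` and bailing on `false` would make that explicit. The `if ($inUse)` block continues past the visible end of the hunk.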


@ -4,6 +4,13 @@ require_once '../../includes/connect_endpoint.php';
session_start();
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
die(json_encode([
"success" => false,
"message" => translate('session_expired', $i18n)
]));
}
require_once '../../includes/getdbkeys.php';
$query = "SELECT * FROM subscriptions";
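Review bot: The added session guard exits with `die(json_encode(...))` but never sets an HTTP status, so an unauthenticated caller receives a 200 that differs from a successful response only in the JSON body; adding `http_response_code(401);` immediately before the `die(` makes the refusal visible at the protocol level and lets clients and proxies treat it uniformly. The guard also calls `translate('session_expired', $i18n)`, so `$i18n` must already be initialised by `connect_endpoint.php` at that point — presumably it is, but worth confirming since `getdbkeys.php` is only included after the check. The file header for this section is not visible here, and the hunk continues past the last line shown.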