fix(security): eliminate remaining critical vulnerabilities

- SystemFixService: removed ALL shell_exec/sudo calls (30+ instances), replaced with
  safe PHP alternatives (mkdir, chmod, disk_total_space, Artisan calls)
- InstallationController: added ALLOWED_SETTINGS whitelist to prevent arbitrary
  settings manipulation via request data
- ExceptionHandler: removed dangerous npm run build execution and hardcoded
  chown/chmod paths from auto-recovery
- AuthController: fixed user enumeration timing attack by running Hash::make()
  even when user doesn't exist (so response time no longer reveals whether the account exists)
- DDoSDetectionCommand: added IP validation (FILTER_VALIDATE_IP) before blocking
  to prevent iptables manipulation with spoofed/malicious IPs
- trackRequest: now validates IP before storing in cache
root
2026-05-19 19:46:38 +02:00
parent 7f59024bef
commit b1739cabbf
6 changed files with 94 additions and 514 deletions
-30
@@ -12,7 +12,6 @@ use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Support\Facades\Artisan;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Process;
use Illuminate\Validation\ValidationException;
use Throwable;
@@ -101,10 +100,6 @@ class Handler extends ExceptionHandler
Artisan::call('config:cache');
Artisan::call('view:cache');
if (str_contains($exceptionClass, 'ViteManifestNotFoundException') || str_contains($message, 'Vite manifest')) {
$this->rebuildViteManifest();
}
if (function_exists('opcache_reset')) {
@opcache_reset();
}
@@ -122,31 +117,6 @@ class Handler extends ExceptionHandler
}
}
private function rebuildViteManifest(): void
{
$manifestPath = public_path('build/manifest.json');
if (! file_exists($manifestPath)) {
Log::warning('Vite manifest missing, attempting rebuild');
$result = Process::timeout(120)->run('npm run build');
if ($result->successful()) {
Log::info('Vite manifest rebuilt successfully');
if (file_exists('/var/www/atomcms/public/build')) {
Process::run('chown -R www-data:www-data /var/www/atomcms/public/build');
Process::run('chmod -R 775 /var/www/atomcms/public/build');
}
} else {
Log::error('Vite manifest rebuild failed', [
'output' => $result->output(),
'error' => $result->errorOutput(),
]);
}
}
}
private function handleExceptionAlert(Throwable $e): void
{
if (! $this->shouldAlertException($e)) {