Fix security vulnerabilities: XSS, open redirect, path traversal, IDOR#1176
Merged
bcordis merged 1 commit into development on Mar 19, 2026
Conversation
- Fix reflected XSS in admin cpanel by escaping user-supplied msg parameter
- Fix stored XSS in comment text output with htmlspecialchars()
- Fix XSS in JavaScript context in podcast template using json_encode()
- Fix open redirect in CwmsermonsController, CwmmediafileController, and CwmadminController by validating base64-decoded return URLs with Uri::isInternal()
- Fix path traversal in backup restore by sanitizing upload filename with File::makeSafe() and basename()
- Fix IDOR in download helper by checking published status and user access levels before serving media files
- Sanitize Content-Disposition filename header to prevent header injection
- Escape user-supplied handler name in error messages

https://claude.ai/code/session_01Eq9nzEFGHytEtgTiUgTEHt
Summary
∙ Reflected XSS in admin cpanel: user-supplied msg query parameter was echoed without escaping
∙ Stored XSS in comment display: comment_text rendered without htmlspecialchars()
∙ XSS in JavaScript context: variables injected into javascript: href without proper encoding in podcast template
∙ Open redirect in 3 controllers: base64-decoded return parameter used in redirects without Uri::isInternal() validation
∙ Path traversal in backup restore: uploaded filename used in path without File::makeSafe() / basename() sanitization
∙ IDOR on media downloads: media files served by ID without checking published status or user access levels
∙ Header injection: Content-Disposition filename not sanitized
∙ Error message XSS: user-supplied handler name concatenated into exception message without escaping
Test plan
∙ All 538 PHPUnit tests pass (0 failures)
∙ PHP syntax check passes (0 errors in 1252 files)
∙ Verify admin cpanel ?msg=<script>alert(1)</script> no longer executes JS
∙ Verify comment text with HTML is displayed escaped
∙ Verify redirect with external base64-encoded URL falls back to internal route
∙ Verify media download returns 403 for unauthorized access levels
∙ Verify backup restore rejects filenames with path traversal characters
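As an added example, not code from this PR or from the project, the defensive patterns the summary and test plan describe, written as plain PHP so it runs without Joomla. The names isInternalUrl() and makeSafeFilename() are hypothetical stand-ins that only approximate what Joomla's Uri::isInternal() and File::makeSafe() do, and canServeMedia() assumes a media row with Joomla-style published and access columns plus the caller's list of authorised view levels; none of these are the project's real signatures.

```php
<?php
// Added example (not the project's code): the fixes named in the PR,
// as stand-alone PHP. Stand-ins are marked as hypothetical below.
declare(strict_types=1);

// 1. Reflected / stored XSS in HTML context: escape before echoing.
function renderMessage(string $msg): string
{
    return '<div class="alert">' . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// 2. XSS in JavaScript context: json_encode() with the HEX flags so that
//    quotes, ampersands and </script> cannot break out of the literal.
function renderJsVar(string $name, string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return '<script>var ' . $name . ' = ' . json_encode($value, $flags) . ';</script>';
}

// 3. Open redirect: hypothetical stand-in for Uri::isInternal(). Accepts only
//    site-relative paths (no scheme, no protocol-relative "//", no control chars).
function isInternalUrl(string $url): bool
{
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $url) === 1 || str_starts_with($url, '//')) {
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $url) !== 1;
}

// Decode the base64 "return" parameter; fall back to a fixed internal route
// when it is missing, malformed, or points off-site.
function safeReturnUrl(?string $returnParam, string $fallback = 'index.php?option=com_example'): string
{
    if ($returnParam === null || $returnParam === '') {
        return $fallback;
    }
    $decoded = base64_decode($returnParam, true);
    if ($decoded === false || !isInternalUrl($decoded)) {
        return $fallback;
    }
    return $decoded;
}

// 4. Path traversal: hypothetical stand-in for File::makeSafe() + basename().
//    Reduce the upload name to a bare basename with a conservative charset.
function makeSafeFilename(string $name): string
{
    $base = basename(str_replace('\\', '/', $name));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '', $base) ?? '';
    return ltrim($base, '.');
}

function backupRestorePath(string $uploadedName, string $restoreDir): ?string
{
    $safe = makeSafeFilename($uploadedName);
    if ($safe === '') {
        return null; // nothing usable left: reject the upload
    }
    return rtrim($restoreDir, '/') . '/' . $safe;
}

// 5. IDOR on media downloads: the row must be published and its access level
//    must be one the requesting user is authorised to view (assumed columns).
function canServeMedia(array $mediaRow, array $userViewLevels): bool
{
    return (int) ($mediaRow['published'] ?? 0) === 1
        && in_array((int) ($mediaRow['access'] ?? -1), $userViewLevels, true);
}

// 6. Header injection: strip CR/LF and quotes from the download filename.
function contentDispositionHeader(string $filename): string
{
    $clean = str_replace(["\r", "\n", '"'], '', $filename);
    return 'Content-Disposition: attachment; filename="' . $clean . '"';
}

// Constructed inputs mirroring the test plan.
echo renderMessage('<script>alert(1)</script>'), PHP_EOL;
echo renderJsVar('title', '</script><img src=x onerror=alert(1)>'), PHP_EOL;
echo safeReturnUrl(base64_encode('https://evil.example/phish')), PHP_EOL;   // falls back
echo safeReturnUrl(base64_encode('index.php?option=com_example&view=list')), PHP_EOL;
var_dump(backupRestorePath('../../etc/passwd', '/var/backups'));            // "/var/backups/passwd"
var_dump(canServeMedia(['published' => 1, 'access' => 3], [1, 5]));         // false -> respond 403
echo contentDispositionHeader("file.mp3\r\nX-Injected: 1"), PHP_EOL;
```

Each function corresponds to one bullet in the summary; the echoed values are what the test plan's manual checks should observe, with the IDOR case being the one that should produce a 403 rather than a file.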