opensourcepos

mirror/opensourcepos

Fork 0

mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-05-09 16:23:28 -04:00

Commit Graph

Author	SHA1	Message	Date
jekkos	e70395bb85	Fix: Improve allowedHostnames .env configuration and fail-fast in production (#4482 ) * Fix: Improve allowedHostnames .env configuration and fail-fast in production Addresses GitHub issue #4480: .env app.allowedHostnames does not work as intended ## Problem - CodeIgniter 4 cannot override array properties from .env - Setting app.allowedHostnames.0, app.allowedHostnames.1 did NOT populate the array - Application always fell back to 'localhost' silently in production - Host header injection protection was effectively disabled ## Solution 1. Support comma-separated .env values: app.allowedHostnames = 'domain1.com,domain2.com' 2. Fail explicitly in production if not configured (throws RuntimeException) 3. Allow localhost fallback in development/testing with ERROR-level logging 4. Update documentation with clear setup instructions ## Changes - app/Config/App.php: Parse comma-separated .env values, fail in production - .env.example: Update format documentation - INSTALL.md: Add prominent security section - tests/Config/AppTest.php: Comprehensive tests for new behavior Fixes #4480 Related: GHSA-jchf-7hr6-h4f3 --------- Co-authored-by: Ollama <ollama@steganos.dev>	2026-04-08 23:07:45 +02:00
Ollama	7cb1d95da7	Fix: Host Header Injection vulnerability (GHSA-jchf-7hr6-h4f3) Security: Prevent Host Header Injection attacks by validating HTTP_HOST against a whitelist of allowed hostnames before constructing the baseURL. Changes: - Add getValidHost() method to validate HTTP_HOST against allowedHostnames - If allowedHostnames is empty, log warning and fall back to 'localhost' - If host not in whitelist, log warning and use first allowed hostname - Update .env.example with allowedHostnames documentation - Add security configuration section to INSTALL.md - Add unit tests for host validation This addresses the security advisory where the application constructed baseURL from the attacker-controllable HTTP_HOST header, allowing: - Login form phishing via manipulated form actions - Cache poisoning via poisoned asset URLs Fixes GHSA-jchf-7hr6-h4f3	2026-03-14 15:34:21 +00:00
BhojKamal	aee5f31cf5	Add show/hide cost price & profit feature - in reports #4130 (#4350 ) * Add show/hide cost price & profit feature * .env should be ignored. * js code formatted. .vscode folder ignore for vscode user settings.json * style is replaced with bootstrap class, formatted and .env.example * toggle button on table to like in other * comment corrected. * class re-factored * minor refactor * formatted with 4 space --------- Co-authored-by: Lotussoft Youngtech <lotussoftyoungtech@gmail.com>	2025-12-21 15:23:39 +05:45

Author

SHA1

Message

Date

jekkos

e70395bb85

Fix: Improve allowedHostnames .env configuration and fail-fast in production (#4482 )

* Fix: Improve allowedHostnames .env configuration and fail-fast in production

Addresses GitHub issue #4480: .env app.allowedHostnames does not work as intended

## Problem
- CodeIgniter 4 cannot override array properties from .env
- Setting app.allowedHostnames.0, app.allowedHostnames.1 did NOT populate the array
- Application always fell back to 'localhost' silently in production
- Host header injection protection was effectively disabled

## Solution
1. Support comma-separated .env values: app.allowedHostnames = 'domain1.com,domain2.com'
2. Fail explicitly in production if not configured (throws RuntimeException)
3. Allow localhost fallback in development/testing with ERROR-level logging
4. Update documentation with clear setup instructions

## Changes
- app/Config/App.php: Parse comma-separated .env values, fail in production
- .env.example: Update format documentation
- INSTALL.md: Add prominent security section
- tests/Config/AppTest.php: Comprehensive tests for new behavior

Fixes #4480
Related: GHSA-jchf-7hr6-h4f3
---------

Co-authored-by: Ollama <ollama@steganos.dev>

2026-04-08 23:07:45 +02:00

Ollama

7cb1d95da7

Fix: Host Header Injection vulnerability (GHSA-jchf-7hr6-h4f3)

Security: Prevent Host Header Injection attacks by validating HTTP_HOST
against a whitelist of allowed hostnames before constructing the baseURL.

Changes:
- Add getValidHost() method to validate HTTP_HOST against allowedHostnames
- If allowedHostnames is empty, log warning and fall back to 'localhost'
- If host not in whitelist, log warning and use first allowed hostname
- Update .env.example with allowedHostnames documentation
- Add security configuration section to INSTALL.md
- Add unit tests for host validation

This addresses the security advisory where the application constructed
baseURL from the attacker-controllable HTTP_HOST header, allowing:
- Login form phishing via manipulated form actions
- Cache poisoning via poisoned asset URLs

Fixes GHSA-jchf-7hr6-h4f3

2026-03-14 15:34:21 +00:00

BhojKamal

aee5f31cf5

Add show/hide cost price & profit feature - in reports #4130 (#4350 )

* Add show/hide cost price & profit feature

* .env should be ignored.

* js code formatted. .vscode folder ignore for vscode user settings.json

* style is replaced with bootstrap class, formatted and .env.example

* toggle button on table to like in other

* comment corrected.

* class re-factored

* minor refactor

* formatted with 4 space

---------

Co-authored-by: Lotussoft Youngtech <lotussoftyoungtech@gmail.com>

2025-12-21 15:23:39 +05:45

3 Commits