Small security fixes, not urgent

2025-07-13 22:35:08 +02:00 · 2025-02-24 15:54:37 +02:00 · 2025-02-24 15:54:37 +02:00 · 0a0d30d5a0
commit 0a0d30d5a0
parent d54c6f8f52
5 changed files with 14 additions and 7 deletions
--- a/cp/app/Lib/Logger.php
+++ b/cp/app/Lib/Logger.php
@ -74,6 +74,8 @@ class Logger extends \Monolog\Logger
            try {
                $mail = new PHPMailer(true);
                $mail->isSMTP();
+                $mailToAddress = $_ENV['MAIL_TO_ADDRESS'] ?? null;
+
                $mail->Host       = $_ENV['MAIL_HOST'];
                $mail->SMTPAuth   = true;
                $mail->Username   = $_ENV['MAIL_USERNAME'];
@ -81,7 +83,11 @@ class Logger extends \Monolog\Logger
                $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
                $mail->Port       = $_ENV['MAIL_PORT'];
                $mail->setFrom($_ENV['MAIL_FROM_ADDRESS'], $_ENV['MAIL_FROM_NAME']);
-                $mail->addAddress($_ENV['MAIL_TO_ADDRESS']); // Send to admin email
+                if (!$mailToAddress) {
+                    error_log("MAIL_TO_ADDRESS is missing, skipping recipient.");
+                } else {
+                    $mail->addAddress($mailToAddress);
+                }

                // Attach PHPMailer to Monolog
                $mailerHandler = new PHPMailerHandler($mail);
--- a/cp/env-sample
+++ b/cp/env-sample
@ -24,6 +24,7 @@ MAIL_USERNAME=username
 MAIL_PASSWORD=password
 MAIL_ENCRYPTION=tls
 MAIL_FROM_ADDRESS='example@domain.com'
+MAIL_TO_ADDRESS='example@domain.com'
 MAIL_FROM_NAME='Example'
 MAIL_API_KEY='test-api-key'
 MAIL_API_PROVIDER='sendgrid'
--- a/das/helpers.php
+++ b/das/helpers.php
@ -77,8 +77,8 @@ function setupLogger($logFilePath, $channelName = 'app') {
 }

 function isIpWhitelisted($ip, $pdo) {
-    $stmt = $pdo->prepare("SELECT COUNT(*) FROM registrar_whitelist WHERE addr = ?");
-    $stmt->execute([$ip]);
+    $stmt = $pdo->prepare("SELECT COUNT(*) FROM registrar_whitelist WHERE addr = :ip");
+    $stmt->execute(['ip' => $ip]);
    $count = $stmt->fetchColumn();
    return $count > 0;
 }
--- a/rdap/helpers.php
+++ b/rdap/helpers.php
@ -137,8 +137,8 @@ function mapContactToVCard($contactDetails, $role, $c) {
 }

 function isIpWhitelisted($ip, $pdo) {
-    $stmt = $pdo->prepare("SELECT COUNT(*) FROM registrar_whitelist WHERE addr = ?");
-    $stmt->execute([$ip]);
+    $stmt = $pdo->prepare("SELECT COUNT(*) FROM registrar_whitelist WHERE addr = :ip");
+    $stmt->execute(['ip' => $ip]);
    $count = $stmt->fetchColumn();
    return $count > 0;
 }
--- a/whois/port43/helpers.php
+++ b/whois/port43/helpers.php
@ -89,8 +89,8 @@ function parseQuery($data) {
 }

 function isIpWhitelisted($ip, $pdo) {
-    $stmt = $pdo->prepare("SELECT COUNT(*) FROM registrar_whitelist WHERE addr = ?");
-    $stmt->execute([$ip]);
+    $stmt = $pdo->prepare("SELECT COUNT(*) FROM registrar_whitelist WHERE addr = :ip");
+    $stmt->execute(['ip' => $ip]);
    $count = $stmt->fetchColumn();
    return $count > 0;
 }