mirror of
https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git
synced 2026-05-05 04:54:53 +00:00
security: high-severity fixes (api throttle, fillable, idor, path, rel)
- Add 60 req/min throttle to the public API group and a stricter 10 req/min throttle to POST /highscores. - Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup, Course, Lecturer, and SelfHostedService. created_by stays out of the whitelist; the existing creating() hooks continue to populate it. - Require authenticated user on Api/MeetupController::index instead of trusting the user_id query parameter (IDOR). - Constrain the /img and /img-public route paths to a safe character set and reject any path containing ".." in ImageController. - Add rel="noopener noreferrer" to every target="_blank" link on the meetup and course landing pages.
This commit is contained in:
Claude
+2
-2
@@ -43,12 +43,12 @@ Route::livewire('/kaninchenbau', FollowTheRabbit::class)
|
||||
|
||||
// Generic image handler route that serves images from storage
|
||||
Route::get('/img/{path}', ImageController::class)
|
||||
->where('path', '.*')
|
||||
->where('path', '[A-Za-z0-9._\-/]+')
|
||||
->name('img');
|
||||
|
||||
// Public image handler route for serving public images
|
||||
Route::get('/img-public/{path}', ImageController::class)
|
||||
->where('path', '.*')
|
||||
->where('path', '[A-Za-z0-9._\-/]+')
|
||||
->name('imgPublic');
|
||||
|
||||
// Welcome page route using Volt component
|
||||
|
||||
Reference in New Issue
Block a user