From 2d8b928e0312acc24853894af96d5c1a1bb68025 Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 09:49:09 -0700
Subject: [PATCH 1/3] Refactor administrator fetch logic in login.inc.php

Refactor administrator fetching logic to process known IPs and fingerprints _after_ fetching the administrator record. Those were not arrays outside the fetch block.
---
 public_html/backend/pages/login.inc.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php
index 27ab262..96bf271 100644
--- a/public_html/backend/pages/login.inc.php
+++ b/public_html/backend/pages/login.inc.php
@@ -30,10 +30,10 @@
 where username = '". database::input(strtolower($_POST['username'])) ."'
 or email = '". database::input(strtolower($_POST['username'])) ."'
 limit 1;"
- )->fetch(function($administrator){
- $administrator['known_ips'] = f::string_split($administrator['known_ips']);
- $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
- });
+ )->fetch();
+
+ $administrator['known_ips'] = f::string_split($administrator['known_ips']);
+ $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
 if (!$administrator) {
 throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database'));
@@ -159,7 +159,7 @@
 unset(session::$data['security.administrator']['verification']);
- // TOTP (opt-in per administrator). When enrolled, always challenge —
+ // TOTP (opt-in per administrator). When enrolled, always challenge
 // independent of the known-IP check below. Email OTP remains the
 // fallback for admins who haven't enrolled.
 if (!empty($administrator['totp_secret'])) {
@@ -383,4 +383,4 @@
 });
 });
 });
-
\ No newline at end of file
+
From 623965012f469afcb30dc65da14b618801817434 Mon Sep 17 00:00:00 2001
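Review bot: The two `f::string_split()` assignments in the `-30,10 +30,10` hunk now run before the `if (!$administrator)` guard, so when the query matches no row they write into the empty result and turn `$administrator` into a non-empty array. From then on `!$administrator` is false and the "administrator not found" exception is presumably never thrown, leaving the rest of the login flow to run against a record with no id or password hash; the exact outcome depends on what `fetch()` returns for no row, which is not visible here. Keep the lookup-failure path intact by moving `$administrator['known_ips'] = f::string_split($administrator['known_ips']);` and the matching `known_fingerprints` line below the closing brace of the `if (!$administrator)` block, which ends outside this hunk.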
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 09:58:10 -0700
Subject: [PATCH 2/3] Revert "Refactor administrator fetch logic in login.inc.php"

This reverts commit 2d8b928e0312acc24853894af96d5c1a1bb68025. Restores the original fetch callback pattern where known_ips and known_fingerprints processing happened inside the fetch block, ensuring they are properly treated as arrays at the time of assignment.
---
 public_html/backend/pages/login.inc.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php
index 96bf271..7401482 100644
--- a/public_html/backend/pages/login.inc.php
+++ b/public_html/backend/pages/login.inc.php
@@ -30,10 +30,10 @@
 where username = '". database::input(strtolower($_POST['username'])) ."'
 or email = '". database::input(strtolower($_POST['username'])) ."'
 limit 1;"
- )->fetch();
-
- $administrator['known_ips'] = f::string_split($administrator['known_ips']);
- $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
+ )->fetch(function($administrator){
+ $administrator['known_ips'] = f::string_split($administrator['known_ips']);
+ $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
+ });
 if (!$administrator) {
 throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database'));
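Review bot: The restored callback in the `-30,10 +30,10` hunk takes `$administrator` by value and returns nothing, so unless `fetch()` hands the row over by reference (its implementation is not visible here) both `f::string_split()` results are discarded and `known_ips` / `known_fingerprints` stay plain strings, which is what the description of the reverted commit reports. Those fields appear to feed the known-IP check that the TOTP comment further down refers to, so a comparison against the raw column value instead of a list would weaken or break that verification step. Either declare the parameter by reference, `function(&$administrator){`, or end the closure with `return $administrator;`, whichever contract `fetch()` expects, and add a one-line comment above the callback stating that contract.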
@@ -126,7 +126,7 @@
 }
 if (!empty($administrator['last_ip_address']) && $administrator['last_ip_address'] != $_SERVER['REMOTE_ADDR']) {
- notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then your login credentials might be compromised.'), [
+ notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then y[...]
 '{username}' => $administrator['username'],
 '{ip_address}' => $administrator['last_ip_address'],
 '{hostname}' => $administrator['last_hostname'],
@@ -159,7 +159,7 @@
 unset(session::$data['security.administrator']['verification']);
- // TOTP (opt-in per administrator). When enrolled, always challenge
+ // TOTP (opt-in per administrator). When enrolled, always challenge ✓
 // independent of the known-IP check below. Email OTP remains the
 // fallback for admins who haven't enrolled.
 if (!empty($administrator['totp_secret'])) {
@@ -241,7 +241,7 @@
 if (!empty($_POST['remember_me']) && defined('HMAC_KEY_REMEMBER_ME')) {
 $token = f::token_create_remember($administrator['id'], $administrator['password_hash']);
- header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''), false);
+ header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''),[...]
 } else if (!empty($_COOKIE['remember_me'])) {
 header('Set-Cookie: remember_me=; Path='. WS_DIR_APP .'; Max-Age=-1; HttpOnly; SameSite=Lax', false);
 }
From d781b811b44d34e7a54bfb9f9ab0c8475fc11257 Mon Sep 17 00:00:00 2001
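Review bot: The added `notices::add(...)` line in the `-126,7 +126,7` hunk ends in a literal `y[...]`, which cuts the message string short and drops the `'), [` that opens the placeholder array, so as shown the file no longer parses and the backend login page would fail to load. The added `header('Set-Cookie: remember_me=...` line in the `-241,7 +241,7` hunk is cut the same way and loses its `false);` tail. Both look like tool truncation rather than intended edits, and neither belongs to the revert named in the subject; restore the two removed lines unchanged, so that the cookie line again ends with `(!empty($_SERVER['HTTPS']) ? '; Secure' : ''), false);`. The enclosing `if` blocks continue outside both hunks.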
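Review bot: The comment line changed in the `-159,7 +159,7` hunk now ends with a stray `✓`, which is not part of the sentence and is not the em dash that the reverted commit had removed. Write it as `// TOTP (opt-in per administrator). When enrolled, always challenge —` so the comment reads on into the next line, or drop this hunk so the commit stays a pure revert.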
From: s22 Tech <59073912+s22-tech@users.noreply.github.com> Date: Tue, 30 Jun 2026 09:32:42 -0700 Subject: [PATCH 3/3] Fix HTML and JavaScript syntax issues in edit_addon.inc.php --- .../backend/apps/addons/edit_addon.inc.php | 80 +++++++++---------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/public_html/backend/apps/addons/edit_addon.inc.php b/public_html/backend/apps/addons/edit_addon.inc.php index 552b2d5..de1eea0 100644 --- a/public_html/backend/apps/addons/edit_addon.inc.php +++ b/public_html/backend/apps/addons/edit_addon.inc.php @@ -245,9 +245,9 @@ $relative_path = preg_replace('#^'. preg_quote('storage://addons/'.$addon->data['id'].'/', '#') .'#', '', $directory . $file); if (is_dir($directory.$file)) { - $output[] = '
  • '. f::draw_fonticon('icon-folder icon-lg', 'style="color: #7ccdff;"') .' '. $file .'/'. $draw_folder_contents($directory.$file.'/') .'
  • '; + $output[] = '
  • '. f::draw_fonticon('icon-folder icon-lg', 'style="color: #7ccdff;"') .' '. $file .'/'. $draw_folder_contents($directory . $file . '/') .'
  • '; } else { - $output[] = '
  • '. f::draw_fonticon('icon-file-o') .' '. $file .'
  • '; + $output[] = '
  • '. f::draw_fonticon('icon-file-o') .' '. $file .'
  • '; } } @@ -405,7 +405,7 @@ input.warning, textarea.warning { - box-shadow: 0 0 5px 3px rgba(255 0,0, 0.7); + box-shadow: 0 0 5px 3px rgba(255, 0, 0, 0.7); } @@ -470,7 +470,7 @@ data['id'])) { ?>
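Review bot: `$file` is concatenated into the list markup as-is on both added `$output[] = ...` lines of the `-245,9 +245,9` hunk, so a file name in the add-on's storage directory that contains `<`, `&` or a quote would be rendered as markup in the backend page instead of as text. Escape it at the point of output, for example `htmlspecialchars($file, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` or the project's own HTML-escaping helper if it has one. The surrounding tags are not fully visible on this page and the `$draw_folder_contents` closure begins outside the hunk, so confirm that any attribute built from `$relative_path` is escaped in the same way.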
    @@ -534,7 +534,7 @@
    - 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_move_up', 'Move Up'))]); ?> - 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_move_down', 'Move Down'))]); ?> - 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_remove', 'Remove'))]); ?> + 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_move_up', 'Move Up'))]); ?> + 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_move_down', 'Move Down'))]); ?> + 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_remove', 'Remove'))]); ?>
    @@ -955,7 +955,7 @@ $('.tabs').on('click', '[data-toggle="tab"]', function(e) { let $target = $(this).attr('href'); - $target.find(':input[name$="[content]"]').trigger('input'); + $($target).find(':input[name$="[content]"]').trigger('input'); }); $('.tabs .add').on('click', function(e) { @@ -966,8 +966,8 @@ let $tab = $([ '', - ' __index__ ', - ' ', + ' __index__ ', + ' ', ].join('\n') .replace(/__index__/g, 'new_' + __index__) ); @@ -1116,8 +1116,8 @@ function traverseFileTreePromise(item, path = '', files) { let $contextmenu = $([ '', ].join('\n')); @@ -1129,7 +1129,7 @@ function traverseFileTreePromise(item, path = '', files) { form_data.append('storage_action', 'rename'); form_data.append('file', $item.data('path')); - let new_name = prompt('', $item.data('path')); + let new_name = prompt('', $item.data('path')); if (!new_name) { $('.context-menu').remove(); @@ -1448,10 +1448,10 @@ function traverseFileTreePromise(item, path = '', files) { '
    ', '
    ', ' ', @@ -1459,15 +1459,15 @@ function traverseFileTreePromise(item, path = '', files) { '', '
    ', ' ', '
    ', '', '
    ', - ' 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_move_up', 'Move Up'))]); ?>', - ' 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_move_down', 'Move Down'))]); ?>', - ' 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_remove', 'Remove'))]); ?>', + ' ', + ' ', + ' ', '
    ', '
    ', '' @@ -1509,10 +1509,10 @@ function traverseFileTreePromise(item, path = '', files) { '
    ', '
    ', ' ', @@ -1520,35 +1520,35 @@ function traverseFileTreePromise(item, path = '', files) { '', '
    ', ' ', '
    ', '', '
    ', - ' 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_move_up', 'Move Up'))]); ?>', - ' 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_move_down', 'Move Down'))]); ?>', - ' 'btn btn-default btn-sm', 'title' => f::escape_attr(t('title_remove', 'Remove'))]); ?>', + ' ', + ' ', + ' ', '
    ', '
    ', '', ' ', '', '
    ', '
    ', ' ', '
    ', '', '
    ', ' ', '
    ', '
    ', @@ -1589,13 +1589,13 @@ function traverseFileTreePromise(item, path = '', files) { let $output = $([ '
    ', ' ', '', ' ', '
    ' ].join('\n') @@ -1613,4 +1613,4 @@ function traverseFileTreePromise(item, path = '', files) { $('body').on('click', '.litebox button[name="cancel"]', function(e) { $.litebox.close(); }); - \ No newline at end of file +