use get_file method#1341
Merged
nielsdrost7 merged 1 commit intofix/1340-wrong-quoteinvoice-guest-download-attachment-button-default-templatefrom Sep 17, 2025
Merged
Conversation
2390705
into
fix/1340-wrong-quoteinvoice-guest-download-attachment-button-default-template
1 check passed
nielsdrost7
added a commit
that referenced
this pull request
Jan 19, 2026
* #991: Only load custom_lang.php if it's present * #991: Only load custom_lang.php if it's present * Show list of themes on Windows * #1034: Fix error where default_language at some point switches to English * fixes #1038 * formatting #1033 * only update invoice_date_due when sending email #1033 invoice_date_created should not be updated and always stay the same * move execution of update_invoice_due_date into mark_sent #1033 * remove unnecessary settings tmp_invoice_date and tmp_due_date settings * remove unnecessary helper function reset_invoice_due_dates * fix indentation #1033 * replace tabs with spaces #1033 * bump composer packages * cleanup extra linebreaks * Revert change to invoice_logo() that was intended only for invoice_logo_pdf() * Remove slash because base_url() already has a trailing slash * refractored payments code * use var to prevent reload problem * included the paypal gateway settings * created paypal payment page * added paypal as an extra gateway to be loaded * setup paypal payment endpoint * created paypal REST consumer * implemented sandbox for paypal * removed omnipay * required guzzle * required stripe php sdk * renamed dir * fixed stripe endpoint * created stripe REST API consumer * changed location of files * adapted stripe page to use embedded checkout * included the money package for currencies (was in omnipay) * fixed success message * created verifier * added some comments for clarity * fixed condition for refusing payment * improved paypal REST consumer * refractored payment information * made paypal gateway controller * changed source url after refractoring * improvement code for readability * removed old form * removed deprecated code * handle better single payment gateway * bug fixes * renamed file to prevent loop * made new selection mode * updaed file * new provider selction method * refractored new paypal lib * fixed output * removed the select2 selector * provider auto-selection * fixed style of paypal buttons * added the select method message * prevent accessing payment page with invoice balance zero * #1046: Fixed some formatting * #1046: Fixed some formatting * Slight improvements to README.md Link to demo on homepage so logindata is provided and adjust some wordings * fixes issue #1070 * Fixed broken customer-link in projects-widget. #1072 * fix: ZUGFeRD Name should not be user name * Add Pint and add some directories * added pint.json to help with formatting the files in a certain standard * pre-select current currentcy for online payment * fixed formatting * added information on theming * Bugfix: Other client can be selected from list Bug: No other client can be selected/looked up from the client list. Only the customer from the source invoice was selected. Fix: Selecting an other client is now possible. The selection is saved in the copied invoice. * Bugfix: Selected quote date is saved Bug: The quote date from the source quote was saved and not the selected or entered date from the datepicker. The original quote date was always saved in the copied quote. Fix: The selected date from the datepicker is saved in the copied quote. * Fix #841 Copy quote (modal) UI feedback Bug: When the data is retrieved from the custom_fields db and put into an array and if there is no data in the db, the array cannot be populated so the result is that there is no "response" at all. Fix: extracted the working snippet from mdl_invoice and modified it in mdl_quotes. Even when there is no data/array there is a response. * Adapt copy custom fields code if null * Revert some accidently changes * implemented alternative solution * formatting improvement * copy all fields available in quotes #998 * styling * Improve pint.json just a tiny bit and then format pint.json correctly * Add filter_input function and filter_input in the Clients module * Add filter_input for all the controllers that have the form() function * feat: Add pagination for tabs in client detail fix #1083 * tab change by url and fixed typos * removed ternary * fix formatting * refactor: rename tab variable to activeTab * fix: model-pager have no bottom space in tab * fixed worng bracket * 1096: remove check for number of rows in ip_payments and subsequent early return * changed behavior of returned ->payments, to be null or an array * code formatting * Add another digit for quantity This serves as an example. Please note, that you still have to alter the database table: ALTER TABLE ip_invoice_items MODIFY COLUMN item_quantity decimal(10, 3); First Rule of Programming: Don't run code from the internet when you don't understand it. It might break things. * altered tables * added db changes * adapted function * created setting * adapted invoice items * made quantity available to all views * made quantity available to all quote views * made quantity available to quote views * code formatting * [IP-1003]: Add extra field title (#1101) * Add selector title & create enum php & add field client_title on table ip_client & translation field client_title * Add client title to format client function & KISS & add select and custom title field when custom choice * Clean & edit select auto client title * Add selector title & create enum php & add field client_title on table ip_client & translation field client_title * 1059: Fixed styling in a PHP array * 1059: Validation: client_title isn't required * 1059: database field: *after* client_surname, made sure migration worked * 1059: No yoda-style if-statements, no void return types (yet), no strict typing in files (yet) * 1059: no void return types (yet) * feat: Add pagination for tabs in client detail fix #1083 * tab change by url and fixed typos * removed ternary * fix formatting * refactor: rename tab variable to activeTab * fix: model-pager have no bottom space in tab * Add selector title & create enum php & add field client_title on table ip_client & translation field client_title * Add selector title & create enum php & add field client_title on table ip_client & translation field client_title * 1059: Fixed styling in a PHP array * 1059: no void return types (yet) * 1059: Removed obsolete migration file * 1059: Moved form for the client_title to the bottom of the page (near gender) * emulate enum * 1096: remove check for number of rows in ip_payments and subsequent early return * changed behavior of returned ->payments, to be null or an array * code formatting * Improve pint.json just a tiny bit and then format pint.json correctly * Add filter_input function and filter_input in the Clients module * Add filter_input for all the controllers that have the form() function * fixed worng bracket * Add another digit for quantity This serves as an example. Please note, that you still have to alter the database table: ALTER TABLE ip_invoice_items MODIFY COLUMN item_quantity decimal(10, 3); First Rule of Programming: Don't run code from the internet when you don't understand it. It might break things. * altered tables * added db changes * adapted function * created setting * adapted invoice items * made quantity available to all views * made quantity available to all quote views * made quantity available to quote views * code formatting * Add selector title & create enum php & add field client_title on table ip_client & translation field client_title * Add selector title & create enum php & add field client_title on table ip_client & translation field client_title * 1059: Fixed styling in a PHP array * 1059: database field: *after* client_surname, made sure migration worked * 1059: no void return types (yet) * feat: Add pagination for tabs in client detail fix #1083 * tab change by url and fixed typos * removed ternary * fix formatting * refactor: rename tab variable to activeTab * tmp * rebased development branch into 1059 clientTitle branch * 1059: quick formatting of arrays --------- Co-authored-by: Kevin Joudrier <kev.joudrier@gmail.com> Co-authored-by: pumpi <sf@pumpi-online.de> Co-authored-by: naui95 <nahuel.guidotti@outlook.com> Co-authored-by: = <=> Co-authored-by: der-peer <post@peeruhlmann.de> Co-authored-by: naui95 <naui95@hotmail.com> Co-authored-by: Nathan Mattes <hallo@bullenscheisse.de> * Making sure all the fields in the templates are escaped by htmlspecialchars * replaced _htmlsc with htmlsc where output was echoed * 1089: Fixes after code-review * 1089: Fixes after code-review * no typehint in ClientTitle enum call * 1063: Allowing for Dynamic Properties (PHP 8.2) * 1063: Set back Cryptor the way it was and then allowed Dynamic Properties again * 1063: Set back MY_Form_validation the way it was and then allowed Dynamic Properties again * 1063: Set back class Sumex the way it was and then allowed Dynamic Properties again * 1063: Set back class Sumex the way it was and then allowed Dynamic Properties again * 1063: Set back class ZugferdXml the way it was and then allowed Dynamic Properties again * 1063: Set back class ZugferdXml the way it was and then allowed Dynamic Properties again * 1063: Set back class PaypalLib the way it was and then allowed Dynamic Properties again * 1063: Set back Clients Controller the way it was and then allowed Dynamic Properties again * 1063: #[AllowDynamicProperties] with the PHP 8.2 (8.0+) compatible annotation * 1063: Put back MX / Base the way it was and then allowed for Dynamic Properties * 1063: Modules.php: Placing of the annotation * helpers without dynamic properties * fixed bug where title for the client wasn't saved * Custom rendering will be empty instead of 'custom' * Custom rendering needs to be 'custom', otherwise it won't be shown in the ClientTitle list * fixed bug where a custom client_title was rendered as "Custom" * better formatting * 1010: Added 2 extensions and improved xdebug.ini. Added special xdebug.ini * yarn upgrade and freeze lock file * Special Chore done * issue 1119: add index.php if REMOVE_INDEXPHP is not true * finished Chore * chore: add more options to destroy sessions earlier * add docker publish workflow * fix package.json and yarn.lock for old sass * Update QrCode.php When an invoice is paid in part. The QR code always displays the total paid, not what remains to be paid. * Improve download function * improved get_file function * property client_title doesn't exist? * array_walk an array if value isn't an array * typecasting the decimal_point in number_helper line 76 * fix upload_file function * Fix Upload class * New Buttons for Delete Client note in view (Ajax) Reload all notes after deleted + (new) click event by add_delete_client_notes_click_event() * Remove has-error after good (unempty.trim) client note Fix after 1 error, alway in error .control-group: is (in reality) .input-group & setted with .has-error * Clients view: reload_client_notes() + loader fades Note: Ajax post client_id is in js constant now * Idea to translate Client Title Enums See Clients/Enums/ClientTitleEnum * Fix #1146 after posting a Payments Form when amount > inv. total #1146 Fix number_format(): Arg #1 ($num) must be of type float, string given modules/payments/views/form.php Function: format_amount * Fix payment Cancel repost onclick: history.back 2 location.href By default cancel has onclick with `window.history.back()` See [header_buttons.php](https://github.com/InvoicePlane/InvoicePlane/blob/development/application/modules/layout/views/header_buttons.php) But if click Save multiple time (like monkey) with bad amount value And click Cancel, do repost. Now Cancel always go to Payments page. * Fix setup sql filenames See : [IP-1003: Add extra field title (#1101)](c64b5df#diff-f97132f81d846a5d14eb35d66fe77c943572d8db71735702e6f018f65671058c) Devs, After need update DB Like this: UPDATE `ip_versions` SET `version_id` = '38', `version_date_applied` = '1734693462', `version_file` = '037_1.6.1.sql', `version_sql_errors` = '0' WHERE `version_id` = '38'; UPDATE `ip_versions` SET `version_id` = '39', `version_date_applied` = '1734693462', `version_file` = '038_1.6.2.sql', `version_sql_errors` = '0' WHERE `version_id` = '39'; * Added required input check on full page loaded to 'fix' #1130 * Removed console.log from bugfix * bug-fix-#1147-error-on-database-migration (#1159) * Added required input check on full page loaded to 'fix' #1130 * Refactored upgrade_tables function in Mdl_setup.php * Refactored execute_contents in Mdl_setup.php to remove nested ifs * Added error ignoring on database upgrade to fix #1147 * Removed comment and changed AND operator to OR in Mdl_setup.php * Refactored upgrade_tables function in Mdl_setup.php * Refactored execute_contents in Mdl_setup.php to remove nested ifs * Added error ignoring on database upgrade to fix #1147 * Removed comment and changed AND operator to OR in Mdl_setup.php * Removed scripts.js from conflicting branche * Removed scripts.js from conflicting branche * Update Mdl_setup.php * Added displaying DB error and moved to negative comparison in Mdl_setup.php * Removed tab and comments in Mdl_setup.php --------- Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> * Fix setup Red Screen Of Death with bad DB query Complete #1147 [Solve Red screen Of Death of bad DB query in CI3](https://stackoverflow.com/questions/7843406/codeigniter-how-to-catch-db-errors#54519533) Fix Call to undefined method CI_DB_mysqli_driver::_error_message() The _error_message() function unexist in CI3.1.13: `vendor/codeigniter/framework/system/database/DB_driver.php` + Indents: tab2spaces * Clear setup comments and return all DB errors * Setup upgrade_tables scroll to bottom page * Setup: db debug same as IP_DEBUG * Fix missing if-check * fix problem * Removed '.pdf' from Invoices.php downloads to fix #1171 * Check invoice balance before rendering QR code * Fix #1169 : Add custom_fields in controllers/Settings Now Custom Fields ip_invoice_custom is present in settings page + Remove hard fix in view template-tags-invoices + Indents of settings view partial_settings general * Fix: Delete Client go to 404 page #1182 Inspired by `module/clients/view/partial_client_table.php` * Little details (Base_controller) + indents + tab2spaces * Fix styling in clients table header #1184 * Style2class for amounts & balances (th & tr) Improve #1185 Scope: + Clients + DashBoard + Invoices + Quotes + Payments + Products + Tasks Note: .amount.last apply padding in last element like Quotes list * Fix fullpage-loader helper never showed `$(document).on('click', '.ajax-loader', function () {` Is duplicated inside same function. * Remove event unused JS var (Fullpage loader) * Fix: Send email show blank page #1196 * Add invoice_status case in template_helper (Fix #1198) Scope: qr_code_settings_remittance_text * Fix SMTP password wrong after saving settings #1200 * Update template_helper.php to fix email template with custom single choice field This update will use written label instead of option number in email template, if the filed is an custom field with single choice * chore: pint * chore: pint * add invoices_per_client report * use client custom field for invoices_per_client report * remove debug * fix: order by client_id * fallback if no client_custom_fieldvalue is available * remove client_custom_fieldvalue * use format_client helper * sort invoices by date instead of id * sort quotes by date instead of id see #1218 * Improve number_helper & standardize_amount (fix european format) Fix #1227 European number format change amount on save when use dot as comma * Remove unattended standardize_amount in payments view form * Make sure invoiceplane.conf works properly * Add pagination to invoice and quote templates * fix: amount of the credit transfer cannot be smaller than 0.01 Euro #1128 * Guest Payment stripe flow & online_payment lang improved Load Invoice Model in `__construct` (used in all (2) func's) Don't need site_url for `redirect()` Improve merchand response db insert Improve invoice privacy: client_reference_id (id TO url_key) And adjust indents for the `callback` (it's a function in `class`) Adjust lang sys for multiple use (why not in paypal?) Big Thanks @Matthias-Ab * [IP-939]: Processing e-invoices flow (and some bugfixes): `development` branch for version 1.6.3 (#1247) Prepare for 1.6.3 and 1.7.0 --------- Co-authored-by: Thomas Ingles <thomas@sudwebdesign.fr> * Development v163rc1 (#1268) * Improve versions in composer & package + up yarn & composer lock * Improve gh templates & workflows & infos (md) Improve & Merge Develop v163rc1 (#1266) Without TRANSLATION.md * Setup: Upgrade default & users languages to lowercase like #1232 * Fix: Save products & tasks. No empty rules in Form_validation Form_validation: set_rules() called with an empty $rules parameter See: #1195 * Improve Uploader: Del old system. No show file \w upload_file() Not used in v1.6.3RC0 * PHP compat: No E_STRICT (error_reporting) & Adjust Rector rule In accordance of doc, is unused & PHP 8.4 deprecate. See: https://www.php.net/manual/errorfunc.constants.php#constant.e-strict --- Scope: production or testing environment How to set? See: https://github.com/orgs/InvoicePlane/discussions/1168 * Rector: More efficient Sets: deadCode, codeQuality & codingStyle Applied rules: * RemoveUselessParamTagRector * StrictArraySearchRector * FuncGetArgsToVariadicParamRector * Refacto \w Rector: Prepared set typeDeclarations:true Applied rules: * ReturnUnionTypeRector * ReturnNullableTypeRector * RemoveUselessParamTagRector * RemoveUselessReturnTagRector * StrictStringParamConcatRector * StrictArrayParamDimFetchRector * SimplifyBoolIdenticalTrueRector * ParamTypeByMethodCallTypeRector * ReturnTypeFromStrictNewArrayRector * SimplifyEmptyCheckOnEmptyArrayRector * ReturnTypeFromReturnDirectArrayRector * NumericReturnTypeFromStrictReturnsRector * TypedPropertyFromStrictConstructorRector * BoolReturnTypeFromBooleanConstReturnsRector * BoolReturnTypeFromBooleanStrictReturnsRector * AddFunctionVoidReturnTypeWhereNoReturnRector * StringReturnTypeFromStrictStringReturnsRector * Add composer scripts: phpcs, rector & check `composer run check` to verify & correct the code (with all) * Refacto: My_Form_validation::run() (Ready for Next-1.7) Ok with CodeIgniter 3.1.13 (& 3.3 by pocketarc for PHP 8.2+) See: e95b95f * ipconfig: Add CI_ENV=production to hide minor PHP errors by default Improve gitignore & remove todo (oups) * [wip] JSON.parse to json_parse to show error in front end * [script.js] json_parse for all & console.trace(data) to debug Need `yarn build` if `ENABLE_DEBUG=false` in ipconfig * [script.js] Finish json_parse: Add console.error & div.alert * README header: Restore badges & show favicon at float right --------- Co-authored-by: Niels Drost <nielsdrost7+github@gmail.com> * Replace node-sass with sass (#1277) * Development v163rc2 (#1272) * composer upgrade: Lock file operations: 5 updates Updating dependencies - Upgrading filp/whoops (2.18.0 => 2.18.1) - Upgrading laravel/pint (v1.20.0 => v1.22.1) - Upgrading phpstan/phpstan (2.1.16 => 2.1.17) - Upgrading rector/rector (2.0.16 => 2.0.17) - Upgrading symfony/deprecation-contracts (v3.5.1 => v3.6.0) * Composer\\Config::disableProcessTimeout (scripts) To fix The process "pint" exceeded the timeout of 300 seconds. * lint by composer run check (1 file rectified) Applied rules: * ParamTypeByMethodCallTypeRector * [einvoice] Fix bad wrap in users-check-lists (client view) * [eInvoice] Shift legacy_calculation to false When client use e-Invoice and if XMLconfigs file haven't `'legacy_calculation' => true` * [eInvoice] Add Automatic calculation mode in Cron & adjustments * Fix #1271 : Add payment_method on Cron Payment Method not copied from recurring invoice to generated invoice * [eInvoice] DRY: Use legacy_calculation constant in modal scripts The const legacy_calculation defined in script (get meta content) The data-legacy-calculation in btn isn't necessary (removed) * Fix: Quote header col classes to do the same as Invoice (view) * Fix: Styling issues (#1278) * fix: panel in panel should be inside panel-body * fix: cancel button is not centered * fix: Sidebar is not full height on sites with low content * fix: Client overview shows wrong e-Invoicing state (#1281) * feat: Add a setup step to ensure the user uses the right config value for LEGACY_CALCULATION (#1282) * fix: Client detail view exception after #1281 changes (#1283) * Update number_helper.php to avoid empty string warning (#1302) In `standardize_amount`, `$thousands_separator` is read from the settings, and if it is empty, the error occurs. If I understand correctly, the settings value is not changed directly via UI, but depends on the chosen `number_format`. It is set in `settings.php`, line 78, just below `// Set thousands_separator and decimal_point according to number_format`. So `standardize_amount ` produces the error if a compact `number_format` is used, which resets the thousands separator settings value to an empty string. So the solution would be to simply not use the `thousands_separator` setting, if it is empty * implement new templates with named footers (#1313) * implement new templates with named footers * use named footers to avoid overwriting footers * Feature/1288 - PayPal Advanced Credit Cards and Venmo (#1289) * Adds PayPal advanced credit card fields, #1288 * Adds advanced CC option and conditional logic, #1288 * Adds Venmo option and conditional logic, #1288 * Adds a header builder and additional recommended header params, #1288 * Ignores /.temp, #1288 * Adds proper error handling at transaction level, #1288 * Improves client and server side error handling, #1288 * Moves CSS to core assets structure, #1288 * Moves JS to core assets structure, #1288 * Updates dependencies * Adds payment-forms assets to Grunt clean exclusions, #1288 * Improves payment section display, #1288 * Adjusts processing spinner to align with button, #1288 * Renames PayPal assets, #1288 * ran pint * [1307]: Sending emails to multiple email addresses gives error message (#1308) * using filter_var in mailer_helper caused issues when multiple email addresses were allowed refs #1307 * also fixed it for sending quotes refs #1307 * added custom e-mail validator * fixed bug with array on string * removed comments and corrected return type --------- Co-authored-by: naui95 <nahuel.guidotti@outlook.com> * Solves problem where Alpine Docker containers don't know the \GLOB_BRACE constant refs #1304 (#1305) * ran pint * [IP-1340]: wrong quoteinvoice guest download attachment button default template (#1343) * use get_file method (#1342) * use get_file method (#1341) * Revert "[IP-1340]: wrong quoteinvoice guest download attachment button defaul…" (#1344) This reverts commit cc2762f. * Add default_order_by method for recurring invoices (#1334) * Make $show_item_discounts available in InvoicePlane_Web.php (#1310) * Hide discounts column when show_item_discounts is false refs #1298 * determine discouted items * fixed display for no discounts * hide discounts also with legacy calculation * applied discount hiding also to quotes * fixed item totals * fixed discount display * enforced standard --------- Co-authored-by: naui95 <naui95@hotmail.com> * 1322: Show open invoices on guest index (#1350) * composer.json omit version string (#1306) * Fix Niels: Uploads (#1338) * Made uploading files more secure refs #1326 * Update application/modules/upload/controllers/Upload.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * improved security: - sanitize filename - prevent corss-path navigation --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: naui95 <nahuel.guidotti@outlook.com> * Put back the InvoicePlane version in the package.json * Prep: v1.6.4 (#1354) * Temporary Commit Fix Niels - 1 - SalesByYear report * Fix Niels - 1 - SalesByYear * Temporary Commit Fix Niels - 3 - Guest Get File * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Suggestions after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * using strpos as per suggestion in code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * suggestion after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * suggestion after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Final fixes for the Get file problem refs #1324 * suggestion after code-review * cleanup after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * cleanup after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Get file (guest) fix refs #1324 * 1340: Wrong quote/invoice guest download attachment button default template * 1348: More fixes for PDF footer * 1322: Show open invoices on guest index * 1340: guest route sanitization * 1340: guest route sanitization * 1340: guest route sanitization * 1340: guest route sanitization * Update application/modules/guest/controllers/Get.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update application/modules/reports/models/Mdl_reports.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update application/modules/reports/models/Mdl_reports.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * critical code review (#1355) * Initial plan * Fix critical path traversal and LFI vulnerabilities Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix SQL injection vulnerability in guest attachments Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add comprehensive security audit report Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add quick summary of security scan results Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix password reset rate limiting and email enumeration vulnerabilities Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Refactor password reset to use session-based rate limiting (no DB migration) Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Make password reset rate limiting configurable via ipconfig.php Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Convert hardcoded log messages to translation strings Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix SQL injection and open redirect vulnerabilities (#1358) * Initial plan * Fix SQL injection and open redirect vulnerabilities Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add comprehensive security summary documentation Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add quick reference security summary Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete COMPREHENSIVE_SECURITY_SUMMARY.md * Delete PASSWORD_RESET_SECURITY.md * Delete SECURITY_AUDIT_2025-11-09.md * Delete SECURITY_AUDIT_2025-11-09_ADDITIONAL.md * Delete SECURITY_QUICK_REFERENCE.md * Delete SECURITY_SCAN_SUMMARY.md * Address review feedback: Use env() for config, add bot detection, and fix syntax errors (#1359) * Initial plan * Replace config variable checks with env() calls and add bot detection Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Refactor password reset rate limiting methods * Add translation for bot detection log and fix syntax errors from refactoring Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> * for versioning purposes * for versioning purposes * Create 040_1.6.4.sql * for versioning purposes * fix: remove libs that are deprecated (#1373) * fix: remove libs that are deprecated * Update resources/docker/php-fpm/Dockerfile Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Patrick Subang <patrick.subang@lightningfibre.co.uk> Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix email address verification to allow both comma and semicolon separators (#1375) * Allow both comma and semicolon to be valid seperators for $emails to be in sync with phpmail_send() function * fix condition check As mb_strpos could possibly return 0 (not false), replaced both mailer_helper.php and phpmailer_helper.php to use str_contains instead * fixes #1367 (#1368) * Bump qs from 6.14.0 to 6.14.1 (#1380) Bumps [qs](https://github.com/ljharb/qs) from 6.14.0 to 6.14.1. - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.14.1) --- updated-dependencies: - dependency-name: qs dependency-version: 6.14.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Reduce QR code image width to 100px (#1377) * Add version checking, logging, and log sanitization for client_einvoicing fields to handle unmigrated databases (#1381) * Initial plan * Add defensive checks for client_einvoicing fields to handle unmigrated databases Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add version checking and extensive logging for einvoicing field access Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add null checks for version retrieval to prevent null concatenation in logs Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update application/modules/clients/controllers/Clients.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Simplify redundant null coalescing in view.php by extracting to variable Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add comment explaining defensive null coalescing pattern in view.php Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix potential null dereference in Mdl_versions::get_current_version() Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix incorrect property access in Mdl_versions::get_current_version() Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Security: Fix file access vulnerabilities across all controllers with reusable helper (#1383) * Initial plan * Fix critical security vulnerabilities in guest/Get.php file access Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix log injection vulnerabilities in security logging Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Optimize hash calculation and strengthen path validation Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix HTTP header injection vulnerability in Content-Disposition Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Strengthen header injection protection with comprehensive control character filtering Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Create reusable file security helper and apply to all file access points Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback - improve string formatting and null handling Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback - improve path traversal detection and header sanitization Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix code review issues - remove redundant checks and security bypass Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Potential fix for code scanning alert no. 3: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 4: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 1: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 2: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Róbert Kelčák <kelcakrobo@gmail.com> Co-authored-by: naui95 <nahuel.guidotti@outlook.com> Co-authored-by: Marc Heiduk <marc@heiduk.me> Co-authored-by: John Mclaren <john@johnscs.com> Co-authored-by: Janek <github@melonion.me> Co-authored-by: Niklas <niklas.schmitt@mailbox.org> Co-authored-by: stephan4p <stephan@vierpunkt.de> Co-authored-by: VeRony <30659226+Verony-makesIT@users.noreply.github.com> Co-authored-by: pumpi <sf@pumpi-online.de> Co-authored-by: = <=> Co-authored-by: der-peer <post@peeruhlmann.de> Co-authored-by: naui95 <naui95@hotmail.com> Co-authored-by: Nathan Mattes <hallo@bullenscheisse.de> Co-authored-by: Kevin Joudrier <kev.joudrier@gmail.com> Co-authored-by: Gabe Dunn <gabe@gabedunn.dev> Co-authored-by: VizardAlpha <43859764+VizardAlpha@users.noreply.github.com> Co-authored-by: Thomas Ingles <thomas@sudwebdesign.fr> Co-authored-by: AutiCodes <prive@auticodes.nl> Co-authored-by: AeroBytes <31496522+AeroBytesNL@users.noreply.github.com> Co-authored-by: Ioannis Dressos <96877388+idressos@users.noreply.github.com> Co-authored-by: Torsten Stöter <torsten.stoeter@lin-magdeburg.de> Co-authored-by: Lars-Olof Kreim <mail@lok-soft.de> Co-authored-by: Kristian Stöckel <git@k118.de> Co-authored-by: Jonas Heinrich <onny@project-insanity.org> Co-authored-by: Niels Drost <nielsdrost7+github@gmail.com> Co-authored-by: ErikKrause <erik.krause@gmx.de> Co-authored-by: naui95 <naui95@users.noreply.github.com> Co-authored-by: Drew Angell <64537522+drewangell@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: PatrickGTR <patricksubang@live.com> Co-authored-by: Patrick Subang <patrick.subang@lightningfibre.co.uk> Co-authored-by: LaoDC <github@laodc.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
addresses #1340