mirror of
https://github.com/myronblair/novacpx
synced 2026-06-30 17:50:41 -05:00
4d7c35076b
- system.php: fix null dereference on fetchOne (TypeError on null['value']) - system.php: validate update_channel to ['stable','beta'] to prevent shell injection - system.php: escapeshellarg remoteBranch in git log/show calls (was RCE vector) - system.php: fix backup path — rsync contents, not directory, so restore is symmetric - system.php: syntax check only changed files (git diff) not all 300+ panel files - system.php: copy VERSION to $webRoot/VERSION not $webRoot/../VERSION (wrong path) - system.php: fix 3× ON DUPLICATE KEY UPDATE → SQLite ON CONFLICT syntax - deploy-runner.sh: hoist DB_PATH/CHANNEL above while loop - deploy-runner.sh: sanitize NEW_VERSION and commit hashes before SQL interpolation - deploy-runner.sh: parse queued branch (4th field) from webhook queue entry - webhook.php: remove dead $branch config variable - webhook.php: include pushed branch in queue entry to eliminate TOCTOU race Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>