Merge remote-tracking branch 'upstream/master' into feature/activity-type-no-default

Author: anonymoususer72041

.editorconfig

@@ -0,0 +1,6 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

.htaccess

@@ -1,4 +1,16 @@
- 
 IndexIgnore *
 
 Options -Indexes
+
+# Security headers (requires mod_headers; AllowOverride FileInfo or All).
+# Basic security headers.
+# These defaults are intentionally conservative to avoid breaking common customizations.
+<IfModule mod_headers.c>
+    Header always set X-Content-Type-Options "nosniff"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
+
+    # Prevent clickjacking on the OpenCATS UI.
+    # Note: /careers/ intentionally unsets this header in careers/.htaccess to allow embedding Career Portal into external websites using an iframe.
+    Header always set X-Frame-Options "SAMEORIGIN"
+</IfModule>

Error.tpl

@@ -6,7 +6,7 @@
 <p class="fatalError">
     A fatal error has occurred.<br />
     <br />
-    <?php echo($this->errorMessage); ?>
+    <?php $this->_($this->errorMessage); ?>
 </p>
 
 <?php TemplateUtility::printFooter(); ?>

README-testing.md

@@ -5,7 +5,7 @@ This project uses two distinct MariaDB instances during the testing phase to ens
 
 ### 1. opencatsdb (Port 3306)
 * **Purpose:** Primary application database for functional testing.
-* **Data:** Pre-seeded with `test.sql` and `securityTests.sql` via Docker's `initdb.d`.
+* **Data:** Pre-seeded with `db/cats_schema.sql` and `test/data/securityTests.sql` via Docker's `initdb.d`.
 * **Used By:** Manual development, Behat (Gherkin/Selenium) suites.
 
 ### 2. integrationtestdb (Port 3307)
@@ -29,8 +29,14 @@ To mirror the CI environment on your machine:
    docker compose -f docker-compose-test.yml up -d
    ```
 
-3. **Run the suites:**
-   * **PHPUnit:** `docker exec -it opencats_test_php ./vendor/bin/phpunit src/OpenCATS/Tests/IntegrationTests`
+3. **Install PHP dependencies (Composer):**
+   ```bash
+   docker run --rm -v "$(pwd)/..":/app -w /app composer:2 composer install --no-interaction --prefer-dist --ignore-platform-reqs
+   ```
+
+4. **Run the suites:**
+   * **PHPUnit Unit Tests:** `docker exec -it opencats_test_php ./vendor/bin/phpunit src/OpenCATS/Tests/UnitTests`
+   * **PHPUnit Integration Tests:** `docker exec -it opencats_test_php ./vendor/bin/phpunit src/OpenCATS/Tests/IntegrationTests`
    * **Behat:** `docker exec -it opencats_test_php ./vendor/bin/behat -c ./test/behat.yml`
 
 ---

Security.MD

@@ -8,11 +8,11 @@ In order to give the community time to respond and upgrade we strongly urge you
 
 ### Password Storage
 
-OpenCATS uses MD5 hashing to store passwords. This will be replaced in future versions
+OpenCATS hashes user passwords using PHP’s password_hash() and verifies them with password_verify(), using PASSWORD_DEFAULT (the default algorithm selected by the running PHP version).
 
 ### XSS
 
-The main vector for [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks is via the career portal (which is disabled by default). htmlspecialchars is used to protect career portal form submissions. Back-end (non-public) web-pages remain vulnerable to XSS. This internal page protection was deployed in v0.9.7.2
+The main vector for [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks is via the career portal (which is disabled by default). htmlspecialchars is used to protect career portal form submissions. This internal page protection was deployed in v0.9.7.2. XSS hardening has been improved over time, but any custom templates and third-party modifications can reintroduce issues.
 
 ### Malicious uploads
 

ajax.php

@@ -46,6 +46,13 @@
 header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
 header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
 
+/* Only start a session for POST requests so CSRF validation can determine logged-in state. */
+if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST')
+{
+    @session_name(CATS_SESSION_NAME);
+    session_start();
+}
+
 /* Make sure we aren't getting screwed over by magic quotes. */
 if (get_magic_quotes_runtime())
 {
@@ -60,6 +67,31 @@
     $_REQUEST = array_map('stripslashes', $_REQUEST);
 }
 
+if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST' &&
+    isset($_SESSION['CATS']) && $_SESSION['CATS']->isLoggedIn())
+{
+    $token = null;
+
+    if (isset($_POST['csrfToken']))
+    {
+        $token = $_POST['csrfToken'];
+    }
+
+    if (!$_SESSION['CATS']->isCSRFTokenValid($token))
+    {
+        header('Content-type: text/xml');
+        echo '<?xml version="1.0" encoding="', AJAX_ENCODING, '"?>', "\n";
+        echo(
+            "<data>\n" .
+            "    <errorcode>-1</errorcode>\n" .
+            "    <errormessage>Invalid request.</errormessage>\n" .
+            "</data>\n"
+        );
+
+        die();
+    }
+}
+
 if (!isset($_REQUEST['f']) || empty($_REQUEST['f']))
 {
     header('Content-type: text/xml');

ajax/deleteActivity.php

@@ -32,6 +32,12 @@
 
 $interface = new SecureAJAXInterface();
 
+if ($_SERVER['REQUEST_METHOD'] !== 'POST')
+{
+    $interface->outputXMLErrorPage(-1, 'Invalid request.');
+    die();
+}
+
 if (!$interface->isRequiredIDValid('activityID'))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid activity ID.');
@@ -40,7 +46,7 @@
 
 $siteID = $interface->getSiteID();
 
-$activityID = $_REQUEST['activityID'];
+$activityID = $_POST['activityID'];
 
 /* Delete the activity entry. */
 $activityEntries = new ActivityEntries($siteID);

ajax/editActivity.php

@@ -35,6 +35,12 @@
 
 $interface = new SecureAJAXInterface();
 
+if ($_SERVER['REQUEST_METHOD'] !== 'POST')
+{
+    $interface->outputXMLErrorPage(-1, 'Invalid request.');
+    die();
+}
+
 if (!$interface->isRequiredIDValid('activityID'))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid activity ID.');
@@ -53,26 +59,30 @@
     die();
 }
 
-if (!isset($_REQUEST['notes']))
+if (!isset($_POST['notes']))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid notes.');
     die();
 }
 
 $siteID = $interface->getSiteID();
 
-$activityID = $_REQUEST['activityID'];
-$type       = $_REQUEST['type'];
-$jobOrderID = $_REQUEST['jobOrderID'];
+$activityID = $_POST['activityID'];
+$type       = $_POST['type'];
+$jobOrderID = $_POST['jobOrderID'];
 
 /* Decode and trim the activity notes from the company. */
-$activityNote = trim(urldecode($_REQUEST['notes']));
-$activityDate = trim(urldecode($_REQUEST['date']));
-$activityHour = trim(urldecode($_REQUEST['hour']));
-$activityMinute = trim(urldecode($_REQUEST['minute']));
-$activityAMPM = trim(urldecode($_REQUEST['ampm']));
+$activityNote = trim(urldecode($_POST['notes']));
+$activityDate = trim(urldecode($_POST['date']));
+$activityHour = trim(urldecode($_POST['hour']));
+$activityMinute = trim(urldecode($_POST['minute']));
+$activityAMPM = trim(urldecode($_POST['ampm']));
+
+$dateFormatFlag = $_SESSION['CATS']->isDateDMY()
+    ? DATE_FORMAT_DDMMYY
+    : DATE_FORMAT_MMDDYY;
 
-if (!DateUtility::validate('-', $activityDate, DATE_FORMAT_MMDDYY))
+if (!DateUtility::validate('-', $activityDate, $dateFormatFlag))
 {
     die('Invalid availability date.');
     return;
@@ -87,7 +97,7 @@
 $date = sprintf(
     '%s %s',
     DateUtility::convert(
-        '-', $activityDate, DATE_FORMAT_MMDDYY, DATE_FORMAT_YYYYMMDD
+        '-', $activityDate, $dateFormatFlag, DATE_FORMAT_YYYYMMDD
     ),
     date('H:i:00', $time)
 );