fix: P2+P3 bug fixes, hardening, and cleanup (18 files)
Bug fixes: - Add applyEnvOverrides to LoadFromBytes (M05) - Set state=failed on compose-up failure in selfupdate (M16) - Clamp usableMB to min 0 in memory check (M22) - Remove "manual" schedule from triggerAllCrossBackups (M23) - Add mmcblk device handling for partition paths (M21) - Fix stripPartition for mmcblk devices (L25) - Fix TruncateStr for UTF-8 and negative maxLen (L05/L06) - Fix AllDone to return false for empty restore plans (L14) - Fix PushOnce to return actual errors (L39) - Restore pending events on save failure in DrainPendingEvents (M03) - Add duplicate check in AddStoragePath (M04) - Call CleanupTempMounts after drive scan (H13) - Log SetStep save errors (M25) Hardening: - Guard scheduler Start() against double-start (M14) - Acquire mutex in scheduler Stop() before reading cancel (L24) - Cap log lines parameter to 10000 (L31) - Require POST for logout (L32) - Use sync.Once for Server.Close() (L49) - Panic on crypto/rand.Read failure in setup CSRF (L40) - Validate Bearer token against Hub API key in CSRF (H16 fix) - Replace custom hasPrefix with strings.HasPrefix (L13) - Replace simpleHash with crc32.ChecksumIEEE (L48) Cleanup: - Remove dead imageName function (L02) - Remove dead detectHostIPViaRoute function (L03) - Rename shadowed copy variable to cp (L07) - Copy DefaultEnabledEvents in GetNotificationPrefs early return (L09) - Update BUGHUNT.md with comprehensive audit results Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -2,6 +2,7 @@ package web
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"hash/crc32"
|
||||
"log"
|
||||
"strings"
|
||||
"sync"
|
||||
@@ -219,11 +220,7 @@ func (am *AlertManager) GetInlineAlerts(page string) []Alert {
|
||||
|
||||
// simpleHash returns a short deterministic hash for deduplication.
|
||||
func simpleHash(s string) string {
|
||||
h := uint32(0)
|
||||
for _, c := range s {
|
||||
h = h*31 + uint32(c)
|
||||
}
|
||||
return fmt.Sprintf("%08x", h)
|
||||
return fmt.Sprintf("%08x", crc32.ChecksumIEEE([]byte(s)))
|
||||
}
|
||||
|
||||
// sortAlerts sorts alerts by severity: error > warning > info.
|
||||
|
||||
@@ -128,6 +128,10 @@ func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != http.MethodPost {
|
||||
http.Redirect(w, r, "/", http.StatusFound)
|
||||
return
|
||||
}
|
||||
if cookie, err := r.Cookie(sessionCookieName); err == nil {
|
||||
s.sessionsMu.Lock()
|
||||
delete(s.sessions, cookie.Value)
|
||||
@@ -203,9 +207,11 @@ func (s *Server) cleanupSessions() {
|
||||
}
|
||||
}
|
||||
|
||||
// Close signals the server to stop background goroutines.
|
||||
// Close signals the server to stop background goroutines. Safe to call multiple times.
|
||||
func (s *Server) Close() {
|
||||
close(s.done)
|
||||
s.closeOnce.Do(func() {
|
||||
close(s.done)
|
||||
})
|
||||
}
|
||||
|
||||
func (s *Server) renderLogin(w http.ResponseWriter, errorMsg, flashMsg string) {
|
||||
|
||||
@@ -44,6 +44,7 @@ type Server struct {
|
||||
sessions map[string]*session
|
||||
sessionsMu sync.RWMutex
|
||||
done chan struct{}
|
||||
closeOnce sync.Once
|
||||
|
||||
// Disk operation state (format/migrate jobs)
|
||||
diskJobMu sync.Mutex
|
||||
|
||||
Reference in New Issue
Block a user