bug: Webcron handler missing return after sendJsonResponse on auth failure #79

New Issue

2026-06-21T23:01:39Z

jmiller commented

2026-06-21 23:01:39 +00:00

Severity: HIGH

In the system plugin's onAfterInitialise, after calling sendJsonResponse() for invalid secret or disabled webcron, there is no return statement. While sendJsonResponse() calls $app->close(), if close() is somehow non-terminal (tests, custom app subclass), execution falls through to the backup logic unauthenticated.

Fix

Add return; after each sendJsonResponse() call in the auth checks.

File

plg_system_mokosuitebackup/src/Extension/MokoSuiteBackup.php:62-74

## Severity: HIGH In the system plugin's `onAfterInitialise`, after calling `sendJsonResponse()` for invalid secret or disabled webcron, there is no `return` statement. While `sendJsonResponse()` calls `$app->close()`, if `close()` is somehow non-terminal (tests, custom app subclass), execution falls through to the backup logic unauthenticated. ## Fix Add `return;` after each `sendJsonResponse()` call in the auth checks. ## File - `plg_system_mokosuitebackup/src/Extension/MokoSuiteBackup.php:62-74`

jmiller added the component: engine label 2026-06-21 23:01:39 +00:00

jmiller referenced this issue

2026-06-21 23:04:13 +00:00

test: Deep dive audit — verify and fix all findings #81

jmiller referenced this issue from a commit

2026-06-21 23:09:43 +00:00

fix: critical and high audit findings (#81)

jmiller referenced a pull request that will close this issue

2026-06-21 23:09:56 +00:00

fix: Critical and high audit findings (#81) #83

jmiller closed this issue

2026-06-21 23:10:23 +00:00