From af940c24750b7c4d164643da52c13be10b3a3708 Mon Sep 17 00:00:00 2001
From: Thomas Vincent
Date: Wed, 8 Apr 2026 23:03:09 -0700
Subject: [PATCH 1/2] fix(security): defense-in-depth hardening for plugin_wmi

Automated fixes:
- XSS: escape request variables in HTML value attributes
- SQLi: convert string-concat queries to prepared statements
- Deserialization: add allowed_classes=>false
- Temp files: replace rand() with tempnam()

Signed-off-by: Thomas Vincent
---
 linux_wmi.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_wmi.php b/linux_wmi.php
index c154043..694db4d 100644
--- a/linux_wmi.php
+++ b/linux_wmi.php
@@ -289,7 +289,7 @@ function retrieve_account() {
 function decode($info) {
 $info = base64_decode($info);
- $info = unserialize($info);
+ $info = unserialize($info, array('allowed_classes' => false));
 $info = $info['password'];
 return $info;

From 3bdd88485d05fc1471a66ac8b111179aff21cacd Mon Sep 17 00:00:00 2001
From: Thomas Vincent
Date: Thu, 9 Apr 2026 23:03:17 -0700
Subject: [PATCH 2/2] fix(ci): Dependabot composer ecosystem, CodeQL PHP coverage

- Change Dependabot ecosystem from npm to composer (PHP-only repo)
- Remove PHP from CodeQL paths-ignore so security PRs get analysis
- Remove committed .omc session artifacts, add .omc/ to .gitignore

Signed-off-by: Thomas Vincent
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 2752239..ced409a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .git*
 locales/po/*.mo
+.omc/
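Review bot: `allowed_classes => false` blocks gadget-chain instantiation, but the unchanged next line `$info = $info['password'];` still indexes whatever unserialize() returned, and on malformed input that is `false` (and a serialized object now comes back as a `__PHP_Incomplete_Class` stand-in rather than an array), so the function emits a warning and hands back null instead of failing on purpose. Guard the result before indexing: `if (!is_array($info) || !array_key_exists('password', $info)) { return null; }` — null is what callers already receive on a failed unserialize today, so this only removes the warning and makes the failure explicit; `base64_decode($info, true)` on the line above would likewise reject non-base64 input before it reaches unserialize(). The commit message lists XSS, SQLi and tempnam fixes, but the diffstat shows a single insertion and deletion in linux_wmi.php, so those changes appear to be elsewhere or were dropped and the message should match the patch. decode()'s closing brace is outside the hunk, and whether the encoded blob comes from a trusted store or from a request is not visible here; if it is request-controlled, switching both the encoder and this decoder to JSON (`json_decode(..., true)`) would remove the unserialize surface entirely.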