From a1f83e1dcf9a573cd6bb8d4352533e1e2d1095df Mon Sep 17 00:00:00 2001
From: Sam Reed <sam@reedyboy.net>
Date: Thu, 19 Oct 2023 13:05:19 +0100
Subject: [PATCH] SECURITY: Make 'unittest' mode only work during tests

---
 help/resetpw.php       | 2 +-
 php/apsearch.php       | 2 +-
 php/config.php.sample  | 3 +++
 test/server/config.php | 2 ++
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/help/resetpw.php b/help/resetpw.php
index 31b0781a..34393d62 100644
--- a/help/resetpw.php
+++ b/help/resetpw.php
@@ -68,7 +68,7 @@
 Cheers,
 OpenFlights.org";
 
-        if (isset($_POST["unittest"])) {
+        if (defined(UNIT_TEST_MODE) && UNIT_TEST_MODE && isset($_POST["unittest"])) {
             echo $link . "***" .  $row['challenge'];
             exit(0);
         }
diff --git a/php/apsearch.php b/php/apsearch.php
index f71be97c..c497f43c 100644
--- a/php/apsearch.php
+++ b/php/apsearch.php
@@ -238,7 +238,7 @@
 TXT;
 
 
-    if (isset($_POST["unittest"])) {
+    if (defined(UNIT_TEST_MODE) && UNIT_TEST_MODE && isset($_POST["unittest"])) {
         echo $title . "\n\n" . $body;
         exit;
     }
diff --git a/php/config.php.sample b/php/config.php.sample
index c166c2c5..46bf784c 100644
--- a/php/config.php.sample
+++ b/php/config.php.sample
@@ -1,4 +1,7 @@
 <?php
+
+const UNIT_TEST_MODE = false;
+
 $host = "localhost";
 $dbname = "flightdb2";
 $user = "openflights";
diff --git a/test/server/config.php b/test/server/config.php
index 5654dcf8..8fac77a4 100644
--- a/test/server/config.php
+++ b/test/server/config.php
@@ -9,6 +9,8 @@
 // Path to OpenFlights upload directory
 $uploadDir = '../../import/';
 
+const UNIT_TEST_MODE = true;
+
 // Database configuration
 $dbhost = "localhost";
 $dbuser = "openflights";