fix: block non-http(s) schemes, sanitize API_KEY backslash, improve viewport error message

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 12:48:18 +02:00
parent 6dc0001f9d
commit 6973522c45
3 changed files with 12 additions and 1 deletions


@@ -40,6 +40,12 @@ switch ($url[0]) {
echo 'Invalid URL';
exit;
}
$scheme = strtolower(parse_url($target, PHP_URL_SCHEME) ?? '');
if (!in_array($scheme, ['http', 'https'], true)) {
header('HTTP/1.0 400 Bad Request');
echo 'Invalid URL';
exit;
}
$ip = getUserIP();
$viewport = $_REQUEST['viewport'] ?: '1024x768';
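Review bot: The `?? ''` on the new `$scheme` line only covers a null scheme, not the `false` that `parse_url()` returns for a seriously malformed `$target`; under `declare(strict_types=1)` `strtolower(false)` would then throw a TypeError (a 500 rather than the intended 400), and without it the silent `false`→`''` coercion is what makes the check work. `$scheme = strtolower((string) (parse_url($target, PHP_URL_SCHEME) ?: ''));` handles both. If `$target` is later fetched server-side (the viewport handling suggests a headless render), a scheme allowlist alone does not constrain where the request goes; checking the resolved host against loopback/link-local/private ranges would be the matching defensive step, but I cannot see the fetch from this hunk. The enclosing `switch ($url[0])` case starts before the hunk.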
@@ -51,7 +57,7 @@ switch ($url[0]) {
$vpParts = array_map('intval', explode('x', $viewport));
if ($vpParts[0] < 1 || $vpParts[1] < 1 || $vpParts[0] > 3840 || $vpParts[1] > 2160) {
header('HTTP/1.0 400 Bad Request');
echo 'Viewport exceeds maximum (3840x2160)';
echo 'Viewport dimensions must be between 1x1 and 3840x2160';
exit;
}
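Review bot: The range check on the `if` line reads `$vpParts[1]` without confirming `explode('x', $viewport)` produced two parts, so a value like `1024` or `1024x768x1` raises an "Undefined array key" warning or silently passes the extra part; `if (count($vpParts) !== 2 || $vpParts[0] < 1 || $vpParts[1] < 1 || $vpParts[0] > 3840 || $vpParts[1] > 2160) {` closes that before the comparisons run. `intval` also accepts `'1024abc'` as 1024, so a stricter shape check (e.g. a `preg_match('/^\d{1,4}x\d{1,4}$/', $viewport)` guard) would make the new error message on the `echo` line literally true. The `array_map('intval', ...)` string callable could be `array_map(intval(...), ...)` for style. The enclosing `switch` case starts before the hunk.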