fix: block non-http(s) schemes, sanitize API_KEY backslash, improve viewport error message

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

CLAUDE.md

@@ -64,6 +64,10 @@ curl "http://host/api?key=your-secret-key&url=https://example.com"
 Set `BLOCK_PRIVATE_IPS=true` to reject requests to LAN, loopback, and cloud metadata IPs.
 Recommended when hosting publicly. Default is off (allows local/LAN addresses).
 
+Note: DNS rebinding attacks can bypass this protection (attacker-controlled DNS can return a public IP
+during validation and a private IP when Chrome actually connects). Full protection requires a network-level
+egress firewall.
+
 ## Caveats
 
 - `web/index.php` has a `var_dump($cmd)` debug statement left in `http2pic.class.php:181` - remove before shipping.

docker/start.sh

@@ -20,6 +20,7 @@ _buildConfig() {
         *)          block_private=false ;;
     esac
     api_key="${API_KEY:-}"
+    api_key="${api_key//\\/}"
     api_key="${api_key//\'/}"
     echo "<?php"
     echo "date_default_timezone_set('Europe/Vienna');"

web/index.php

@@ -40,6 +40,12 @@ switch ($url[0]) {
             echo 'Invalid URL';
             exit;
         }
+        $scheme = strtolower(parse_url($target, PHP_URL_SCHEME) ?? '');
+        if (!in_array($scheme, ['http', 'https'], true)) {
+            header('HTTP/1.0 400 Bad Request');
+            echo 'Invalid URL';
+            exit;
+        }
         $ip = getUserIP();
 
         $viewport = $_REQUEST['viewport'] ?: '1024x768';
@@ -51,7 +57,7 @@ switch ($url[0]) {
         $vpParts = array_map('intval', explode('x', $viewport));
         if ($vpParts[0] < 1 || $vpParts[1] < 1 || $vpParts[0] > 3840 || $vpParts[1] > 2160) {
             header('HTTP/1.0 400 Bad Request');
-            echo 'Viewport exceeds maximum (3840x2160)';
+            echo 'Viewport dimensions must be between 1x1 and 3840x2160';
             exit;
         }