Haschek-Solutions/http2pic
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: use hash_equals for API key comparison and update config documentation

Browse Source 
- Replace direct API key comparison with hash_equals() to prevent timing oracle attacks
- Update CLAUDE.md to document all config options (URL, API_KEY, BLOCK_PRIVATE_IPS)
- Add placeholder defines to src/config.inc.php for local dev (not committed due to .gitignore)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Chris
2026-04-21 12:17:34 +02:00
parent efc9e6510c
commit 9295115742
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CLAUDE.md
View File

@@ -41,7 +41,7 @@ php -S localhost:8080 -t web/
| `web/index.php` | API + template router |
| `src/http2pic.class.php` | Legacy wkhtmltoimage renderer |
| `src/helpers.php` | Template render, logging, IP helper |
| `src/config.inc.php` | Runtime config (URL) |
| `src/config.inc.php` | Runtime config (URL, API_KEY, BLOCK_PRIVATE_IPS) |
| `docker/Caddyfile` | Reverse proxy, PHP-FPM, file server |
| `docker/start.sh` | Boots PHP-FPM, ChromeDriver, writes config |
| `docker-compose.yml` | Production compose |

2
web/index.php
View File

@@ -26,7 +26,7 @@ switch ($url[0]) {
case 'api':
if (defined('API_KEY') && API_KEY !== '') {
$provided = $_SERVER['HTTP_X_API_KEY'] ?? $_REQUEST['key'] ?? '';
if ($provided !== API_KEY) {
if (!hash_equals(API_KEY, $provided)) {
header('HTTP/1.0 401 Unauthorized');
echo 'Invalid or missing API key';
exit;