Haschek-Solutions/http2pic
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: sanitize API_KEY and BLOCK_PRIVATE_IPS in config generation

Browse Source 
- Fix Issue 1: Normalize BLOCK_PRIVATE_IPS to safe boolean (true/false) using shell case statement to prevent PHP injection from non-boolean values like 'yes'
- Fix Issue 2: Strip single quotes from API_KEY to prevent PHP string injection if the value contains quotes
- Update docker-compose-dev.yml to document these configuration options

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Chris
2026-04-20 21:50:59 +02:00
parent 3ab7c1334f
commit cc30d2288e
2 changed files with 11 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docker-compose-dev.yml
View File

@@ -13,5 +13,7 @@ services:
environment:
- URL=http://localhost:8080
# - API_KEY=your-secret-key # if set, all /api requests must provide it
# - BLOCK_PRIVATE_IPS=true # block LAN/loopback/metadata IPs (recommended for public hosting)
ports:
- 8080:80

11
docker/start.sh
View File

@@ -14,11 +14,18 @@ chmod 777 /srv/logs
echo ' [+] Building config'
_buildConfig() {
local block_private api_key
case "${BLOCK_PRIVATE_IPS:-false}" in
true|1|yes) block_private=true ;;
*) block_private=false ;;
esac
api_key="${API_KEY:-}"
api_key="${api_key//\'/}"
echo "<?php"
echo "date_default_timezone_set('Europe/Vienna');"
echo "define('URL','${URL:-http://localhost:8080}');"
echo "define('API_KEY','${API_KEY:-}');"
echo "define('BLOCK_PRIVATE_IPS',${BLOCK_PRIVATE_IPS:-false});"
echo "define('API_KEY','${api_key}');"
echo "define('BLOCK_PRIVATE_IPS',${block_private});"
echo ""
}