Haschek-Solutions/http2pic
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
92 Commits 1 Branch 11 Tags
6973522c4539bebf9505628c4876aa46ba624ef7
Commit Graph

92 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris
6973522c45 fix: block non-http(s) schemes, sanitize API_KEY backslash, improve viewport error message 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-21 12:48:18 +02:00
Chris
6dc0001f9d fix: block 0.0.0.0/8 in isPrivateIP to prevent loopback bypass 2026-04-21 12:35:31 +02:00
Chris
4ab30bcc1d feat: opt-in SSRF protection via BLOCK_PRIVATE_IPS env var 2026-04-21 12:26:54 +02:00
Chris
9295115742 fix: use hash_equals for API key comparison and update config documentation 
- Replace direct API key comparison with hash_equals() to prevent timing oracle attacks
- Update CLAUDE.md to document all config options (URL, API_KEY, BLOCK_PRIVATE_IPS)
- Add placeholder defines to src/config.inc.php for local dev (not committed due to .gitignore)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-21 12:17:34 +02:00
Chris
efc9e6510c feat: optional API key auth via X-API-Key header or ?key= param 2026-04-21 12:11:23 +02:00
Chris
e7924f462e fix: reject zero-dimension viewport values 2026-04-21 12:04:05 +02:00
Chris
8590465c6a fix: viewport before page load, 60ms->60s timeout, viewport cap, generic errors 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-21 11:49:49 +02:00
Chris
cc30d2288e fix: sanitize API_KEY and BLOCK_PRIVATE_IPS in config generation 
- Fix Issue 1: Normalize BLOCK_PRIVATE_IPS to safe boolean (true/false) using shell case statement to prevent PHP injection from non-boolean values like 'yes'
- Fix Issue 2: Strip single quotes from API_KEY to prevent PHP string injection if the value contains quotes
- Update docker-compose-dev.yml to document these configuration options

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-20 21:50:59 +02:00
Chris
3ab7c1334f feat: add API_KEY and BLOCK_PRIVATE_IPS config vars 2026-04-20 21:47:09 +02:00
Chris
75ead2f5ad feat: add isPrivateIP helper, fix getUserIP and addToLog 2026-04-20 21:44:32 +02:00
Chris
15720489ba test: add failing tests for helpers functions 
Add comprehensive tests for isPrivateIP() and getUserIP() functions.
These tests currently fail as the functions are not yet implemented.
Tests cover:
- isPrivateIP: loopback, private ranges (10/172/192), AWS metadata, public IPs
- getUserIP: REMOTE_ADDR fallback, X-Forwarded-For parsing and trimming

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-20 21:43:47 +02:00
Chris
73118498c9 docs: add security hardening implementation plan 2026-04-20 09:44:48 +02:00
Chris
7f9a752b57 docs: add security hardening design spec 2026-04-20 09:40:21 +02:00
Chris
7323eed789 fix: enhance error handling and improve URL decoding in http2pic class and index.php 2026-04-20 07:59:06 +02:00
Chris
7616dee994 fix: improve error handling and streamline screenshot response in index.php 2026-04-19 21:58:00 +02:00
Chris
4a548f50e7 fix: update URL format in docker-compose and enhance error handling in http2pic class 2026-04-19 21:27:04 +02:00
Chris
faea2b0899 fix: correct URL format in docker-compose files and improve viewport handling in index.php
All checks were successful
Build Container / docker (push) Successful in 28s
Details
v2.0.8 		2026-02-15 19:58:43 +01:00
Chris
427fa24565 clarify 2026-02-15 19:29:55 +01:00
Chris
086e7c7a77 full path 2025-06-10 12:00:35 +02:00
Chris
181bed4449 config corrections 2025-06-10 11:57:16 +02:00
Chris
6e0795bbdf url 2025-06-10 11:55:13 +02:00
Chris
5df5a0ad7a added logging
All checks were successful
Build Container / docker (push) Successful in 2m7s
Details
v2.0.7 		2025-06-10 11:50:24 +02:00
Chris
63b49dd282 url showing 2025-06-10 11:25:27 +02:00
Chris
5e8f4e33e3 ups 2025-06-10 11:23:45 +02:00
Chris
a140a35448 symlink 2025-06-10 11:21:11 +02:00
Chris
a0765efc3c ok 2025-06-10 11:16:25 +02:00
Chris
543e44abc8 fine, I'll do it myself
All checks were successful
Build Container / docker (push) Successful in 1m6s
Details
v2.0.6 		2025-06-10 11:09:14 +02:00
Chris
1443cfee12 ok only docker hub
Some checks failed
ci / docker (push) Failing after 9m27s
Details
v2.0.5 		2025-06-10 11:06:45 +02:00
Chris
0d17b5d474 write permissions for packages
Some checks failed
ci / docker (push) Failing after 11m14s
Details
v2.0.4 		2025-06-10 11:02:01 +02:00
Chris
3eed66b9a9 testing
Some checks failed
ci / docker (push) Failing after 11m17s
Details
v2.0.3 		2025-06-10 10:54:13 +02:00
Chris
184e673277 correct token for docker login
Some checks failed
ci / docker (push) Failing after 11m17s
Details
v2.0.2 		2025-06-10 10:51:10 +02:00
Chris
83926b0f9a push only to github
Some checks failed
ci / docker (push) Failing after 11m2s
Details
v2.0.1 		2025-06-10 10:44:33 +02:00
Chris
469ef7f5ea container and dev preparations
Some checks failed
ci / docker (push) Failing after 11m20s
Details
v2.0.0 		2025-06-10 10:39:47 +02:00
Chris
fbe7613f97 working prototype, many features missing 2025-01-13 15:58:58 +00:00
Chris
028a4b54f4 api preparations for rework 2025-01-13 15:42:44 +00:00
Christian Haschek
f54d35c312 preparations and testing for a rewrite, ditching wkhtmltopdf for chrome-driver 2025-01-12 20:13:47 +00:00
Chris
cf07363a8d preparations for rewrite 2025-01-11 23:14:09 +01:00
Christian Haschek
637a781f24 changed the way the url is escaped. should fix #14 2022-03-08 22:00:58 +01:00
Christian Haschek
ce3b71c934 url validation now only allows http, https and ftp urls. fixes #13 2016-11-20 23:24:01 +01:00
Christian Haschek
52df764d44 added phantomjs binary 2016-11-20 23:23:27 +01:00
Christian Haschek
4e164c82a9 Merge pull request #11 from chpwssn/master 
Catch when cURL can't connect to webserver
 2016-08-30 09:20:10 +02:00
Chip Wasson
03b72c9198 Catch When cURL can't connect to webserver 
If a domain is invalid or a web server is down, cURL will return false
and not have a status code. We need to catch it and distinguish the
difference between page not found and cannot connect for the user.
 2016-08-29 21:52:28 -06:00
Christian Haschek
77f2a2651c Merge pull request #10 from chpwssn/master 
Add Content-Disposition to make saving images cleaner
 2016-08-29 19:38:03 +02:00
Chip Wasson
6c1aaeae2a Chrome Won't Infer File Extension 
Add a file extension since the Chrome version I tested didn’t infer the
file extension.
 2016-08-29 11:22:36 -06:00
Chip Wasson
745b9cc692 Add Content-Disposition to make saving images cleaner 
When a user tries to save a file from the browser, make the filename
the url they entered so they don’t have to type it again.
 2016-08-29 11:08:12 -06:00
Christian Haschek
4abd000917 Merge pull request #7 from luckyjay/master 
Change to PNG as default output
 2016-01-10 17:39:17 +01:00
luckyjay
2a1452c9f2 Change to PNG as default output 
I encountered a number of large web pages that would not render as jpg. Switching to png made them work. Suggest to make png the default now.
 2016-01-10 11:28:35 -05:00
Christian Haschek
102b39235d Merge pull request #6 from luckyjay/master 
Remove clipRect setting to fix rendering
 2016-01-10 12:11:48 +01:00
Christian Haschek
62392ad181 Merge pull request #5 from luckyjay/patch-1 
Removed exit command from renderPagePHANTOMJS()
 2016-01-10 12:11:28 +01:00
luckyjay
d63cee86a6 Update http2pic.class.php 2016-01-10 02:07:06 -05:00