schmidt1024/xmrpay.link
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security: Add HMAC validation for short URLs + improve privacy documentation

Browse Source 
- Implement HMAC-SHA256 signatures on short URLs to detect server-side tampering
- Add client-side signature verification with hostname-derived secret
- New API endpoint: /api/check-short.php for integrity verification
- Update verify.php with privacy notice (addresses not stored)
- Update README to clarify minimal backend requirement (short URLs, rate caching, proof storage)
- Add toast warning when signature mismatch detected
- Support both old and new format in s.php for backward compatibility
- Update all i18n translations (EN, DE, FR, IT, ES, PT, RU)

Addresses security concern: Server compromise could previously result in address
substitution for short-linked invoices. Now client-side verification detects tampering.
This commit is contained in:
Alexander Schmidt
2026-03-26 06:52:20 +01:00
parent c1bd97948c
commit 7e325abf7d
7 changed files with 167 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
api/shorten.php
View File

@@ -18,6 +18,9 @@ if (!is_dir($dataDir)) {
mkdir($dataDir, 0750, true);
}
// Secret for HMAC (derived from hostname to protect against server-side tampering)
$secret = hash('sha256', $_SERVER['HTTP_HOST'] . 'xmrpay.link');
$input = json_decode(file_get_contents('php://input'), true);
$hash = $input['hash'] ?? '';
@@ -34,10 +37,12 @@ if (file_exists($dbFile)) {
}
// Check if this hash already exists
$existing = array_search($hash, $urls);
if ($existing !== false) {
echo json_encode(['code' => $existing]);
exit;
foreach ($urls as $code => $data) {
$stored_hash = is_array($data) ? $data['h'] : $data;
if ($stored_hash === $hash) {
echo json_encode(['code' => $code]);
exit;
}
}
// Generate short code (6 chars)
@@ -50,12 +55,19 @@ function generateCode($length = 6) {
return $code;
}
// Generate HMAC signature to detect server-side tampering
$signature = hash_hmac('sha256', $hash, $secret);
$code = generateCode();
while (isset($urls[$code])) {
$code = generateCode();
}
$urls[$code] = $hash;
// Store hash with signature
$urls[$code] = [
'h' => $hash,
's' => $signature // HMAC signature for integrity verification
];
file_put_contents($dbFile, json_encode($urls, JSON_UNESCAPED_UNICODE), LOCK_EX);
echo json_encode(['code' => $code]);