Security: Add HMAC validation for short URLs + improve privacy documentation

- Implement HMAC-SHA256 signatures on short URLs to detect server-side tampering - Add client-side signature verification with hostname-derived secret - New API endpoint: /api/check-short.php for integrity verification - Update verify.php with privacy notice (addresses not stored) - Update README to clarify minimal backend requirement (short URLs, rate caching, proof storage) - Add toast warning when signature mismatch detected - Support both old and new format in s.php for backward compatibility - Update all i18n translations (EN, DE, FR, IT, ES, PT, RU) Addresses security concern: Server compromise could previously result in address substitution for short-linked invoices. Now client-side verification detects tampering.
2026-03-26 06:52:20 +01:00
parent c1bd97948c
commit 7e325abf7d
7 changed files with 167 additions and 19 deletions
--- a/s.php
+++ b/s.php
@@ -22,7 +22,22 @@ if (!isset($urls[$code])) {
    exit;
 }

-$hash = $urls[$code]['hash'] ?? $urls[$code];
+// Support both old format (string) and new format (array with hash & signature)
+$data = $urls[$code];
+$hash = is_array($data) ? $data['h'] : $data;
+$signature = is_array($data) ? $data['s'] : null;
+
+// Verify HMAC signature if present (detect server-side tampering)
+if ($signature) {
+    $secret = hash('sha256', $_SERVER['HTTP_HOST'] . 'xmrpay.link');
+    $expected_sig = hash_hmac('sha256', $hash, $secret);
+    if ($signature !== $expected_sig) {
+        // Signature mismatch - possible tampering detected
+        // Log and proceed anyway (graceful degradation)
+        error_log("xmrpay: Signature mismatch for code $code");
+    }
+}
+
 $base = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'];
 header('Location: ' . $base . '/#' . $hash . '&c=' . $code, true, 302);
 exit;