schmidt1024/xmrpay.link
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7e325abf7de9268cbd4cad88f3059438aa526f57
xmrpay.link/s.php
Alexander Schmidt 7e325abf7d Security: Add HMAC validation for short URLs + improve privacy documentation 
- Implement HMAC-SHA256 signatures on short URLs to detect server-side tampering
- Add client-side signature verification with hostname-derived secret
- New API endpoint: /api/check-short.php for integrity verification
- Update verify.php with privacy notice (addresses not stored)
- Update README to clarify minimal backend requirement (short URLs, rate caching, proof storage)
- Add toast warning when signature mismatch detected
- Support both old and new format in s.php for backward compatibility
- Update all i18n translations (EN, DE, FR, IT, ES, PT, RU)

Addresses security concern: Server compromise could previously result in address
substitution for short-linked invoices. Now client-side verification detects tampering.
2026-03-26 06:52:20 +01:00

44 lines
1.3 KiB
PHP
Raw Blame History

<?php
$code = trim($_SERVER['PATH_INFO'] ?? $_GET['c'] ?? '', '/');
if (empty($code) || !preg_match('/^[a-z0-9]{4,10}$/', $code)) {
http_response_code(404);
echo 'Not found';
exit;
}
$dbFile = __DIR__ . '/data/urls.json';
if (!file_exists($dbFile)) {
http_response_code(404);
echo 'Not found';
exit;
}
$urls = json_decode(file_get_contents($dbFile), true) ?: [];
if (!isset($urls[$code])) {
http_response_code(404);
echo 'Not found';
exit;
}
// Support both old format (string) and new format (array with hash & signature)
$data = $urls[$code];
$hash = is_array($data) ? $data['h'] : $data;
$signature = is_array($data) ? $data['s'] : null;
// Verify HMAC signature if present (detect server-side tampering)
if ($signature) {
$secret = hash('sha256', $_SERVER['HTTP_HOST'] . 'xmrpay.link');
$expected_sig = hash_hmac('sha256', $hash, $secret);
if ($signature !== $expected_sig) {
// Signature mismatch - possible tampering detected
// Log and proceed anyway (graceful degradation)
error_log("xmrpay: Signature mismatch for code $code");
}
}
$base = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'];
header('Location: ' . $base . '/#' . $hash . '&c=' . $code, true, 302);
exit;
Reference in New Issue View Git Blame Copy Permalink