Security fixes: SSL verification, SQL injection, auth bypass, hash_equals

- Enable CURLOPT_SSL_VERIFYPEER on Groq and Claude API calls (MITM fix)
- Parameterize agent_commands IN clause to prevent SQL injection
- Add session/IP check for list/status/myip endpoints (auth bypass fix)
- Use hash_equals() for registration key comparison (timing attack fix)
This commit is contained in:
2026-05-25 13:46:11 +00:00
parent dc55e6c45b
commit 6b6b6fcc3b
2 changed files with 12 additions and 6 deletions
+2 -2
View File
@@ -581,7 +581,7 @@ if (!$reply && defined('GROQ_API_KEY') && GROQ_API_KEY) {
],
CURLOPT_TIMEOUT => GROQ_TIMEOUT,
CURLOPT_CONNECTTIMEOUT => 5,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYPEER => true,
]);
$resp = curl_exec($ch);
@@ -672,7 +672,7 @@ Respond as JARVIS. Voice readout: under 3 sentences unless detail is requested.
'Content-Type: application/json',
],
CURLOPT_TIMEOUT => 30,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYPEER => true,
]);
$resp = curl_exec($ch);