From 4027567f1307ab242294c90b860c5a281b743215 Mon Sep 17 00:00:00 2001
From: Jage9
Date: Sun, 22 Feb 2026 02:24:32 -0500
Subject: [PATCH] Harden media proxy for older PHP and missing curl

---
 deploy/php/media_proxy.php | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/deploy/php/media_proxy.php b/deploy/php/media_proxy.php
index 70f3f32..a5536a8 100644
--- a/deploy/php/media_proxy.php
+++ b/deploy/php/media_proxy.php
@@ -18,6 +18,24 @@ header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: GET, HEAD, OPTIONS');
 header('Access-Control-Allow-Headers: Range');
 
+/**
+ * PHP-version-safe suffix check (avoid str_ends_with dependency).
+ */
+function host_matches_suffix(string $host, string $suffix): bool
+{
+ if ($suffix === '') {
+ return false;
+ }
+ if ($host === $suffix) {
+ return true;
+ }
+ $needle = '.' . $suffix;
+ if (strlen($host) < strlen($needle)) {
+ return false;
+ }
+ return substr($host, -strlen($needle)) === $needle;
+}
+
 if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
 http_response_code(204);
 exit;
@@ -78,7 +96,7 @@ if ($allowlistEnv !== false && trim($allowlistEnv) !== '') {
 if ($suffix === '') {
 continue;
 }
- if ($host === $suffix || str_ends_with($host, '.' . $suffix)) {
+ if (host_matches_suffix($host, $suffix)) {
 $allowed = true;
 break;
 }
@@ -109,6 +127,13 @@ foreach ($resolved as $ip) {
 }
 }
 
+if (!function_exists('curl_init')) {
+ http_response_code(500);
+ header('Content-Type: text/plain; charset=utf-8');
+ echo "curl extension is required\n";
+ exit;
+}
+
 $ch = curl_init($rawUrl);
 if ($ch === false) {
 http_response_code(500);
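Review bot: The docblock on `host_matches_suffix` explains why the helper exists but not what it guarantees, and this function is the proxy's host allowlist decision. I would state the contract there: `Returns true only when $host equals $suffix or ends with "." . $suffix, so a host such as "evilexample.com" never matches the entry "example.com".` The comparison is byte-wise and case-sensitive, so it depends on `$host` and the allowlist entries being lowercased and stripped of any trailing dot before the call; that normalisation is not visible in this hunk, and a mismatch fails closed (a legitimate host is rejected) rather than open. The caller in the second hunk still skips empty suffixes itself, which the helper now repeats.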
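Review bot: The new guard tells whoever calls the proxy which extension the server is missing, and it only runs after the allowlist and resolved-address checks above it. A missing extension is a deployment fault, so I would record it server-side and answer generically, `error_log('media_proxy: curl extension not loaded');` followed by `echo "proxy unavailable\n";`, and move the check next to the start-up code so it fails before any DNS work is done. Separately, and hedged because the curl options are set outside this hunk: `curl_init($rawUrl)` is given the URL rather than the addresses vetted in the `foreach ($resolved as $ip)` loop, so unless the request pins them (for example with `CURLOPT_RESOLVE`) the host is resolved a second time at fetch time and the earlier address check may not cover the address actually contacted.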