From 6ffe8232371ac72bea5fb5fd3e74607288edbaa5 Mon Sep 17 00:00:00 2001
From: Athlon1600
Date: Wed, 9 Mar 2022 17:55:40 -0600
Subject: [PATCH] better security for public/stream.php
---
 src/YouTubeStreamer.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/YouTubeStreamer.php b/src/YouTubeStreamer.php
index b5a974b..237cd70 100644
--- a/src/YouTubeStreamer.php
+++ b/src/YouTubeStreamer.php
@@ -81,8 +81,13 @@ public function stream($url)
  curl_setopt($ch, CURLOPT_BUFFERSIZE, $this->buffer_size);
  curl_setopt($ch, CURLOPT_URL, $url);
+ // https://php.watch/articles/php-curl-security-hardening#curl-protocols
+ curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+ curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+ //curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
  // we deal with this ourselves
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 0);
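Review bot: The `CURLOPT_PROTOCOLS` / `CURLOPT_REDIR_PROTOCOLS` lines restrict the scheme but not the destination, so a `$url` that comes from the request (presumably via public/stream.php, which is not in this hunk) can still point at loopback, private-range or metadata hosts over plain HTTP, and so can any of the five redirects that `CURLOPT_FOLLOWLOCATION` will follow. Before `curl_setopt($ch, CURLOPT_URL, $url);` I would check the host against the set of hosts the streamer is meant to reach, e.g. `$host = parse_url($url, PHP_URL_HOST);` and `if (!is_string($host) || !in_array(strtolower($host), $allowedHosts, true)) { return; }`, where `$allowedHosts` is a placeholder for that list. Redirect hops bypass such a check, so either set `CURLOPT_FOLLOWLOCATION` to 0 and re-validate each `Location` yourself, or accept that the allowlist only covers the first request. The connect timeout in this hunk is still commented out, which leaves a slow or unresponsive target holding the worker. `stream()` begins and ends outside the hunk, so the return convention above is a guess.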