From 8b4cf78228725e275020fdd95701ab57fedcc3bc Mon Sep 17 00:00:00 2001 From: Conn O'Griofa Date: Mon, 6 Apr 2026 22:26:56 +0100 Subject: [PATCH 1/3] fix: redact logging of sensitive config & CSRF validation * Currently redacts csrf_allowed_origins. * Add simple validation of CSRF entries to ensure they are prefixed with 'https://'. * Individual invalid CSRF entries will be logged unredacted to assist troubleshooting. --- src/config.cpp | 36 +++++++++++++++++++++++++++--------- src/config.h | 7 +++++++ src/main.cpp | 4 +--- 3 files changed, 35 insertions(+), 12 deletions(-) diff --git a/src/config.cpp b/src/config.cpp index 83e279d28a6..baf64c84409 100644 --- a/src/config.cpp +++ b/src/config.cpp @@ -1067,11 +1067,22 @@ namespace config { return opts; } - void apply_config(std::unordered_map &&vars) { + void log_config_settings(const std::unordered_map &vars, bool save) { for (auto &[name, val] : vars) { - BOOST_LOG(info) << "config: '"sv << name << "' = "sv << val; - modified_config_settings[name] = val; + bool is_redacted = std::ranges::any_of(config::redacted_config, [&](auto s) { + return s == name; + }); + + BOOST_LOG(info) << "config: '"sv << name << "' = "sv << (is_redacted ? "[redacted]" : val); + + if (save) { + modified_config_settings[name] = val; + } } + } + + void apply_config(std::unordered_map &&vars) { + log_config_settings(vars, true); int_f(vars, "qp", video.qp); int_between_f(vars, "hevc_mode", video.hevc_mode, {0, 3}); 
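Review bot: `log_config_settings` takes a `bool save` that makes a logging helper also write to the global `modified_config_settings`, so a call site reading `log_config_settings(vars, true)` gives no hint that state is being changed. Keeping the helper read-only and leaving the bookkeeping in `apply_config`, e.g. `for (auto &[name, val] : vars) { modified_config_settings[name] = val; }` just before the call, would let the flag be dropped. The declaration in src/config.h and the call in src/main.cpp would lose the second argument accordingly. `apply_config` continues beyond the end of this hunk.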
@@ -1205,12 +1216,19 @@ namespace config { "https://[::1]" }; - // Append user-configured origins - sunshine.csrf_allowed_origins.insert( - sunshine.csrf_allowed_origins.end(), - user_csrf_origins.begin(), - user_csrf_origins.end() - ); + // Validate and append user-configured options + bool csrf_invalid_config = false; + for (const auto &origin : user_csrf_origins) { + if (origin.size() > 8 && origin.starts_with("https://")) { + sunshine.csrf_allowed_origins.push_back(origin); + } else { + csrf_invalid_config = true; + BOOST_LOG(warning) << "Invalid 'csrf_allowed_origins' entry rejected: "sv << origin; + } + } + if (csrf_invalid_config) { + BOOST_LOG(warning) << "Please refer to: https://docs.lizardbyte.dev/projects/sunshine/latest/md_docs_2configuration.html#csrf_allowed_origins"sv; + } int to = -1; int_between_f(vars, "ping_timeout", to, {-1, std::numeric_limits::max()}); diff --git a/src/config.h b/src/config.h index 44ade5a3685..eb778a3ac68 100644 --- a/src/config.h +++ b/src/config.h @@ -19,6 +19,13 @@ namespace config { // track modified config options inline std::unordered_map modified_config_settings; + // sensitive values that should be redacted from logging + inline constexpr std::array redacted_config = { + "csrf_allowed_origins" + }; + + void log_config_settings(const std::unordered_map &vars, bool save); + struct video_t { // ffmpeg params int qp; // higher == more compression and less quality diff --git a/src/main.cpp b/src/main.cpp index f1ded4a9c02..a31818ba874 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -179,9 +179,7 @@ int main(int argc, char *argv[]) { log_publisher_data(); // Log modified_config_settings - for (auto &[name, val] : config::modified_config_settings) { - BOOST_LOG(info) << "config: '"sv << name << "' = "sv << val; - } + config::log_config_settings(config::modified_config_settings, false); config::modified_config_settings.clear(); if (!config::sunshine.cmd.name.empty()) { 
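Review bot: The new check `origin.size() > 8 && origin.starts_with("https://")` validates only the scheme prefix, so an entry with a trailing slash, a path or embedded whitespace is still appended to `sunshine.csrf_allowed_origins`. A browser-sent Origin value is just scheme, host and optional port, so such an entry would either never match or, if the comparison is not an exact string match, match more than the operator intended; the comparison code is not visible in this hunk, so this should be confirmed there. Rejecting anything after the authority would close the gap, e.g. `if (origin.size() > 8 && origin.starts_with("https://") && origin.find_first_of("/ \t", 8) == std::string::npos) {`. The enclosing function starts and ends outside this hunk.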
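Review bot: The comment on `redacted_config` in src/config.h does not say that redaction is an exact-name deny-list, so any option not listed is logged in clear by `log_config_settings`, and a future option holding a secret or internal hostname will be too unless it is added here. I would expand it to `// Option names whose values log_config_settings prints as "[redacted]"; matched by exact name, so add any new option that holds a secret or internal address here.` The new `log_config_settings` declaration also lacks a comment explaining that `save == true` additionally records each entry in `modified_config_settings`.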
From 7168e97b227b343fb70c1ae48b1344456072abfe Mon Sep 17 00:00:00 2001 From: Conn O'Griofa Date: Wed, 8 Apr 2026 04:25:37 +0100 Subject: [PATCH 2/3] fix macos build --- src/config.cpp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/config.cpp b/src/config.cpp index baf64c84409..e56490792f9 100644 --- a/src/config.cpp +++ b/src/config.cpp @@ -1069,9 +1069,7 @@ namespace config { void log_config_settings(const std::unordered_map &vars, bool save) { for (auto &[name, val] : vars) { - bool is_redacted = std::ranges::any_of(config::redacted_config, [&](auto s) { - return s == name; - }); + bool is_redacted = std::ranges::find(config::redacted_config, name) != config::redacted_config.end(); BOOST_LOG(info) << "config: '"sv << name << "' = "sv << (is_redacted ? "[redacted]" : val); From b561bc7b06e4995c33b3029f6a4273b8469966ed Mon Sep 17 00:00:00 2001 From: Conn O'Griofa Date: Wed, 8 Apr 2026 08:05:02 +0100 Subject: [PATCH 3/3] nit: fix typo --- src/config.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/config.cpp b/src/config.cpp index e56490792f9..c45f55ba0db 100644 --- a/src/config.cpp +++ b/src/config.cpp @@ -1214,7 +1214,7 @@ namespace config { "https://[::1]" }; - // Validate and append user-configured options + // Validate and append user-configured origins bool csrf_invalid_config = false; for (const auto &origin : user_csrf_origins) { if (origin.size() > 8 && origin.starts_with("https://")) {