
process.php

<?php
require_once 'includes/config.php';

// DELIBERATELY VULNERABLE: command injection via the `file` query parameter.
// This endpoint simulates a server-side image processing feature
// where a filename is passed to a shell command. The flaw is kept on purpose
// as a lab target; the comments below describe the risk and what a hardened
// version would change.
//
// Untrusted input reaches two sinks in this script:
//   1. shell_exec(): the value is concatenated, unquoted, into a command line
//      that a shell parses (OS command injection, CWE-78).
//   2. echo: the same value and the command output are written into HTML
//      without escaping (reflected HTML/script injection, CWE-79).

if (isset($_GET['file'])) {
    // Taken straight from the query string: no type check, no allowlist,
    // no restriction to a particular directory.
    $filename = $_GET['file'];
    // Vulnerable: user input passed directly to shell command.
    // shell_exec() hands the whole string to a shell, so shell metacharacters
    // in $filename are interpreted instead of being treated as part of a name.
    // Hardened form: skip the shell entirely (e.g. the fileinfo extension's
    // finfo_file()), or resolve the name against a fixed directory/allowlist
    // and build the command as "file -- " . escapeshellarg($name); the "--"
    // keeps a value starting with "-" from being read as an option to `file`.
    // Detection: request logs with shell metacharacters in `file=`, and the
    // PHP worker spawning a shell whose children are anything other than `file`.
    $output = shell_exec("file " . $filename);
    // Second sink: $filename and $output are interpolated into the response
    // as-is. A hardened version would pass both through
    // htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') first.
    // $output can be null when the command fails or prints nothing.
    echo "<pre>File info for: $filename\n$output</pre>";
} else {
    // No `file` parameter supplied: print a static usage hint (no user input involved).
    echo "<pre>Image processing endpoint. Usage: ?file=filename</pre>";
}
?>