authorKlap-in <klapinklapin@gmail.com>2013-08-01 23:06:03 +0200
committerKlap-in <klapinklapin@gmail.com>2013-08-01 23:06:03 +0200
commitcc036f74ff14c387f24d72f5a52f2f158208846e (patch)
treede0101ebce96622162dd8544f001783b395b9353
parent4002c084d5e2ffc82739870cb9f107644d9787ff (diff)
remove hash for external images, but use token url parameter instead
-rw-r--r--inc/common.php19
-rw-r--r--inc/fetch.functions.php8
-rw-r--r--inc/media.php2
3 files changed, 10 insertions, 19 deletions
diff --git a/inc/common.php b/inc/common.php
index 1b4d9e8e4..a34cf96c0 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -148,7 +148,7 @@ function pageinfo() {
$info['id'] = $ID;
$info['rev'] = $REV;
- if(isset($_SERVER['REMOTE_USER'])) {
+ if(isset($_SERVER['REMOTE_USER'])) {
$sub = new Subscription();
$info['subscribed'] = $sub->user_subscription();
} else {
@@ -474,7 +474,7 @@ function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
if(is_array($more)) {
// add token for resized images
- if($more['w'] || $more['h']){
+ if($more['w'] || $more['h'] || $isexternalimage){
$more['tok'] = media_get_token($id,$more['w'],$more['h']);
}
// strip defaults for shorter URLs
@@ -485,12 +485,13 @@ function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
$more = buildURLparams($more, $sep);
} else {
$matches = array();
- if (preg_match_all('/\b(w|h)=(\d*)\b/',$more,$matches,PREG_SET_ORDER)){
+ if (preg_match_all('/\b(w|h)=(\d*)\b/',$more,$matches,PREG_SET_ORDER) || $isexternalimage){
$resize = array('w'=>0, 'h'=>0);
foreach ($matches as $match){
$resize[$match[1]] = $match[2];
}
- $more .= $sep.'tok='.media_get_token($id,$resize['w'],$resize['h']);
+ $more .= $more === '' ? '' : $sep;
+ $more .= 'tok='.media_get_token($id,$resize['w'],$resize['h']);
}
$more = str_replace('cache=cache', '', $more); //skip default
$more = str_replace(',,', ',', $more);
@@ -506,14 +507,8 @@ function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
// external URLs are always direct without rewriting
if($isexternalimage) {
$xlink .= 'lib/exe/fetch.php';
- // add hash:
- $xlink .= '?hash='.substr(PassHash::hmac('md5', $id, auth_cookiesalt()), 0, 6);
- if($more) {
- $xlink .= $sep.$more;
- $xlink .= $sep.'media='.rawurlencode($id);
- } else {
- $xlink .= $sep.'media='.rawurlencode($id);
- }
+ $xlink .= '?'.$more;
+ $xlink .= $sep.'media='.rawurlencode($id);
return $xlink;
}
diff --git a/inc/fetch.functions.php b/inc/fetch.functions.php
index 3c700b35b..207ad9e5f 100644
--- a/inc/fetch.functions.php
+++ b/inc/fetch.functions.php
@@ -101,8 +101,8 @@ function checkFileStatus(&$media, &$file, $rev = '', $width=0, $height=0) {
//media to local file
if(media_isexternal($media)) {
- //check hash
- if(substr(PassHash::hmac('md5', $media, auth_cookiesalt()), 0, 6) !== $INPUT->str('hash')) {
+ //check token for external image and additional for resized and cached images
+ if(media_get_token($media, $width, $height) !== $INPUT->str('tok')) {
return array(412, 'Precondition Failed');
}
//handle external images
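Review bot: The new check `media_get_token($media, $width, $height) !== $INPUT->str('tok')` compares a secret-derived token with an ordinary string comparison, which stops at the first differing byte and so leaks through response time how much of the token an attacker has guessed right. `hash_equals(media_get_token($media, $width, $height), $INPUT->str('tok'))` is the constant-time form (PHP 5.6+); if the project still targets older PHP, a small helper that checks length then XORs all bytes gives the same guarantee. The removed `hash` comparison had the same weakness, so this is a chance to fix it rather than a regression introduced here. checkFileStatus continues outside this hunk.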
@@ -111,10 +111,6 @@ function checkFileStatus(&$media, &$file, $rev = '', $width=0, $height=0) {
//download failed - redirect to original URL
return array(302, $media);
}
- // check token for resized and cached images
- if (($width || $height) && media_get_token($media, $width, $height) !== $INPUT->str('tok')) {
- return array(412, 'Precondition Failed');
- }
} else {
$media = cleanID($media);
if(empty($media)) {
diff --git a/inc/media.php b/inc/media.php
index fbe1363ec..c0e3e9f82 100644
--- a/inc/media.php
+++ b/inc/media.php
@@ -1900,7 +1900,7 @@ function media_crop_image($file, $ext, $w, $h=0){
*/
function media_get_token($id,$w,$h){
// token is only required for modified images
- if ($w || $h) {
+ if ($w || $h || media_isexternal($id)) {
$token = $id;
if ($w) $token .= '.'.$w;
if ($h) $token .= '.'.$h;
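Review bot: The token input assembled on the lines after the changed condition, `$id . '.' . $w . '.' . $h`, has no unambiguous delimiter, and this commit now feeds arbitrary external URLs through it as `$id`: the string for (`http://h/a`, w=100) is identical to the string for (`http://h/a.100`, no size), so a token issued for one resized external image would also let fetch.php retrieve a different URL. The hashing step is below the hunk, so this assumes the token is derived from `$token` as built here. Joining the parts with a character that cannot appear in a URL or a media id, e.g. `$token = $id . "\n" . (int)$w . "\n" . (int)$h;`, removes the ambiguity, at the cost of invalidating every token already embedded in rendered pages. The comment `// token is only required for modified images` is also stale now that unmodified external images need one.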