diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2009-10-06 20:20:01 +0200 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2009-10-06 20:20:01 +0200 |
| commit | 69d17d94c50857e95e30b3becdb2c068f9c764b9 (patch) | |
| tree | 00c28a0d5fce9f1c06bbe5f2e2c41b1f51d04f88 /inc/common.php | |
| parent | c6df68d5fbaeb5339ebd7ac8d5b480595519670e (diff) | |
| download | rpg-69d17d94c50857e95e30b3becdb2c068f9c764b9.tar.gz rpg-69d17d94c50857e95e30b3becdb2c068f9c764b9.tar.bz2 | |
require a hash in fetch.php for external URLs FS#1769
Ignore-this: a66fc8874fb8e04b1258f2e71e35ed90
To avoid fetch.php being abused as anonymous forwarder or even proxy, now a
hash is needed for external ressources. This hash is automatically added by
the ml() function.
darcs-hash:20091006182001-7ad00-adf5f6275b0d7f76543f76d6196f1531b8c09e1c.gz
Diffstat (limited to 'inc/common.php')
| -rw-r--r-- | inc/common.php | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/inc/common.php b/inc/common.php index f8a8f4e77..f5635d523 100644 --- a/inc/common.php +++ b/inc/common.php @@ -456,11 +456,13 @@ function ml($id='',$more='',$direct=true,$sep='&',$abs=false){ // external URLs are always direct without rewriting if(preg_match('#^(https?|ftp)://#i',$id)){ $xlink .= 'lib/exe/fetch.php'; + // add hash: + $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id),0,6); if($more){ - $xlink .= '?'.$more; + $xlink .= $sep.$more; $xlink .= $sep.'media='.rawurlencode($id); }else{ - $xlink .= '?media='.rawurlencode($id); + $xlink .= $sep.'media='.rawurlencode($id); } return $xlink; } |