authorAndreas Gohr <andi@splitbrain.org>2013-08-03 01:38:30 -0700
committerAndreas Gohr <andi@splitbrain.org>2013-08-03 01:38:30 -0700
commitcab505616ec9b8ef3cd671e7337c91d065745932 (patch)
tree14a4ac45167bc164d91b0fee468f574ff3f6c53c /inc
parent4918284f94b8e3aca2f4db13f5a751811e113061 (diff)
parent795fb356a622ef80f6486d2016b0c7643f46c1d7 (diff)
downloadrpg-cab505616ec9b8ef3cd671e7337c91d065745932.tar.gz
rpg-cab505616ec9b8ef3cd671e7337c91d065745932.tar.bz2
Merge pull request #224 from splitbrain/fetchimagetokexternal
Added check of token in fetch.php for external images.
Diffstat (limited to 'inc')
-rw-r--r--inc/common.php19
-rw-r--r--inc/fetch.functions.php4
-rw-r--r--inc/media.php2
3 files changed, 10 insertions, 15 deletions
diff --git a/inc/common.php b/inc/common.php
index bff6e80de..3312141c8 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -148,7 +148,7 @@ function pageinfo() {
$info['id'] = $ID;
$info['rev'] = $REV;
- if(isset($_SERVER['REMOTE_USER'])) {
+ if(isset($_SERVER['REMOTE_USER'])) {
$sub = new Subscription();
$info['subscribed'] = $sub->user_subscription();
} else {
@@ -474,7 +474,7 @@ function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
if(is_array($more)) {
// add token for resized images
- if($more['w'] || $more['h']){
+ if($more['w'] || $more['h'] || $isexternalimage){
$more['tok'] = media_get_token($id,$more['w'],$more['h']);
}
// strip defaults for shorter URLs
@@ -485,12 +485,13 @@ function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
$more = buildURLparams($more, $sep);
} else {
$matches = array();
- if (preg_match_all('/\b(w|h)=(\d*)\b/',$more,$matches,PREG_SET_ORDER)){
+ if (preg_match_all('/\b(w|h)=(\d*)\b/',$more,$matches,PREG_SET_ORDER) || $isexternalimage){
$resize = array('w'=>0, 'h'=>0);
foreach ($matches as $match){
$resize[$match[1]] = $match[2];
}
- $more .= $sep.'tok='.media_get_token($id,$resize['w'],$resize['h']);
+ $more .= $more === '' ? '' : $sep;
+ $more .= 'tok='.media_get_token($id,$resize['w'],$resize['h']);
}
$more = str_replace('cache=cache', '', $more); //skip default
$more = str_replace(',,', ',', $more);
@@ -506,14 +507,8 @@ function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
// external URLs are always direct without rewriting
if($isexternalimage) {
$xlink .= 'lib/exe/fetch.php';
- // add hash:
- $xlink .= '?hash='.substr(PassHash::hmac('md5', $id, auth_cookiesalt()), 0, 6);
- if($more) {
- $xlink .= $sep.$more;
- $xlink .= $sep.'media='.rawurlencode($id);
- } else {
- $xlink .= $sep.'media='.rawurlencode($id);
- }
+ $xlink .= '?'.$more;
+ $xlink .= $sep.'media='.rawurlencode($id);
return $xlink;
}
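Review bot: The comment `// add token for resized images` in the array branch is now stale, because the condition right below it also tokenizes every external image, and the string branch (`preg_match_all(...) || $isexternalimage`) has no comment at all explaining why an external image forces a token; suggest `// add token for resized images and for all external URLs (fetch.php rejects external media without a matching tok)` at both places. In the last hunk the removed `// add hash:` comment is replaced by nothing, so a reader of `$xlink .= '?'.$more;` cannot tell that `$more` is relied upon to already carry the `tok=` parameter that authorizes fetching the external URL; a one-line comment such as `// $more already contains tok= for external images (added above)` would make that dependency explicit. Links generated before this change only carry `hash=`, so they will presumably stop passing checkFileStatus() once this is deployed — worth documenting if that is intended. ml() continues outside the hunk.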
diff --git a/inc/fetch.functions.php b/inc/fetch.functions.php
index 53ade3555..207ad9e5f 100644
--- a/inc/fetch.functions.php
+++ b/inc/fetch.functions.php
@@ -101,8 +101,8 @@ function checkFileStatus(&$media, &$file, $rev = '', $width=0, $height=0) {
//media to local file
if(media_isexternal($media)) {
- //check hash
- if(substr(PassHash::hmac('md5', $media, auth_cookiesalt()), 0, 6) !== $INPUT->str('hash')) {
+ //check token for external image and additional for resized and cached images
+ if(media_get_token($media, $width, $height) !== $INPUT->str('tok')) {
return array(412, 'Precondition Failed');
}
//handle external images
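Review bot: The new comparison `media_get_token($media, $width, $height) !== $INPUT->str('tok')` is a plain string comparison of a short, truncated HMAC, which is not constant-time; where the project's PHP baseline permits it, `hash_equals()` (PHP 5.6+) is the appropriate replacement, e.g. `if(!hash_equals(media_get_token($media, $width, $height), $INPUT->str('tok'))) {`. The token is now bound to `$width` and `$height` as well as `$media`, so any caller must pass exactly the dimensions ml() used when it embedded the token; the new comment should say so, e.g. `//token covers media id plus w/h; required for every external image, not only resized ones`. checkFileStatus() continues outside the hunk, and `$INPUT` is presumably brought in with `global` earlier in the function — confirm.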
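diff --git a/inc/media.php b/inc/media.php
index c76f2986c..c4378fe9e 100644
--- a/inc/media.php
+++ b/inc/media.php
@@ -1900,7 +1900,7 @@ function media_crop_image($file, $ext, $w, $h=0){
 */
 function media_get_token($id,$w,$h){
 // token is only required for modified images
- if ($w || $h) {
+ if ($w || $h || media_isexternal($id)) {
 $token = $id;
 if ($w) $token .= '.'.$w;
 if ($h) $token .= '.'.$h;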
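Review bot: The comment `// token is only required for modified images` directly above the changed condition is now wrong, since `media_isexternal($id)` makes a token mandatory for every external image regardless of size; change it to `// token is required for modified images and for every external image`. From the visible lines, an unmodified external image produces a token computed over the bare `$id`, so the token authorizes that exact URL only — stating that in the docblock above would help readers of checkFileStatus(). media_get_token() continues outside the hunk, so how the final token is derived from `$token` is not visible here.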