author | Andreas Gohr <andi@splitbrain.org> | 2009-10-06 20:20:01 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2009-10-06 20:20:01 +0200 |
commit | 69d17d94c50857e95e30b3becdb2c068f9c764b9 (patch) | |
tree | 00c28a0d5fce9f1c06bbe5f2e2c41b1f51d04f88 /lib/exe/fetch.php | |
parent | c6df68d5fbaeb5339ebd7ac8d5b480595519670e (diff) | |
require a hash in fetch.php for external URLs FS#1769
Ignore-this: a66fc8874fb8e04b1258f2e71e35ed90
To avoid fetch.php being abused as anonymous forwarder or even proxy, now a
hash is needed for external resources. This hash is automatically added by
the ml() function.
darcs-hash:20091006182001-7ad00-adf5f6275b0d7f76543f76d6196f1531b8c09e1c.gz
Diffstat (limited to 'lib/exe/fetch.php')
-rw-r--r-- | lib/exe/fetch.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 78c130081..4ad6f7e4d 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -35,6 +35,12 @@
 //media to local file
 if(preg_match('#^(https?)://#i',$MEDIA)){
+ //check hash
+ if(substr(md5(auth_cookiesalt().$MEDIA),0,6) != $_REQUEST['hash']){
+ header("HTTP/1.0 412 Precondition Failed");
+ print 'Precondition Failed';
+ exit;
+ }
 //handle external images
 if(strncmp($MIME,'image/',6) == 0) $FILE = media_get_from_URL($MEDIA,$EXT,$CACHE);
 if(!$FILE){
|
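Review bot: The added hash check compares with loose `!=` and reads `$_REQUEST['hash']` without checking that it is set. PHP compares two numeric-looking strings as numbers, so a tag consisting only of digits or of exponent form can be matched by a different string, and a request without `hash` raises an undefined-index notice. I would read the parameter first with `$hash = (isset($_REQUEST['hash']) && is_string($_REQUEST['hash'])) ? $_REQUEST['hash'] : '';` and compare with `if(substr(md5(auth_cookiesalt().$MEDIA),0,6) !== $hash){`, using `hash_equals()` where the PHP version provides it. Six hex characters give only a 24-bit tag, so a longer prefix, ideally derived with `hash_hmac()` keyed by the salt, would make the check harder to guess; this would have to change together with the code in `ml()` that generates the value. The enclosing `if(preg_match(...)){` block continues outside the hunk.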