-rw-r--r-- | inc/common.php | 6 | ||||
-rw-r--r-- | lib/exe/fetch.php | 6 |
2 files changed, 10 insertions, 2 deletions
diff --git a/inc/common.php b/inc/common.php
index f8a8f4e77..f5635d523 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -456,11 +456,13 @@ function ml($id='',$more='',$direct=true,$sep='&',$abs=false){
 // external URLs are always direct without rewriting
 if(preg_match('#^(https?|ftp)://#i',$id)){
 $xlink .= 'lib/exe/fetch.php';
+ // add hash:
+ $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id),0,6);
 if($more){
- $xlink .= '?'.$more;
+ $xlink .= $sep.$more;
 $xlink .= $sep.'media='.rawurlencode($id);
 }else{
- $xlink .= '?media='.rawurlencode($id);
+ $xlink .= $sep.'media='.rawurlencode($id);
 }
 return $xlink;
 }
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 78c130081..4ad6f7e4d 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -35,6 +35,12 @@
 //media to local file
 if(preg_match('#^(https?)://#i',$MEDIA)){
+ //check hash
+ if(substr(md5(auth_cookiesalt().$MEDIA),0,6) != $_REQUEST['hash']){
+ header("HTTP/1.0 412 Precondition Failed");
+ print 'Precondition Failed';
+ exit;
+ }
 //handle external images
 if(strncmp($MIME,'image/',6) == 0) $FILE = media_get_from_URL($MEDIA,$EXT,$CACHE);
 if(!$FILE){ |
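Review bot: The token added in ml(), `substr(md5(auth_cookiesalt().$id),0,6)`, keeps only 24 bits of a secret-prefix MD5, which is a small space for a value that gates fetch.php, and it uses the auth cookie salt for a second purpose. A keyed MAC with a longer tag would be a sounder construction where the supported PHP version has it, for example `substr(hash_hmac('sha256', $id, auth_cookiesalt()),0,16)`, ideally keyed with a value derived from the salt instead of the salt itself. The same expression is written out again in lib/exe/fetch.php, so it belongs in one helper that both the generator and the verifier call; otherwise the two sides can drift apart. ml() begins before this hunk, so only its external-URL branch is visible here.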
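Review bot: The check in fetch.php compares with loose `!=`, so when both the computed tag and the submitted value look numeric (all digits, or a `0e…` form) PHP compares them as numbers and more than one submitted string can be accepted. It also reads `$_REQUEST['hash']` without checking that it is set and is a string, which raises a notice when the parameter is missing. I would normalise the input first, `$hash = (isset($_REQUEST['hash']) && is_string($_REQUEST['hash'])) ? $_REQUEST['hash'] : '';`, and then compare with `if(!hash_equals($expected, $hash)){` where hash_equals() is available, or at minimum with `!==`. A short comment on the check saying which requests it is meant to reject would help the next reader, since `//check hash` does not say why external media needs a signed URL.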