diff options
Diffstat (limited to 'inc/common.php')
| -rw-r--r-- | inc/common.php | 34 |
1 files changed, 30 insertions, 4 deletions
diff --git a/inc/common.php b/inc/common.php index 83c4557c6..b292fb75e 100644 --- a/inc/common.php +++ b/inc/common.php @@ -56,7 +56,7 @@ function stripctl($string) { * @return string */ function getSecurityToken() { - return md5(auth_cookiesalt().session_id().$_SERVER['REMOTE_USER']); + return PassHash::hmac('md5', session_id().$_SERVER['REMOTE_USER'], auth_cookiesalt()); } /** @@ -467,7 +467,16 @@ function exportlink($id = '', $format = 'raw', $more = '', $abs = false, $sep = */ function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) { global $conf; + $isexternalimage = preg_match('#^(https?|ftp)://#i', $id); + if(!$isexternalimage) { + $id = cleanID($id); + } + if(is_array($more)) { + // add token for resized images + if($more['w'] || $more['h']){ + $more['tok'] = media_get_token($id,$more['w'],$more['h']); + } // strip defaults for shorter URLs if(isset($more['cache']) && $more['cache'] == 'cache') unset($more['cache']); if(!$more['w']) unset($more['w']); @@ -475,6 +484,14 @@ function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) if(isset($more['id']) && $direct) unset($more['id']); $more = buildURLparams($more, $sep); } else { + $matches = array(); + if (preg_match_all('/\b(w|h)=(\d*)\b/',$more,$matches,PREG_SET_ORDER)){ + $resize = array('w'=>0, 'h'=>0); + foreach ($matches as $match){ + $resize[$match[1]] = $match[2]; + } + $more .= $sep.'tok='.media_get_token($id,$resize['w'],$resize['h']); + } $more = str_replace('cache=cache', '', $more); //skip default $more = str_replace(',,', ',', $more); $more = str_replace(',', $sep, $more); @@ -487,10 +504,10 @@ function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) } // external URLs are always direct without rewriting - if(preg_match('#^(https?|ftp)://#i', $id)) { + if($isexternalimage) { $xlink .= 'lib/exe/fetch.php'; // add hash: - $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id), 0, 6); + $xlink .= '?hash='.substr(PassHash::hmac('md5', $id, auth_cookiesalt()), 0, 6); if($more) { $xlink .= $sep.$more; $xlink .= $sep.'media='.rawurlencode($id); @@ -572,12 +589,13 @@ function checkwordblock($text = '') { global $TEXT; global $PRE; global $SUF; + global $SUM; global $conf; global $INFO; if(!$conf['usewordblock']) return false; - if(!$text) $text = "$PRE $TEXT $SUF"; + if(!$text) $text = "$PRE $TEXT $SUF $SUM"; // we prepare the text a tiny bit to prevent spammers circumventing URL checks $text = preg_replace('!(\b)(www\.[\w.:?\-;,]+?\.[\w.:?\-;,]+?[\w/\#~:.?+=&%@\!\-.:?\-;,]+?)([.:?\-;,]*[^\w/\#~:.?+=&%@\!\-.:?\-;,])!i', '\1http://\2 \2\3', $text); @@ -809,11 +827,19 @@ function unlock($id) { /** * convert line ending to unix format * + * also makes sure the given text is valid UTF-8 + * * @see formText() for 2crlf conversion * @author Andreas Gohr <andi@splitbrain.org> */ function cleanText($text) { $text = preg_replace("/(\015\012)|(\015)/", "\012", $text); + + // if the text is not valid UTF-8 we simply assume latin1 + // this won't break any worse than it breaks with the wrong encoding + // but might actually fix the problem in many cases + if(!utf8_check($text)) $text = utf8_encode($text); + return $text; } |