From 0f4e009215bfa3136d334fa557335266637a7585 Mon Sep 17 00:00:00 2001
From: Christopher Smith <chris@jalakai.co.uk>
Date: Wed, 20 Mar 2013 00:06:07 +0000
Subject: add a token to fetch urls requiring image resize/crop to prevent
 external DDOS via fetch

---
 inc/common.php | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'inc/common.php')

diff --git a/inc/common.php b/inc/common.php
index 471eb91b5..27f90b53b 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -436,6 +436,10 @@ function exportlink($id = '', $format = 'raw', $more = '', $abs = false, $sep =
 function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false) {
     global $conf;
     if(is_array($more)) {
+        // add token for resized images
+        if($more['w'] || $more['h']){
+            $more['tok'] = media_get_token($id,$more['w'],$more['h']);
+        }
         // strip defaults for shorter URLs
         if(isset($more['cache']) && $more['cache'] == 'cache') unset($more['cache']);
         if(!$more['w']) unset($more['w']);
-- 
cgit v1.2.3


From 6db7468b987c4b5f9bcfdd7e98ceb1883c49a364 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sun, 5 May 2013 14:38:10 +0200
Subject: make sure loaded text has the right encoding

When pages contain non-UTF8 chars (eg. when posted through a script or
when edited on the filesystem, parts of DokuWiki can break resulting in
missing page content. This fixes these problems by forcing the content
to UTF-8 on load. This will result in bad characters for input that is
not latin1 but contents will at least be visible.
---
 inc/common.php | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'inc/common.php')

diff --git a/inc/common.php b/inc/common.php
index 27f90b53b..110350951 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -781,11 +781,19 @@ function unlock($id) {
 /**
  * convert line ending to unix format
  *
+ * also makes sure the given text is valid UTF-8
+ *
  * @see    formText() for 2crlf conversion
  * @author Andreas Gohr <andi@splitbrain.org>
  */
 function cleanText($text) {
     $text = preg_replace("/(\015\012)|(\015)/", "\012", $text);
+
+    // if the text is not valid UTF-8 we simply assume latin1
+    // this won't break any worse than it breaks with the wrong encoding
+    // but might actually fix the problem in many cases
+    if(!utf8_check($text)) $text = utf8_encode($text);
+
     return $text;
 }
 
-- 
cgit v1.2.3


From 5e7db1e21093dbb999f1d1cee487a791af3650eb Mon Sep 17 00:00:00 2001
From: Christopher Smith <chris@jalakai.co.uk>
Date: Mon, 6 May 2013 01:06:16 +0100
Subject: ensure security token is included in media url when resize parameter
 is passed in string form, e.g. 'w=80'

---
 inc/common.php | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'inc/common.php')

diff --git a/inc/common.php b/inc/common.php
index 110350951..4d939ac77 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -447,6 +447,14 @@ function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
         if(isset($more['id']) && $direct) unset($more['id']);
         $more = buildURLparams($more, $sep);
     } else {
+        $matches = array();
+        if (preg_match_all('/\b(w|h)=(\d*)\b/',$more,$matches,PREG_SET_ORDER)){
+            $resize = array('w'=>0, 'h'=>0);
+            foreach ($matches as $match){
+                $resize[$match[1]] = $match[2];
+            }
+            $more .= $sep.'tok='.media_get_token($id,$resize['w'],$resize['h']);
+        }
         $more = str_replace('cache=cache', '', $more); //skip default
         $more = str_replace(',,', ',', $more);
         $more = str_replace(',', $sep, $more);
-- 
cgit v1.2.3


From cdcd66dfc2bcf16e481d10bfa2d3ff1b4d433f99 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 31 May 2013 09:22:45 +0200
Subject: use hmac for external ressource hash FS#2794

---
 inc/common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'inc/common.php')

diff --git a/inc/common.php b/inc/common.php
index 4d939ac77..e096d8b30 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -470,7 +470,7 @@ function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
     if(preg_match('#^(https?|ftp)://#i', $id)) {
         $xlink .= 'lib/exe/fetch.php';
         // add hash:
-        $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id), 0, 6);
+        $xlink .= '?hash='.substr(PassHash::hmac('md5', $id, auth_cookiesalt()), 0, 6);
         if($more) {
             $xlink .= $sep.$more;
             $xlink .= $sep.'media='.rawurlencode($id);
-- 
cgit v1.2.3


From a132f948f22ae344760ee3da82f9f92cf0f18b7b Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 31 May 2013 09:25:43 +0200
Subject: use HMAC for CSRF security tokens FS#2794

---
 inc/common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'inc/common.php')

diff --git a/inc/common.php b/inc/common.php
index e096d8b30..55c5b5ac4 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -56,7 +56,7 @@ function stripctl($string) {
  * @return  string
  */
 function getSecurityToken() {
-    return md5(auth_cookiesalt().session_id().$_SERVER['REMOTE_USER']);
+    return PassHash::hmac('md5', session_id().$_SERVER['REMOTE_USER'], auth_cookiesalt());
 }
 
 /**
-- 
cgit v1.2.3