From 69d17d94c50857e95e30b3becdb2c068f9c764b9 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Tue, 6 Oct 2009 20:20:01 +0200
Subject: require a hash in fetch.php for external URLs FS#1769

Ignore-this: a66fc8874fb8e04b1258f2e71e35ed90
To avoid fetch.php being abused as anonymous forwarder or even proxy, now a hash is needed for external ressources. This hash is automatically added by the ml() function.
darcs-hash:20091006182001-7ad00-adf5f6275b0d7f76543f76d6196f1531b8c09e1c.gz
---
 inc/common.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'inc/common.php')
diff --git a/inc/common.php b/inc/common.php
index f8a8f4e77..f5635d523 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -456,11 +456,13 @@ function ml($id='',$more='',$direct=true,$sep='&',$abs=false){
 // external URLs are always direct without rewriting
 if(preg_match('#^(https?|ftp)://#i',$id)){
 $xlink .= 'lib/exe/fetch.php';
+ // add hash:
+ $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id),0,6);
 if($more){
- $xlink .= '?'.$more;
+ $xlink .= $sep.$more;
 $xlink .= $sep.'media='.rawurlencode($id);
 }else{
- $xlink .= '?media='.rawurlencode($id);
+ $xlink .= $sep.'media='.rawurlencode($id);
 }
 return $xlink;
 }
--
cgit v1.2.3
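Review bot: The tag built at `$xlink .= '?hash='.substr(md5(auth_cookiesalt().$id),0,6);` keeps only 6 hex characters (24 bits) of a salt-prefixed MD5, which is a small space for the one value meant to stop fetch.php being used as an anonymous forwarder. A keyed construction with a longer tag would be a sturdier choice, e.g. `$xlink .= '?hash='.substr(hash_hmac('sha256',$id,auth_cookiesalt()),0,16);`, assuming the hash extension is available on the PHP versions the project supports; the matching check in fetch.php is not part of this patch and would have to change in step. Separately, both branches of `if($more)` now end in the same `$xlink .= $sep.'media='.rawurlencode($id);`, so the `else` can be dropped and that line hoisted below the `if`. ml() begins before and continues after this hunk.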