From 0f4e009215bfa3136d334fa557335266637a7585 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Wed, 20 Mar 2013 00:06:07 +0000 Subject: add a token to fetch urls requiring image resize/crop to prevent external DDOS via fetch --- inc/common.php | 4 ++++ inc/media.php | 24 ++++++++++++++++++++++++ 2 files changed, 28 insertions(+) (limited to 'inc') diff --git a/inc/common.php b/inc/common.php index 471eb91b5..27f90b53b 100644 --- a/inc/common.php +++ b/inc/common.php @@ -436,6 +436,10 @@ function exportlink($id = '', $format = 'raw', $more = '', $abs = false, $sep = function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) { global $conf; if(is_array($more)) { + // add token for resized images + if($more['w'] || $more['h']){ + $more['tok'] = media_get_token($id,$more['w'],$more['h']); + } // strip defaults for shorter URLs if(isset($more['cache']) && $more['cache'] == 'cache') unset($more['cache']); if(!$more['w']) unset($more['w']); diff --git a/inc/media.php b/inc/media.php index 2268ad877..7f2fd2d1d 100644 --- a/inc/media.php +++ b/inc/media.php @@ -1864,6 +1864,30 @@ function media_crop_image($file, $ext, $w, $h=0){ return media_resize_image($file,$ext, $w, $h); } +/** + * Calculate a token to be used to verify fetch requests for resized or + * cropped images have been internally generated - and prevent external + * DDOS attacks via fetch + * + * @param string $id id of the image + * @param int $w resize/crop width + * @param int $h resize/crop height + * + * @author Christopher Smith + */ +function media_get_token($id,$w,$h){ + // token is only required for modified images + if ($w || $h) { + $token = auth_cookiesalt().$id; + if ($w) $token .= '.'.$w; + if ($h) $token .= '.'.$h; + + return substr(md5($token),0,6); + } + + return ''; +} + /** * Download a remote file and return local filename * -- cgit v1.2.3