From cdcd66dfc2bcf16e481d10bfa2d3ff1b4d433f99 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 31 May 2013 09:22:45 +0200
Subject: use hmac for external ressource hash FS#2794

---
 inc/common.php          | 2 +-
 inc/fetch.functions.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'inc')

diff --git a/inc/common.php b/inc/common.php
index 4d939ac77..e096d8b30 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -470,7 +470,7 @@ function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
     if(preg_match('#^(https?|ftp)://#i', $id)) {
         $xlink .= 'lib/exe/fetch.php';
         // add hash:
-        $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id), 0, 6);
+        $xlink .= '?hash='.substr(PassHash::hmac('md5', $id, auth_cookiesalt()), 0, 6);
         if($more) {
             $xlink .= $sep.$more;
             $xlink .= $sep.'media='.rawurlencode($id);
diff --git a/inc/fetch.functions.php b/inc/fetch.functions.php
index 5801e96fa..ea524a37a 100644
--- a/inc/fetch.functions.php
+++ b/inc/fetch.functions.php
@@ -99,7 +99,7 @@ function checkFileStatus(&$media, &$file, $rev = '', $width=0, $height=0) {
     //media to local file
     if(preg_match('#^(https?)://#i', $media)) {
         //check hash
-        if(substr(md5(auth_cookiesalt().$media), 0, 6) !== $INPUT->str('hash')) {
+        if(substr(PassHash::hmac('md5', $media, auth_cookiesalt()), 0, 6) !== $INPUT->str('hash')) {
             return array(412, 'Precondition Failed');
         }
         //handle external images
-- 
cgit v1.2.3