diff --git a/inc/common.php b/inc/common.php
index f8a8f4e773cd814388d8b7ef9b4df34099d8825d..f5635d523b1cb0d223c31f31a31ac78a1f602984 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -456,11 +456,13 @@ function ml($id='',$more='',$direct=true,$sep='&',$abs=false){
   // external URLs are always direct without rewriting
   if(preg_match('#^(https?|ftp)://#i',$id)){
     $xlink .= 'lib/exe/fetch.php';
+    // add hash:
+    $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id),0,6);
     if($more){
-      $xlink .= '?'.$more;
+      $xlink .= $sep.$more;
       $xlink .= $sep.'media='.rawurlencode($id);
     }else{
-      $xlink .= '?media='.rawurlencode($id);
+      $xlink .= $sep.'media='.rawurlencode($id);
     }
     return $xlink;
   }
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 78c1300810623b38c6c0da4b58e02108e264f7a6..4ad6f7e4d2215f591322d6d0157eaf9a7a651b4b 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -35,6 +35,12 @@
 
   //media to local file
   if(preg_match('#^(https?)://#i',$MEDIA)){
+    //check hash
+    if(substr(md5(auth_cookiesalt().$MEDIA),0,6) != $_REQUEST['hash']){
+      header("HTTP/1.0 412 Precondition Failed");
+      print 'Precondition Failed';
+      exit;
+    }
     //handle external images
     if(strncmp($MIME,'image/',6) == 0) $FILE = media_get_from_URL($MEDIA,$EXT,$CACHE);
     if(!$FILE){