From 69d17d94c50857e95e30b3becdb2c068f9c764b9 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Tue, 6 Oct 2009 20:20:01 +0200
Subject: [PATCH] require a hash in fetch.php for external URLs FS#1769

Ignore-this: a66fc8874fb8e04b1258f2e71e35ed90

To avoid fetch.php being abused as anonymous forwarder or even proxy, now a
hash is needed for external resources. This hash is automatically added by
the ml() function.

darcs-hash:20091006182001-7ad00-adf5f6275b0d7f76543f76d6196f1531b8c09e1c.gz
---
 inc/common.php    | 6 ++++--
 lib/exe/fetch.php | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/inc/common.php b/inc/common.php
index f8a8f4e77..f5635d523 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -456,11 +456,13 @@ function ml($id='',$more='',$direct=true,$sep='&amp;',$abs=false){
   // external URLs are always direct without rewriting
   if(preg_match('#^(https?|ftp)://#i',$id)){
     $xlink .= 'lib/exe/fetch.php';
+    // add hash:
+    $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id),0,6);
     if($more){
-      $xlink .= '?'.$more;
+      $xlink .= $sep.$more;
       $xlink .= $sep.'media='.rawurlencode($id);
     }else{
-      $xlink .= '?media='.rawurlencode($id);
+      $xlink .= $sep.'media='.rawurlencode($id);
     }
     return $xlink;
   }
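Review bot: The token built on the new `$xlink .= '?hash='.substr(md5(auth_cookiesalt().$id),0,6);` line keeps only six hex characters, i.e. 24 bits, so an attacker who wants fetch.php to retrieve a URL of their choosing can enumerate the token online in at most about 16.7 million requests, each answered with the new 412; the secret salt rules out an offline shortcut, but nothing in this patch rate-limits the guesses. A longer prefix costs only URL length, e.g. `$xlink .= '?hash='.substr(md5(auth_cookiesalt().$id),0,16);`, with the matching length used in fetch.php. A short why-comment would also help the next maintainer: `// salted, truncated hash: proves the link was produced by ml(), it is not a full-strength MAC`. ml()'s body starts before and continues past this hunk.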
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 78c130081..4ad6f7e4d 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -35,6 +35,12 @@
 
   //media to local file
   if(preg_match('#^(https?)://#i',$MEDIA)){
+    //check hash
+    if(substr(md5(auth_cookiesalt().$MEDIA),0,6) != $_REQUEST['hash']){
+      header("HTTP/1.0 412 Precondition Failed");
+      print 'Precondition Failed';
+      exit;
+    }
     //handle external images
     if(strncmp($MIME,'image/',6) == 0) $FILE = media_get_from_URL($MEDIA,$EXT,$CACHE);
     if(!$FILE){
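Review bot: The new guard compares the computed prefix with `$_REQUEST['hash']` using `!=`, which in PHP falls back to numeric comparison for numeric-looking strings: whenever the six-character prefix has the form `0e` followed by four digits (roughly one URL in 1,700), it compares equal to `0`, `0e0` or any similar string, so an attacker who controls `$MEDIA` can append throwaway query parameters until such a URL is found and then pass `hash=0`. Use a strict comparison and require the parameter to be present: `if(!isset($_REQUEST['hash']) || substr(md5(auth_cookiesalt().$MEDIA),0,6) !== $_REQUEST['hash']){` (reading `$_GET` instead of `$_REQUEST` would also stop a cookie from supplying the value, and `hash_equals()` is the better choice on PHP versions that have it). Note too that ml() in inc/common.php attaches the hash for `ftp://` links while this check only fires for `https?://`, so the two patterns should agree on which schemes are guarded. The enclosing code in fetch.php starts before and continues after this hunk.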
-- 
GitLab