authorAndrew Dolgov <[email protected]>2020-09-15 10:59:57 +0300
committerAndrew Dolgov <[email protected]>2020-09-15 10:59:57 +0300
commit91e1542a8205f76a75778425f298c36236ff5fbf (patch)
tree676c1cc50e21b28bb7311dd8dc5c06c3eabd95c0 /plugins
parent1621abcffc4b05c3440592505a0f29b8469bc2ac (diff)
af_proxy_http: require separate token to access imgproxy
Diffstat (limited to 'plugins')
-rw-r--r--plugins/af_proxy_http/init.php8
1 files changed, 6 insertions, 2 deletions
diff --git a/plugins/af_proxy_http/init.php b/plugins/af_proxy_http/init.php
index 1d518c9c2..0a8e88677 100644
--- a/plugins/af_proxy_http/init.php
+++ b/plugins/af_proxy_http/init.php
@@ -28,6 +28,9 @@ class Af_Proxy_Http extends Plugin {
$host->add_hook($host::HOOK_ENCLOSURE_ENTRY, $this);
$host->add_hook($host::HOOK_PREFS_TAB, $this);
+
+ if (!$_SESSION['af_proxy_http_token'])
+ $_SESSION['af_proxy_http_token'] = uniqid_short();
}
function hook_enclosure_entry($enc) {
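Review bot: The new token is generated with `uniqid_short()`, and if that helper is built on `uniqid()`/`rand()` (it is not visible here, so confirm) the value is time-derived and guessable, which undermines a check whose whole purpose is to stop third parties from driving the proxy. For a secret that gates access, draw it from the CSPRNG, e.g. `$_SESSION['af_proxy_http_token'] = bin2hex(random_bytes(16));`. The `!$_SESSION[...]` test also raises an undefined-index notice on the first request of a session; `if (empty($_SESSION['af_proxy_http_token']))` covers both the missing and the falsy case without the notice.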
@@ -48,7 +51,7 @@ class Af_Proxy_Http extends Plugin {
$url = validate_url(clean($_REQUEST["url"]));
// called without user context, let's just redirect to original URL
- if (!$_SESSION["uid"]) {
+ if (!$_SESSION["uid"] || $_REQUEST['af_proxy_http_token'] != $_SESSION['af_proxy_http_token']) {
header("Location: $url");
return;
}
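Review bot: The added guard compares the token with loose `!=`, so when the session token is unset (null) and the request omits the parameter (also null) the two compare equal and the request is proxied without any token at all; the same loose comparison is also not constant-time and is subject to PHP's numeric-string coercion. Read both sides defensively and compare with `hash_equals`, refusing an empty expected value: `$expected = (string)($_SESSION['af_proxy_http_token'] ?? '');`, `$given = (string)($_REQUEST['af_proxy_http_token'] ?? '');`, `if (!$_SESSION["uid"] || $expected === '' || !hash_equals($expected, $given)) {`. The enclosing imgproxy method starts before this hunk and continues after it.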
@@ -131,7 +134,8 @@ class Af_Proxy_Http extends Plugin {
}
}
- return $this->host->get_public_method_url($this, "imgproxy", ["url" => $url]);
+ return $this->host->get_public_method_url($this, "imgproxy",
+ ["url" => $url, "af_proxy_http_token" => $_SESSION["af_proxy_http_token"]]);
}
}
}
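Review bot: The token is now embedded in every rewritten image URL as a query parameter, so it will appear in web-server access logs, browser history and anywhere the rendered article HTML is cached or forwarded, and it stays valid for the lifetime of the session; that is an acceptable trade-off for a per-session capability that only gates proxy use, but the code does not say so. A short comment above the return would spare the next reader the analysis: `// token is per-session and only gates proxy use; it is expected to travel in URLs and logs`. If the session token could ever be unset on this path (presumably init() always sets it first — verify), `$_SESSION["af_proxy_http_token"] ?? ''` would avoid a notice. The enclosing method starts before this hunk.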