X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=inc%2Fmodules%2Floader.php;h=5e5bd89ed8a02f7706f917af2766a28fe1d965d6;hb=99966a712b3b3d8b521524762e153353d1d20bd4;hp=6224e80ba471195dd3f2cdc5a73bc716c240227e;hpb=263a089d8a499e0e26d0af9e7aa7639f88b8ca60;p=mailer.git
diff --git a/inc/modules/loader.php b/inc/modules/loader.php
index 6224e80ba4..5e5bd89ed8 100644
--- a/inc/modules/loader.php
+++ b/inc/modules/loader.php
@@ -14,11 +14,10 @@
 * $Date:: $ *
 * $Tag:: 0.2.1-FINAL $ *
 * $Author:: $ *
- * Needs to be in all Files and every File needs "svn propset *
- * svn:keywords Date Revision" (autoprobset!) at least!!!!!! *
 * -------------------------------------------------------------------- *
 * Copyright (c) 2003 - 2009 by Roland Haeder *
- * For more information visit: http://www.mxchange.org *
+ * Copyright (c) 2009 - 2013 by Mailer Developer Team *
+ * For more information visit: http://mxchange.org *
 * *
 * This program is free software; you can redistribute it and/or modify *
 * it under the terms of the GNU General Public License as published by *
@@ -38,25 +37,46 @@
 // Some security stuff...
 if (!defined('__SECURITY')) {
- die();
+ exit();
 } // END - if
 // Is an URL specified?
-if (isGetRequestElementSet('url')) {
+if ((isGetRequestElementSet('url')) && (isGetRequestElementSet('hash')) && (isGetRequestElementSet('salt'))) {
 // Decode URL
- $url = decodeString(str_replace(' ', '+', compileUriCode(urldecode(getRequestElement('url')))));
+ $decodedUrl = decodeString(str_replace(' ', '+', compileUriCode(urldecode(getRequestElement('url')))));
- // Validate the URL
- if (isUrlValid($url)) {
+ // Debug message
+ //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'decodedUrl=' . $decodedUrl . ',hash=' . getRequestElement('hash'));
+
+ // Generate hash for comparing it
+ $hash = encodeHashForCookie(generateHash($decodedUrl . getSiteKey() . getDateKey(), getRequestElement('salt')));
+
+ // Debug message
+ //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'decodedUrl=' . $decodedUrl . ',hash=' . $hash);
+
+ // Validate the URL and hash
+ if ($hash != getRequestElement('hash')) {
+ // Hash doesn't match
+ displayMessage('{--LOADER_SECURITY_HASH_MISMATCH--}');
+
+ // Log this event
+ logDebugMessage(__FILE__, __LINE__, 'Hash ' . getRequestElement('hash') . ' does not match URL ' . $decodedUrl);
+ } elseif (isUrlValid($decodedUrl)) {
 // Generate a JavaScript that redirects us
- loadTemplate('loader', false, $url);
+ loadTemplate('loader', FALSE, $decodedUrl);
 } else {
 // URL invalid
- redirectToUrl('index.php');
+ redirectToUrl('modules.php?module=index');
 }
 } else {
+ // Is the hash not provided?
+ if (!isGetRequestElementSet('hash')) {
+ // Very old (external!) call
+ logDebugMessage(__FUNCTION__, __LINE__, 'Possible old call on loader.php detected. Redirecting to index.php anyway ...');
+ } // END - if
+
 // Invalid or no URL entered!
- redirectToUrl('index.php');
+ redirectToUrl('modules.php?module=index');
 }
 // [EOF]
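Review bot: The redirect guard `if ($hash != getRequestElement('hash'))` uses loose `!=`, which compares numeric-looking strings as numbers and is not constant-time, so the request value can pass without being byte-identical to the computed hash. Change it to `if (!hash_equals($hash, (string) getRequestElement('hash'))) {` (PHP 5.6+), or at least to `!==` on older runtimes. The mismatch branch also concatenates the raw `hash` parameter and the decoded URL into `logDebugMessage()`; unless that helper strips control characters (not visible here), a request can forge log lines, so encode or truncate both values before logging. Separately, the new call in the final `else` passes `__FUNCTION__`, which is empty at file scope; `__FILE__`, as used in the mismatch branch, would be consistent.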