From 16ad844342356908f53913f9d639c79588927741 Mon Sep 17 00:00:00 2001
From: quix0r
Date: Wed, 24 Oct 2012 21:25:46 +0000
Subject: [PATCH] Added site and date key for improved security
---
 inc/functions.php | 2 +-
 inc/modules/loader.php | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/inc/functions.php b/inc/functions.php
index d69c1abdd0..1c555e08ac 100644
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -339,7 +339,7 @@ function generateDereferrerUrl ($url) {
 //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'url=' . $url);
 // De-refer this URL
- $url = '{%url=modules.php?module=loader&url=' . $encodedUrl . '&hash=' . encodeHashForCookie(generateHash($url)) . '%}';
+ $url = '{%url=modules.php?module=loader&url=' . $encodedUrl . '&hash=' . encodeHashForCookie(generateHash($url . getSiteKey() . getDateKey())) . '%}';
 } // END - if
 // Return link
diff --git a/inc/modules/loader.php b/inc/modules/loader.php
index b3395fa389..006559f5eb 100644
--- a/inc/modules/loader.php
+++ b/inc/modules/loader.php
@@ -45,8 +45,14 @@ if ((isGetRequestElementSet('url')) && (isGetRequestElementSet('hash'))) {
 // Decode URL
 $decodedUrl = decodeString(str_replace(' ', '+', compileUriCode(urldecode(getRequestElement('url')))));
+ // Debug message
+ //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'decodedUrl=' . $decodedUrl . ',hash=' . getRequestElement('hash'));
+
 // Generate hash for comparing it
- $hash = encodeHashForCookie(generateHash($decodedUrl, getRequestElement('hash')));
+ $hash = encodeHashForCookie(generateHash($decodedUrl . getSiteKey() . getDateKey(), getRequestElement('hash')));
+
+ // Debug message
+ //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'decodedUrl=' . $decodedUrl . ',hash=' . $hash);
 // Validate the URL and hash
 if ($hash != getRequestElement('hash')) {
-- 
2.39.5
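Review bot: The keyed input `$url . getSiteKey() . getDateKey()` is assembled inline on the changed `$url = ...` line and repeated verbatim in inc/modules/loader.php, so the link generator and the validator can silently drift apart if only one side is edited later. A small shared helper that returns this string (the name is up to the author) would keep both in step, with a comment such as `// Site and date key bind the hash to this installation so the redirect target cannot be altered by the client`. Appending secrets to the message without a delimiter is also weaker than a real keyed MAC; if generateHash(), which is not visible in this hunk, is a plain digest, `hash_hmac()` with the site key as the key argument would be the sturdier construction. If getDateKey() rotates, as its name suggests, links already embedded in sent content would presumably stop validating after a rotation, which deserves a comment here. The body of generateDereferrerUrl starts and ends outside the hunk.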
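Review bot: The check just below the new code, `if ($hash != getRequestElement('hash'))`, remains a loose and non-constant-time comparison, so the stronger keyed hash is still verified by a weak test. PHP's `!=` compares numeric-looking strings numerically, which can make two different hash strings compare equal; `if (!hash_equals($hash, (string) getRequestElement('hash'))) {` avoids both that and timing differences, with `!==` as the fallback where hash_equals() is unavailable. The two added debug lines use `__FUNCTION__` at what appears to be file scope, where it is empty, and the second one would write the expected hash to the log if it were enabled; `__FILE__` and leaving the hash value out would be safer. The `if` block continues past the end of the hunk.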