From d90eb9b884596512468d6d80031fe48bd166fabb Mon Sep 17 00:00:00 2001 From: rWatcher Date: Sat, 2 Jun 2012 23:01:06 -0400 Subject: [PATCH] Attempt to obscure resize url's by adding in an md5 checksum. --- 3.0/modules/fotomotorw/controllers/fotomotorw.php | 7 ++++++- 3.0/modules/fotomotorw/views/fotomotorw_block.html.php | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/3.0/modules/fotomotorw/controllers/fotomotorw.php b/3.0/modules/fotomotorw/controllers/fotomotorw.php index 1be2def0..aa7de2d6 100644 --- a/3.0/modules/fotomotorw/controllers/fotomotorw.php +++ b/3.0/modules/fotomotorw/controllers/fotomotorw.php @@ -19,7 +19,7 @@ */ class FotomotorW_Controller extends Controller { - public function resize($item_id) { + public function resize($str_checksum, $item_id) { // Displayed the "resized" version of an image by it's ID number. // This both gives fotomoto access to resizes regardless of permissions // and forces fotomoto to track images by unique id instead of file name @@ -31,6 +31,11 @@ class FotomotorW_Controller extends Controller { throw new Kohana_404_Exception(); } + // Make sure checksum matches, if not, throw a 404 error. + if ($str_checksum != md5($item->created)) { + throw new Kohana_404_Exception(); + } + // If the resize file doesn't exist for some reason, display a 404 error. if (!file_exists($item->resize_path())) { throw new Kohana_404_Exception(); diff --git a/3.0/modules/fotomotorw/views/fotomotorw_block.html.php b/3.0/modules/fotomotorw/views/fotomotorw_block.html.php index f0f4b91a..a3209822 100644 --- a/3.0/modules/fotomotorw/views/fotomotorw_block.html.php +++ b/3.0/modules/fotomotorw/views/fotomotorw_block.html.php @@ -10,6 +10,6 @@
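Review bot: The new first parameter in `resize($str_checksum, $item_id)` is undocumented, and the comment block under the signature still describes only the lookup by ID. That comment says the action serves resizes regardless of permissions, so the checksum is now the only gate on this route and the comment should say so, e.g. `// $str_checksum must equal the token the block view puts in the URL; any other value yields a 404.` A request in the old one-segment form would presumably reach this method with `$item_id` missing, so it is worth confirming that it ends in a 404 rather than a PHP argument error. The method body continues outside this hunk.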
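Review bot: The added check `$str_checksum != md5($item->created)` does not protect the resize, because the token is an unkeyed MD5 of what appears to be the item's creation time, a value that is not secret and that anyone can hash themselves. Since the comment in the previous hunk says this action serves resizes regardless of permissions, the token should depend on a server-side secret, for example `hash_hmac('sha256', $item->id . ':' . $item->created, $secret)`, where `$secret` is a placeholder for a random per-install value that this patch does not define. The loose `!=` also lets PHP compare two numeric-looking strings (such as digests of the form `0e` followed by digits) as numbers, so use `!==`, or `hash_equals()` where the PHP version provides it. The enclosing method starts and ends outside this hunk.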