-rw-r--r--cdn.basic.farfuture.inc18
-rw-r--r--cdn.module12
2 files changed, 19 insertions, 11 deletions
diff --git a/cdn.basic.farfuture.inc b/cdn.basic.farfuture.inc
index b20465b..efc7e81 100644
--- a/cdn.basic.farfuture.inc
+++ b/cdn.basic.farfuture.inc
@@ -10,18 +10,18 @@
//----------------------------------------------------------------------------
// Menu system callbacks.
-function cdn_basic_farfuture_download() {
- $args = func_get_args();
-
- // The first argument is the file's UFI. We don't need this anymore.
- $ufi = array_shift($args);
-
- // Reconstruct the path of the requested file.
- $path = implode('/', $args);
+function cdn_basic_farfuture_download($token, $ufi, $path) {
+ // Validate the token to make sure this request originated from CDN.
+ $path_info = pathinfo($path);
+ $sec_token = drupal_hmac_base64($ufi . $path_info['filename'], drupal_get_private_key() . drupal_get_hash_salt());
+ if ($token != $sec_token) {
+ header('HTTP/1.1 403 Forbidden');
+ exit();
+ }
// Disallow downloading of files that are also not allowed to be downloaded
// by Drupal's .htaccess file.
- if (preg_match("/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$/", $path)) {
+ if (preg_match("/\.(engine|inc|info|install|make|module|profile|test|po|sh|php([3-6])?|phtml|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$/", $path)) {
header('HTTP/1.1 403 Forbidden');
exit();
}
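Review bot: The token check at `if ($token != $sec_token)` compares a caller-supplied URL segment with a loose, early-exit string comparison; use a strict constant-time compare, `if (!hash_equals($sec_token, (string) $token)) {` (or at least `!==` if hash_equals() is not available on the PHP versions this module supports). The HMAC message `$ufi . $path_info['filename']` drops both the directory and the extension, so one token validates every `*/name.*` under the download root rather than the single file it was minted for; binding the full `$path` with a separator (e.g. `$ufi . '/' . $path`) on both the minting and the verifying side would tighten this, provided both sides see the same decoded form. The blacklist regex's second alternation `^(\..*|Entries.*|Repository|Root|Tag|Template)$` is anchored against the whole relative path, so `sites/default/.htaccess` or a CVS `Entries` file inside a subdirectory is not caught the way Apache's per-file FilesMatch would catch it; testing `$path_info['basename']` against that group would restore parity with .htaccess. cdn_basic_farfuture_download's body continues past the end of this hunk.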
diff --git a/cdn.module b/cdn.module
index 3eb1431..868595d 100644
--- a/cdn.module
+++ b/cdn.module
@@ -163,7 +163,13 @@ function cdn_file_url_alter(&$original_uri) {
$uri = drupal_encode_path($uri);
// Generate the new path.
$uri_before_farfuture = $uri;
- $uri = "cdn/farfuture/$ufi/$uri";
+
+ // Generate a unique token to verify that the request was generated by
+ // CDN. We cannot use drupal_get_token() since it depends on the user
+ // session.
+ $path_info = pathinfo(urldecode($uri));
+ $token = drupal_hmac_base64($ufi . $path_info['filename'], drupal_get_private_key() . drupal_get_hash_salt());
+ $uri = "cdn/farfuture/$token/$ufi/$uri";
}
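Review bot: The keyed token at `$token = drupal_hmac_base64($ufi . $path_info['filename'], ...)` duplicates the exact formula the verifier in cdn.basic.farfuture.inc must reproduce, so a later change to the message or key on one side silently breaks the other; both sites should call one shared helper, e.g. `cdn_farfuture_token($ufi, $path)`, with a comment noting that minting and verification must stay in lock-step. The message also concatenates `$ufi` and the filename with no separator, so distinct (ufi, name) pairs can collide on the same HMAC input unless the ufi is fixed-width; `$ufi . '/' . $path_info['filename']` removes the ambiguity, since `/` cannot appear in a pathinfo filename and presumably not in the ufi. Because the filename is reduced to its stem, the token is also shared by every file with that stem in any directory; binding the full decoded path would be stronger if the verifier is updated to match. cdn_file_url_alter starts before this hunk and continues after it.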
// Load the include file that contains the logic for the mode that's
@@ -342,11 +348,13 @@ function cdn_menu() {
);
// Origin Pull mode's Far Future expiration support.
- $items['cdn/farfuture'] = array(
+ $items['cdn/farfuture/%/%/%menu_tail'] = array(
'title' => 'Download a far futured file',
'access callback' => TRUE,
'page callback' => 'cdn_basic_farfuture_download',
+ 'page arguments' => array(2, 3, 4),
'type' => MENU_CALLBACK,
+ 'load arguments' => array('%map', '%index'),
'file' => 'cdn.basic.farfuture.inc',
);
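Review bot: With `'access callback' => TRUE` this router item is reachable anonymously and nothing in the menu layer inspects the token, so the safety of `cdn/farfuture/%/%/%menu_tail` rests entirely on the page callback; a comment on the access line would make that deliberate, e.g. `// Anonymous access is intended: cdn_basic_farfuture_download() validates the HMAC in the first path segment and applies the .htaccess blacklist itself.` The previous `cdn/farfuture/<ufi>/<path>` URLs no longer match any router item, so copies of them already held by the CDN or by client caches will 404 until they expire; that is probably acceptable for a security fix but deserves a line in the commit message or release notes.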