projects / github / wallabag / wallabag.git / blame
| Commit | Line | Data |
|---|---|---|
| d4949327 NL |
1 | URI.MungeSecretKey\r |
| 2 | TYPE: string/null\r | |
| 3 | VERSION: 3.1.1\r | |
| 4 | DEFAULT: NULL\r | |
| 5 | --DESCRIPTION--\r | |
| 6 | <p>\r | |
| 7 | This directive enables secure checksum generation along with %URI.Munge.\r | |
| 8 | It should be set to a secure key that is not shared with anyone else.\r | |
| 9 | The checksum can be placed in the URI using %t. Use of this checksum\r | |
| 10 | affords an additional level of protection by allowing a redirector\r | |
| 11 | to check if a URI has passed through HTML Purifier with this line:\r | |
| 12 | </p>\r | |
| 13 | \r | |
| 14 | <pre>$checksum === hash_hmac("sha256", $url, $secret_key)</pre>\r | |
| 15 | \r | |
| 16 | <p>\r | |
| 17 | If the output is TRUE, the redirector script should accept the URI.\r | |
| 18 | </p>\r | |
| 19 | \r | |
| 20 | <p>\r | |
| 21 | Please note that it would still be possible for an attacker to procure\r | |
| 22 | secure hashes en-mass by abusing your website's Preview feature or the\r | |
| 23 | like, but this service affords an additional level of protection\r | |
| 24 | that should be combined with website blacklisting.\r | |
| 25 | </p>\r | |
| 26 | \r | |
| 27 | <p>\r | |
| 28 | Remember this has no effect if %URI.Munge is not on.\r | |
| 29 | </p>\r | |
| 30 | --# vim: et sw=4 sts=4\r |