Commit | Line | Data |
---|---|---|
010efc9b AD |
1 | URI.MungeSecretKey |
2 | TYPE: string/null | |
3 | VERSION: 3.1.1 | |
4 | DEFAULT: NULL | |
5 | --DESCRIPTION-- | |
6 | <p> | |
7 | This directive enables secure checksum generation along with %URI.Munge. | |
8 | It should be set to a secure key that is not shared with anyone else. | |
9 | The checksum can be placed in the URI using %t. Use of this checksum | |
10 | affords an additional level of protection by allowing a redirector | |
11 | to check if a URI has passed through HTML Purifier with this line: | |
12 | </p> | |
13 | ||
14 | <pre>$checksum === sha1($secret_key . ':' . $url)</pre> | |
15 | ||
16 | <p> | |
17 | If the output is TRUE, the redirector script should accept the URI. | |
18 | </p> | |
19 | ||
20 | <p> | |
21 | Please note that it would still be possible for an attacker to procure | |
22 | secure hashes en masse by abusing your website's Preview feature or the | |
23 | like, but this service affords an additional level of protection | |
24 | that should be combined with website blacklisting. | |
25 | </p> | |
26 | ||
27 | <p> | |
28 | Remember this has no effect if %URI.Munge is not on. | |
29 | </p> | |
30 | --# vim: et sw=4 sts=4 |
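
The redirector-side check described in the directive, as an added example (not part of HTML Purifier or of this file). It assumes %URI.Munge is set to something like `/redirect.php?url=%s&t=%t`; the query parameter names `url` and `t`, the `MUNGE_SECRET_KEY` environment variable, the function names and the sample blocklist are all hypothetical.

```php
<?php
// Added example: hypothetical redirector for links munged as /redirect.php?url=%s&t=%t
declare(strict_types=1);

// Constructed sample blocklist; the directive advises combining the checksum with one.
const BLOCKED_HOSTS = ['blocked.example'];

function is_purified_uri(string $secretKey, string $url, string $checksum): bool
{
    // Same construction the directive documents, compared in constant time
    // so the comparison does not leak how many leading characters matched.
    $expected = sha1($secretKey . ':' . $url);
    return hash_equals($expected, $checksum);
}

function redirect_target(string $secretKey, array $query): ?string
{
    $url = $query['url'] ?? null;
    $checksum = $query['t'] ?? null;
    // Reject missing or array-valued parameters and an unset key.
    if (!is_string($url) || !is_string($checksum) || $secretKey === '') {
        return null;
    }
    if (!is_purified_uri($secretKey, $url, $checksum)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (in_array(strtolower($parts['host']), BLOCKED_HOSTS, true)) {
        return null;
    }
    return $url;
}

if (PHP_SAPI !== 'cli') {
    // Assumption: the key configured as %URI.MungeSecretKey is provided via the environment.
    $target = redirect_target((string) getenv('MUNGE_SECRET_KEY'), $_GET);
    if ($target === null) {
        http_response_code(400);
        exit('Invalid or unsigned link.');
    }
    header('Location: ' . $target, true, 302);
}
```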