Merge pull request #183 from mimrock/better_message_auth

Better message auth

phpThumb.config.php.default

@@ -273,5 +273,5 @@ function phpThumbURL($ParameterString, $path_to_phpThumb='phpThumb.php') {
 		}
 	}
 	$ParameterString = implode($PHPTHUMB_CONFIG['high_security_url_separator'], $ParamterStringEncodedArray);
-	return $path_to_phpThumb.'?'.$ParameterString.$PHPTHUMB_CONFIG['high_security_url_separator'].'hash='.md5($ParameterString.$PHPTHUMB_CONFIG['high_security_password']);
+	return $path_to_phpThumb.'?'.$ParameterString.$PHPTHUMB_CONFIG['high_security_url_separator'].'hash='.hash_hmac('sha256', $ParameterString, $PHPTHUMB_CONFIG['high_security_password']);
 }

phpThumb.php

@@ -207,9 +207,8 @@ function RedirectToCachedFile() {
 	} elseif (phpthumb_functions::PasswordStrength($phpThumb->config_high_security_password) < 20) {
 		$phpThumb->config_disable_debug = false; // otherwise error message won't print
 		$phpThumb->ErrorImage('ERROR: $PHPTHUMB_CONFIG[high_security_password] is not complex enough');
-	} elseif ($_GET['hash'] != md5(str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$phpThumb->config_high_security_password)) {
+	} elseif ($_GET['hash'] != hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']), $phpThumb->config_high_security_password)) {
 		header('HTTP/1.0 403 Forbidden');
-		sleep(10); // deliberate delay to discourage password-guessing
 		$phpThumb->ErrorImage('ERROR: invalid hash');
 	}
 }