From d02648bed2358651a7ad92d40e8cdca753edda9b Mon Sep 17 00:00:00 2001
From: mimrock <lados.denes@gmail.com>
Date: Thu, 21 Oct 2021 23:06:03 +0200
Subject: [PATCH 1/4] Use hmac for message authentication

---
 phpThumb.config.php.default => phpThumb.config.php.default.php | 2 +-
 phpThumb.php                                                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename phpThumb.config.php.default => phpThumb.config.php.default.php (99%)

diff --git a/phpThumb.config.php.default b/phpThumb.config.php.default.php
similarity index 99%
rename from phpThumb.config.php.default
rename to phpThumb.config.php.default.php
index 2f26aed..1cf5a0f 100644
--- a/phpThumb.config.php.default
+++ b/phpThumb.config.php.default.php
@@ -273,5 +273,5 @@ function phpThumbURL($ParameterString, $path_to_phpThumb='phpThumb.php') {
 		}
 	}
 	$ParameterString = implode($PHPTHUMB_CONFIG['high_security_url_separator'], $ParamterStringEncodedArray);
-	return $path_to_phpThumb.'?'.$ParameterString.$PHPTHUMB_CONFIG['high_security_url_separator'].'hash='.md5($ParameterString.$PHPTHUMB_CONFIG['high_security_password']);
+	return $path_to_phpThumb.'?'.$ParameterString.$PHPTHUMB_CONFIG['high_security_url_separator'].'hash='.hash_hmac('sha256', $ParameterString, $PHPTHUMB_CONFIG['high_security_password']);
 }
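Review bot: The signing side now emits an HMAC-SHA256 over the encoded parameter string, which invalidates every URL signed under the previous md5 scheme and must stay in lock-step with the check in RedirectToCachedFile in phpThumb.php, yet neither dependency is recorded at the line. A comment above the return would spare the next maintainer a mismatch hunt: `// HMAC-SHA256 keyed with high_security_password over the encoded parameter string; must match the verification in phpThumb.php`. The raw configured password is used directly as the HMAC key, which is fine for hash_hmac but worth stating so nobody later "improves" one side with a derived key. phpThumbURL's body begins before this hunk.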
diff --git a/phpThumb.php b/phpThumb.php
index 8e02199..83569c4 100644
--- a/phpThumb.php
+++ b/phpThumb.php
@@ -207,7 +207,7 @@ function RedirectToCachedFile() {
 	} elseif (phpthumb_functions::PasswordStrength($phpThumb->config_high_security_password) < 20) {
 		$phpThumb->config_disable_debug = false; // otherwise error message won't print
 		$phpThumb->ErrorImage('ERROR: $PHPTHUMB_CONFIG[high_security_password] is not complex enough');
-	} elseif ($_GET['hash'] != md5(str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$phpThumb->config_high_security_password)) {
+	} elseif ($_GET['hash'] != hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$phpThumb->config_high_security_password)) {
 		header('HTTP/1.0 403 Forbidden');
 		sleep(10); // deliberate delay to discourage password-guessing
 		$phpThumb->ErrorImage('ERROR: invalid hash');
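Review bot: The new condition still compares the supplied tag with `!=`, a loose, early-exit string comparison, where the strict constant-time `hash_equals()` is the right tool for an authentication tag; the same line survives unchanged in PATCH 2/4 and in corrected form in PATCH 4/4. `$_GET['hash']` is also read without checking that it is present and a string, so a missing or array-valued parameter reaches `str_replace` and the comparison instead of being rejected outright. In this commit `hash_hmac()` is given only two arguments, with the password appended to the data rather than passed as the key — PATCH 4/4 in this series corrects that. Suggested condition, once the key argument is in place: `} elseif (!isset($_GET['hash']) || !is_string($_GET['hash']) || !hash_equals(hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']), $phpThumb->config_high_security_password), $_GET['hash'])) {`. RedirectToCachedFile begins before this hunk and continues after it.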

From 82535e9a8c1f009684718572e00573c6906d5127 Mon Sep 17 00:00:00 2001
From: mimrock <lados.denes@gmail.com>
Date: Thu, 21 Oct 2021 23:06:26 +0200
Subject: [PATCH 2/4] Do not sleep after a failed verification

---
 phpThumb.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/phpThumb.php b/phpThumb.php
index 83569c4..97c9ad4 100644
--- a/phpThumb.php
+++ b/phpThumb.php
@@ -209,7 +209,6 @@ function RedirectToCachedFile() {
 		$phpThumb->ErrorImage('ERROR: $PHPTHUMB_CONFIG[high_security_password] is not complex enough');
 	} elseif ($_GET['hash'] != hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$phpThumb->config_high_security_password)) {
 		header('HTTP/1.0 403 Forbidden');
-		sleep(10); // deliberate delay to discourage password-guessing
 		$phpThumb->ErrorImage('ERROR: invalid hash');
 	}
 }
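Review bot: Dropping the `sleep(10)` removes the only throttle on the 403 path, and neither the code nor the commit message records why that is now acceptable. The trade-off is defensible — a ten-second sleep per bad request holds a worker and is itself a cheap way to exhaust the server, while guessing resistance now rests on the HMAC key, which the `PasswordStrength` check just above this hunk (visible in PATCH 1/4) already requires to be strong — but it should be written down where the line was: `// no delay on failure: it only held a worker per bad request; guessing resistance comes from the HMAC key, whose strength is checked above`. If request-level rate limiting is wanted it belongs in front of PHP, not in a blocking sleep. RedirectToCachedFile begins before this hunk.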

From 5fd133d990238c339f6b70747dcb973c67426612 Mon Sep 17 00:00:00 2001
From: mimrock <lados.denes@gmail.com>
Date: Fri, 22 Oct 2021 00:06:52 +0200
Subject: [PATCH 3/4] Revert filerename

---
 phpThumb.config.php.default.php => phpThumb.config.php.default | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename phpThumb.config.php.default.php => phpThumb.config.php.default (100%)

diff --git a/phpThumb.config.php.default.php b/phpThumb.config.php.default
similarity index 100%
rename from phpThumb.config.php.default.php
rename to phpThumb.config.php.default

From f320562fa58de3ed3ffaab43f6ba9c0d7c39a8a4 Mon Sep 17 00:00:00 2001
From: mimrock <lados.denes@gmail.com>
Date: Fri, 22 Oct 2021 00:21:31 +0200
Subject: [PATCH 4/4] Fix missing key

---
 phpThumb.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/phpThumb.php b/phpThumb.php
index 97c9ad4..3a83909 100644
--- a/phpThumb.php
+++ b/phpThumb.php
@@ -207,7 +207,7 @@ function RedirectToCachedFile() {
 	} elseif (phpthumb_functions::PasswordStrength($phpThumb->config_high_security_password) < 20) {
 		$phpThumb->config_disable_debug = false; // otherwise error message won't print
 		$phpThumb->ErrorImage('ERROR: $PHPTHUMB_CONFIG[high_security_password] is not complex enough');
-	} elseif ($_GET['hash'] != hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$phpThumb->config_high_security_password)) {
+	} elseif ($_GET['hash'] != hash_hmac('sha256', str_replace($phpThumb->config_high_security_url_separator.'hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']), $phpThumb->config_high_security_password)) {
 		header('HTTP/1.0 403 Forbidden');
 		$phpThumb->ErrorImage('ERROR: invalid hash');
 	}