This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests are now tracked at the
issue tracker at Github
FS#1769 Make it harder to abuse fetch.php as anonymous redirector/proxy
Currently fetch.php will either download any given remote URL or at least redirect to it regardless if the request came from a link or image in the Wiki or from an outsider.
Adding some kind of hash or signature to all calls with remote URLs inside ml() and checking if that hash is correct in fetch.php should solve this problem.
This might break any plugins or third party tools that construct a fetch.php call without the help of ml()