From 6abbbf00e2a7ddfa5bb698cd2002daf2c47ed326 Mon Sep 17 00:00:00 2001
From: ccd0
Date: Sat, 23 Aug 2014 20:21:33 -0700
Subject: [PATCH] stricter security test

---
 src/Archive/archives.json | 3 ++-
 src/General/Get.coffee | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/Archive/archives.json b/src/Archive/archives.json
index 892dcd39a..b599f4571 100644
--- a/src/Archive/archives.json
+++ b/src/Archive/archives.json
@@ -87,5 +87,6 @@
 "https": false,
 "software": "foolfuuka",
 "boards": ["t"],
- "files": ["t"]
+ "files": ["t"],
+ "imagehosts": ["http://archive.mawa.re/"]
 }]
diff --git a/src/General/Get.coffee b/src/General/Get.coffee
index 9021ea3ce..f41340004 100755
--- a/src/General/Get.coffee
+++ b/src/General/Get.coffee
@@ -145,8 +145,8 @@ Get =
 {media} = response
 if media then for key of media when /_link$/.test key
 # Image/thumbnail URLs loaded over HTTP can be modified in transit.
- # Require them to be HTTP so that no referrer is sent to them from an HTTPS page.
- delete media[key] unless /^http:\/\//.test media[key]
+ # Require them to be from a known HTTP host so that no referrer is sent to them from an HTTPS page.
+ delete media[key] unless media[key].match(/^(http:\/\/[^\/]+\/)?/)[0] in url.archive.imagehosts
 Get.parseArchivedPost response, boardID, postID, root, context
 return true
 return false
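Review bot: The `imagehosts` value is compared by exact string equality against the `http://host/` prefix that the companion Get.coffee hunk extracts from each image URL, so the scheme, the lowercase host and the trailing slash in `"http://archive.mawa.re/"` are all load-bearing; a variant such as a missing slash, a port, or an `https://` entry would silently drop every image link from this archive rather than fail loudly. Since JSON admits no comments, the accepted entry form (`scheme://host/`, exact case, trailing slash, no port) should be documented wherever the archives.json schema is described.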
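Review bot: The new allowlist check on the `delete media[key] unless …` line throws instead of failing closed in two cases the hunk does not cover: `in url.archive.imagehosts` is compiled to an `indexOf` call that raises a TypeError when the archive entry has no `imagehosts` array (the archives.json hunk adds the key to only one entry, so presumably the other entries lack it), and `media[key].match(...)` raises when a `*_link` value is null or otherwise not a string, whereas the replaced `/^http:\/\//.test media[key]` coerced such values. Unless a caller outside the hunk catches it, an exception here aborts the loop before `Get.parseArchivedPost` runs, so one missing key or null link breaks every archived post for that archive. Both can be made fail-closed by binding `hosts = url.archive.imagehosts or []` before the loop and changing the check to `delete media[key] unless typeof media[key] is 'string' and media[key].match(/^(http:\/\/[^\/]+\/)?/)[0] in hosts`. The comparison is an exact, case-sensitive string match that requires the trailing slash and rejects any port, which is fine as a fail-closed allowlist but worth stating next to the regex, e.g. `# Exact match against the archive's imagehosts entries (scheme://host/, case-sensitive, no port).`. The enclosing function starts before the hunk, and the `url` variable it reads is defined outside the hunk as well.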