From 95f3c16e6e3ad47839692cbf16be180a5512376d Mon Sep 17 00:00:00 2001
From: ccd0 <admin@containerchan.org>
Date: Mon, 11 Aug 2014 22:05:47 -0700
Subject: [PATCH] fix potential MITM attack

---
 src/General/Get.coffee | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/General/Get.coffee b/src/General/Get.coffee
index b50bf8541..9021ea3ce 100755
--- a/src/General/Get.coffee
+++ b/src/General/Get.coffee
@@ -142,6 +142,11 @@ Get =
       return true
     else if Conf['Except Archives from Encryption']
       CrossOrigin.json url, (response) ->
+        {media} = response
+        if media then for key of media when /_link$/.test key
+          # Image/thumbnail URLs loaded over HTTP can be modified in transit.
+          # Require them to be HTTP so that no referrer is sent to them from an HTTPS page.
+          delete media[key] unless /^http:\/\//.test media[key]
         Get.parseArchivedPost response, boardID, postID, root, context
       return true
     return false
@@ -202,7 +207,8 @@ Get =
       o.file =
         name:      data.media.media_filename
         timestamp: data.media.media_orig
-        url:       data.media.media_link or data.media.remote_media_link
+        url:       data.media.media_link or data.media.remote_media_link or
+                     "//i.4cdn.org/#{boardID}/#{encodeURIComponent data.media[if boardID is 'f' then 'media_filename' else 'media_orig']}"
         height:    data.media.media_h
         width:     data.media.media_w
         MD5:       data.media.media_hash