Bug #803

nesting $HTTP["referer"] inside of $HTTP["url"] does not work

Added by Anonymous almost 11 years ago. Updated over 9 years ago.

Status: Fixed
Priority: Low
Assignee: -
Category: core
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:


Description

This works:


$HTTP["url"] =~ "^/images/" {
     url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
}

This works:


$HTTP["referer"] !~ "^($|http://www\.fussball-forum\.de)" {
     url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
}

This does not work:


$HTTP["url"] =~ "^/images/" {
  $HTTP["referer"] !~ "^($|http://www\.fussball-forum\.de)" {
     url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
  }
}

All requests will be served, none denied.

-- alisencer (ät) gmail.com

History

#1 Updated by moo almost 11 years ago

You're right, it's a limited design, an expected result.

#2 Updated by Anonymous almost 11 years ago

Is there any chance that this will change?

My situation is as follows: We want to protect against hotlinking - but only from that subdirectory (images). We offer other image material, like Banners etc. from other directories where we encourage people to hotlink.
I can currently think of working around this by moving them to different domains, so it's not critical - but it would be nice.

Also you mention it is expected - are there any hints (without reading code) to find out which conditional-nesting can work and which one would not? Thanks. :)

-- alisencer (et) gmail com

#3 Updated by Anonymous almost 11 years ago

I think this should work:

$HTTPreferer !~ "^($|http://www\.fussball-forum\.de)" {
$HTTPurl =~ "^/images/" {
url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
}
}

-- Nicolae Namolovan

#4 Updated by Anonymous almost 11 years ago

Oops, bad formatting.

Just put $HTTP["url"] inside $HTTP["referer"].
$HTTP["url"] must always be the last, at least in 1.4.x


$HTTP["referer"] !~ "^($|http://www\.fussball-forum\.de)" {
  $HTTP["url"] =~ "^/images/" {
     url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
  }
}

-- Nicolae Namolovan

#5 Updated by jan almost 10 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in r1942

#6 Updated by Anonymous over 9 years ago

  • Status changed from Fixed to Need Feedback
  • Resolution deleted (fixed)

Why doesn't this deny access to http://jsdev.ru/book/javascript-bible.zip with NO referer?

$HTTP["url"] =~ "^/book/(.*)\.zip$" {
  $HTTP["referer"] !~ "jsdev\.ru$" {
     url.access-deny = ( "" )
  }
}

Seems the bug is still open?

-- iliakan

#7 Updated by stbuehler over 9 years ago

  • Status changed from Need Feedback to Fixed
  • Resolution set to duplicate

See #1164 for patch.
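
The decision the nested block in the description is meant to produce, modelled in Python as an added example (not lighttpd code and not part of the ticket), usable as an expected-result table when testing a server. It assumes a missing Referer header is compared as an empty string; `STRICT_REFERER_RE` and the sample requests are constructed for illustration.

```python
import re

# Patterns and suffix list copied from the configuration in the ticket.
URL_RE = re.compile(r"^/images/")
REFERER_RE = re.compile(r"^($|http://www\.fussball-forum\.de)")
DENY_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")

# Constructed variant (not from the ticket): the host must be followed by "/"
# or the end of the string, so a longer hostname with the same prefix fails.
STRICT_REFERER_RE = re.compile(r"^($|http://www\.fussball-forum\.de(/|$))")


def denied(path, referer, referer_re=REFERER_RE):
    """Return True when the nested block is meant to deny the request."""
    referer = referer or ""  # assumption: absent header compares as ""
    in_scope = URL_RE.search(path) is not None       # $HTTP["url"] =~
    foreign = referer_re.search(referer) is None     # $HTTP["referer"] !~
    return in_scope and foreign and path.endswith(DENY_SUFFIXES)


# Constructed sample requests: (path, Referer header or None).
SAMPLES = [
    ("/images/a.jpg", "http://www.fussball-forum.de/thread/1"),
    ("/images/a.jpg", None),
    ("/images/a.jpg", "http://other.example/page"),
    ("/banners/b.gif", "http://other.example/page"),
    ("/images/a.jpg", "http://www.fussball-forum.de.example.net/"),
]


def decisions(referer_re=REFERER_RE):
    """Deny/allow result for each sample, in order."""
    return [denied(p, r, referer_re) for p, r in SAMPLES]


if __name__ == "__main__":
    for (path, ref), loose, strict in zip(
        SAMPLES, decisions(), decisions(STRICT_REFERER_RE)
    ):
        print(f"{path:16} {str(ref):45} ticket={loose} strict={strict}")
```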
