Bug #803
nesting $HTTP["referer"] inside of $HTTP["url"] does not work
| Status: | Fixed | Start: | |
|---|---|---|---|
| Priority: | Low | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | core | | |
| Target version: | 1.4.17 | | |
| Missing in 1.5.x: | | | |
Description
This works:
$HTTP["url"] =~ "^/images/" {
    url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
}
This works:
$HTTP["referer"] !~ "^($|http://www\.fussball-forum\.de)" {
    url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
}
This does not work:
$HTTP["url"] =~ "^/images/" {
    $HTTP["referer"] !~ "^($|http://www\.fussball-forum\.de)" {
        url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
    }
}
All requests will be served, none denied.
-- alisencer (ät) gmail.com
History
Updated by moo about 4 years ago
You're right, it's a limited design, an expected result.
Updated by Anonymous about 4 years ago
Is there any chance that this will change?
My situation is as follows: We want to protect against hotlinking - but only from that subdirectory (images). We offer other image material, like Banners etc. from other directories where we encourage people to hotlink.
I can currently think of working around this by moving them to different domains, so it's not critical - but it would be nice.
Also, you mention it is expected - are there any hints (without reading code) to find out which conditional nesting can work and which one would not? Thanks. :)
-- alisencer (et) gmail com
Updated by Anonymous about 4 years ago
I think this should work:
$HTTP["referer"] !~ "^($|http://www\.fussball-forum\.de)" {
    $HTTP["url"] =~ "^/images/" {
        url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
    }
}
-- Nicolae Namolovan
Updated by Anonymous about 4 years ago
Updated by jan about 3 years ago
- Status changed from New to Fixed
- Resolution set to fixed
fixed in r1942
Updated by Anonymous almost 3 years ago
- Status changed from Fixed to Need Feedback
- Resolution deleted (fixed)
Why doesn't this deny access to http://jsdev.ru/book/javascript-bible.zip with NO referer?
$HTTP["url"] =~ "^/book/(.*)\.zip$" {
    $HTTP["referer"] !~ "jsdev\.ru$" {
        url.access-deny = ( "" )
    }
}
Seems the bug is still open?
-- iliakan
Updated by stbuehler over 2 years ago
- Status changed from Need Feedback to Fixed
- Resolution set to duplicate
See #1164 for patch.
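The verdicts the nested blocks in this ticket are meant to produce can be written down as a small model and compared against what a server actually returns. This is an added example, not code from the ticket or from lighttpd; `nested_deny`, the sample requests, and the treatment of a missing Referer as an empty string are assumptions.

```python
import re

def nested_deny(url_re, referer_re, deny_suffixes):
    """Model of the intended semantics of
         $HTTP["url"] =~ url_re {
           $HTTP["referer"] !~ referer_re { url.access-deny = deny_suffixes }
         }
    Assumption: a missing Referer header is compared as the empty string."""
    url_pat, ref_pat = re.compile(url_re), re.compile(referer_re)

    def decide(path, referer=None):
        if not url_pat.search(path):          # outer condition not met
            return "serve"
        if ref_pat.search(referer or ""):     # inner "!~" condition not met
            return "serve"
        # url.access-deny matches on the path suffix; "" matches every path
        hit = any(path.endswith(s) for s in deny_suffixes)
        return "deny" if hit else "serve"
    return decide

# The two nested rules quoted in the ticket.
images = nested_deny(r"^/images/", r"^($|http://www\.fussball-forum\.de)",
                     (".jpg", ".jpeg", ".png", ".gif"))
book = nested_deny(r"^/book/(.*)\.zip$", r"jsdev\.ru$", ("",))

# Constructed requests: (rule, path, Referer header or None)
CASES = [
    (images, "/images/a.jpg", None),                               # "$" allows empty
    (images, "/images/a.jpg", "http://www.fussball-forum.de/t/1"),
    (images, "/images/a.jpg", "http://example.org/"),              # hotlink
    (images, "/images/notes.txt", "http://example.org/"),          # suffix not listed
    (images, "/banners/b.gif", "http://example.org/"),             # outside /images/
    (book, "/book/javascript-bible.zip", None),                    # no referer
    (book, "/book/javascript-bible.zip", "http://jsdev.ru"),
    (book, "/book/javascript-bible.zip", "http://jsdev.ru/book/"), # "$" anchors to end
]

def run_cases():
    """Return the expected verdict for each constructed request, in order."""
    return [rule(path, ref) for rule, path, ref in CASES]

if __name__ == "__main__":
    for (_, path, ref), verdict in zip(CASES, run_cases()):
        print(f"{verdict:5}  {path}  referer={ref!r}")
```

A server whose responses differ from this table for the same path and Referer is not applying the inner condition as written.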