Project

General

Profile

Actions

Bug #803

closed

nesting $HTTP["referer"] inside of $HTTP["url"] does not work

Added by Anonymous over 18 years ago. Updated almost 17 years ago.

Status:
Fixed
Priority:
Low
Category:
core
Target version:
ASK QUESTIONS IN Forums:

Description

This works:


$HTTP["url"] =~ "^/images/" {
     url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
}

This works:


$HTTP["referer"] !~ "^($|http://www\.fussball-forum\.de)" {
     url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
}

This does not work:


$HTTP["url"] =~ "^/images/" {
  $HTTP["referer"] !~ "^($|http://www\.fussball-forum\.de)" {
     url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
  }
}

All requests will be served, none denied.

-- alisencer (ät) gmail.com

Actions #1

Updated by moo over 18 years ago

you're right, it's a limited design, a expected result.

Actions #2

Updated by Anonymous over 18 years ago

Is there any chance that this will change?

My situation is as follows: We want to protect against hotlinking - but only from that subdirectory (images). We offer other image material, like Banners etc. from other directories where we encourage people to hotlink.
I can currently think of working around this by moving them to different domains, so it's not critical - but it would be nice.

Also you mention it is expected - are there any hints (without reading code) to find out which conditional-nesting can work and which one would not. Thanks. :)

-- alisencer (et) gmail com

Actions #3

Updated by Anonymous over 18 years ago

I think this should work:

$HTTPreferer !~ "^($|http://www\.fussball-forum\.de)" {
$HTTPurl =~ "^/images/" {
url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
}
}

-- Nicolae Namolovan

Actions #4

Updated by Anonymous over 18 years ago

Oops, bad formating.

Just put $HTTPurl inside $HTTPreferer
$HTTPurl must be allways the last, at least in 1.4.x


$HTTP["referer"] !~ "^($|http://www\.fussball-forum\.de)" {
  $HTTP["url"] =~ "^/images/" {
     url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif" )
  }
}

-- Nicolae Namolovan

Actions #5

Updated by jan over 17 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in r1942

Actions #6

Updated by Anonymous about 17 years ago

  • Status changed from Fixed to Need Feedback
  • Resolution deleted (fixed)

Why this doesn't deny access to http://jsdev.ru/book/javascript-bible.zip with NO referer ?

$HTTP[[url]] =~ "^/book/(.*)\.zip$" {
$HTTP[[referer]] !~ "jsdev\.ru$" {
url.access-deny = ( "" )
}
}

Seems bug still open ?

-- iliakan

Actions #7

Updated by stbuehler almost 17 years ago

  • Status changed from Need Feedback to Fixed
  • Resolution set to duplicate

See #1164 for patch.

Actions

Also available in: Atom