Project

General

Profile

Feature #984

error matching null http referrer

Added by Anonymous over 13 years ago. Updated almost 12 years ago.

Status:
Wontfix
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:

Description


  1. deny access for all image stealers
    $HTTPreferer !~ "^($|http://www\.example\.org)" {
    url.access-deny = ( ".jpg", ".jpeg", ".png" )
    }
    ---
    the intention of configuration above is to block hotlinking from other sites and NULL referrer, but user could still download the files with NULL http referrer.
    e.g.
    1. wget --referer="" http://www.example.org/test/1.png
    2. wget http://www.example.org/test/1.png
    generally default referrer is null, that means user can simply use browser/any http client to download files.

-- linlei

#1

Updated by Anonymous over 13 years ago

Sorry for bad formatting.


# deny access for all image stealers
$HTTP["referer"] !~ "^($|http://www\.example\.org)" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}

the intention of configuration above is to block hotlinking from other sites and NULL referrer, but user could still download the files with NULL http referrer.

e.g.

1. wget --referer="" http://www.example.org/test/1.png

2. wget http://www.example.org/test/1.png

generally default referrer is null, that means user can simply use browser/any http client to download files.

#2

Updated by Anonymous over 13 years ago

try:


# if referrer doesnt begin with http://www.example.org
$HTTP["referer"] !~ "^http://www\.example\.org" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}

-- phadej

#3

Updated by jwmcglynn over 13 years ago

The problem that you are having is a regex that matches the wrong pattern. Use phadej's example for your purposes.

I'm changing this to an enhancement -- checking if a conditional wasn't supplied in the request is a useful feature, like handling HTTP/1.0 clients that don't send a Host header like so:


$HTTP["host"] is null {
    server.document-root = "/blah" 
}
#4

Updated by stbuehler almost 12 years ago

  • Status changed from New to Fixed
  • Resolution set to wontfix

i see no problem handling not existing and empty headers in the same way in the config:


$HTTP["host"] == "" {
[...]
}
#5

Updated by stbuehler almost 12 years ago

  • Status changed from Fixed to Wontfix

Also available in: Atom