Feature #984
closederror matching null http referrer
Description
# deny access for all image stealers
$HTTP[[referer]] !~ "^($|http://www\.example\.org)" {
url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
the intention of configuration above is to block hotlinking from other sites and NULL referrer, but user could still download the files with NULL http referrer.
e.g.
1. wget --referer="" http://www.example.org/test/1.png
2. wget http://www.example.org/test/1.png
generally default referrer is null, that means user can simply use browser/any http client to download files.
-- linlei
Updated by Anonymous over 17 years ago
Sorry for bad formatting.
# deny access for all image stealers
$HTTP["referer"] !~ "^($|http://www\.example\.org)" {
url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
the intention of configuration above is to block hotlinking from other sites and NULL referrer, but user could still download the files with NULL http referrer.
e.g.
1. wget --referer="" http://www.example.org/test/1.png
2. wget http://www.example.org/test/1.png
generally default referrer is null, that means user can simply use browser/any http client to download files.
Updated by Anonymous about 17 years ago
try:
# if referrer doesnt begin with http://www.example.org
$HTTP["referer"] !~ "^http://www\.example\.org" {
url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
-- phadej
Updated by jwmcglynn about 17 years ago
The problem that you are having is a regex that matches the wrong pattern. Use phadej's example for your purposes.
I'm changing this to an enhancement -- checking if a conditional wasn't supplied in the request is a useful feature, like handling HTTP/1.0 clients that don't send a Host header like so:
$HTTP["host"] is null {
server.document-root = "/blah"
}
Updated by stbuehler over 15 years ago
- Status changed from New to Fixed
- Resolution set to wontfix
i see no problem handling not existing and empty headers in the same way in the config:
$HTTP["host"] == "" {
[...]
}
Also available in: Atom