Feature #984

closed

error matching null http referrer

Added by Anonymous about 17 years ago. Updated 3 months ago.

Status: Wontfix
Priority: Normal
Category: core
Target version:
ASK QUESTIONS IN Forums: No

Description

# deny access for all image stealers
$HTTP["referer"] !~ "^($|http://www\.example\.org)" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}

The intention of the configuration above is to block hotlinking from other sites and a NULL referrer, but a user could still download the files with a NULL HTTP referrer.
e.g.
1. wget --referer="" http://www.example.org/test/1.png
2. wget http://www.example.org/test/1.png
Generally the default referrer is null, which means a user can simply use a browser or any HTTP client to download files.

-- linlei

Actions #1

Updated by Anonymous about 17 years ago

Sorry for bad formatting.


# deny access for all image stealers
$HTTP["referer"] !~ "^($|http://www\.example\.org)" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}

The intention of the configuration above is to block hotlinking from other sites and a NULL referrer, but a user could still download the files with a NULL HTTP referrer.

e.g.

1. wget --referer="" http://www.example.org/test/1.png

2. wget http://www.example.org/test/1.png

Generally the default referrer is null, which means a user can simply use a browser or any HTTP client to download files.

Actions #2

Updated by Anonymous about 17 years ago

try:


# if referrer doesn't begin with http://www.example.org
$HTTP["referer"] !~ "^http://www\.example\.org" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}

-- phadej
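
The difference between the two conditions above, as an added example that is not part of the original thread: a small Python model of `$HTTP["referer"] !~ pattern { url.access-deny = (...) }` run over constructed requests. It assumes an absent Referer header is compared as the empty string and that Python's `re` behaves like lighttpd's regex engine for these simple patterns; `TIGHTENED`, `status_for` and `evaluate` are names introduced here, and the tightened pattern goes beyond what the thread proposes.

```python
import re

# The first two patterns are taken from the thread; the third is an added variant.
ORIGINAL = r"^($|http://www\.example\.org)"
PHADEJ = r"^http://www\.example\.org"
TIGHTENED = r"^http://www\.example\.org(/|$)"  # host must end at "/" or end of string

PROTECTED_EXT = (".jpg", ".jpeg", ".png")


def status_for(pattern, path, headers):
    """Model `$HTTP["referer"] !~ pattern { url.access-deny = (...) }`.

    Assumption: an absent Referer header is compared as the empty string.
    Returns 403 when the block applies and the path has a denied suffix, else 200.
    """
    referer = headers.get("Referer", "")
    block_applies = re.search(pattern, referer) is None  # "!~" means "does not match"
    if block_applies and path.endswith(PROTECTED_EXT):
        return 403
    return 200


# Constructed sample requests (not taken from any real log)
REQUESTS = {
    "no referer header": {},
    "empty referer": {"Referer": ""},
    "own site": {"Referer": "http://www.example.org/gallery.html"},
    "other site": {"Referer": "http://other.example.net/page.html"},
    "longer host, same prefix": {"Referer": "http://www.example.org.example.net/"},
}


def evaluate(pattern, path="/test/1.png"):
    """Return {request name: HTTP status} for every constructed request."""
    return {name: status_for(pattern, path, hdrs) for name, hdrs in REQUESTS.items()}


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL), ("phadej", PHADEJ), ("tightened", TIGHTENED)):
        print(f"{label:10s}", evaluate(pat))
```

The `$` alternative in the original pattern is what lets the empty referer match, so the deny block is skipped for it.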

Actions #3

Updated by jwmcglynn about 17 years ago

The problem that you are having is a regex that matches the wrong pattern. Use phadej's example for your purposes.

I'm changing this to an enhancement -- checking if a conditional wasn't supplied in the request is a useful feature, like handling HTTP/1.0 clients that don't send a Host header like so:


$HTTP["host"] is null {
    server.document-root = "/blah"
}

Actions #4

Updated by stbuehler over 15 years ago

  • Status changed from New to Fixed
  • Resolution set to wontfix

I see no problem handling non-existing and empty headers in the same way in the config:


$HTTP["host"] == "" {
[...]
}

Actions #5

Updated by stbuehler over 15 years ago

  • Status changed from Fixed to Wontfix

Actions #6

Updated by gstrauss 3 months ago

  • Description updated (diff)
  • ASK QUESTIONS IN Forums set to No