Apache Web Server Forum

    
Hotlinking images but people are using PHP to do it.
jake66




msg:3407505
 4:38 am on Jul 29, 2007 (gmt 0)

I use a php script to generate thumbnails for my images.

So my thumbnail URLs look like:
http://www.somesite.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

Currently, I use htaccess to disable hotlinking like this:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?somesite.com(/)?.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?somesite.com(/)?.*$ [NC]
RewriteRule .*\.(gif¦jpg¦jpeg¦bmp¦mp3)$ http://someotherwebsite/dontsteal.gif [R,NC]

Could I simply add php to:
RewriteRule .*\.(gif¦jpg¦jpeg¦bmp¦mp3¦php)$

and have it work?
Presently, I use php, but all of my urls are rewritten via mod_rewrite to have a .html extension.

...OR is there something in the script (product_thumb.php) I can add to prevent hotlinking of the thumbnails?

 

g1smd




msg:3407729
 5:20 pm on Jul 29, 2007 (gmt 0)

If I fully understood the question, then yes, what you propose will likely fix the problem.

The best thing to do is to add the code, then remotely test every URL permutation that you can think of (both valid and non-valid ones) and record what happens.

jake66




msg:3408098
 8:56 pm on Jul 29, 2007 (gmt 0)

My images are generated by php.

Because the filename extension is in the output string (as shown in my original post) and not at the end of the string (like a normal image file), htaccess doesn't consider it an image file, and thus allows people to hotlink it.

> The best thing to do is to add the code, then remotely test every URL permutation that you can think of

I figured adding code would stop the problem, but I cannot figure out what type of code to use. :)

milanmk




msg:3408366
 9:48 am on Jul 30, 2007 (gmt 0)

If people are hotlinking your images like this

http://www.example.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

then you should have some hotlink protection in your product_thumb.php, like checking referer for image access.

Else if they are directly linking like this

http://www.example.com/images/image_name.jpg

then your rewrite rule should work fine.

Milan

jake66




msg:3410918
 8:38 pm on Aug 1, 2007 (gmt 0)

> If people are hotlinking your images like this
>
> http://www.example.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100
>
> then you should have some hotlink protection in your product_thumb.php, like checking referer for image access.


Yes, that's exactly my problem. Though I am not sure what type of coding to use that would not break the functionality of the thumbnail generation and use on my website.

Basically I would only like to allow my website (of course) and blank referrers to access the files as hotlinked. Is there an example script or tutorial I could read that would give me an idea of how to approach this?

I am not the best coder, as you can probably tell from the type of questions I ask at WebmasterWorld. :)

jdMorgan




msg:3411012
 10:49 pm on Aug 1, 2007 (gmt 0)

Just add another rule to prevent the script from being hotlinked with any img= parameter:

RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteRule \.(gif¦jpe?g¦bmp¦mp3)$ - [NC,F]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{QUERY_STRING} &?img=[^&]+ [NC]
RewriteRule ^product_thumb\.php$ - [F]

I took the liberty of cleaning up the code and changing the redirect to a simple 403-Forbidden response; it's not really a great idea to "pass on" your hotlinkers to someone else...

Replace all broken pipe "¦" characters with solid pipe characters before use; posting on this forum modifies the pipe characters. Flush your browser cache completely before testing any changes to your configuration code.

Jim
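
An added example, not code from any poster in this thread: a small Python model of the two rules above (solid pipes restored, [NC] mapped to case-insensitive matching) that runs a matrix of URL and Referer permutations and reports which would get the 403. It is a model of the conditions, not Apache itself; the sample referers are constructed, and REF_OWN_STRICT is an assumption added here that terminates the host name, because the posted pattern is an unanchored prefix match and also accepts a host that merely starts with example.com.

```python
import re
from urllib.parse import urlsplit

# Conditions from the post above.
REF_PRESENT = re.compile(r".")                                   # referer not blank
REF_OWN = re.compile(r"^https?://(www\.)?example\.com", re.I)    # as posted
# Assumption (not in the thread): same pattern, host terminated by port, "/" or end.
REF_OWN_STRICT = re.compile(r"^https?://(www\.)?example\.com(:\d+)?(/|$)", re.I)
IMAGE_PATH = re.compile(r"\.(gif|jpe?g|bmp|mp3)$", re.I)         # rule 1
THUMB_PATH = re.compile(r"^product_thumb\.php$")                 # rule 2
IMG_QUERY = re.compile(r"&?img=[^&]+", re.I)                     # rule 2 condition

def status(url, referer="", own=REF_OWN):
    """Return 403 if either rule would answer Forbidden, else 200."""
    parts = urlsplit(url)
    path = parts.path.lstrip("/")   # .htaccess rules see the path without the leading slash
    foreign = bool(REF_PRESENT.search(referer)) and not own.search(referer)
    if not foreign:
        return 200                  # blank or own-site referer passes both rules
    if IMAGE_PATH.search(path):
        return 403                  # direct link to an image file
    if THUMB_PATH.search(path) and IMG_QUERY.search(parts.query):
        return 403                  # thumbnail script called with img=
    return 200

THUMB = "http://www.example.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100"
IMAGE = "http://www.example.com/images/image_name.jpg"

# Constructed test matrix: (requested URL, Referer header)
CASES = [
    (THUMB, ""),                                     # blank referer
    (THUMB, "http://www.example.com/catalog.html"),  # own site, http
    (THUMB, "https://example.com/"),                 # own site, https, no www
    (THUMB, "http://forum.other.test/thread"),       # foreign page, script URL
    (IMAGE, "http://forum.other.test/thread"),       # foreign page, image URL
    (THUMB, "http://example.com.other.test/page"),   # host only starts with example.com
]

def run_matrix(own=REF_OWN):
    """Evaluate every case against the rules using the given own-site pattern."""
    return [status(url, ref, own) for url, ref in CASES]

if __name__ == "__main__":
    for (url, ref), loose, strict in zip(CASES, run_matrix(), run_matrix(REF_OWN_STRICT)):
        print(f"{loose} / {strict}  referer={ref or '(blank)'}  {url}")
```

The last case is the one to watch: the posted pattern returns 200 for it and the terminated pattern returns 403. The Referer header is set by the client, so either form only deters embedding from ordinary third-party pages.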

jake66




msg:3411632
 4:30 pm on Aug 2, 2007 (gmt 0)

Thank you again. :)

I cleared my browser cache and tested the hotlinking. It seems to only work against https calls. Is this bloating the code? (I've bolded my addition.)


RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteRule \.(gif¦jpeg¦jpg¦bmp¦mp3)$ - [NC,F]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{QUERY_STRING} &?img=[^&]+ [NC]
RewriteRule ^product_thumb\.php$ - [F]

When I add those lines, my capability of stealing any images via http request is denied with a broken image. Would just like to know if I approached it correctly.
