vb.org Archive - View Single Post - Attachment and avatar hotlinking protection (1.0.1)

KuraFire · #40 01-07-2003, 10:56 PM

I wrote a little bit of code that I stuffed at the very very top of avatar.php, attachment.php and journalpic.php (a self-written image send file much like the other two, used for my own Journal System)...

If you paste an avatar/attachment url in your browser directly, it works (which is much nicer for your bandwidth than _redirecting them to threads on your site_

), if you use them on other sites however (as part of the HTML page), they won't work and the image you will see there is a fake no-deeplinking-image that you make yourself (mine says "No banana my friend!"

).

It checks the URL to match your own domain but in a more efficient way (the one from this hack can easily be spoofed, thus, it won't work then)

Notes:
a) the {0,15} at the (relative) start will match for subdomain(s) or lack thereof. If you have a subdomain longer than 15 characters, make the 15 number higher

(it also works for http://yourdomain.com, thus, without www. )
b) the path directive is a full path towards the image you'll be serving out, check your own host's settings to see what exactly you need to enter there

PHP Code:


			
if(isset($_SERVER['HTTP_REFERER'])){

    if(!preg_match("'^(http://).{0,15}(YOURDOMAINHERE.com)'i", $_SERVER['HTTP_REFERER'])){

        $path = "/home/users/yourusername.com/html/YOURDOMAINHERE.com/YOURANTIDEEPLINKINGIMAGE.png";

        $filesize = filesize($path);

        $fp = fopen($path, "r");

        $attachmentinfo['filedata'] = fread($fp, $filesize);

        fclose($fp);

        header("Cache-control: max-age=31536000");

        header("Expires: " . gmdate("D, d M Y H:i:s",time()+31536000) . "GMT");

        header("Content-Length: $filesize");

        header('Content-type: image/png'); // adjust this if you use a .gif or a .jpg (image/gif || image/jpeg)

        echo $attachmentinfo['filedata'];

        exit;

    }

}

If you do it right, you can fully prevent deeplinking with this if you put it at the start of avatar.php & attachment.php (and any other image serving file you may be using) :up:

Any questions? PM me (I doubt I'll ever see this thread again if I don't get pm'd a question...

)

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01105 seconds Memory Usage 1,782KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD_SHOWPOST (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_php (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_box (1)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit_info (1)postbit (1)postbit_onlinestatus (1)postbit_wrapper (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit reputationlevel showthread	Included Files: ./showpost.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showpost_start bbcode_fetch_tags bbcode_create postbit_factory showpost_post postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start showpost_complete
Messages: