Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Simple hack to prevent hotlinking  (Read 15472 times)

0 Members and 1 Guest are viewing this topic.

ukcbajr

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Simple hack to prevent hotlinking
« on: April 27, 2007, 09:06:59 am »

I have a very simple way to hide image locations, making it hard for someone to hotlink from their server to my image. This is a hack and would be interested in improvements.

I found with the coppermine script as-is, when any image is displayed, the real URL of the image is available for anyone who hunts for it. One way is to look at the source HTML. The other is to right click on the image, select Properties, and there it is. Very easy for someone to copy the URL, paste into their own webpages, and so display your images. I call it bandwidth theft.

Here's how I've stopped this from happening. Note: it's still possible to hotlink if the file URL is obtained. To the best of my knowledge this stops the URL being easily obtained. (To really stop it use .htaccess - discussed elsewhere)

Step 1: create an image file to be displayed if someone tries to hotlink. I use an error message, and below I call it "err.jpg"

Step 2: create a little script. Unfortunately I don't know PHP so this is in PERL. Here I call it "chk.cgi" and it's in my /cgi-bin directory.:

Quote

#!/usr/bin/perl

$imgpath = "/albums/userpics";     #This is where the images really are, relative to the root of the web site. Strongly suggest these defaults not be used.
$errfile = "/err.jpg";                     #This is an image file that is displayed if someone tries to hotlink
 
$buffer = $ENV{'PATH_INFO'};      #This returns extra path information used in calling this script.

if ($buffer =~ /(\/\w+\.jpg$)/i) {   #perl-speak to grab a string at the end of $buffer that matches "/*.jpg". Add extra logic for other image types.
   $nn = $1;                               # $nn now has a filename. Note if $buffer didn't end in "/*.jpg" the above if statement fails.
   if ($ENV{'HTTP_REFERER'}) {
   if ($ENV{'HTTP_REFERER'} =~ /yourdomain\.com/i) {  # Could be better written, this ensures script is called from your site and not another
      $file_name = $imgpath.$nn;
      print "Location: ".$file_name."\n\n";            # Return real location
      exit;
   }
   }

}

print "Location: ".$errfile."\n\n";
exit;



In a nutshell, if this script is called thus:  <img src="chk.cgi/imagename.jpg">  the browser is returned the image at the URL "/albums/userpics/imagename.jpg" - all relative to your website. If someone looks at the HTML source code - or the image properties - they only see the link "chk.cgi/imagename.jpg". If someone tries to use this from their website they'll get the err.jpg image.

I'd be very interested in a PHP version of this.

Step 3: Hack the coppermine script: include/functions.inc.php. Look for the function get_pic_url()

At the very end replace:

Quote
        return $pic_row['url'];

with

Quote
        $pic_row['url'] = str_replace('albums/userpics', '/cgi-bin/chk.cgi', $pic_row['url']);
        return $pic_row['url'];

Ok, Ok so 'albums' and 'userpics' is hardcoded here. Told you this is a hack. One should use the proper environment variables in config but as I said I'm a newbie at PHP so I'd be interested in the proper way to do this.

So I think you get the idea - when implemented successfully every image displayed - thumbnails, normal, fullsize, etc - goes through  '/cgi-bin/chk.cgi' hiding the real URL.

Comments?

« Last Edit: April 27, 2007, 10:05:24 am by GauGau »
Logged

JustKia

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Simple hack to prevent hotlinking
« Reply #1 on: April 27, 2007, 12:45:27 pm »

why not just use a .htaccess file?  ???

Quote from: JustKia
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?myothersite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?friendsite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?myspace\.com/myloginname [NC]
RewriteCond   %{HTTP_REFERER}   !google\.         [NC]
RewriteCond   %{HTTP_REFERER}   !search\?q=cache      [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule blinkies\.(jpe?g|gif|bmp|png)$ http://www.mysite.com/nohotlink.jpg [L]
A version of this is in my "albums" folder so each album applies these rules - you could have different rules for each album by putting it into the folder for that album instead.

NOTE: the "nohotlink.jpg" (or gif) must be outside the folder that you place the .htaccess list in - mine is in my site's root folder.
the "nohotlink.jpg" could very well be advertising for yoursite or something that will "catch the eye" of the viewer.
Logged

JustKia

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Simple hack to prevent hotlinking
« Reply #2 on: April 27, 2007, 12:46:52 pm »

sorry to double post but you could also make the "nohotlink.jpg" a filename that doesn't exist and they will just get the dreaded red "X".
Logged

johnny12

  • Coppermine newbie
  • Offline Offline
  • Posts: 3
Re: Simple hack to prevent hotlinking
« Reply #3 on: June 24, 2007, 11:10:45 am »

Sorry but tell me what is "blinkie" on the last row?
RewriteRule blinkies\.(jpe?g|gif|bmp|png)$ http://www.mysite.com/nohotlink.jpg [L]
Logged
Pages: [1]   Go Up
 

Page created in 0.019 seconds with 21 queries.