Textpattern CMS support forum

#1 2007-11-23 15:11:43

georgeM
Member
From: Toronto, Canada
Registered: 2006-02-27
Posts: 43

Deny referrers from directly linking to 'file_download'

Hello all,

I have been using TXP for ages now, and it’s always done me great. Recently, I have run into a problem where I had created and released a pocketPC theme, and an Arabic site has decided it would be good to “hotlink” to that file. The link is “http://www.protogenlabs.com/file_download/6”, and this is the link found on their page. I wanted to have any HTTP_REFERER other than my own site (or blank) to be denied access to download anything using the TXP “file_download” url format.

I am running TXP on IIS and have Clean URLs turned on. I tried a couple of rules in my httpd.ini file, however it seems that TXP will still allow the user to download the file. I would also link directly to the file in the file system, but then my download counts are not tracked.

Is there any way to accomplish what I’m trying to do?

Thanks in advance for any help that you can offer!

#2 2007-11-23 15:33:08

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,795

Re: Deny referrers from directly linking to 'file_download'

georgeM wrote:

I wanted to have any HTTP_REFERER other than my own site (or blank) to be denied access to download anything

In my experience, referer can’t really be trusted (it’s mostly blank from what I see in my logs, probably thanks to personal firewalls) so you might end up putting effort into a solution without much benefit. But maybe this might help?

Obeewan’s suggestion helps keep (well-behaved) bots away, but as far as I know the only semi-reliable defence against hotlinking is .htaccess or whatever the equivalent is in IIS. I’ve never used a Windoze box as a server so I don’t know if there is an equivalent.

Is this a good excuse to switch to Linux hosting?? :-P


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

#3 2007-11-23 15:41:10

georgeM
Member
From: Toronto, Canada
Registered: 2006-02-27
Posts: 43

Re: Deny referrers from directly linking to 'file_download'

Hi Bloke,

Thanks for the swift reply. The link to the leech protector DLL only runs on ASP, and I am currently running PHP on my TXP webdir (of course). I don’t really want to turn away bots, as I’ve never had a problem with them downloading files, but rather just denying access to anything in “file_download/????” if it comes from another site. I know that the user could technically just copy the link and paste it in a fresh browser window, effectively getting around the referrer protection, but I’d do anything as these bastards are linking directly to the file, whereas most other sites that are reporting on my theme link to my actual blog post with some respect.

Hopefully I’m explaining this correctly, but if anyone needs me to post more details, I would be glad to. I should also post my main specs:

- TXP 4.0.4 running on IIS 6
- PHP 5
- ISAPI_Rewrite IIS Plug-in

Thanks in advance again for the help!

#4 2007-11-23 15:49:03

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,795

Re: Deny referrers from directly linking to 'file_download'

georgeM wrote:

The link to the leech protector DLL only runs on ASP

Nuts. What about LeechBlocker?


#5 2007-11-23 16:05:10

georgeM
Member
From: Toronto, Canada
Registered: 2006-02-27
Posts: 43

Re: Deny referrers from directly linking to 'file_download'

Ah, LeechBlocker would work, but it only allows for blocking images, and is not configurable to allow for .zip files (or any other extension for that matter)… It is open-source, so I’ll have to do some digging to see if I can find a configurable version.

Thanks for the help though Bloke!

#6 2007-11-23 16:15:29

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,795

Re: Deny referrers from directly linking to 'file_download'

georgeM wrote:

Ah, LeechBlocker would work, but it only allows for blocking images, and is not configurable

Double nuts. Mind you, if you’re handy with a C++ compiler (or know someone with one) you can edit the code pretty easily in LeechBlocker.cpp to add or amend the extensions that suit. Search for “jpg” in that file and you’ll see how he does it. He’s limited the max number of extensions to 16 but you can probably get round that as well if you really need to.

Unfortunately, my C++ days are loooong gone (in fact they never really started because I hated the language) and I don’t have a compiler available here or I’d do it for you.

Sorry I can’t be of any more help at the mo. Anyone else?


#7 2007-11-24 05:12:41

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: Deny referrers from directly linking to 'file_download'

Here’s how it’d work for .htaccess on Apache. You should be able to adjust it for ISAPI_Rewrite.

Look for the following lines:

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]

Insert the following before (important!) them:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?protogenlabs.com.*$ [NC]
RewriteRule (files|file_download)/.*$ http://www.protogenlabs.com/ [R,L]

#8 2012-10-24 20:14:17

georgeM
Member
From: Toronto, Canada
Registered: 2006-02-27
Posts: 43

Re: Deny referrers from directly linking to 'file_download'

Oh Mary, thank you SO much for this. I can’t believe it’s been 5 years since I checked this thread, but it came up in a search as I obviously needed to revisit this issue. I’ve got it working great now!

BTW, I’m actually running TXP on IIS7, and this is the URL Rewrite rule that it converted to:

                <rule name="Prevent Hotlinking" stopProcessing="true">
                    <match url="(files|file_download)/.*$" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAll">
                        <add input="{HTTP_REFERER}" pattern="^$" ignoreCase="false" negate="true" />
                        <add input="{HTTP_REFERER}" pattern="^http://(www\.)?YOURDOMAIN.com.*$" negate="true" />
                    </conditions>
                    <action type="Redirect" url="http://www.YOURDOMAIN.com/" redirectType="Found" />
                </rule>

Many cheers and thanks again!

#9 2012-10-25 10:24:01

etc
Developer
Registered: 2010-11-11
Posts: 5,397

Re: Deny referrers from directly linking to 'file_download'

Unfortunately, referer spoofing is still as easy as 5 years ago.

#10 2012-10-25 17:55:28

georgeM
Member
From: Toronto, Canada
Registered: 2006-02-27
Posts: 43

Re: Deny referrers from directly linking to 'file_download'

No doubt that you’re correct about that etc, however my client had found his MP3s linked to on free sites such as “MP3free4all”, and once I put the URL Rewrite rule in place, their links no longer functioned as intended.

This is one of those things where if someone really wants to bypass the hotlink protection, they most likely can. Regardless, it’s a decent fix that should at least save him on some bandwidth costs :)
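
Added example, not part of the original thread or of Textpattern: the Apache/IIS rule posted above evaluated in Python against constructed Referer values, next to a variant that parses the Referer and compares its host exactly. Python's `re` stands in for the rewrite engine's regex matching, and the function names, the `.example` hosts and the HTTPS case are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Second RewriteCond from the thread; [NC] becomes re.IGNORECASE (assumed equivalent here).
THREAD_PATTERN = re.compile(r"^http://(www\.)?protogenlabs.com.*$", re.IGNORECASE)
PROTECTED = re.compile(r"(files|file_download)/.*$")  # paths the RewriteRule guards
ALLOWED_HOSTS = {"protogenlabs.com", "www.protogenlabs.com"}


def thread_rule_redirects(path, referer):
    """True when the rule as posted would redirect the request to the home page."""
    if not PROTECTED.search(path):
        return False
    # Conditions are ANDed: Referer is non-empty AND does not match the site pattern.
    return referer != "" and THREAD_PATTERN.match(referer) is None


def host_check_redirects(path, referer):
    """Same policy, but the Referer host is parsed and compared exactly (hypothetical helper)."""
    if not PROTECTED.search(path) or referer == "":
        return False  # unprotected path, or blank Referer (allowed, as in the thread)
    try:
        parts = urlsplit(referer)
        host = (parts.hostname or "").lower()
    except ValueError:
        return True  # unparsable Referer is treated as foreign
    return not (parts.scheme in ("http", "https") and host in ALLOWED_HOSTS)


# Constructed sample requests: (path, Referer header value).
SAMPLES = [
    ("file_download/6", ""),                                        # no Referer sent
    ("file_download/6", "http://www.protogenlabs.com/article/1"),   # link on own page
    ("file_download/6", "https://www.protogenlabs.com/article/1"),  # own page over HTTPS
    ("file_download/6", "http://hotlinker.example/themes.html"),    # third-party page
    ("file_download/6", "http://protogenlabs.com.hotlinker.example/"),  # look-alike host
    ("file_download/6", "http://protogenlabsXcom/"),                # unescaped dot in pattern
    ("article/1", "http://hotlinker.example/"),                     # path not covered by rule
]


def compare():
    """Return (path, referer, thread_rule, host_check) tuples for every sample."""
    return [(p, r, thread_rule_redirects(p, r), host_check_redirects(p, r)) for p, r in SAMPLES]


if __name__ == "__main__":
    for path, referer, loose, strict in compare():
        print(f"{path:16} {referer!r:46} thread_rule={loose!s:5} host_check={strict}")
```

Neither check can tell a genuine Referer from one the client supplied itself, which is the limit etc and Bloke describe; the host comparison only closes the gaps in the pattern and keeps own-site links working over HTTPS.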
