Simple hack to prevent hotlinking

Started by ukcbajr, April 27, 2007, 09:06:59 AM


ukcbajr

I have a very simple way to hide image locations, making it hard for someone to hotlink from their server to my image. This is a hack and would be interested in improvements.

I found with the coppermine script as-is, when any image is displayed, the real URL of the image is available for anyone who hunts for it. One way is to look at the source HTML. The other is to right click on the image, select Properties, and there it is. Very easy for someone to copy the URL, paste into their own webpages, and so display your images. I call it bandwidth theft.

Here's how I've stopped this from happening. Note: it's still possible to hotlink if the file URL is obtained. To the best of my knowledge this stops the URL being easily obtained. (To really stop it use .htaccess - discussed elsewhere)

Step 1: create an image file to be displayed if someone tries to hotlink. I use an error message, and below I call it "err.jpg"

Step 2: create a little script. Unfortunately I don't know PHP so this is in PERL. Here I call it "chk.cgi" and it's in my /cgi-bin directory:

#!/usr/bin/perl
use strict;
use warnings;

my $imgpath = "/albums/userpics";   # This is where the images really are, relative to the root of the web site. Strongly suggest these defaults not be used.
my $errfile = "/err.jpg";           # This is an image file that is displayed if someone tries to hotlink

my $buffer = $ENV{'PATH_INFO'} || '';   # Extra path information used in calling this script, e.g. "/imagename.jpg"

if ($buffer =~ /(\/\w+\.jpg$)/i) {   # Grab the trailing "/name.jpg" from $buffer. Add extra logic for other image types.
   my $nn = $1;                      # $nn now has a filename. If $buffer didn't end in "/*.jpg" the above if statement fails.
   # Ensure the script is called from your site and not another: anchor on the scheme and host,
   # because a plain substring match would also accept "http://evil.example/?yourdomain.com".
   if (defined $ENV{'HTTP_REFERER'}
       && $ENV{'HTTP_REFERER'} =~ m{^https?://([^/]+\.)?yourdomain\.com(?:[:/]|$)}i) {
      my $file_name = $imgpath . $nn;
      print "Location: " . $file_name . "\n\n";   # Return real location (a relative Location is an internal redirect under Apache)
      exit;
   }
}

print "Location: " . $errfile . "\n\n";   # Anything else gets the error image
exit;


In a nutshell, if this script is called thus:  <img src="chk.cgi/imagename.jpg">  the browser is returned the image at the URL "/albums/userpics/imagename.jpg" - all relative to your website. If someone looks at the HTML source code - or the image properties - they only see the link "chk.cgi/imagename.jpg". If someone tries to use this from their website they'll get the err.jpg image.

I'd be very interested in a PHP version of this.

Step 3: Hack the coppermine script: include/functions.inc.php. Look for the function get_pic_url()

At the very end replace:

        return $pic_row['url'];

with

        $pic_row['url'] = str_replace('albums/userpics', '/cgi-bin/chk.cgi', $pic_row['url']);
        return $pic_row['url'];

Ok, Ok, so 'albums' and 'userpics' are hardcoded here. Told you this is a hack. One should use the proper environment variables in config, but as I said I'm a newbie at PHP so I'd be interested in the proper way to do this.

So I think you get the idea - when implemented successfully every image displayed - thumbnails, normal, fullsize, etc. - goes through '/cgi-bin/chk.cgi', hiding the real URL.

Comments?

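A PHP version of chk.cgi, added here as an example; it is not code from the original post or from Coppermine. It assumes it is saved as /chk.php in the web root (so step 3 would substitute '/chk.php' instead of '/cgi-bin/chk.cgi'), that the web server passes PATH_INFO to PHP, and that $imgDir, $errFile and $allowedHosts are adjusted for your site.

```php
<?php
// Added example: a PHP equivalent of chk.cgi (not code from the original post or from Coppermine).
// Assumed setup: saved as /chk.php and called as <img src="/chk.php/imagename.jpg">, with the
// web server passing PATH_INFO to PHP. Adjust $imgDir, $errFile and $allowedHosts for your site.

$imgDir       = __DIR__ . '/albums/userpics';   // filesystem directory where the images really are
$errFile      = __DIR__ . '/err.jpg';           // image returned when the referer check fails
$allowedHosts = ['yourdomain.com', 'www.yourdomain.com'];   // hosts allowed to embed the images

// Compare the referer's host name only. A substring test such as /yourdomain\.com/ would also
// accept "http://evil.example/?yourdomain.com", so parse the URL and match the host exactly.
function referer_allowed(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false;   // no referer at all: treated as a hotlink, like the Perl script
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), $allowedHosts, true);
}

// Accept exactly one path component such as "/picture_1.jpg"; "../" and nested paths are
// rejected, so the script can never be pointed outside $imgDir.
function requested_image(string $pathInfo): ?string
{
    return preg_match('#^/(\w+\.(?:jpe?g|gif|png))$#i', $pathInfo, $m) ? $m[1] : null;
}

$name = requested_image($_SERVER['PATH_INFO'] ?? '');
$ok   = $name !== null && referer_allowed($_SERVER['HTTP_REFERER'] ?? null, $allowedHosts);
$file = $ok ? $imgDir . '/' . $name : $errFile;

if (!is_file($file)) {
    http_response_code(404);
    exit;
}

// Stream the bytes instead of sending "Location: /albums/...": in PHP that header is a real
// HTTP redirect, and the browser would then show the true image URL in its properties.
header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($file));
readfile($file);
```

Because the file is streamed rather than redirected, the real path never reaches the client, which is the one place the Perl approach depends on Apache treating a relative Location as an internal redirect.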

JustKia

Why not just use a .htaccess file?

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?myothersite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?friendsite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?myspace\.com/myloginname [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule blinkies\.(jpe?g|gif|bmp|png)$ http://www.mysite.com/nohotlink.jpg [L]
A version of this is in my "albums" folder so each album applies these rules - you could have different rules for each album by putting it into the folder for that album instead.

NOTE: the "nohotlink.jpg" (or gif) must be outside the folder that you place the .htaccess file in - mine is in my site's root folder.
The "nohotlink.jpg" could very well be advertising for your site or something that will "catch the eye" of the viewer.

JustKia

Sorry to double post, but you could also make the "nohotlink.jpg" a filename that doesn't exist and they will just get the dreaded red "X".

johnny12

Sorry, but can you tell me what "blinkies" on the last row is?
RewriteRule blinkies\.(jpe?g|gif|bmp|png)$ http://www.mysite.com/nohotlink.jpg [L]