More on image link blocking

A long while ago I wrote about blocking external linking to images on Web Server 6.1. That solution has been working really well for me for a long while, but I've found it to be lacking for my Gallery2 install.

Under Gallery2 the URIs for images aren't exactly "clean." They look something like this:

/main.php?g2_view=core.DownloadItem&g2_itemId=10436&g2_serialNumber=2

This obviously won't get caught by my previous Client tag, so I've now got an excuse to recreate that bad boy using the <If ...> syntax in Web Server 7.0.

My first step was to force Gallery2 to use URL Rewriting to create prettier URI space:

/d/2862-4/dsc_6912.jpg

I still want to block image linking to the rest of the VS, so I won't be using the Gallery2 rule to block linking. Instead I'll run with a more general rule, and I'm inserting it above the rules for Gallery2 (making this the first thing evaluated once a request comes in):

# Hotlink check, placed ahead of the Gallery2 rules so it is evaluated first
<If defined  $referer
    and $referer !~ "($VSids)"
    and $uri !~ '^/export_images/'
    and $uri =~ '(?i)(gif|jpg|jpeg|png)'>
  AuthTrans fn="set-variable" error="302" set-srvhdrs="Location: http://www.foobar.com/export_images/direct.png"
</If>

So the logic follows this flow:

  • If the $referer variable is defined
  • AND it does not contain a match for the VSids variable (I defined this in the server element of server.xml. It contains a list of VS IDs separated by bars: foo.com|bar.com )
  • AND the URI is not in my "it's OK to serve these images remotely" directory
  • AND the URI (case insensitive) contains GIF, JPG, JPEG, or PNG (I should probably make this sticky to the end of the URI with a $ at the end)
  • Then redirect the user-agent to my "You're a bad person" image that will be displayed in place of the linked image.

An addition in there would be to include a white-list of external domains (basically what I do with $VSids) that ARE allowed to direct link.

    and $referer !~ "($PartnerDomains)"

Obviously this mechanism isn't hard for a determined user to work around: all they have to do is not send a Referer header. Most people don't know this though, and have no idea how to do it.
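To check the rule's logic outside the server, here is an added Python model of the <If> expression above (not part of the original post, and not Web Server code): one clause per 'and' term, plus the $PartnerDomains white-list and the optional $ anchor the post mentions. The VS_IDS and PARTNER_DOMAINS values and the should_block helper are constructed for the example.

```python
import re
from typing import Optional

# Constructed stand-ins for the server.xml variables the post refers to.
VS_IDS = "foo.com|bar.com"
PARTNER_DOMAINS = "partner.example"


def should_block(referer: Optional[str], uri: str,
                 vs_ids: str = VS_IDS,
                 partner_domains: str = "",
                 anchor_extension: bool = False) -> bool:
    """Hypothetical helper: True when the request would be redirected
    to the replacement image, mirroring each clause of the obj.conf rule."""
    # "defined $referer": a request with no Referer header falls through,
    # which is exactly the bypass the post describes.
    if referer is None:
        return False
    # $referer !~ "($VSids)": an unanchored substring match, as in the rule.
    if re.search(f"({vs_ids})", referer):
        return False
    # The $PartnerDomains addition: external sites allowed to direct-link.
    if partner_domains and re.search(f"({partner_domains})", referer):
        return False
    # $uri !~ '^/export_images/': images meant to be embedded elsewhere.
    # This also keeps the redirect target itself from being blocked.
    if re.search(r"^/export_images/", uri):
        return False
    # $uri =~ '(?i)(gif|jpg|jpeg|png)', optionally anchored with $ so only
    # URIs that end in an image extension match.
    pattern = r"(?i)(gif|jpg|jpeg|png)$" if anchor_extension \
        else r"(?i)(gif|jpg|jpeg|png)"
    return re.search(pattern, uri) is not None


def demo() -> dict:
    """Run the rule over a few constructed requests (referer, uri)."""
    gallery_img = "/d/2862-4/dsc_6912.jpg"
    raw_g2 = "/main.php?g2_view=core.DownloadItem&g2_itemId=10436&g2_serialNumber=2"
    return {
        "no_referer": should_block(None, gallery_img),
        "own_site": should_block("http://foo.com/album", gallery_img),
        "external": should_block("http://other.example/page", gallery_img),
        "export_dir": should_block("http://other.example/page",
                                   "/export_images/direct.png"),
        "raw_g2_uri": should_block("http://other.example/page", raw_g2),
        "partner": should_block("http://partner.example/x", gallery_img,
                                partner_domains=PARTNER_DOMAINS),
        "unanchored_false_positive": should_block("http://other.example/p",
                                                  "/jpg-notes/index.html"),
        "anchored": should_block("http://other.example/p",
                                 "/jpg-notes/index.html",
                                 anchor_extension=True),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name:28s} blocked={blocked}")
```

Two things the model makes visible: the raw Gallery2 URI is never matched because it carries no image extension, which is why the post switches to URL rewriting first; and without the trailing $ anchor, an HTML page whose path merely contains "jpg" is redirected too, so the anchor the post suggests is worth adding.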

jmccabe