PDA

View Full Version : Attachment and avatar hotlinking protection (1.0.1)


fury
03 Jan 2003, 04:22
Support in this thread or by email (preferrably thread)

vBulletin 2.2.x (tested on 2.2.9)

Prevents people from linking to attachments and custom avatars on your forum from other sites.

Example:
Attachment hotlinking protection: Click (http://www.otcentral.com/forum/attachment.php?s=&postid=117953) and watch the redirection message. You are then taken straight to the post containing the attachment.

Custom avatar hotlinking protection: Click (http://www.otcentral.com/forum/avatar.php?userid=88&dateline=1039413919) and watch the redirection message again. This time you are taken to the user's profile.

When the attachment is linked to via an img tag, it is shown as a red x in IE, or a torn paper in Mozilla.

Modifications:
2 file modifications
/forum/attachment.php
/forum/avatar.php
1 new template
redirect_wrongreferrer

Updates since 1.0:
Added custom avatar hotlinking protection

Modifications since last version:
2 file modifications
/forum/attachment.php
/forum/avatar.php
1 template modification
redirect_wrongreferrer

For upgrade instructions see the text file.

Note for people who have problems getting the avatar hotlinking protection to work: Try this (http://www.vbulletin.org/forum/showthread.php?postid=338052#post338052) code in the avatar.php modification instead of mine

Mystis
03 Jan 2003, 04:45
Great idea! I might have to install this one.

nuno
03 Jan 2003, 04:50
Yeah, Baby, Yeah!
Great addition
Thx fury :)

clicks install

fury
03 Jan 2003, 04:52
No problem! http://smilies.xibase.com/buttrock.gif Thanks for the installage! :D

Dr Shark
03 Jan 2003, 07:37
This will probably cut down on some bandwidth my forum is useing, nice hack.
*click's install*

Kars10
03 Jan 2003, 08:10
Cool idea!!

/me clicks install! ;)

nuno
03 Jan 2003, 08:21
I swear i saw a post asking the same thing for avatars :wherethehellisit:

Chris M
03 Jan 2003, 09:01
Nice Idea, but I've already got one that protects attachments and avatars:)

Satan

partang2
03 Jan 2003, 11:00
Nice!

*Clicks install*

fury
03 Jan 2003, 13:24
Originally posted by nuno
I swear i saw a post asking the same thing for avatars :wherethehellisit: Me too. :confused:

Schorsch
03 Jan 2003, 15:59
just installed, works fine.

Thanks https://www.vbulletin.org/forum/external/2011/01/19.gif

w596
03 Jan 2003, 16:00
Yes you did see that... I posted the question early this morning but found what I was looking for in another thread, then deleted my post. Sorry about that. lol ;)

N9ne
03 Jan 2003, 16:10
I believe the same code can be used for avatar.php to protect avatars :)

fury
03 Jan 2003, 16:40
Yes, I think I will add that to the hack.

fury
03 Jan 2003, 17:28
Hack has been updated to include custom avatar hotlinking protection. See the first post for info, or grab the text file for upgrade instructions :)

nuno
03 Jan 2003, 17:46
No joy fury
Apache test log file

[Fri Jan 03 10:43:59 2003] [error] PHP Notice: Undefined index: HTTP_REFERER in c:\apache\htdocs\avatar.php on line 6
[Fri Jan 03 10:43:59 2003] [error] PHP Notice: Use of undefined constant host - assumed 'host' in c:\apache\htdocs\avatar.php on line 8
[Fri Jan 03 10:43:59 2003] [error] PHP Notice: Undefined index: host in c:\apache\htdocs\avatar.php on line 8

fury
03 Jan 2003, 17:55
Weird...

Does the attachment hotlinking protection work on the same server?

You got an MSN messenger addy I can contact you at? If not, just send me your avatar.php to dennis@xibase.com and I'll take a look at it

nuno
03 Jan 2003, 17:58
fury, the avatar hotlinking is not working at otcentral as well, after the redirect message you get kicked to profile page and the avatar is broken.
Check your log files. ;)

nuno
03 Jan 2003, 18:03
Attachment hotlinking is working flawlessly, so it went to live forums.
Avatar hotlinking is being tested at localhost.

fury
03 Jan 2003, 18:05
Avatar hotlinking seems to be working fine for me on both localhost and live server... :confused:

Try this: Move this line
set_magic_quotes_runtime(0);
to just above
$c_url = parse_url($GLOBALS[HTTP_REFERER]);

Smoothie
03 Jan 2003, 18:19
excuse my ignorance, but how does one link an attachment or avatar via the [ img ] tag?

DrkFusion
03 Jan 2003, 18:21
Let me try and show you

fury
03 Jan 2003, 18:21
Right click on an attachment or avatar at your site. Go to Properties

You will see a URL in the Address (IE) or Location (Mozilla) box. Select it and hit Ctrl+C.

Then place the URL inside [ IMG][/IMG] tags.

DrkFusion
03 Jan 2003, 18:23
http://forum.noxmedia.net/link.html
Right click on the properties and check the url :)

Smoothie
03 Jan 2003, 18:30
If I use that url in the [img tag] it does not display the avatar. here's the url i get:
http://www.vbulletin.org/forum/attachment.php?s=&postid=338025

fury
03 Jan 2003, 18:43
Hmm, weird, guess vBulletin.org doesn't like them

NTLDR
03 Jan 2003, 18:48
I expect vB.org has it set to know to allow dynamic images, ie images with ? in the URL.

nuno
03 Jan 2003, 18:55
Originally posted by fury
Avatar hotlinking seems to be working fine for me on both localhost and live server... :confused:

Try this: Move this line
set_magic_quotes_runtime(0);
to just above
$c_url = parse_url($GLOBALS[HTTP_REFERER]);
nope :(
I'm running php4.3.0 locally and php4.2.3 at live forums.

nuno
03 Jan 2003, 19:10
hmm
seems to be working now
fix is attached

fury
03 Jan 2003, 19:14
Odd, the one you posted doesn't work on my localhost.

Well, I'll put a link directly to your post in the original post for people who have the same problem as you did. Hopefully either solution will work :)

nuno
03 Jan 2003, 19:29
odd indeed :confused:
Do you get the same error?

fury
03 Jan 2003, 19:31
Nope. It just shows a red x in images and automatically redirects me (even with links from inside the site)

nuno
03 Jan 2003, 19:38
ooh found the mofo
http://www.php.net/manual/en/function.error-reporting.php

nuno
03 Jan 2003, 19:41
Set error_reporting to E_ALL in your php.ini and you will get a PHP error notice message.

fury
03 Jan 2003, 20:30
User error. http://smilies.xibase.com/laugh5.gif

I left **DOMAINNAME** in there when redoing the modifications to avatar.php

C.Birch
05 Jan 2003, 09:40
erm let me see this stop's hotlinking by when someone views the file from out side of the domain there taken back to the profile page or post im i right?

Now lets look at this you got a forum for a group along with other sites about the same group some user's use more then one board.

Now lets say someone upload's a av to my board with this hotlinking code installed then they go to a other sites board and hotlink to the av on my board now whats going happen when that person views there profile of any posts they have made on that other board?

Yes they be taken back to my forums and so will any other person that views a post on that board that person has posted in.

great way to get hits but will not make you many friends.

fury
05 Jan 2003, 21:02
Do you mean when someone enters the URL to the avatar in the custom URL box at another site? It won't even work because the contents of the avatar file will be text (the redirection message). The board (if it's vBulletin, anyway) would give an error message saying it's not a correct file type or something.

If they use an IMG tag to link to it, it will show up as a red X, and when someone drags the link to it into the address bar or puts a URL tag around it, it will link to the redirection notice and the profile page.

I don't see why protecting one's bandwidth from getting stolen without the person viewing the site it's getting stolen from is such a bad thing, unless you have hundreds of gigs to give away, but if it's not for you, then just don't install it. (holy run-on sentence batman!)

You don't have to attack the people that prefer to use it.

fury
07 Jan 2003, 04:23
Damn :(

I had to uninstall this at my own site. It was causing avatars and attachments not to show up for people behind firewalls or using browsers that didn't send referrer info through links. Just letting you know in case any of your members speak up and say they're not seeing avatars or attachments.

KuraFire
07 Jan 2003, 23:56
I wrote a little bit of code that I stuffed at the very very top of avatar.php, attachment.php and journalpic.php (a self-written image send file much like the other two, used for my own Journal System)...

If you paste an avatar/attachment url in your browser directly, it works (which is much nicer for your bandwidth than _redirecting them to threads on your site_ :p), if you use them on other sites however (as part of the HTML page), they won't work and the image you will see there is a fake no-deeplinking-image that you make yourself (mine says "No banana my friend!" :)).

It checks the URL to match your own domain but in a more efficient way (the one from this hack can easily be spoofed, thus, it won't work then)

Notes:
a) the {0,15} at the (relative) start will match for subdomain(s) or lack thereof. If you have a subdomain longer than 15 characters, make the 15 number higher :)
(it also works for http://yourdomain.com, thus, without www. )
b) the path directive is a full path towards the image you'll be serving out, check your own host's settings to see what exactly you need to enter there :)


if(isset($_SERVER['HTTP_REFERER'])){
if(!preg_match("'^(http://).{0,15}(YOURDOMAINHERE.com)'i", $_SERVER['HTTP_REFERER'])){
$path = "/home/users/yourusername.com/html/YOURDOMAINHERE.com/YOURANTIDEEPLINKINGIMAGE.png";
$filesize = filesize($path);
$fp = fopen($path, "r");
$attachmentinfo['filedata'] = fread($fp, $filesize);
fclose($fp);
header("Cache-control: max-age=31536000");
header("Expires: " . gmdate("D, d M Y H:i:s",time()+31536000) . "GMT");
header("Content-Length: $filesize");
header('Content-type: image/png'); // adjust this if you use a .gif or a .jpg (image/gif || image/jpeg)
echo $attachmentinfo['filedata'];
exit;
}
}


If you do it right, you can fully prevent deeplinking with this if you put it at the start of avatar.php & attachment.php (and any other image serving file you may be using) :up:

Any questions? PM me (I doubt I'll ever see this thread again if I don't get pm'd a question... :))

Sia Bani
01 Mar 2003, 01:26
Wow, I'm really impressed with myself right now! I'm such a newbie, its ridiculous!

Here's an error in your attachment code:

"/showthread.php?s=".$session[sessionhash]."&threadid=".$redirectquery[threadid]."#post".$redirectquer

y[postid];
$redirecttype = "post";

The space from $redirectquer to y[postid] had it not working. I fixed that and all is good now!

Well done man!

Sia Bani
10 Mar 2003, 06:56
Hi again. I have another question...does anyone know how to make an advertisement of my site by replacing the image that is being hotlinked? Basically, instead of the x or the actual image they're trying to hotlink, how could I make an ad of my site come up? Anyone come up with this already?

dennx
21 May 2003, 07:26
Does this hack work in vB 2.3??

phenom
24 May 2003, 21:58
I installed this on 2.3.0 and it... sorta... works

The images don't seem to be able to be hotlinking, but instead of getting the message from the new template, I get this:

Parse error: parse error, unexpected T_STRING in /home/pcbaseb/public_html/forums/attachment.php on line 39

fury
24 May 2003, 22:02
dennx: It should

phenom: Show me your line 39, if you don't mind

gmarik
25 May 2003, 09:06
A great idea, just like Nuke has.

ImportPassion
03 Jun 2003, 04:21
Ok, i changed this around a bit cause i didn't work for me. Some ppl couldn't see the images in the forum.

if (!$GLOBALS[HTTP_REFERER]) {
$HTTPREFERER = "http://www.7thgencivic.com/";
} else {
$HTTPREFERER = $GLOBALS[HTTP_REFERER];
}

$c_url = parse_url($HTTPREFERER);

if (!substr_count($c_url[host], "www.7thgencivic.com") || !substr_count($c_url[host], "7thgencivic.com")) {
$redirectquery = $DB_site->query_first("SELECT postid,threadid FROM post WHERE attachmentid='".$attachmentid."'");
$url = $bburl . "/showthread.php?s=".$session[sessionhash]."&threadid=".$redirectquery[threadid]."#post".$redirectquery[postid];
$redirecttype = "post";
eval("standardredirect(\"".gettemplate("redirect_wrongreferrer")."\",\"\$url\");");
}

Gutspiller
05 Jul 2003, 01:54
Anybody using this hack gotten reports that it screws up if you have Windows NT or are behind a proxy? I have tried multiple hacks to protect avatars and attachments, but I have a few users they say the see the replacement image even when they are on the site viewing the image. :(

Any ideas? I think a .htaccess might work for me, but I don't know what I'm suppose to put in it.

Andrus
07 Jul 2003, 13:33
My question is this... One of my sites is a new site, and some are still entering the site through the IP right? So would you not want to have both the IP and the domain name listed, and if so could you simply seperate Domain, and IP with a comma in the code?