Not Solved [How To?] How can I prevent hotlinking of attachment files?
#1
Not Solved
Quote:
$url = parse_url($_SERVER['HTTP_REFERER']);
if ($url['host'] != 'yourdomain.com') {
    exit("You can't download this file");
}

https://community.mybb.com/post-1056804.html

This method does not work.

My forum guests should be able to view attached files.
Reply
#2
Not Solved
I'm not sure if this is the cause, but domain names are case insensitive, so you should convert $url['host'] to either all caps or all lowercase before the comparison. Also, in your example, you say 'yourdomain.com' excluding the 'www' subdomain.

Alternatively, some browsers do not send the REFERER header due to privacy concerns.
Reply
#3
Not Solved
(08-28-2018, 09:30 PM)laie_techie Wrote: I'm not sure if this is the cause, but domain names are case insensitive, so you should convert $url['host'] to either all caps or all lowercase before the comparison. Also, in your example, you say 'yourdomain.com' excluding the 'www' subdomain.

Alternatively, some browsers do not send the REFERER header due to privacy concerns.

some browsers do not send the REFERER header due to privacy concerns.

Yes, this is why I can't use that method...

Should I set a rewrite file in nginx or apache?
Reply
#4
Not Solved
(08-28-2018, 10:41 PM)alstn13178 Wrote:
(08-28-2018, 09:30 PM)laie_techie Wrote: I'm not sure if this is the cause, but domain names are case insensitive, so you should convert $url['host'] to either all caps or all lowercase before the comparison. Also, in your example, you say 'yourdomain.com' excluding the 'www' subdomain.

Alternatively, some browsers do not send the REFERER header due to privacy concerns.

some browsers do not send the REFERER header due to privacy concerns.

Yes, this is why I can't use that method...

Should I set a rewrite file in nginx or apache?


If the browser doesn't send the header, your server (either nginx or apache) won't have access to it. All you can do is see if the header was sent, and if it was, compare it to your domain. If it's blank, you don't know if it's hot-linked or not.
Reply
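
The check described in posts #2 and #4, as an added example that is not part of the original thread or of MyBB's code: block only when a Referer was sent and its host, lower-cased, is not one of your own. `ALLOWED_HOSTS` and `is_hotlink()` are hypothetical names, and the sample Referer values are constructed.

```php
<?php
// Added example. ALLOWED_HOSTS and is_hotlink() are hypothetical names,
// not part of MyBB. List every host your forum is served from,
// including the 'www' variant mentioned in post #2.
const ALLOWED_HOSTS = ['yourdomain.com', 'www.yourdomain.com'];

/**
 * Returns true only when a Referer was sent AND its host is not ours.
 * A missing or unparseable Referer is "unknown" and is allowed, because
 * privacy settings strip the header from legitimate visits (post #4).
 * The header is client-supplied, so this deters casual hotlinking only;
 * it is not an access control.
 */
function is_hotlink(?string $referer, array $allowedHosts = ALLOWED_HOSTS): bool
{
    if ($referer === null || trim($referer) === '') {
        return false; // header absent: cannot tell, so do not block
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // no host component: also unknown
    }
    // Host names are case-insensitive; also drop a trailing dot (FQDN form).
    $host = rtrim(strtolower($host), '.');
    // Exact match, so 'yourdomain.com.other.example' does not pass.
    return !in_array($host, $allowedHosts, true);
}

// Constructed sample values, one per branch.
$samples = [
    null,                                          // no header sent
    'https://YourDomain.com/showthread.php?tid=1', // mixed case, own host
    'https://www.yourdomain.com/index.php',        // www variant
    'https://other.example/page.html',             // foreign host
    'https://yourdomain.com.other.example/',       // look-alike host
];
foreach ($samples as $referer) {
    printf("%-48s %s\n", var_export($referer, true),
        is_hotlink($referer) ? 'block' : 'allow');
}

// In the download script the call would look like:
// if (is_hotlink($_SERVER['HTTP_REFERER'] ?? null)) {
//     http_response_code(403);
//     exit("You can't download this file");
// }
```

The first three samples are allowed and the last two are blocked.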
#5
Not Solved
Edit: doesn't work

Ah, I got a solution

In attachment.php:

if(!isset($mybb->cookies['mybb']['threadread']))
    error("no");
Reply

