3

I'd like to set up a regular expression that would disallow hotlinking of images that DO NOT end with the following pattern: -200.jpg

The "200" can actually be "150" or "250" or any number between 100-999 (that is to say 3 chars). The .jpg can be .jpeg or .png. Hotlinking of .gif is allowed.

I started with something like this:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?mywebsite\.com/ [NC]
RewriteRule [^0-9]{3}\.(jpe?g|png)$ /img/hotlink.gif [NC,R,L]

For example: This should be allowed: h*ttp://mywebsite.tld/dir/dir/hello_sdfk456er_142.jpg-200.jpg whereas this should be denied: h*ttp://mywebsite.tld/dir/dir/hello_sdfk456er_142.jpg

But this is not working.

Also, please consider the following:

I am using url_rewriting so that the html page that displays the image is like h*ttp://mywebsite.tld/username/1337.jpg where 1337 stands for the id of the image in the database. The reason why I'm highlighting this subtlety is because a rule like:

RewriteRule ![0-9]{3}\.(jpe?g|png)$ /img/hotlink.gif [NC,R,L]

would not work.

EDIT:

I just solved it adding some exceptions:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?mywebsite\.com/ [NC]
RewriteCond %{REQUEST_URI}  !-[0-9]{3}\.(jpe?g|gif|png)$ [NC]
RewriteCond %{REQUEST_URI}  !/[0-9]+\.(jpe?g|gif|png)$ [NC]
RewriteRule \.(jpe?g|png)$  /img/hotlink.gif [NC,R,L]

If you know a "sexier" way please let me know. Thanks anyway to the guy who gave it a try (deleted his messages?)

2 Answers

1

Your solution has two flaws:

  1. The 4th line with /[0-9]+ will also allow hotlinking images that are named as just 200.jpg (no hyphen).
  2. The RewriteRule condition is missing, and thus will not allow hotlinking .gif images.

Here's an updated version:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mywebsite\.com/ [NC]
RewriteCond %{REQUEST_URI}  !-[0-9]{3}\.(jpe?g|gif|png)$ [NC]
RewriteRule .* http://mywebsite.com/img/hotlink.gif [NC,R,L]

You can read it as follows:

  1. If referrer is not empty
  2. And referrer is not my site
  3. And an image is requested that doesn't end with allowed pattern (e.g. -123.gif)
  4. Then show a hotlink.gif
Geo
  • The 4th line is just an escape for my url_rewriting, as I have some HTML pages called like h*ttp://mywebsite.tld/dir/dir/5465.jpg, which are not images actually but HTML pages. I don't host any image like "{NUMBER}.jpg", I rename all uploaded images so the anti-hotlink cannot be bypassed with that trick. My solution is actually working well enough, the only problem I have now is: if I add the .gif images to the anti-hotlink rule, the hotlink.gif image does not show up (kind of an endless loop?). Thank you. –  Dec 07 '12 at 01:08
  • What if instead of adding `.gif` you put `.*` as I suggested? Still endless? – Geo Dec 07 '12 at 03:35
  • Still fails that way. I added an exception to avoid the endless redirection loop, like `RewriteCond %{REQUEST_URI} !/img/hotlink.gif$ [NC]`. Also I feel like I am not getting the same behaviour considering the browser... (Works fine with IE and Chrome, but FF sometimes triggers the anti-hotlink inexplicably. I don't get it... Maybe a cache problem.) –  Dec 07 '12 at 04:49
0

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?mywebsite\.com/ [NC]
RewriteCond %{REQUEST_URI}  !-[0-9]{3}\.(jpe?g|gif|png)$ [NC]
RewriteCond %{REQUEST_URI}  !/[0-9]+\.(jpe?g|gif|png)$ [NC]
RewriteRule \.(jpe?g|png)$  /img/hotlink.gif [NC,R,L]
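
As an added example (not code from any of the posts), the Python sketch below models the rule set from the question's EDIT and the one from the first answer, with the loop-guard condition from the comments as an option, and reports which requests each would redirect. Python's `re` stands in for mod_rewrite's PCRE matching; the referer `other.example` and the sample URIs that are not quoted from the posts are constructed.

```python
import re

NC = re.IGNORECASE  # mod_rewrite's [NC] flag
OWN_SITE = re.compile(r"^https?://(.+\.)?mywebsite\.com/", NC)
SIZED = re.compile(r"-[0-9]{3}\.(jpe?g|gif|png)$", NC)        # photo.jpg-200.jpg
NUMERIC_PAGE = re.compile(r"/[0-9]+\.(jpe?g|gif|png)$", NC)   # /username/1337.jpg
JPG_PNG = re.compile(r"\.(jpe?g|png)$", NC)
PLACEHOLDER = re.compile(r"/img/hotlink.gif$", NC)            # as written in the comment

def foreign(referer):
    """Both HTTP_REFERER conditions: non-empty and not the site itself."""
    return referer != "" and OWN_SITE.search(referer) is None

def question_edit(uri, referer):
    """True if the rule set from the question's EDIT redirects the request."""
    return (foreign(referer) and SIZED.search(uri) is None
            and NUMERIC_PAGE.search(uri) is None
            and JPG_PNG.search(uri) is not None)

def answer_rules(uri, referer, loop_guard=False):
    """True if the first answer's rule set (RewriteRule .*) redirects;
    loop_guard adds the !/img/hotlink.gif$ condition from the comments."""
    if loop_guard and PLACEHOLDER.search(uri):
        return False
    return foreign(referer) and SIZED.search(uri) is None

def redirect_hops(rule, uri, referer, limit=5, **kw):
    """Count redirects to the placeholder. Assumption: the browser keeps
    sending the same Referer when it follows the redirect."""
    hops = 0
    while hops < limit and rule(uri, referer, **kw):
        uri, hops = "/img/hotlink.gif", hops + 1
    return hops

if __name__ == "__main__":
    ext = "http://other.example/page.html"   # constructed foreign referer
    for uri in ("/dir/dir/hello_sdfk456er_142.jpg-200.jpg",
                "/dir/dir/hello_sdfk456er_142.jpg",
                "/username/1337.jpg", "/dir/anim.gif", "/about.html"):
        print(f"{uri:45} edit={question_edit(uri, ext)!s:5} "
              f"answer={answer_rules(uri, ext)!s:5} "
              f"hops={redirect_hops(answer_rules, uri, ext)}")
```

A hop count equal to `limit` means the placeholder request is itself redirected again, which is the endless loop described in the comments.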