News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

How to redirect external attachment hotlinks to the relevant post

Started by Kolya, August 13, 2009, 07:17:00 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Kolya

August 13, 2009, 07:17:00 AM
I use this code to avoid external hotlinking of attachments.

Now instead of just letting the request die, I would like to redirect the user to the post that has the requested attachment.
Any help with that would be appreciated.

Note: Before anyone tells me to simply turn off attachments for guests:  I WANT guests to be able to see & download attachments. But only from my site. Hence the referrer-check.

H

#1
August 13, 2009, 07:17:59 AM
What you're asking for is probably impossible for most cases (if most of your attachments are images). If a user links to an image, any redirect that is not an image will be ignored
-H
Former Support Team Lead		                              I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)
                             

Kolya

#2
August 13, 2009, 07:34:06 AM
Most of my attachments are file archives. A solution that works for archives but not for images would be good enough.
Also I use the file name encryption for my attachments.

Kolya

#3
August 13, 2009, 05:33:34 PM
If you could just tell me how to find the relevant post for an attachment, I'll figure out the rest myself. Or point me in the right direction.

Kays

#4
August 13, 2009, 09:44:27 PM Last Edit: August 14, 2009, 12:45:27 AM by Kays
There's a problem with that code in that  $_SERVER['HTTP_REFERER'] doesn't always return a value, so you could be blocking legitimate users also.

Why not look into adding a session id to the attachment link and checking that instead. If you can do that then you can also pass the topic and post id

Edit.....

In looking at it. It was simpler than I thought and it seems to work good.

In Sources/Display.php find

Code Select

$context['no_last_modified'] = true;


and above it add:

Code Select

global $context;

if(!isset($_REQUEST['image']) && $_REQUEST['sesc'] != $context['session_id'])
redirectexit($scripturl . '?topic=' . $_REQUEST['topic'] . '.msg' . $_REQUEST['msg'] . '#msg' . $_REQUEST['msg']);


Find
Code Select

function loadAttachmentContext($id_msg)
{
global $attachments, $modSettings, $txt, $scripturl, $topic, $sourcedir, $smcFunc;


And below it add:

Code Select

global $context;


Now a bit further down find the 2 lines which look like the following and replace:

Code Select

'href' => $scripturl . '?action=dlattach;topic=' . $topic . ';msg=' . $id_msg . ';attach=' . $attachment['id_attach'] . ';sesc=' . $context['session_id'],
'link' => '<a href="' . $scripturl . '?action=dlattach;topic=' . $topic . ';msg=' . $id_msg . ';attach=' . $attachment['id_attach'] . ';sesc=' . $context['session_id'] . '">' . htmlspecialchars($attachment['filename']) . '</a>',


I forgot to mention, if it wasn't obvious. Delete that other script you have in place.

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Kolya

#5
August 14, 2009, 07:33:40 AM Last Edit: August 14, 2009, 09:44:46 AM by Kolya
Awesome! Thank you a lot Kays. :)

There's one minor hickup: When the user is redirected, the session gets appended and prevents the page scrolling down to the relevant post.

Second problem: It causes custom (uploaded) avatars to break.
Fix:
Code Select
if(!isset($_REQUEST['image']) && $_REQUEST['type'] != 'avatar' && $_REQUEST['sesc'] != $context['session_id'])
redirectexit($scripturl . '?topic=' . $_REQUEST['topic'] . '.msg' . $_REQUEST['msg'] . '#msg' . $_REQUEST['msg']);

Kays

#6
August 14, 2009, 12:16:36 PM
It doesn't use the session to take the user to that post but rather ?topic=330616.msg2212300#msg2212300

Check the redirect url to see if it's properly formated with the correct ids. I don't have SMF 2.0 installed for testing and I'm trying to adjust for the differences from SMF 1.1

Thanks for the heads up on the avatars. I forgot to check for them.

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Kolya

#7
August 14, 2009, 02:15:30 PM Last Edit: August 14, 2009, 03:26:56 PM by Kolya
Quote from: Kays on August 14, 2009, 12:16:36 PM
It doesn't use the session to take the user to that post but rather ?topic=330616.msg2212300#msg2212300
I understand, but ... here's a link that already got redirected:
http://www.test.com/index.php/topic,1247.msg5541.html#msg5541?PHPSESSID=82b13929b70386045df41d1f8452b91d
As you can see, a session gets appended. With this at the end, the page doesn't scroll down to the relevant post. If I delete everything after the message-anchor, it works.

I have no idea where that PHPSESSID comes from to be honest. It's not in the redirect code after all. Maybe the redirectexit() function appends it because of the missing cookie. If that's the case, maybe we should set a cookie.

Kays

#8
August 14, 2009, 04:11:37 PM Last Edit: August 14, 2009, 07:34:08 PM by Kays
I've got no idea where or how that link is generated. It's not in redirectext(). Maybe it's a SMF 2.0 thing?

Does anybody else know?

Edit:

I don't think it's a SMF thing. I've got a 2.0 test board set up and it seems to work properly there. Check this link.

http://www.kayssplace.com/boards2/index.php?action=dlattach;topic=145;msg=21970;attach=1241

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Kolya

#9
August 14, 2009, 08:08:41 PM Last Edit: August 14, 2009, 08:24:37 PM by Kolya
Odd. With your link the PHPSESSID comes right after index.php in the redirected link:

http://www.kayssplace.com/boards2/index.php?PHPSESSID=6375cbd4172fd7cc30116c075536ad14;topic=145.msg21970#msg21970

Might have something to do with the pretty URLs setting.

EDIT: Yeah, I checked it, it's the pretty URLs ("Search engine friendly URLs").
Would be nice if that could be turned off for the redirect only. Will see.

Kays

#10
August 14, 2009, 08:42:22 PM Last Edit: August 14, 2009, 10:16:46 PM by Kays
Yah, I can see that messing things up. Just disable it altogether. Appearantly, it doesn't have much weight with search results anyways.

Edit:

I think it's something which FireFox is adding. I can see it if I view source in FF but it ain't there in IE.

For me it's being added aftrer the "?" in the url and it doesn't seem it affect anything.

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Kolya

#11
August 15, 2009, 06:05:48 AM
The download links look the same to me in IE and FF while having pretty URLs turned off.
It's probably browser specific code that is invoked with the redirect. Because with the same download link IE ends up without any session in the URL (after redirecting) and FF then has the PHPSESSID attached in the URL and hence doesn't make it to the post.

Kays

#12
August 15, 2009, 09:05:40 AM
Is your version of FF up to date? Maybe try updating it and see if it'll work for you then. Also, try it in IE.

Look at it this way. It does work with IE,and for me in FF. I'm suspecting that what you are experiencing does only occur occasionally. So ignore it. :)

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Kolya

#13
December 09, 2009, 05:59:20 PM
Just a note that this breaks guest downloads since SMF 2.0 RC2 with an Undefined index: session_id
Kays, if you read this, I could need a hand here.

Kays

#14
December 09, 2009, 08:38:00 PM
Hi, I forgot about this topic.

I decided to package this as a mod. You'll need to do the edits manually since I've have made some changes to it.

http://custom.simplemachines.org/mods/index.php?mod=2126

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods
Print
Go Up Pages1
User actions
Advertisement: