ByREV WP-PICShield
Backslash in allowed domain gets duplicated in .htaccess (7 posts)

  1. DrLightman
    Member
    Posted 10 months ago #

    I modified the allowed domains from:

    example.org

    to

    ([a-z-]+\.)?example.org

    To support subdomains, because my site does use them, and inside .htaccess it became:

    ([a-z-]+\\.)?example.org

    http://wordpress.org/extend/plugins/byrev-wp-picshield-hotlink-defence/

  2. DrLightman
    Member
    Posted 10 months ago #

    Also, in .htaccess, when you check HTTP_REFERER, there is the list of allowed domains:

    translate.google.com|translate.googleusercontent.com|...

    Shouldn't the . be escaped?

    translate\.google\.com|translate\.googleusercontent\.com|...

  3. DrLightman
    Member
    Posted 10 months ago #

    I'm using this thread to report other issues I'm finding as I test.

    error_log was filled fast with those lines:

    [23-May-2013 15:31:22] PHP Warning: Invalid argument supplied for foreach() in /home/.../example.org/byrev-wp-image2url.php on line 62

    [23-May-2013 11:32:26] PHP Warning: fopen(/home/.../example.org/~hotlink-cache/wp-content/uploads/2013/01/pic.jpg) [function.fopen]: failed to open stream: No such file or directory in /home/.../example.org/byrev-wp-picshield.php on line 317
    [23-May-2013 11:32:26] PHP Warning: fpassthru() expects parameter 1 to be resource, boolean given in /home/.../example.org/byrev-wp-picshield.php on line 317

  4. DrLightman
    Member
    Posted 10 months ago #

    This is related to the fpassthru() Warning of the previous reply.

    I have some image files that contain the plus (+) character, for example:

    wp-content/uploads/2013/01/foo+bar.jpg

    This file will result in an error because after:

    RewriteRule (.*) byrev-wp-picshield.php?key=XXXXX&src=$1 [L]

    Later, when src is accessed via $_GET['src'], the + gets converted into a space, and the file "foo bar.jpg" is not found in the filesystem!

    edit: maybe the SOLUTION to this is adding the B flag to the above rewrite rule:

    RewriteRule (.*) byrev-wp-picshield.php?key=XXXXX&src=$1 [B,L]
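
To see the decoding step described in this post, here is an added example (written for this thread, not code from the plugin) that simulates what the generated RewriteRule hands to PHP with and without the B flag. It creates a temporary directory with a foo+bar.jpg fixture, builds the query string mod_rewrite would substitute, decodes it the way PHP fills $_GET (using parse_str() on the string instead of a real request), and checks whether the resulting path exists. The directory layout, the use of rawurlencode() as a stand-in for mod_rewrite's B flag, and the traversal check in resolve_source() are assumptions made for the example.

```php
<?php
// Added example, not ByREV WP-PICShield code. It reproduces the '+' problem:
//   RewriteRule (.*) byrev-wp-picshield.php?key=XXXXX&src=$1 [L]
// copies the requested path into a query string verbatim, and PHP decodes
// query strings as application/x-www-form-urlencoded, where '+' means space.
// Apache's B flag percent-encodes the backreference before substitution; that
// step is approximated here with rawurlencode() (assumption: close enough for
// '+', '/' and spaces, which is what matters for file names).

// Build the query string mod_rewrite would substitute, with or without [B].
function rewritten_query($path, $b_flag, $key = 'XXXXX') {
    $src = $b_flag ? rawurlencode($path) : $path;
    return 'key=' . $key . '&src=' . $src;
}

// What $_GET['src'] ends up holding for that query string.
// parse_str() applies the same decoding PHP uses when it fills $_GET.
function get_src($query) {
    parse_str($query, $get);
    return isset($get['src']) ? $get['src'] : null;
}

// Map the decoded value onto the directory the handler serves from.
// Added guard (assumption, not from the plugin): refuse '..' segments so the
// handler can only ever open files below $base.
function resolve_source($base, $src) {
    if ($src === null) {
        return null;
    }
    foreach (explode('/', $src) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    return $base . '/' . ltrim($src, '/');
}

// Constructed fixture: one file whose name contains '+' and one that does not.
$dir = sys_get_temp_dir() . '/picshield-demo-' . getmypid();
mkdir($dir . '/2013/01', 0700, true);
file_put_contents($dir . '/2013/01/foo+bar.jpg', 'jpeg-bytes');
file_put_contents($dir . '/2013/01/pic.jpg', 'jpeg-bytes');

foreach (array('2013/01/foo+bar.jpg', '2013/01/pic.jpg') as $requested) {
    foreach (array(false, true) as $b) {
        $query = rewritten_query($requested, $b);
        $src   = get_src($query);
        $file  = resolve_source($dir, $src);
        printf("%-20s [%s]  query=%-40s  \$_GET[src]=%-20s  %s\n",
            $requested,
            $b ? 'B,L' : 'L',
            $query,
            $src,
            ($file !== null && is_file($file)) ? 'found' : 'NOT FOUND');
    }
}

// Clean up the fixture.
foreach (glob($dir . '/2013/01/*') as $f) {
    unlink($f);
}
rmdir($dir . '/2013/01');
rmdir($dir . '/2013');
rmdir($dir);
```

Run it with `php plus-in-filename.php`. The `[L]` row for foo+bar.jpg shows the space that breaks the lookup; the `[B,L]` row shows the same name travelling as `%2B` and decoding back to `+`. Because [B] also encodes `/`, the directory separators still survive the round trip, which is why the plain pic.jpg case works in both rows.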

  5. Emilian Robert Vicol
    Member
    Plugin Author

    Posted 10 months ago #

    Hi ...

    Thank you for reporting the issue/problem

    i will investigate this as soon as possible ...

    In the meantime, if you fix it, you can leave the code/example here, and I will add the changes to the plugin.

  6. DrLightman
    Member
    Posted 10 months ago #

    to prevent duplicating backslashes in allowed domains

    in \byrev-wp-picshield-import-admin.php around line 68 add this:

    $byrev_gtfo_hotlink_post_data = array_map( 'stripslashes', $byrev_gtfo_hotlink_post_data );

    after this:

    $byrev_gtfo_hotlink_post_data = array_map( 'esc_attr', $byrev_gtfo_hotlink_post_data );

    ( this works for me if I want to use a regexp for the allowed domain, such as: ([a-z-]+\.)?mydomain\.com, but this may not be the case for everyone; some may prefer to specify a domain simply by putting "domain.tld". In this case you may want to use preg_quote to let PHP escape the . automatically? )

    to escape the . in the predefined allowable domains

    I personally escaped them manually in the global arrays directly, same file as before, at the top:

    $__ONLINE_TRANSLATORS = array('translate\.google\.com','translate\.googleusercontent\.com','www\.microsofttranslator\.com');
    $__SOCIAL_SHARE_USER_AGENT = array ('facebookexternalhit','facebookplatform','pinterest','feedfetcher','ggpht');
    $__SOCIAL_SHARE_REFERER = array ('pinterest\.com','tumblr\.com','facebook\.com','plus\.google','twitter\.com');
    $__GOGLE_TEST_REFERER = array ('googleapis\.com','googleusercontent\.com','ytimg\.com','gstatic\.com');

    I thought of using preg_quote() but did not. Same as before, it must be decided from the start whether we want to use those strings as regexps or not. This is my solution, but it may not be a solution for everyone.

    error_log warnings about failing to pass through non-existing files

    were caused by many requests for those files:

    apple-touch-icon.png
    apple-touch-icon-precomposed.png

    From a quick Google search it seems they are files requested by Android devices for reasons unknown to me. To fix the warnings I put in a simple if check such as this:

    if( $wm = fopen($watermarked, 'rb') ):
    	fpassthru($wm);
    else:
    	// dont know what to do here, 404?
    endif;

    in place of this:

    fpassthru(fopen($watermarked, 'rb'));

    in /raw_code/byrev-wp-picshield.php (need to do UPDATE OPTIONS of course after that)

    for the '+' in the filenames

    the fix in my previous reply seems to work so far, in \byrev-wp-picshield-import-admin.php around line 242, by adding the B flag the line becomes:

    $htaccess['rewrite_rule'][] = 'RewriteRule (.*) byrev-wp-picshield.php?key='.$data_basic['gtfo_key'].'&src=$1 [B,L]';
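
The question in post 2 and the escaped arrays in this post come down to one thing: the allowlist strings are used as a regular expression, so an unescaped dot matches any character, and there is nothing tying the match to the referring host. The following is an added example written for this thread, not code from the plugin. It takes two of the predefined arrays quoted above, unescaped as the plugin originally had them, builds the pattern both the naive way and with preg_quote(), and runs a few constructed Referer values through each. The host-suffix matching in host_pattern(), the `#` delimiter, and the sample referers are assumptions made for the example.

```php
<?php
// Added example, not ByREV WP-PICShield code. Shows why the dots in the
// referer allowlist must be regex-escaped, and how to allow subdomains of an
// entry without hand-writing regexes in the settings.

// The two lists as quoted in the thread before escaping.
$__ONLINE_TRANSLATORS   = array('translate.google.com', 'translate.googleusercontent.com', 'www.microsofttranslator.com');
$__SOCIAL_SHARE_REFERER = array('pinterest.com', 'tumblr.com', 'facebook.com', 'plus.google', 'twitter.com');

// Naive: join the raw strings with '|' and match anywhere in the Referer.
// An unescaped '.' matches any character, so 'translate.google.com' also
// matches 'translate-google-com', and the alternation is not anchored to the
// host part of the URL at all.
function naive_pattern(array $domains) {
    return '#(' . implode('|', $domains) . ')#i';
}

// Escaped: preg_quote() turns every '.' into '\.' (and escapes the delimiter).
// The pattern is applied to the host only and anchored at the end and at a
// label boundary, so 'example.org' also allows 'img.example.org' but not
// 'example.org.evil.test' or 'notexample.org'.
function host_pattern(array $domains) {
    $quoted = array_map(function ($d) { return preg_quote($d, '#'); }, $domains);
    return '#(^|\.)(' . implode('|', $quoted) . ')$#i';
}

// Extract the host from a Referer value; empty string if there is none.
function referer_host($referer) {
    $host = parse_url($referer, PHP_URL_HOST);
    return ($host === null || $host === false) ? '' : $host;
}

function allowed_naive(array $domains, $referer) {
    return preg_match(naive_pattern($domains), $referer) === 1;
}

function allowed_escaped(array $domains, $referer) {
    return preg_match(host_pattern($domains), referer_host($referer)) === 1;
}

$allowlist = array_merge($__ONLINE_TRANSLATORS, $__SOCIAL_SHARE_REFERER);

// Constructed Referer values: two legitimate, three attacker-controlled.
$cases = array(
    'http://translate.google.com/translate?u=http://example.org/', // legitimate
    'http://www.pinterest.com/pin/1/',                              // legitimate subdomain
    'http://translate-google-com.attacker.test/',                   // unescaped '.' matches '-'
    'http://attacker.test/?ref=translate.google.com',               // allowlisted name in the query, not the host
    'http://facebook.com.attacker.test/',                           // allowlisted name as a host prefix
);

foreach ($cases as $ref) {
    printf("%-62s naive=%-5s escaped=%s\n",
        $ref,
        allowed_naive($allowlist, $ref) ? 'allow' : 'block',
        allowed_escaped($allowlist, $ref) ? 'allow' : 'block');
}
```

Run it with `php referer-allowlist.php`: the naive pattern allows all five referers, the escaped host-suffix pattern allows only the first two. Note that host_pattern() expects full hostnames, so an entry like 'plus.google' from the original array would have to be written as 'plus.google.com'; the choice raised in this post between literal domains and hand-written regexes such as ([a-z-]+\.)?mydomain\.com is exactly this decision, and preg_quote() only fits the literal-domain side of it.
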

  7. Emilian Robert Vicol
    Member
    Plugin Author

    Posted 10 months ago #

    Thanks for all these code sequences; they will be added in a future update when I try to get some more changes into the plugin in the near future ... so far I have not had time!
