Support » Plugin: ByREV WP-PICShield » Backslash in allowed domain gets duplicated in .htaccess

Viewing 6 replies - 1 through 6 (of 6 total)
  • Also, in .htaccess, when you check on HTTP_REFERER, there is the list of allowed domains:||…

    Shouldn’t the . be escaped?


    I’m using this to notify about other issues I’m finding as I test.

    error_log was filled fast with those lines:

    [23-May-2013 15:31:22] PHP Warning: Invalid argument supplied for foreach() in /home/…/ on line 62

    [23-May-2013 11:32:26] PHP Warning: fopen(/home/…/ [function.fopen]: failed to open stream: No such file or directory in /home/…/ on line 317
    [23-May-2013 11:32:26] PHP Warning: fpassthru() expects parameter 1 to be resource, boolean given in /home/…/ on line 317

    This is related to the fpassthru() Warning of the previous reply.

    I have some image files that contain the plus (+) character, for example:


    This file will result in an error because after:

    RewriteRule (.*) byrev-wp-picshield.php?key=XXXXX&src=$1 [L]

    Later when src is accessed via $_GET[‘src’], the + get converted into a space, and the file “foo bar.jpg” is not found in the filesystem!

    edit: maybe the SOLUTION to this is adding the B flag to the above rewrite rule:

    RewriteRule (.*) byrev-wp-picshield.php?key=XXXXX&src=$1 [B,L]

    Hi …

    Thank you for reporting the issue/problem

    i will investigate this as soon as possible …

    In the meantime, if you fix it, you can leave here the code/example , and I will add the changes plugin.

    to prevent duplicating backslashes in allowed domains

    in \byrev-wp-picshield-import-admin.php around line 68 add this:

    $byrev_gtfo_hotlink_post_data = array_map( 'stripslashes', $byrev_gtfo_hotlink_post_data );

    after this:

    $byrev_gtfo_hotlink_post_data = array_map( 'esc_attr', $byrev_gtfo_hotlink_post_data );

    ( this works for me if i want to use a regexp for the allowed domain, such as: ([a-z-]+\.)?mydomain\.com, this may be not the case for everyone who maybe will prefer to specify a domain simply by putting “domain.tld”. In this case you may want to use preg_quote to let the PHP escape the . automatically? )

    to escape the . in the predefined allowable domains

    I personally escaped them manually in the global arrays directly, same file of before, on top:

    $__ONLINE_TRANSLATORS = array('translate\.google\.com','translate\.googleusercontent\.com','www\.microsofttranslator\.com');
    $__SOCIAL_SHARE_USER_AGENT = array ('facebookexternalhit','facebookplatform','pinterest','feedfetcher','ggpht');
    $__SOCIAL_SHARE_REFERER = array ('pinterest\.com','tumblr\.com','facebook\.com','plus\.google','twitter\.com');
    $__GOGLE_TEST_REFERER = array ('googleapis\.com','googleusercontent\.com','ytimg\.com','gstatic\.com');

    Thought of using preg_quote() but did not. Same as before, it must be decided if we want use those string as regexp or not from start. This is my solution but it may be not a solution for everyone.

    error_log warnings of failing to passthorugh on non existing files

    were caused by many request to those files:


    From a quick google search it seems they are files requested by android devices for unknown reasons by me. To fix the warnings I put a simply if check such as this:

    if( $wm = fopen($watermarked, 'rb') ):
    	// dont know what to do here, 404?

    in place of this:

    fpassthru(fopen($watermarked, 'rb'));

    in /raw_code/byrev-wp-picshield.php (need to do UPDATE OPTIONS of course after that)

    for the ‘+’ in the filenames

    the fix in my previous reply seems to work so far, in \byrev-wp-picshield-import-admin.php around line 242, by adding the B flag the line becomes:

    $htaccess['rewrite_rule'][] = 'RewriteRule (.*) byrev-wp-picshield.php?key='.$data_basic['gtfo_key'].'&src=$1 [B,L]';

    Thanks for all these code sequences, will be added to a future update when I’ll try to get some more changes to the plugin in the near future … so far I have not had time!

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Backslash in allowed domain gets duplicated in .htaccess’ is closed to new replies.