[nycbug-talk] direct file access denied via htaccess
Isaac Levy
ike
Wed Jun 15 19:30:35 EDT 2005
Hi Steve,
On Jun 15, 2005, at 6:02 PM, Marc Spitzer wrote:
> On 6/15/05, Steve Rieger <steve.rieger at tbwachiat.com> wrote:
>> hi all am trying (don't even know if this is possible) to prevent anybody
>> and all from accessing any files via http directly
Thing is- I'm assuming for the rest of my response to this post that
you *do* want the images to load into web pages via http, but you
*don't* want people to just grab them individually.
In a big-picture nutshell, I'm sad to report you cannot both provide
access and deny access to the image files- the usual suite of
obfuscation tricks are trivially bypassed by anyone who wants the
images and has 20 minutes to spare figuring it out.
--
More good stuff on 'hotlinking', which is quite a realistic way to prevent
loading of the images from web-pages on another server, using nifty
'referer' stuff:
http://apache-server.com/tutorials/ATimage-theft.html
>>
>
> hmm.
>
> one way to raise the bar is to generate the links with javascript on
> the client, you can not copy the link without. Your real problem is
> that things are cached on the client so to lift your stuff I do the
> following:
>
> 1: clear cache on firebird
> 2: hit your website
> 3: go through the cache, digital dumpster diving.
>
> marc
>
> ps there may be some neat firebird modules that make this even easier.
>
> marc
Marc's right, and I'd add big-picture, that if you allow *any* sort of
access to the image files, you cannot stop people from *ever* getting
at the source .jpg files. I'd even throw in that I know some flash
folks who keep all sorts of dirty little tools for extracting images
from even flash files and movie clips, in the browser cache.
>
>> i know the proper syntax for preventing hotlinking
>>
>>
>> # cat .htaccess
>> RewriteEngine on
>> RewriteCond %{HTTP_REFERER} .
>> #RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.(com?net) [NC]
>> RewriteRule \.(gif|jpg|bmp|mid|css)$ - [F,NC]
>>
>> but say that you know that i have a jpg at
>> http://www.mydomain.com/stever/junk/001.jpg
>>
>> i need to prevent anybody from pasting that into their browser and
>> getting that image. the above htaccess file ain't working, how can i
>> make this happen.
Now, aside from my above naysaying, one obfuscation method *could* get
you what you need if you're experiencing a problem- but it suffers from
the cache-spelunking problem as well here-
You could use the referrer tag, ala the anti-'hotlinking' config stuff
above, and only serve images based on the calling page as the referrer.
It still can be bypassed with the image cache problem, but it would
make the server exhibit the behaviour you're wanting.
Regardless, DRM is a joke...
http://lisag.com/photos/011605/flava%20flav%20on%20set.jpg
Rocket-
.ike
>>
>>
>>
>> thanx
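
The referer check described in the reply above, written as an added .htaccess example that is not part of the original thread: it refuses image requests unless the Referer header starts with the site's own URL, so a request with no Referer (a URL pasted into the address bar) is refused as well. It assumes mod_rewrite is enabled and .htaccess overrides are allowed, and it reuses the question's placeholder host www.mydomain.com.

```apache
# Added example, not from the thread. Place in the directory that holds the images.
# Assumes mod_rewrite is loaded and AllowOverride permits FileInfo here.
RewriteEngine On

# For comparison, the condition posted in the question:
#   RewriteCond %{HTTP_REFERER} .
# "." matches any non-empty Referer, so that rule forbids requests that DO
# carry a Referer and lets a request with an empty one (pasted URL) through.

# Forbid the request unless the Referer begins with this site's own URL.
# An empty Referer does not match the pattern, so the negated condition is
# true for it and the request is answered with 403 Forbidden.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com/ [NC]
RewriteRule \.(gif|jpe?g|bmp)$ - [F,NC]
```

The Referer header is supplied by the client and some browsers and proxies omit it, so this rule can break images for legitimate visitors. Copies already sitting in a browser cache are unaffected, which is the limitation the thread points out.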