Topic: hotlink_module bug
zhousu
Newbie


Joined: 11 September 2007
Posts: 9
Posted: 01 August 2011 at 11:27am

hotlink_module with a digit-only file name DOES NOT WORK
e.g. http://127.0.0.1/mp3/20111/123456789.mp3

With a letter, it works
e.g. http://127.0.0.1/mp3/20111/a123456789.mp3

----------------------------------------
rules below

SetEnv mod_hotlink
HotlinkExpires 1800
HotlinkSignature 0433343675675675
HotlinkProtect /mp3 [Redirect]





Edited by zhousu - 01 August 2011 at 11:27am
 
Vyacheslav
Admin Group


Joined: 02 July 2008
Location: Ukraine
Posts: 1542
Posted: 02 August 2011 at 3:08am

Hello.
Please enable only the following code:
Code:
HotlinkProtect /mp3 [Redirect]


and make 2 requests to each variant, using the WFetch tool: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21625

Of those two requests, one should include the Referer header and the other one shouldn’t.

When it works, you should see a redirection when the Referer header is set.

__________________
Slavik Shynkarenko,
Helicon Tech.
 
zhousu
Newbie


Joined: 11 September 2007
Posts: 9
Posted: 02 August 2011 at 9:40am

Hi Vyacheslav

      I carefully tested it again; it's a bug when the file name is 16 chars, the same length as the HotlinkBlocker Signature (23d8112b8dfe00bb)
e.g. http://127.0.0.1/mp3/20111/1234567890123456.mp3   not working
e.g. http://127.0.0.1/mp3/20111/abc1234567890123.mp3   not working


Second bug:
If you send a request to http://127.0.0.1/mp3/20111/123456789.mp3
APE will set a cookie with the HotlinkBlocker Signature.

A user can use the cookie value to easily change the URL
http://127.0.0.1/mp3/20111/123456789.mp3
to
http://127.0.0.1/mp3/20111/xxxxxxxxxx/123456789.mp3

making HotlinkBlocker useless.



-------------------------------------------------------------------
GET /mp3/20111/123456789.mp3 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive

HTTP/1.1 403 Forbidden
Content-Type: text/html
Location: /mp3/20111/123456789.mp3
Server: Microsoft-IIS/7.5
Set-Cookie: HotlinkBlocker=f773b43fc4dc57fb; expires=Tue, 02-Aug-2011 15:03:17 GMT; path=/
Date: Tue, 02 Aug 2011 14:33:16 GMT
Content-Length: 1157







Edited by zhousu - 02 August 2011 at 9:46am
 
Vyacheslav
Admin Group


Joined: 02 July 2008
Location: Ukraine
Posts: 1542
Posted: 03 August 2011 at 10:19am

Hello.
We’re working on a fix.
Thank you for your feedback.

__________________
Slavik Shynkarenko,
Helicon Tech.
 
zhousu
Newbie


Joined: 11 September 2007
Posts: 9
Posted: 04 August 2011 at 9:17am

The HotlinkBlocker cookie problem hasn't been fixed.


 
Vyacheslav
Admin Group


Joined: 02 July 2008
Location: Ukraine
Posts: 1542
Posted: 05 August 2011 at 5:51am

Hello.
The cookie doesn’t guarantee access to the file. If another web client uses the same cookie, most likely it will get a new cookie (depends on the “expires” value). You can use the HotlinkExpires directive to set when the cookie should expire.

__________________
Slavik Shynkarenko,
Helicon Tech.
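
Added example, not code from this thread or from Helicon Ape: a sketch of a hotlink token that is bound to one exact path and an expiry time and is read only from an explicitly marked URL segment, so a 16-character file name is never confused with a token and a token copied from one response is only good for that one file until it expires. The HMAC-SHA256 construction, the `t=` segment marker, the secret and all function names are assumptions for illustration; the thread does not describe Helicon Ape's actual signature scheme.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: stands in for the HotlinkSignature secret
TTL = 1800                           # seconds, mirrors "HotlinkExpires 1800" in the thread
PREFIX = "/mp3"                      # protected prefix from "HotlinkProtect /mp3"


def _mac(resource: str, expiry: str) -> str:
    """MAC over the exact resource path and the expiry timestamp."""
    msg = f"{resource}|{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_token(path: str, now: int) -> str:
    """Return '<expiry>-<mac>' valid for this one path only."""
    expiry = str(now + TTL)
    return f"{expiry}-{_mac(path, expiry)}"


def signed_path(path: str, now: int) -> str:
    """Insert the token as its own segment before the file name."""
    directory, _, name = path.rpartition("/")
    return f"{directory}/t={issue_token(path, now)}/{name}"


def check_request(url_path: str, now: int) -> str:
    """Classify a request path as 'allow', 'deny' or 'unprotected'."""
    if not (url_path == PREFIX or url_path.startswith(PREFIX + "/")):
        return "unprotected"
    parts = url_path.split("/")
    # The token is taken only from a segment marked "t=", never guessed from
    # a segment's length, so any file name (16 characters or not) stays a name.
    marked = [p for p in parts if p.startswith("t=")]
    if len(marked) != 1:
        return "deny"
    resource = "/".join(p for p in parts if not p.startswith("t="))
    expiry, _, mac = marked[0][2:].partition("-")
    if not (expiry.isascii() and expiry.isdigit()) or int(expiry) < now:
        return "deny"  # malformed or expired token
    expected = _mac(resource, expiry)
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return "allow" if ok else "deny"
```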