From 00e4ac20bb65e9bd06c51c035294488f7523598a Mon Sep 17 00:00:00 2001 From: Amos Ng Date: Mon, 29 Jun 2020 06:08:00 +0800 Subject: [PATCH 1/3] Added rudimentary support of Referer checking to mitigate hotlinking --- CHANGELOG.md | 1 + src/main/kotlin/mdnet/base/server/ImageServer.kt | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39db16c..2d8c1ac 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - [2020-06-23] Added Gitlab CI integration by [@lflare].
 - [2020-06-28] Added `client_external_port setting` [@wedge1001].
+- [2020-06-29] Added rudimentary support of Referer checking to mitigate hotlinking by [@lflare].
 ### Changed
diff --git a/src/main/kotlin/mdnet/base/server/ImageServer.kt b/src/main/kotlin/mdnet/base/server/ImageServer.kt
index f1bb94e..13e1c88 100644
--- a/src/main/kotlin/mdnet/base/server/ImageServer.kt
+++ b/src/main/kotlin/mdnet/base/server/ImageServer.kt
@@ -101,8 +101,12 @@ class ImageServer(private val cache: DiskLruCache, private val statistics: Atomi
 }
 }
+ val referer = request.header("Referer")
+
 handled.set(true)
- if (snapshot != null && imageDatum != null) {
+ if (referer != null && !referer.contains("mangadex.org")) {
+ Response(Status.FORBIDDEN)
+ } else if (snapshot != null && imageDatum != null) {
 request.handleCacheHit(sanitizedUri, getRc4(rc4Bytes), snapshot, imageDatum)
 .header("X-Uri", sanitizedUri)
 } else {
From d24c061cc64580f7ed8a4210c6c3a5e717f5d2a0 Mon Sep 17 00:00:00 2001 From: Amos Ng Date: Mon, 29 Jun 2020 06:16:28 +0800 Subject: [PATCH 2/3] Check for mangadex.org prefix rather than checking if referer contains string --- src/main/kotlin/mdnet/base/server/ImageServer.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/kotlin/mdnet/base/server/ImageServer.kt b/src/main/kotlin/mdnet/base/server/ImageServer.kt
index 13e1c88..dc7c633 100644
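Review bot: The new branch treats a missing Referer as allowed and a foreign one as forbidden, but nothing in the hunk records that contract; the header is client-supplied and many legitimate loads (direct navigation, privacy extensions, a no-referrer Referrer-Policy) carry none, so this is a hotlink deterrent rather than access control and should not later be tightened into one. A comment above the `val referer` line would pin that down: `// Hotlink deterrent only: Referer is client-controlled and often absent; reject only when a foreign origin is present.` The literal "mangadex.org" is now the sole allow-list entry and would read better as a named constant or a configuration setting than as an inline string. The handler body this sits in starts and ends outside the hunk.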
--- a/src/main/kotlin/mdnet/base/server/ImageServer.kt
+++ b/src/main/kotlin/mdnet/base/server/ImageServer.kt
@@ -104,7 +104,7 @@ class ImageServer(private val cache: DiskLruCache, private val statistics: Atomi
 val referer = request.header("Referer")
 handled.set(true)
- if (referer != null && !referer.contains("mangadex.org")) {
+ if (referer != null && !referer.startsWith("https://mangadex.org")) {
 Response(Status.FORBIDDEN)
 } else if (snapshot != null && imageDatum != null) {
 request.handleCacheHit(sanitizedUri, getRc4(rc4Bytes), snapshot, imageDatum)
From 620a859d5c0a2a5ea9fe33f6c679fc678c4b34cf Mon Sep 17 00:00:00 2001 From: Amos Ng Date: Mon, 29 Jun 2020 06:42:44 +0800 Subject: [PATCH 3/3] Properly close snapshot if referer invalid --- src/main/kotlin/mdnet/base/server/ImageServer.kt | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/src/main/kotlin/mdnet/base/server/ImageServer.kt b/src/main/kotlin/mdnet/base/server/ImageServer.kt
index dc7c633..dfe3b51 100644
--- a/src/main/kotlin/mdnet/base/server/ImageServer.kt
+++ b/src/main/kotlin/mdnet/base/server/ImageServer.kt
@@ -105,6 +105,10 @@ class ImageServer(private val cache: DiskLruCache, private val statistics: Atomi
 handled.set(true)
 if (referer != null && !referer.startsWith("https://mangadex.org")) {
+ if (snapshot != null) {
+ snapshot.close()
+ }
+
 Response(Status.FORBIDDEN)
 } else if (snapshot != null && imageDatum != null) {
 request.handleCacheHit(sanitizedUri, getRc4(rc4Bytes), snapshot, imageDatum)
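Review bot: `referer.startsWith("https://mangadex.org")` on the `+` line is a string-prefix test, not an origin check: it still accepts any Referer whose authority merely begins with that text (a longer hostname, or one in which `mangadex.org` is a label inside another domain), and it rejects legitimate variants that differ only in case or use a subdomain, if such exist. Parse the header and compare the host instead, e.g. `val refererHost = referer?.let { runCatching { URI(it).host }.getOrNull() }` followed by `if (referer != null && !"mangadex.org".equals(refererHost, ignoreCase = true)) {` (needs `import java.net.URI`); an unparseable Referer then yields a null host and is rejected, which looks like the safer default here. If subdomains should be allowed, extend the comparison with `refererHost?.endsWith(".mangadex.org") == true` rather than loosening the prefix. The enclosing handler starts and ends outside the hunk.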
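Review bot: The added `if (snapshot != null) { snapshot.close() }` is the idiomatic `snapshot?.close()` in Kotlin, collapsing the four added lines to one. More substantively, the Referer is available from the request before any cache work, so if the snapshot is obtained in the part of the handler above this hunk, moving the Referer check ahead of that lookup would avoid opening a snapshot only to close it on the forbidden path; the lookup is not visible from here, so confirm the ordering before reshuffling. The enclosing handler starts and ends outside the hunk.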