
Getimagesize + Hotlink protection


Grammer


I'm having a problem ALLOWING getimagesize() from certain domains, while at the same time disallowing hotlinking from unknown sites. Below is a snippet from my htaccess file:

 

RewriteEngine on

RewriteRule .*\.()$ - [F,NC]

RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?mysite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?mysite.com$ [NC]

RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf|css|js|mp3|m4a)$ - [F,NC]

Hotlinking does work from mysite.com, but getimagesize() fails. If I put an empty htaccess file instead of this one, getimagesize() works. Any ideas? :confused:

 

Thanks in advance!

Link to comment
Share on other sites

Once again, this is about disallowing hotlinking and getimagesize for most external servers & sites, while allowing hotlinking and getimagesize for SOME external servers & sites. Making exceptions for hotlinking works, but for getimagesize, for some reason, it doesn't.

 

So are you guys essentially telling me that this is a bug of some sort, and that the below htaccess file will disallow getimagesize for ALL external sites (using a full path), and that no external site can be excluded from this?

Link to comment
Share on other sites

Sorry, I misread the question. Using the rewrite rules you have will block all http access (this includes requests from php's getimagesize()) unless they originate from the mysite.com domain.

 

There is no way to block http and still allow getimagesize() to work as it actually uses http to retrieve remote files.

Link to comment
Share on other sites

Well the odd thing is that the rewrite rules I have will block all http access unless they originate from the mysite.com domain. But beyond that, it will also block requests from php's getimagesize, EVEN IF they originate from the mysite.com domain.

Link to comment
Share on other sites

HTTP_REFERER is something that the browser sends. It is not part of the HTTP request process itself. You do not automatically get it by virtue of the request happening. In fact, you won't get it unless it's specifically and intentionally being sent to you, and since PHP doesn't send it you don't get it.

 

As I suspected, you're trying to get the image data when it resides on the very same server that you're running the PHP from. Going over HTTP is wasteful and expensive. Like thorpe's said twice now, use the path to the image as a file, not as a URI. If you were trying mysite.com/path/to/image.jpg then you'd use something like

getimagesize($_SERVER["DOCUMENT_ROOT"] . "/path/to/image.jpg")

Link to comment
Share on other sites
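Added example, not part of the thread: one way to apply the advice above when the image URL comes from data rather than a hard-coded string, so the file is read from disk and never passes through the Referer rules. The helper name `localImageSize`, the exact-host comparison and the assumption that URL paths map directly onto the document root (no aliases or rewrites) are illustrative choices, not something the posters specified.

```php
<?php
// Hypothetical helper (added example): map a URL on this site to a file under
// the document root and measure it locally instead of fetching it over HTTP.
function localImageSize(string $url, string $ownHost, string $docRoot)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['path'])) {
        return false;
    }
    // Only host-relative URLs or URLs on our own host map to local files.
    if (isset($parts['host']) && strcasecmp($parts['host'], $ownHost) !== 0) {
        return false;
    }
    $path = rawurldecode($parts['path']);
    if (strpos($path, "\0") !== false) {
        return false;                       // reject encoded NUL bytes
    }
    // realpath() resolves "../" and symlinks; it returns false if the file is missing.
    $root = realpath($docRoot);
    $file = realpath($docRoot . '/' . ltrim($path, '/'));
    if ($root === false || $file === false) {
        return false;
    }
    // Containment check: the resolved file must still be inside the document root.
    if (strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    // Limit to the image extensions from the rewrite rule that getimagesize() reads.
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'gif', 'png', 'bmp'], true)) {
        return false;
    }
    return getimagesize($file);             // array on success, false otherwise
}

// Constructed usage; mysite.com is the placeholder host used in the thread.
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? __DIR__;
var_dump(localImageSize('http://mysite.com/path/to/image.jpg', 'mysite.com', $docRoot));
// A traversal attempt resolves outside the root (or to no file) and yields false.
var_dump(localImageSize('/images/../../etc/passwd', 'mysite.com', $docRoot));
```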

HTTP_REFERER is something that the browser sends. It is not part of the HTTP request process itself. You do not automatically get it by virtue of the request happening. In fact, you won't get it unless it's specifically and intentionally being sent to you, and since PHP doesn't send it you don't get it.

That I understand, but I don't understand why it is a problem in combination with hotlink protection. Isn't the referer empty as well when I type the image URL into the browser (where it does show?). :confused:

 

Link to comment
Share on other sites
