From a8887d2a5e980bc356c5708a5a3fc316abacc179 Mon Sep 17 00:00:00 2001
From: Deltik
Date: Tue, 5 Nov 2019 13:33:48 -0600
Subject: [PATCH] Support NGINX $host in Downloads hotlink protection
Fixes: #4010
Related: #3111
==== Problem ====
If there are two download mirrors, `slow.example.com` and `fast.example.com`, hotlink protection using an NGINX `secure_link_md5` expression in the Downloads plugin cannot distinguish between these hostnames. This means that a user limited to `slow.example.com` can change the download host to `fast.example.com` and download from the better mirror.
==== Solution ====
To solve this, `NginxSecureLinkMd5Decorator` needs to support the NGINX `$host` variable. Having this variable in the expression will lock down the secure link to the specific download host.
---
 .../download/handlers/NginxSecureLinkMd5Decorator.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/e107_plugins/download/handlers/NginxSecureLinkMd5Decorator.php b/e107_plugins/download/handlers/NginxSecureLinkMd5Decorator.php
index a3b62c955..a1d0c2059 100644
--- a/e107_plugins/download/handlers/NginxSecureLinkMd5Decorator.php
+++ b/e107_plugins/download/handlers/NginxSecureLinkMd5Decorator.php
@@ -9,7 +9,8 @@ class NginxSecureLinkMd5Decorator implements SecureLinkDecorator
 public static $SUPPORTED_VARIABLES = array(
 '$secure_link_expires',
 '$uri',
- '$remote_addr'
+ '$remote_addr',
+ '$host',
 );
 static function supported_variables()
 {
@@ -37,7 +38,8 @@ class NginxSecureLinkMd5Decorator implements SecureLinkDecorator
 array(
 $expiry,
 $url_parts['path'],
- $_SERVER['REMOTE_ADDR']
+ $_SERVER['REMOTE_ADDR'],
+ $url_parts['host'],
 ),
 $prefs['download_security_expression']
 );
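Review bot: The new `'$host'` entry in `$SUPPORTED_VARIABLES` (first hunk) carries no comment on where NGINX gets that value, and the guarantee in the commit message depends on it. NGINX fills `$host` from the request line or the `Host` header, falling back to the matched server name, so it is a request-supplied value. The signed link is bound to one mirror only if that mirror's `server` block answers solely for its own `server_name` and unknown names land on a default server that refuses them. I would add above the entry `// $host: request host as NGINX sees it (lowercase, no port); each mirror must serve only its own server_name`, and state the same requirement wherever the expression preference is documented.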
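Review bot: `$url_parts['host']` is substituted unchecked and in its original case in the second hunk, while NGINX's `$host` is always lowercase. `$url_parts` is built outside the hunk, presumably by `parse_url()`, which keeps the URL's case and returns no `host` key for a relative URL. A mixed-case or host-less download URL would then produce a hash NGINX never matches, plus an undefined-index notice; that fails closed, but the link is dead. I would write the entry as `isset($url_parts['host']) ? strtolower($url_parts['host']) : '',`. The replacement array also appears to be positional against `$SUPPORTED_VARIABLES`, so a one-line comment that the two lists must stay in the same order would help.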