
Photon origin restrictions

    Authored by Erick Hitter
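    <?php
    
    /*
     * Photon origin restrictions.
     *
     * Limits which origin hosts this Photon instance will serve. A request for any
     * host outside $hosts_whitelist is redirected back to the original image URL
     * when its path carries an allowed image extension, and rejected with 400 otherwise.
     *
     * Expects the including code to provide apply_filters() and to define
     * PRIVATE_SERVICE_REFERER (the referer host for which the whitelist is disabled).
     */
    
    // Rebuild the origin URL from the Photon request: the request path minus its leading
    // slash is "host/path", and the query string is passed through unchanged.
    $request_path = parse_url( 'scheme://host' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ); // see https://bugs.php.net/bug.php?id=71112 (and #66813)
    
    // parse_url() returns false for a malformed URI and null for a missing path; in both
    // cases there is no origin to resolve, so reject before building $url.
    if ( ! is_string( $request_path ) || '' === $request_path ) {
    	header( 'HTTP/1.1 400' );
    	die( '400 Bad Request' );
    }
    
    $url = sprintf( '%s://%s?%s',
    	array_key_exists( 'ssl', $_GET ) ? 'https' : 'http',
    	substr( $request_path, 1 ),
    	$_SERVER['QUERY_STRING'] ?? ''
    );
    
    // Don't bother if bad data is passed: no parseable host means no origin to serve.
    $host = parse_url( $url, PHP_URL_HOST );
    
    if ( ! is_string( $host ) || '' === $host ) {
    	header( 'HTTP/1.1 400' );
    	die( '400 Bad Request' );
    }
    
    // Whitelist requests, with a bypass for certain referers.
    // The Referer header is client-supplied and easily spoofed, so this bypass is a
    // convenience for the private service, not an access-control boundary.
    $referer = parse_url( $_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST );
    
    $hosts_whitelist = array(
    	's2.e15r.co',
    );
    
    // Guard the constant: referencing an undefined constant is a fatal Error on PHP 8.
    if ( defined( 'PRIVATE_SERVICE_REFERER' ) && PRIVATE_SERVICE_REFERER === $referer ) {
    	$hosts_whitelist = array();
    }
    
    // Whitelist file types for redirection (extension taken from the path only, never the query)
    $path = parse_url( $url, PHP_URL_PATH );
    $type = is_string( $path ) ? pathinfo( $path, PATHINFO_EXTENSION ) : '';
    
    $allowed_types = apply_filters( 'allowed_types', array(
    	'gif',
    	'jpg',
    	'jpeg',
    	'png',
    ) );
    
    // Redirect to the original URL if not whitelisted
    if ( ! empty( $hosts_whitelist ) && ! in_array( $host, $hosts_whitelist, true ) ) {
    	// Only image extensions are redirected, which narrows what this endpoint can be
    	// made to redirect to; everything else is rejected outright.
    	if ( ! in_array( $type, $allowed_types, true ) ) {
    		header( 'HTTP/1.1 400' );
    		die( '400 Bad Request' );
    	}
    
    	// $url is built from client input, but header() refuses values containing CR/LF,
    	// so additional headers cannot be injected through it.
    	header( 'Location: ' . $url, true, 302 );
    
    	// Stop here: without this the including script would presumably continue and
    	// fetch the non-whitelisted origin anyway, defeating the restriction.
    	exit;
    }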