From 0d762bb4166ec127b2cd27eb9cbe3c949c7f749d Mon Sep 17 00:00:00 2001
From: Jonathan Cremin <jonathan@crem.in>
Date: Sun, 9 Aug 2015 01:11:48 +0100
Subject: [PATCH] Block hotlinking of non-image files.

---
 web/routes/file.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/web/routes/file.js b/web/routes/file.js
index 8e4c455..e154c0f 100644
--- a/web/routes/file.js
+++ b/web/routes/file.js
@@ -16,10 +16,17 @@ const userAgentCheck = function(userAgent) {
   return userAgent.match(/^(wget|curl|vagrant)/i);
 };
 
+const hotlinkCheck = function(file, userAgent, referrer) {
+  debug(file, userAgent, referrer);
+  return !userAgentCheck(userAgent) && !file.width && !(referrer.match(/^https:\/\/hostr.co/) || referrer.match(/^http:\/\/localhost:4040/))
+};
+
 export function* get(id, name, size) {
-  debug('%s, %s, %s', id, name, size);
   const file = yield this.db.Files.findOne({_id: id, 'file_name': name, 'status': 'active'});
   this.assert(file, 404);
+  if (hotlinkCheck(file, this.headers['user-agent'], this.headers['referer'])) {
+    this.redirect('/' + id);
+  }
   let localPath = path.join(storePath, file._id[0], file._id + '_' + file.file_name);
   let remotePath = path.join(file._id[0], file._id + '_' + file.file_name);
   if (size > 0) {
@@ -50,7 +57,7 @@ export function* landing(id, next) {
   const file = yield this.db.Files.findOne({_id: id});
   this.assert(file, 404);
   if(userAgentCheck(this.headers['user-agent'])) {
-    return direct(file._id, file.file_name);
+    return yield get.call(this, file._id, file.file_name);
   }
 
   const formattedFile = formatFile(file);