diff --git a/redirect.php b/redirect.php
index c2038a6..c6c6537 100644
--- a/redirect.php
+++ b/redirect.php
@@ -83,6 +83,34 @@ function dxw_members_only_current_ip_in_whitelist()
 return false;
 }
+function dxw_members_only_referrer_in_allow_list()
+{
+ $referrer_list = explode("\n", get_option('dxw_members_only_referrer_allow_list'));
+ /*
+ * If there is no referrer header, or if we have no configured referrers to
+ * whitelist we can stop here.
+ */
+ if (isset($_SERVER['HTTP_REFERER']) && count($referrer_list) > 0) {
+ foreach ($referrer_list as $referrer) {
+ /*
+ * Add the site url to the referrer string to ensure that external
+ * referrers can't be used here.
+ */
+ $whitelisted_referrer = get_site_url().$referrer;
+ $referrer_check = strpos($_SERVER['HTTP_REFERER'],$whitelisted_referrer);
+ /*
+ * Check that there is a match, and that match is at the start of the referrer string.
+ * This is to ensure that the referrer being whitelisted can't be fooled by having
+ * a whitelisted referrer passed in as a parameter on the referrer string.
+ */
+ if ($referrer_check !==false && $referrer_check == 0){
+ return true;
+ }
+ }
+ }
+ return false;
+}
+
 add_action('init', function () {
 // Fix for wp-cli
 if (defined('WP_CLI_ROOT')) {
@@ -122,6 +150,13 @@ function dxw_members_only_current_ip_in_whitelist()
 return;
 }
+ // Referrer whitelist
+ if (dxw_members_only_referrer_in_allow_list()) {
+ header('Cache-Control: private, max-age=' . $max_age);
+ dxw_members_only_serve_uploads();
+ return;
+ }
+
 // List
 $hit = false;
 $list = explode("\n", get_option('dxw_members_only_list_content'));
diff --git a/settings.php b/settings.php
index c157c1d..6b4a142 100644
--- a/settings.php
+++ b/settings.php
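Review bot: An empty entry in the allow list — which is exactly what `explode("\n", ...)` yields when the option is unset, empty, or ends with a newline — makes `$whitelisted_referrer` equal to the bare `get_site_url()`, so any Referer that merely starts with the site URL passes the `strpos(...) == 0` test, including hostnames that only begin with it; each entry should be trimmed (textarea input also carries `\r`) and skipped when blank, and the `count($referrer_list) > 0` guard is always true because explode() returns at least one element. While touching the loop, `$referrer_check !==false && $referrer_check == 0` reduces to a single `=== 0` comparison. The function also needs a docblock saying that `HTTP_REFERER` is supplied by the client and absent for many requests, so this is a soft control rather than authentication — relevant because in the second hunk (inside the `init` closure, which starts and ends outside the hunk) this result alone serves the uploads. The rewritten loop body is below.
```php
    foreach ($referrer_list as $referrer) {
        // Entries come from a textarea: drop surrounding whitespace/CR and skip blanks,
        // otherwise the prefix degenerates to the bare site URL and matches far too much.
        $referrer = trim($referrer);
        if ($referrer === '') {
            continue;
        }
        $whitelisted_referrer = get_site_url() . $referrer;
        // Match only at position 0 so an allowed path embedded later in the Referer
        // (e.g. as a query parameter) is not accepted.
        if (strpos($_SERVER['HTTP_REFERER'], $whitelisted_referrer) === 0) {
            return true;
        }
    }
    // … unchanged: surrounding isset() check and final return false …
```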
@@ -5,7 +5,7 @@ function dxw_members_only_metasettings()
 {
 $ms = new dmometasettings(__FILE__, 'dxw_members_only');
- $ms->add_settings(__('dxw Members Only', 'dxwmembersonly'), ['list_type', 'list_content', 'ip_whitelist', 'redirect', 'redirect_root', 'upload_default', 'max_age'], 'dxw_members_only_options_page');
+ $ms->add_settings(__('dxw Members Only', 'dxwmembersonly'), ['list_type', 'list_content', 'ip_whitelist', 'referrer_allow_list', 'redirect', 'redirect_root', 'upload_default', 'max_age'], 'dxw_members_only_options_page');
 }
 /**
@@ -53,6 +53,24 @@ function dxw_members_only_options_page()
+

+

+

+ + + + + + + + +
+ +
+ +
+ +

%return_path% will be converted to the URL that was originally visited. i.e. /wp-login.php?redirect_to=http://example.com/private-page', 'dxwmembersonly') ?>