
#1 2018-06-28 05:27:49

yyaghi
Member
2018-06-28
6

Pictures limited to "Admins and Family" visible with direct link

Hello/Hi/Greetings,

I'm a new user with Piwigo and loving it so far!!! The only thing I have a question about so far is that if you take the direct link of a picture, it is public to anyone with that direct link, even though the albums are marked as visible to "Admins and Family".

Is there a way to stop that?

Piwigo version: 2.9.3
PHP version: 7.1.17
MySQL version: 5.5.5-10.1.34-MariaDB-1~xenial


#2 2018-06-28 08:37:18

executive
Member
2017-08-16
333

Re: Pictures limited to "Admins and Family" visible with direct link

Can you give an example?


#3 2018-06-28 16:19:15

yyaghi
Member
2018-06-28
6

Re: Pictures limited to "Admins and Family" visible with direct link

Well, if you right-click on any picture and copy the image address, and then go to another browser or incognito mode and paste it, the picture that is supposed to be visible only to certain groups is visible to everyone.

URL would look like this:
https://<sitename>/upload/<year>/<month>/<day>/<image name>

It looks like Piwigo is limiting access from the frontend UI, but not really at the backend. Even though I've disabled right-clicking so no one can get the direct link, it doesn't mean people with harmful intent would not be attempting to scan the upload directory.


#4 2018-06-28 20:32:38

executive
Member
2017-08-16
333

Re: Pictures limited to "Admins and Family" visible with direct link

Take a closer look at the image names.


#5 2018-06-28 21:13:19

teekay
Member
2013-06-12
388

Re: Pictures limited to "Admins and Family" visible with direct link

You could use $conf['derivative_url_style']=2, which proxies everything through i.php, and block direct access to /_data/i and /upload.

It requires some configuration:
https://piwigo.org/forum/viewtopic.php? … 98#p162898

https://kuther.net/blog/host-your-own-p … -and-nginx


#6 2018-06-29 02:19:40

yyaghi
Member
2018-06-28
6

Re: Pictures limited to "Admins and Family" visible with direct link

teekay - That is good news!
Unfortunately, I'm having issues starting nginx now. I'm not really familiar with nginx, so I don't know what's going on, but here are my errors:

Code:

nginx: [emerg] "location" directive is not allowed here in /config/nginx/nginx.conf:59
nginx: [emerg] "location" directive is not allowed here in /config/nginx/nginx.conf:59
nginx: [emerg] "location" directive is not allowed here in /config/nginx/nginx.conf:59

And below is my nginx.conf. I am using Docker, but I don't believe that should make any difference. Also, I'm using Traefik to handle the reverse proxy and SSL handling.

Code:

user abc;
worker_processes 4;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        client_max_body_size 0;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##

        access_log /config/log/nginx/access.log;
        error_log /config/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        #location = /robots.txt {
        #allow all;
        #log_not_found off;
        #access_log off;
        #}

        # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
        location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
        }

        # piwigo distribution files
        location ~ ^/(README|doc)$ {
        deny all;
        }

        # prevent direct access to uploaded images, derivatives and logs
        location ~ ^/(_data/(i|logs)|upload)/ {
        deny all;
        }

        location / {
        index index.php;
        try_files $uri $uri/ @rewrite;
        }

        location @rewrite {
        rewrite ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite ^/index((/|$).*)$ /index.php$1 last;
        rewrite ^/i((/|$).*)$ /i.php$1 last;
        }

        location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        try_files $script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        # prevent any hotlinks  and direct access to alias URIs (/i/upload/...)
        # which are not from Piwigo itself (happens when exporting from lightroom via ws.php)
        # this section needs to go _after_ the php handler, no idea why.

        set $check_referal "";

        # very restrictive
        valid_referers *.domain.tld;
        # if you want google etc to be able to show your images:
        #valid_referers ~google\.com ~bing\.com *.domain.tld

        if ($invalid_referer) {
        set $check_referal "invalid";
        }
        if ($http_user_agent !~ "Piwigo") {
        set $check_referal "${check_referal}+not_piwigo";
        }

        location ~* \.(gif|png|jpe?g)$ {
        if ($check_referal = "invalid+not_piwigo") {
         return 403;
        }
        try_files $uri $uri/ @rewrite;
        }
        ##
        # nginx-naxsi config
        ##
        # Uncomment it if you installed nginx-naxsi
        ##

        #include /etc/nginx/naxsi_core.rules;

        ##
        # nginx-passenger config
        ##
        # Uncomment it if you installed nginx-passenger
        ##

        #passenger_root /usr;
        #passenger_ruby /usr/bin/ruby;

        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/conf.d/*.conf;
        include /config/nginx/site-confs/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}
daemon off;

Last edited by yyaghi (2018-06-29 02:21:13)


#7 2018-06-29 12:27:35

teekay
Member
2013-06-12
388

Re: Pictures limited to "Admins and Family" visible with direct link

All those Piwigo-specific location rules etc. need to go into a server { ... } block.


#8 2018-06-29 21:25:20

yyaghi
Member
2018-06-28
6

Re: Pictures limited to "Admins and Family" visible with direct link

Hmm, it didn't like that.

I'm getting the following error:

Code:

nginx: [emerg] "server" directive is not allowed here in /config/nginx/nginx.conf:76

I am running this in a Docker container; I don't think it would really make a difference. I'm running the linuxserver/piwigo version since I didn't see an "official" version.

This is my "new" nginx.conf file:

Code:

user abc;
worker_processes 4;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        client_max_body_size 0;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##

        access_log /config/log/nginx/access.log;
        error_log /config/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # nginx-naxsi config
        ##
        # Uncomment it if you installed nginx-naxsi
        ##

        #include /etc/nginx/naxsi_core.rules;

        ##
        # nginx-passenger config
        ##
        # Uncomment it if you installed nginx-passenger
        ##

        #passenger_root /usr;
        #passenger_ruby /usr/bin/ruby;

        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/conf.d/*.conf;
        include /config/nginx/site-confs/*;
}

server {

 client_max_body_size 500m;
 client_body_buffer_size 100m;

 location ~ ^/favicon.ico$ {
   log_not_found off;
   access_log off;
 }
 location = /robots.txt {
   log_not_found off;
   access_log off;
 }

 # Deny Piwigo distribution files
 location ~ ^/(README|doc)$ {
   deny all;
 }
 # Deny hidden dot files
 location ~ /\. {
   deny all;
   access_log off;
   log_not_found off;
 }

 # Prevent direct access to Piwigo images and logs on filesystem
 location ~ ^/(_data/(i|logs)|upload)/ {
   return 403;
 }

 # the @rewrite is required when using
 # $conf['question_mark_in_urls'] = false;
 # $conf['php_extension_in_urls'] = false;
 #
 location / {
   index index.php;
   try_files $uri $uri/ @rewrite;
 }

 location @rewrite {
   rewrite ^/picture((/|$).*)$ /picture.php$1 last;
   rewrite ^/index((/|$).*)$ /index.php$1 last;
   rewrite ^/i((/|$).*)$ /i.php$1 last;
   # for piwigo-openstreetmap
   rewrite ^/osmmap((/|$).*)$ /osmmap.php$1 last;
 }

 location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
   try_files $script_name =404;
   include /etc/nginx/fastcgi_params;
   fastcgi_pass 127.0.0.1:9000;
   fastcgi_param PATH_INFO $path_info;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 }

 ### Prevent hotlinks - this section needs to be _after_ the php handler above
 #
 # When uploading images via ws.php (e.g. from Lightroom), there are requests from Piwigo
 # itself to /i/upload using the server's own IP and "Piwigo" user agent. We need to allow those
 ###

 # Only the site's own URL is a valid referer.
 # Empty referers and others like google etc are invalid, see Nginx docs for more info
 valid_referers gallery.domain.tld;
 # initialize empty variable
 set $check_referal "";
 # if referer is not our own hostname, set variable's value to "invalid"
 if ($invalid_referer) {
  set $check_referal "invalid";
 }
 # if the user agent is not "Piwigo", append "not_piwigo" to the value
 if ($http_user_agent !~ "Piwigo") {
  set $check_referal "${check_referal}+not_piwigo";
 }
 # Now, for all images, test if referer is invalid and user agent is not piwigo
 # If so, block the request
 location ~* \.(gif|png|jpe?g)$ {
   if ($check_referal = "invalid+not_piwigo") {
     return 403;
   }
   try_files $uri $uri/ @rewrite;
 }

}

#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}
daemon off;


#9 2018-07-01 13:07:39

teekay
Member
2013-06-12
388

Re: Pictures limited to "Admins and Family" visible with direct link

The server block needs to be inside the http block. If this is using the standard nginx image, you'd need to override conf.d/default.conf, not the whole nginx.conf.
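The two errors in this thread, "location" not allowed directly under http and "server" not allowed at the top level, are both nesting mistakes. The Python checker below is an added example, not code from the thread, Piwigo or nginx: it walks a config's brace structure and reports block directives in a context nginx rejects; the three embedded configs are constructed reductions of the posted files, not the files themselves.

```python
import re

# Block directives from this thread and the contexts nginx accepts them in
# ("main" is the implicit top level of nginx.conf).
ALLOWED_PARENTS = {"http": {"main"}, "server": {"http"}, "location": {"server", "location"}}

# Tokens: comment, quoted string (may hold braces, e.g. "${check_referal}"), { } ; or bare word.
TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def check_contexts(conf: str) -> list:
    """Return (line, directive, context) for block directives nginx rejects as 'not allowed here'."""
    errors, stack = [], ["main"]   # stack: enclosing block names, innermost last
    words, first_line = [], None   # tokens and start line of the directive being read
    for m in TOKEN_RE.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok == "{":
            name = words[0] if words else "?"
            if name in ALLOWED_PARENTS and stack[-1] not in ALLOWED_PARENTS[name]:
                errors.append((first_line, name, stack[-1]))
            stack.append(name)         # enter the block, whatever it is ("if", "location", ...)
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        elif tok != ";":
            if not words:
                first_line = conf.count("\n", 0, m.start()) + 1
            words.append(tok)
            continue
        words, first_line = [], None   # directive finished on "{", "}" or ";"
    return errors

# Constructed reductions of the two posted configs and of the corrected layout.
LOCATION_IN_HTTP = """http {
    # post #6: Piwigo location rules placed directly under http
    location ~ ^/(_data/(i|logs)|upload)/ { deny all; }
}"""
SERVER_AT_TOP_LEVEL = """http {
    include /etc/nginx/conf.d/*.conf;
}
server {
    location ~ ^/(_data/(i|logs)|upload)/ { return 403; }
}"""
SERVER_IN_HTTP = """http {
    server {
        location ~ ^/(_data/(i|logs)|upload)/ { return 403; }
        location ~* \\.(gif|png|jpe?g)$ { try_files $uri $uri/ @rewrite; }
    }
}"""
```

Running check_contexts on the first two constructed configs reports the same two directives nginx complained about, and an empty list for the server-inside-http layout.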


#10 2018-07-02 06:43:25

yyaghi
Member
2018-06-28
6

Re: Pictures limited to "Admins and Family" visible with direct link

So, your tip about the default file was perfect! No server errors being thrown now...but now all pictures are like this:


[image: Uploaded Images]


#11 2018-07-02 19:15:59

teekay
Member
2013-06-12
388

Re: Pictures limited to "Admins and Family" visible with direct link

Did you configure the $conf... settings for Piwigo, too?


#12 2018-07-03 09:25:21

samwilson
Member
Fremantle, Western Australia
2014-02-06
30

Re: Pictures limited to "Admins and Family" visible with direct link

yyaghi wrote:

URL would look like this:
https://<sitename>/upload/<year>/<month>/<day>/<image name>

This is a common pattern for photo gallery software (e.g. Flickr does a similar thing, albeit with a different URL structure). The security is all based on the idea that the <image name> is not guessable. You're right, someone could try to iterate through the directories, but there is an 8-character random string in each filename, so it makes it hard.


#13 2018-07-03 20:58:58

executive
Member
2017-08-16
333

Re: Pictures limited to "Admins and Family" visible with direct link

That's what I was getting at. The security is good enough for most people. It's a sharing program, not a vault.


#14 2018-07-04 06:29:24

yyaghi
Member
2018-06-28
6

Re: Pictures limited to "Admins and Family" visible with direct link

teekay - I need to check that again. The servers are down right now for maint.

samwilson & executive - Actually, the file names are the names that were uploaded originally. No deviation or anything. I'll double check tomorrow, but that's why I was like...I need to close this up.


#15 2018-07-04 16:27:56

flop25
Piwigo Team
2006-07-06
6826

Re: Pictures limited to "Admins and Family" visible with direct link

If you are using the web upload, the file name has a randomized number.


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website
