
#1 2011-06-22 10:39:35

Bernardr
Guest

Are files protected against access directly with URL?

I found out that the files in the /upload directory are accessible from the net as long as the file name is known.
There is a small index.html file saying "not allowed!".
Is that all the protection there is? Should not all file access run through the piwigo software and handled with the permissions set in there?
As far as I can see even ADMIN only files can be seen using the right URL.
Should I add a .htaccess file?

 

#2 2011-06-23 16:29:20

Bernardd
Guest

Re: Are files protected against access directly with URL?

E.g. a photo on the demo site:
http://albums.piwigo.net/real-VDigital/ … -17-47.jpg
can be viewed without any restrictions. Even if the photo should be seen only by the admin, with the right url the picture can be seen.
Should there not be more protection for the pictures?

 

#3 2011-06-23 18:42:08

grum
Former Piwigo Team
Pantin
2007-09-10
1371

Re: Are files protected against access directly with URL?

Every file uploaded on a webserver is accessible through a direct url.

Piwigo can't do anything against it.
The only thing you can do is to configure your apache server with an .htaccess file (if you don't have access to the apache config file) but I don't have enough knowledge to help you with it.

Only thing I know is: if you block access to a file, users have to login with an apache login/password to access the file.
I don't know if it's possible to implement something within a php file to say to apache: "it's OK, access to the file is done through a Piwigo page so you can upload it to the computer"

Maybe adding something in the url like http://(myurl)/?accesKey=xyz can work.
You have to read apache documentation ;-)


My pictures with Piwigo, of course !
[ www.grum.fr ]

Offline
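
The access-key idea from post #3 can be made concrete as a signed, expiring link checked by a small PHP gatekeeper. This is an added example, not part of the original thread and not Piwigo code: the script itself, the `file`, `expires` and `accessKey` parameters, `STORE_DIR` and `SECRET` are all assumptions, and it presumes the web server already refuses direct requests to the upload directory.

```php
<?php
// Added example, not Piwigo code. Assumes Apache already refuses direct
// requests to STORE_DIR, so this script is the only way to fetch a file.
const STORE_DIR = __DIR__ . '/upload';                // assumed location
const SECRET    = 'replace-with-a-long-random-value'; // placeholder

// Key the gallery would issue after its own permission check (hypothetical).
function make_access_key(string $relPath, int $expires): string
{
    return hash_hmac('sha256', $relPath . "\n" . $expires, SECRET);
}

// Absolute path to serve, or null when the request must be refused.
function authorize(string $relPath, int $expires, string $key, int $now): ?string
{
    if ($expires < $now) {
        return null; // link has expired
    }
    if (!hash_equals(make_access_key($relPath, $expires), $key)) {
        return null; // forged or altered link
    }
    $base = realpath(STORE_DIR);
    $full = realpath(STORE_DIR . '/' . $relPath);
    // realpath() resolves "..", so anything outside STORE_DIR is rejected.
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Read one query parameter as a string; arrays and missing values become ''.
function param(string $name): string
{
    $v = $_GET[$name] ?? '';
    return is_string($v) ? $v : '';
}

$full = authorize(param('file'), (int) param('expires'), param('accessKey'), time());
if ($full === null) {
    http_response_code(403);
    exit('Forbidden');
}
header('Content-Type: ' . (mime_content_type($full) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($full));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($full);
```

A link signed this way still works for anyone who obtains it until `expires` passes, so the lifetime should be short and the key issued only after the gallery has checked the viewer's permissions.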

 

#4 2011-06-23 23:07:25

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3277

Re: Are files protected against access directly with URL?

it's possible with this plugin for example [extension by repie38] HotBlocker
but not up to date and perhaps tricky to use (I've not tested)

Offline

 

#5 2011-06-24 00:16:40

Zaphod
Former Piwigo Team
2006-11-13
441

Re: Are files protected against access directly with URL?

This plugin seems to block hotlinks... not direct urls.

Offline

 

#6 2011-06-24 00:27:42

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3277

Re: Are files protected against access directly with URL?

right :s
sorry

Offline

 

#7 2011-06-24 00:37:38

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13791

Re: Are files protected against access directly with URL?

I think this very old MOD is an answer [extension by acp] Secure Images, but it's not compatible with Piwigo 2.2

Offline

 

#8 2011-07-31 16:38:40

Tim S
Guest

Re: Are files protected against access directly with URL?

but it's not compatible with Piwigo 2.2

Are there any plans to make it compatible?
Thank you

 

#9 2012-04-29 19:48:45

photo_friend
Member
Berlin
1970-01-01
202

Re: Are files protected against access directly with URL?

Some news about this really important topic?
I'm really happy with piwigo and I love it. But on the other hand I'm scared about this huge security issue. Nobody without permission should have any access to my photos. But it looks like everybody who knows the direct URL can access the image files. That's strange and a problem. Why does Piwigo have user authentication, if anybody with technical knowledge can access all photos?

Offline

 

#10 2012-05-10 07:38:20

photo_friend
Member
Berlin
1970-01-01
202

Re: Are files protected against access directly with URL?

I have investigated this issue a little bit more. Wherever you use a public PC or a public network, it is really easy to have unauthorized access to all of your photos. You just have to look for the URL calls in the network proxy or browser history and you see the direct link to each photo that the user has opened.
This issue came up for me because the piwigo facebook plugin publishes the photo URL. Even if you have a private server, everybody can access your photo in high resolution.

I would be glad, if a solution comes soon.

Offline

 

#11 2012-09-07 19:17:47

Kalle
Member
2012-08-17
89

Re: Are files protected against access directly with URL?

photo_friend wrote:

I would be glad, if a solution comes soon.

+1

Offline

 

#12 2012-09-11 22:07:09

K_Erwin
Guest

Re: Are files protected against access directly with URL?

As said before this is a web server directive, use something like

RewriteEngine On
RewriteRule ^upload/ - [F,L]

in the main directory .htaccess

Works fine for apache

 

#13 2012-09-12 04:14:49

JJF
Member
2011-10-06
118

Re: Are files protected against access directly with URL?

Hi,
So I put into my galleries directory an .htaccess:

Code:

RewriteEngine On
RewriteRule ^galleries/ - [F,L]

made no difference. Also put in the root of my web site. Still made no difference. Any ideas?

Offline

 

#14 2012-09-12 08:34:09

K_Erwin
Guest

Re: Are files protected against access directly with URL?

If you put it inside /galleries it won't work!

Do you use Apache? Is it configured to read .htaccess? Else put the lines in httpd.conf

It works perfectly.

 

#15 2012-09-12 09:02:07

Kalle
Member
2012-08-17
89

Re: Are files protected against access directly with URL?

K_Erwin wrote:

As said before this is a web server directive, use something like

RewriteEngine On
RewriteRule ^upload/ - [F,L]

in the main directory .htaccess

Works fine for apache

Why are you sure that this works? This does not prevent a browser from showing a picture with a known direct link.

Piwigo does not use php to send a picture to the browser, and the plugin "secure images" is not updated to Piwigo 2.4.3.

Offline

 
