Announcement

#1 2011-06-22 10:39:35

Bernardr
Guest

Are files protected against access directly with URL?

I found out that the files in the /upload directory are accessable from the net as long as the file name is known.
There is a small index.html file saying "not allowed!".
Is that all the protection there is? Should not all file access run through the piwigo software and handled with the permissions set in there?
As far as I can see even ADMIN only files can be seen using the right URL.
Should I add a .htaccess file?

 

#2 2011-06-23 16:29:20

Bernardd
Guest

Re: Are files protected against access directly with URL?

E.g. a photo on the demo site:
http://albums.piwigo.net/real-VDigital/ … -17-47.jpg
can be viewed without any ristrictions. Even if the photo should be seen only by the admin, with the right url the picture can bee seen.
Should there not be more protection for the pictures?

 

#3 2011-06-23 18:42:08

grum
Former Piwigo Team
Pantin
2007-09-10
1371

Re: Are files protected against access directly with URL?

Every file uploaded on a webserver is accessible through a direct url.

Piwigo can't do anything against it.
The only thing you can is to configure your apache server with an .htaccess file (if you don't have acces on the apache config file) but I' don't have enough knowlegde to help you with it.

Only thing I know is : if you block access to a file, users have to login with an apache login/password to access the file.
I don't know if it's possible to implement something within a php file to says to apache : "it's OK, access to the file is done through a Piwigo page so you can upload it to the computer"

Maybe adding something in the url like http://(myurl)/?accesKey=xyz can work.
You have to read apache documentation ;-)


My pictures with Piwigo, of course !
[ www.grum.fr ]

Offline

 

#4 2011-06-23 23:07:25

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3277

Re: Are files protected against access directly with URL?

it's possible with this plugin for exemple [extension by repie38] HotBlocker
but not up to date et perhaps tricky to use (I've not tested)

Offline

 

#5 2011-06-24 00:16:40

Zaphod
Former Piwigo Team
2006-11-13
441

Re: Are files protected against access directly with URL?

This plugin seems to block hotlinks... not direct urls.

Offline

 

#6 2011-06-24 00:27:42

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3277

Re: Are files protected against access directly with URL?

right :s
sorry

Offline

 

#7 2011-06-24 00:37:38

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13840

Re: Are files protected against access directly with URL?

Hi think this very old MOD is an answer [extension by acp] Secure Images, but it's not compatible with Piwigo 2.2

Offline

 

#8 2011-07-31 16:38:40

Tim S
Guest

Re: Are files protected against access directly with URL?

but it's not compatible with Piwigo 2.2

Are there any plans to make it compatible?
Thank you

 

#9 2012-04-29 19:48:45

photo_friend
Member
Berlin
1970-01-01
202

Re: Are files protected against access directly with URL?

Some news about this really important topic?
I'm really happy with piwigo and I love it. But on the other hand I'm scared about this huge security issue. Nobody without permission should has any access to my photos. But looks like, everybody how knows the direct URL can access to the image files. That's strange and a problem. Why Piwigo has an user authentification, if anybody with technical knowledge can access all photos.

Offline

 

#10 2012-05-10 07:38:20

photo_friend
Member
Berlin
1970-01-01
202

Re: Are files protected against access directly with URL?

I have investigating a little bit more about this issue. Wherever you use  a public PC or a public network, it is really easy to have unauthorized access to all of you photo. You just have to look for the URL calls in the network proxy or browser history and you see the direct link to each photo that the user has been open.
This issue come up for me, because the piwigo facebook plugin publish the photo URL. Even if you have a privat server, everybody can access your photo in high resolution.

I would be glad, if a solution comes soon.

Offline

 

#11 2012-09-07 19:17:47

Kalle
Member
2012-08-17
89

Re: Are files protected against access directly with URL?

photo_friend wrote:

I would be glad, if a solution comes soon.

+1

Offline

 

#12 2012-09-11 22:07:09

K_Erwin
Guest

Re: Are files protected against access directly with URL?

As said before this is a web server diective, use something like

RewriteEngine On
RewriteRule ^upload/ - [F,L]

in the main directory .htaccess

Works fine for apache

 

#13 2012-09-12 04:14:49

JJF
Member
2011-10-06
121

Re: Are files protected against access directly with URL?

Hi,
So i put into my galleries directory an .htaccess:

Code:

RewriteEngine On
RewriteRule ^galleries/ - [F,L]

made no difference. Also put in the root of my web site. Still made no difference. Any ideas?

Offline

 

#14 2012-09-12 08:34:09

K_Erwin
Guest

Re: Are files protected against access directly with URL?

If you put it inside /galleries it won't work!

Do you use Apache? Is it configured to read .htaccess? Else put the lines in httpd.conf

It works perfectly.

 

#15 2012-09-12 09:02:07

Kalle
Member
2012-08-17
89

Re: Are files protected against access directly with URL?

K_Erwin wrote:

As said before this is a web server diective, use something like

RewriteEngine On
RewriteRule ^upload/ - [F,L]

in the main directory .htaccess

Works fine for apache

Why are you sure that this work? This does not prevent a browser to show a picture with a known direct link.

Piwigo does not use php to send a picture to the browser, and the plugin "secure images" is not updated to Piwigo 2.4.3.

Offline

 

Board footer

Powered by FluxBB

github twitter newsletter Donate Piwigo.org © 2002-2024 · Contact