I found out that the files in the /upload directory are accessible from the net as long as the file name is known.
There is a small index.html file saying "not allowed!".
Is that all the protection there is? Should not all file access run through the Piwigo software and be handled with the permissions set in there?
As far as I can see even ADMIN only files can be seen using the right URL.
Should I add a .htaccess file?
E.g. a photo on the demo site:
http://albums.piwigo.net/real-VDigital/ … -17-47.jpg
can be viewed without any restrictions. Even if the photo should be seen only by the admin, with the right URL the picture can be seen.
Should there not be more protection for the pictures?
Every file uploaded on a webserver is accessible through a direct url.
Piwigo can't do anything against it.
The only thing you can do is configure your Apache server with an .htaccess file (if you don't have access to the Apache config file), but I don't have enough knowledge to help you with it.
The only thing I know is: if you block access to a file, users have to log in with an Apache login/password to access the file.
I don't know if it's possible to implement something within a PHP file to say to Apache: "it's OK, access to the file is done through a Piwigo page, so you can upload it to the computer".
Maybe adding something in the url like http://(myurl)/?accesKey=xyz can work.
You have to read apache documentation ;-)
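The previous reply asks whether a PHP file can tell Apache that a request is legitimate. The usual way to do that is the other way round: forbid direct access to upload/ in .htaccess and let a small PHP script stream the file after checking the login. The following is an added example written for this page, not Piwigo code and not code from any poster; the script name serve.php, the UPLOAD_ROOT location and the $_SESSION['user_id'] key are assumptions, and a real deployment would replace user_may_view() with a lookup in the gallery's own permission tables.

```php
<?php
// Added example, not Piwigo code: a gatekeeper script that hands out files
// from upload/ only after a login check, so that the web server itself
// never serves them directly.
//
// Step 1 (Apache): forbid direct requests to upload/ in the site's
// top-level .htaccess (AllowOverride must allow mod_rewrite directives):
//
//   RewriteEngine On
//   RewriteRule ^upload/ - [F,L]
//
// Step 2: link to images as /serve.php?f=2011/01/31/photo.jpg instead of
// /upload/2011/01/31/photo.jpg. Paths, the script name and the session
// key below are assumptions for the example.

session_start();

// Absolute path of the protected directory (assumed layout).
const UPLOAD_ROOT = __DIR__ . '/upload';

/**
 * Permission check. Placeholder for a real lookup in the application's
 * user/album permissions; $_SESSION['user_id'] is an assumed key.
 */
function user_may_view(string $relative): bool
{
    return isset($_SESSION['user_id']);
}

/**
 * Resolve a user-supplied relative path to a regular file strictly inside
 * UPLOAD_ROOT. Returns null for traversal (../), absolute paths, symlinks
 * pointing outside, null bytes, or anything that is not a plain file.
 */
function resolve_upload_path(string $relative): ?string
{
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    $base = realpath(UPLOAD_ROOT);
    $candidate = realpath(UPLOAD_ROOT . '/' . $relative);
    if ($base === false || $candidate === false) {
        return null;
    }
    // Prefix test including the separator, so "/var/www/upload2" does not
    // pass for a base of "/var/www/upload".
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $message, "\n";
    exit;
}

$raw = $_GET['f'] ?? '';
$relative = is_string($raw) ? $raw : '';

// Check the session before touching the filesystem, so an anonymous
// visitor learns nothing about which file names exist.
if (!user_may_view($relative)) {
    deny(403, 'not allowed!');
}

$path = resolve_upload_path($relative);
if ($path === null) {
    deny(404, 'not found');
}

// Serve image types only, based on the file's content rather than its name.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
    deny(404, 'not found');
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
// Keep shared proxies from caching a copy that bypasses the check.
header('Cache-Control: private, no-store');
readfile($path);
```

Two caveats a practitioner should keep in mind. The RewriteRule on its own blocks every request to upload/, including the ones the gallery's own pages make when a logged-in user views an album, so it is only usable once every image link goes through a script like this one; any other directory that holds copies of the pictures (thumbnails, resized versions) needs the same pair of rule and gate. And because the gate relies on the session cookie rather than on the URL, a link copied from a browser history or a proxy log is useless to anyone who is not logged in, which is the failure mode raised later in this thread.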
it's possible with this plugin for example [extension by repie38] HotBlocker
but not up to date and perhaps tricky to use (I've not tested)
This plugin seems to block hotlinks... not direct urls.
right :s
sorry
Hi, I think this very old MOD is an answer: [extension by acp] Secure Images, but it's not compatible with Piwigo 2.2
but it's not compatible with Piwigo 2.2
Are there any plans to make it compatible?
Thank you
Any news about this really important topic?
I'm really happy with Piwigo and I love it. But on the other hand I'm scared about this huge security issue. Nobody without permission should have any access to my photos. But it looks like everybody who knows the direct URL can access the image files. That's strange and a problem. Why does Piwigo have user authentication if anybody with technical knowledge can access all photos?
I have investigated this issue a little bit more. Whenever you use a public PC or a public network, it is really easy to get unauthorized access to all of your photos. You just have to look for the URL calls in the network proxy or the browser history and you see the direct link to each photo that the user has opened.
This issue came up for me because the Piwigo Facebook plugin publishes the photo URL. Even if you have a private server, everybody can access your photos in high resolution.
I would be glad, if a solution comes soon.
photo_friend wrote:
I would be glad, if a solution comes soon.
+1
As said before this is a web server directive, use something like
RewriteEngine On
RewriteRule ^upload/ - [F,L]
in the main directory .htaccess
Works fine for apache
Hi,
So I put an .htaccess into my galleries directory:
RewriteEngine On
RewriteRule ^galleries/ - [F,L]
It made no difference. I also put it in the root of my web site. Still no difference. Any ideas?
If you put it inside /galleries it won't work!
Do you use Apache? Is it configured to read .htaccess? Otherwise put the lines in httpd.conf.
It works perfectly.
K_Erwin wrote:
As said before this is a web server directive, use something like
RewriteEngine On
RewriteRule ^upload/ - [F,L]
in the main directory .htaccess
Works fine for apache
Why are you sure that this works? This does not prevent a browser from showing a picture with a known direct link.
Piwigo does not use PHP to send a picture to the browser, and the plugin "Secure Images" is not updated for Piwigo 2.4.3.