Screen Capture and Screen Record allow the copying of photos, images and videos in the largest format that is visible in the web browser.

So if you don't want it copied/stolen - don't put it on the Internet ;-(

Konstantin wrote:

Is the problem solved in the new release? IMHO, this problem makes piwigo unusable although it has otherwise really features!

Pictures must be protected from direct access since otherwise a user or a bot can guess the URL! Picture files mostly have a very predictable structure. I might, e.g., try http://your_piwigo_host.com/_data/i/2014/DSC_12345.jpg and voila.

Protection of the piwigo/galleries folder through htaccess seems to work but not the protection of the piwigo/_data/i folder which contains the multiple sizes. If htacess prohibits access to this folder, the pictures won't show up on the gallery. Isn't it possible to fix that??

Thanks for the effort for providing this otherwise really nice tool!

Ok, this seems to be solved now. See http://piwigo.org/forum/viewtopic.php?p … 53#p155153

I agree that is a security hole.

Maybe a .htaccess with referral check can be a temporary woraroud

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

so only requests for images coming from yourdomain.com will be allowed.

Sarita wrote:

How can we report someone on here who has posted photos on their "piwigo" site that don't actually belong to them? A photographer on here has posted photos of me, that I took myself, and he has NO permission to post them online, but he is refusing to take them down. What can I do? He stole my photos! Help!
-Concerned Girl in New England

Hi :-)

Thanks don't post same post on more topic ;-)

bigfoot wrote:

I agree that is a security hole.

Maybe a .htaccess with referral check can be a temporary woraroud

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

so only requests for images coming from yourdomain.com will be allowed.

Thank you so much!
This worked fine - this security hole is fixed. Even in 2020 this security gap still exists without this .htaccess-entry.

thanhphan467 wrote:

u need know, if browser can read , then users will be read. browser show image, then users will be copy image. it's not Secure problem.

The user can copy (say download) the image file and send it to others, and that is not a secure problem, of course. The real problem here is that anyone is able to construct image URLs with file names and view any image in the gallery site without login.

Arnie97 wrote:

if she or he know its file name (which is unfortunately fairly easy to guess if a serial number based naming scheme is used for image files).

You name it, if a serial number based naming scheme is used. Which can happen only in the FTP+Sync image adding process so is under the control of the admin or users allowed to ftp. Otherwise, using the Piwigo image upload it's not a serial number based scheme but date plus 8 characters of md5 of image.