
#1 2021-09-16 13:21:05

MIDId
Member
2021-09-16
5

Access to Piwigo server files is unrestricted

Hello/Hi/Greetings,

I have a Piwigo gallery installed on a server hosted by a webhosting company. I have a number of albums that are set to private, and some that are public. Restricting access to albums on Piwigo works well, i.e. only the selected users/groups can view them. However, if I try to access the server files of an album that is private, I can do so without any issue. I don't want to link to my gallery because I feel that this is a security issue, so I will use an example of a Piwigo gallery where access to the server files is forbidden but the images and albums are publicly accessible on the website.

This is a page from user erAck's gallery:

https://erack.net/gallery/picture/1460/category/Hamburg

I can find the URL of the image like so:

../../../_data/i/upload/2021/04/02/20210402205551-d5205baf-sm.jpg

I can then attempt to directly access the folder of the image on the server like so:

https://erack.net/gallery/upload/2021/04/02/

But I am getting the message "Not allowed!", as it should!

Or here:

https://erack.net/gallery/upload/2021/04/

I am getting "Forbidden"! Great!

Now imagine that on my website these links actually display all the files and folders within those folders, and I can go to the parent folders without any restrictions. Is that a Piwigo or a server-side issue? And if so, what could possible solutions to this issue be?

Thanks.



Last edited by MIDId (2021-09-16 13:22:34)


#2 2021-09-16 22:28:49

MIDId
Member
2021-09-16
5

Re: Access to Piwigo server files is unrestricted

OK, so after a bit of googling I did find some sort of a solution. An .htaccess file with the following content can be added to the /galleries/ folder:

# Apache 2.2-style access directives (on Apache 2.4 they require mod_access_compat)
# Default for everything under this directory: deny all requests
Order Allow,Deny
Deny from all

# Re-open access only for files whose name ends in one of these extensions
<FilesMatch "\.(jpg|gif|png|php|ply|rar|zip|stl)$">
    Order Deny,Allow
    Allow from all
</FilesMatch>

This will deny access to the directories, but will allow access to the files with the extensions listed in the <FilesMatch> tag within those directories. However, there is still the issue that if someone has access to a file in an album that has restricted access on Piwigo, they could share the URL of the image or file with someone who shouldn't have access to it, and that person will be able to access that file. This sort of access could be restricted if Piwigo somehow communicated with the Apache (or whatever) server with regards to file permissions, but it doesn't seem like it does? Or is there in fact some sort of server-Piwigo integration regarding access to files/folders on the server itself? Another option for Piwigo is to maybe generate temporary file URLs based on user access permissions?

Last edited by MIDId (2021-09-16 22:35:35)


#3 2021-09-17 03:04:21

erAck
Only trying to help
2015-09-06
2035

Re: Access to Piwigo server files is unrestricted

Thanks for using my gallery as an example ;-)
You can get the image URL easier with a right click on the image and Copy Image Location ...

So, anyone being able to view the image has access to the image, that's quite normal, isn't it?
Be it through the URL or by copying the image in the browser.

I see that it bothers some (there were other threads), but I don't agree it would matter. Either you publish images, or you have to trust the users with access to non-public images to not pass them along by any means.

Usually you can't go up to an upload folder because Piwigo places an index.htm file with "Not allowed!" in each subdirectory it creates there. If Piwigo can't do that then it's a server-side issue. If it can but the index.htm is not used then make sure your server configuration (or at least piwigo parent .htaccess) includes index.htm (! not .html) in its DirectoryIndex directive.

If you only want to prevent directory listings then your .htaccess content is unnecessary if instead you put

Options -Indexes

Best already in the server or domain configuration.


Running Piwigo at https://erack.net/gallery/
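A defender-side audit for the two points raised in this thread, added here as an example; it is not Piwigo's code and not part of either poster's reply. It walks an upload tree and reports every subdirectory that lacks the index.htm placeholder erAck describes, writes the placeholder where it is missing, and heuristically checks a .htaccess for "Options -Indexes" or the deny rule from post #2. The function names, the temporary tree built in demo(), the placeholder text and the .htaccess samples are all constructed for this example.

```python
"""Audit a Piwigo-style upload tree for directory-listing exposure.

Added example (not Piwigo's own code). The checks follow the thread:
every subdirectory under the upload folder should carry an index.htm
placeholder, and a .htaccess at the top should disable directory indexes
or deny access by default. Tree layout and file names are constructed.
"""
import os
import re
import tempfile

# Placeholder body, assumed for this example (Piwigo's own file says "Not allowed!")
NOT_ALLOWED = "Not allowed!"


def find_unprotected_dirs(upload_root):
    """Return sorted, slash-separated relative paths of directories without index.htm."""
    missing = []
    for dirpath, _dirnames, filenames in os.walk(upload_root):
        if "index.htm" not in filenames:
            rel = os.path.relpath(dirpath, upload_root).replace(os.sep, "/")
            missing.append(rel)  # "." marks the upload root itself
    return sorted(missing)


def add_placeholders(upload_root):
    """Write an index.htm into every directory that lacks one; return how many were created."""
    created = 0
    for rel in find_unprotected_dirs(upload_root):
        path = os.path.join(upload_root, rel, "index.htm")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(NOT_ALLOWED)
        created += 1
    return created


def htaccess_blocks_listings(htaccess_text):
    """Heuristic: True if the .htaccess text disables indexes or denies by default.

    This is a line-pattern check, not an Apache config parser: it accepts
    'Options -Indexes', the 2.4 form 'Require all denied', or the 2.2 form
    'Deny from all' used in post #2.
    """
    patterns = (
        r"^\s*Options\b[^\n]*-Indexes",
        r"^\s*Require\s+all\s+denied\b",
        r"^\s*Deny\s+from\s+all\b",
    )
    return any(re.search(p, htaccess_text, re.M | re.I) for p in patterns)


def demo():
    """Build a constructed upload tree, audit it, repair it, and return the findings."""
    root = tempfile.mkdtemp(prefix="piwigo_upload_")
    for rel in ("2021/04/02", "2021/05/01"):
        os.makedirs(os.path.join(root, rel))
    # Constructed image file name in the style of the thread's example URL
    open(os.path.join(root, "2021/04/02/image-sm.jpg"), "wb").close()
    # Only the deepest April directory carries the placeholder; the rest are exposed
    with open(os.path.join(root, "2021/04/02/index.htm"), "w", encoding="utf-8") as fh:
        fh.write(NOT_ALLOWED)
    before = find_unprotected_dirs(root)
    created = add_placeholders(root)
    after = find_unprotected_dirs(root)
    return before, created, after


def demo_htaccess():
    """Return (verdict for a weak .htaccess, verdict for a hardened one); both constructed."""
    weak = "# nothing here stops a listing\nDirectoryIndex index.htm\n"
    hardened = "Options -Indexes\nDirectoryIndex index.htm\n"
    return htaccess_blocks_listings(weak), htaccess_blocks_listings(hardened)


if __name__ == "__main__":
    before, created, after = demo()
    print("exposed before:", before)
    print("placeholders created:", created, "| exposed after:", after)
    print("weak/hardened .htaccess verdicts:", demo_htaccess())
```

Run it against a real installation by pointing find_unprotected_dirs() at the gallery's upload directory; the .htaccess check only tells you whether a blocking directive is present, so DirectoryIndex including index.htm (as erAck notes, not .html) still has to be confirmed in the server configuration.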
