Announcement

  •  » Requests
  •  » Some folders without protection?

#1 2014-10-09 16:52:54

JanisV
Member
2013-09-25
85

Some folders without protection?

Hi,

I try to make my Piwigo more protected. I use original_url_protection and denie access to /galleries and /upload folders with Apache. Unauthorized users can view only images with direct link like /_data/i/upload/2014/09/17/20140917125309-68ab7f6c-th.jpg or /_data/i/galleries/MyTravel/DSC00320-th.JPG. Ok, that's enough for me, if I missed anything.

But unauthorized user also can access to /_data/i/, /_data/i/galleries/, /_data/i/upload/ and see my folder structure. Thats not good.

What about adding default index.html file into this folders by Piwigo? Or any other solution?

Also I need a cron job for remove cached images from /_data/i/ that older than month. Anybody have that?

Piwigo version: 2.7

Last edited by JanisV (2014-10-09 16:57:03)

Offline

 

#2 2014-10-09 17:13:44

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13821

Re: Some folders without protection?

Yes, the "structure" is not protected, but :

$ cat _data/i/upload/2014/08/25/index.htm
Not allowed!

There is an "index.htm" in the directory of the resized photos. Yes we could add an index.html files at each level of the structure. You can do even more secure:

Code:

$conf['derivative_url_style'] = 2;

in your local configuration (plugin LocalFiles Editor) and then add a .htaccess "deny from all" in your directory _data/i

I don't have the cron script to remove cached images. I ask rvelices who may have one. If not, I can write one but something smarter would be a Piwigo plugin which deletes big sizes (small sizes are not a problem I think) on a regular basis.

Offline

 

#3 2014-10-09 17:19:22

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13821

Re: Some folders without protection?

Even smarter, the plugin can check the access time of the resized photo :

Code:

$ stat _data/i/upload/2014/09/01/20140901205514-bd05ef8d-th.jpg 
  File: `_data/i/upload/2014/09/01/20140901205514-bd05ef8d-th.jpg'
  Size: 15463           Blocks: 32         IO Block: 4096   regular file
Device: 902h/2306d      Inode: 47451864    Links: 1
Access: (0644/-rw-r--r--)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2014-10-09 17:17:24.558507007 +0200
Modify: 2014-09-15 10:05:14.346417310 +0200
Change: 2014-09-15 10:05:14.354417391 +0200

=> if the access time is older than X days, the file can be removed

Offline

 

#4 2014-10-15 11:16:13

Konstantin
Guest

Re: Some folders without protection?

plg wrote:

You can do even more secure:

Code:

$conf['derivative_url_style'] = 2;

in your local configuration (plugin LocalFiles Editor) and then add a .htaccess "deny from all" in your directory _data/i

Fantastic! I had tried to "deny from all" in _data/i without modifying the configuration but it didn't work. The photos won't show up on the gallery after that. With this configuration it works!

Are there more such nice undocumented features that make piwigo more secure?

 

#5 2014-10-15 13:05:01

flop25
Piwigo Team
2006-07-06
7037

Re: Some folders without protection?

I think the Privacy tour of Take A Tour talk about it


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 
  •  » Requests
  •  » Some folders without protection?

Board footer

Powered by FluxBB

github twitter newsletter Donate Piwigo.org © 2002-2024 · Contact