Hi,
I'm trying to make my Piwigo more protected. I use original_url_protection and deny access to the /galleries and /upload folders with Apache. Unauthorized users can only view images with a direct link like /_data/i/upload/2014/09/17/20140917125309-68ab7f6c-th.jpg or /_data/i/galleries/MyTravel/DSC00320-th.JPG. OK, that's enough for me, if I haven't missed anything.
But an unauthorized user can also access /_data/i/, /_data/i/galleries/ and /_data/i/upload/ and see my folder structure. That's not good.
What about Piwigo adding a default index.html file into these folders? Or any other solution?
Also I need a cron job to remove cached images from /_data/i/ that are older than a month. Does anybody have one?
Piwigo version: 2.7
Last edited by JanisV (2014-10-09 16:57:03)
Yes, the "structure" is not protected, but :
$ cat _data/i/upload/2014/08/25/index.htm
Not allowed!
There is an "index.htm" in the directory of the resized photos. Yes, we could add an index.html file at each level of the structure. You can make it even more secure:
$conf['derivative_url_style'] = 2;
in your local configuration (plugin LocalFiles Editor) and then add a .htaccess "deny from all" in your _data/i directory.
I don't have the cron script to remove cached images. I ask rvelices who may have one. If not, I can write one but something smarter would be a Piwigo plugin which deletes big sizes (small sizes are not a problem I think) on a regular basis.
Even smarter, the plugin can check the access time of the resized photo :
$ stat _data/i/upload/2014/09/01/20140901205514-bd05ef8d-th.jpg
  File: `_data/i/upload/2014/09/01/20140901205514-bd05ef8d-th.jpg'
  Size: 15463      Blocks: 32         IO Block: 4096   regular file
Device: 902h/2306d Inode: 47451864    Links: 1
Access: (0644/-rw-r--r--)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2014-10-09 17:17:24.558507007 +0200
Modify: 2014-09-15 10:05:14.346417310 +0200
Change: 2014-09-15 10:05:14.354417391 +0200
=> if the access time is older than X days, the file can be removed
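A cron-able cleanup script for the cache purge discussed in this thread, added here as an example (it is not a Piwigo script and was not posted by anyone in the thread). It assumes GNU find and the _data/i layout shown above, keeps the index.htm guard files, and runs against a constructed sample tree rather than a real gallery.

```shell
#!/bin/sh
# Purge Piwigo derivative cache entries (resized photos under _data/i)
# whose last access time is older than a given number of days.
# Assumes GNU find (-delete, -empty, -mindepth). Relies on atime: on a
# "noatime" mount atime never refreshes, so every file would look stale;
# "relatime" refreshes at most once a day, which is fine for a 30-day cut.

# List candidate derivatives under $1 not accessed for more than $2 days.
# index.htm guard files (the "Not allowed!" pages) are never candidates.
list_stale_derivatives() {
    find "$1" -type f ! -name 'index.htm' -atime +"$2" -print
}

# Delete stale derivatives under $1 older than $2 days, then remove any
# directories the deletion left empty. Directories holding an index.htm
# are never empty, so the guard pages and their directories survive.
purge_derivative_cache() {
    find "$1" -type f ! -name 'index.htm' -atime +"$2" -delete
    find "$1" -mindepth 1 -type d -empty -delete
}

# Build a constructed sample cache (hypothetical file names, not real
# gallery data), purge it with a 30-day threshold and print its path so
# the caller can inspect what remains.
demo_purge() {
    root=$(mktemp -d)
    mkdir -p "$root/upload/2014/09/01" "$root/galleries/MyTravel"
    : > "$root/upload/2014/09/01/index.htm"
    : > "$root/upload/2014/09/01/old-th.jpg"
    : > "$root/upload/2014/09/01/recent-th.jpg"
    : > "$root/galleries/MyTravel/old-me.jpg"
    # Backdate the access time of two files (POSIX touch -t, CCYYMMDDhhmm).
    touch -a -t 201401010000 "$root/upload/2014/09/01/old-th.jpg" \
                             "$root/galleries/MyTravel/old-me.jpg"
    purge_derivative_cache "$root" 30
    echo "$root"
}
```

For a real deployment, a crontab entry such as `purge_derivative_cache /path/to/piwigo/_data/i 30` run daily as the web server user does the job; run `list_stale_derivatives` first to preview what would go.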
plg wrote:
You can do even more secure:
$conf['derivative_url_style'] = 2;
in your local configuration (plugin LocalFiles Editor) and then add a .htaccess "deny from all" in your directory _data/i
Fantastic! I had tried to "deny from all" in _data/i without modifying the configuration but it didn't work. The photos won't show up on the gallery after that. With this configuration it works!
Are there more such nice undocumented features that make Piwigo more secure?
I think the Privacy tour of Take A Tour talks about it.