
#31 2013-08-22 16:04:24

pewe
Member
2012-03-16
439

Re: Secure Images

Screen Capture and Screen Record allow the copying of photos, images and videos in the largest format that is visible in the web browser.

So if you don't want it copied/stolen - don't put it on the Internet ;-(


 

#32 2014-10-15 10:27:25

Konstantin
Guest

Re: Secure Images

Is the problem solved in the new release? IMHO, this problem makes Piwigo unusable, although it otherwise has really nice features!

Pictures must be protected from direct access, since otherwise a user or a bot can guess the URL! Picture files mostly have a very predictable naming structure. I might, e.g., try http://your_piwigo_host.com/_data/i/2014/DSC_12345.jpg and voilà.

Protection of the piwigo/galleries folder through .htaccess seems to work, but not the protection of the piwigo/_data/i folder, which contains the multiple sizes. If .htaccess prohibits access to this folder, the pictures won't show up in the gallery. Isn't it possible to fix that?

Thanks for the effort in providing this otherwise really nice tool!

 

#33 2014-10-15 11:18:35

Konstantin
Guest

Re: Secure Images

Konstantin wrote:

Is the problem solved in the new release? IMHO, this problem makes Piwigo unusable, although it otherwise has really nice features!

Pictures must be protected from direct access, since otherwise a user or a bot can guess the URL! Picture files mostly have a very predictable naming structure. I might, e.g., try http://your_piwigo_host.com/_data/i/2014/DSC_12345.jpg and voilà.

Protection of the piwigo/galleries folder through .htaccess seems to work, but not the protection of the piwigo/_data/i folder, which contains the multiple sizes. If .htaccess prohibits access to this folder, the pictures won't show up in the gallery. Isn't it possible to fix that?

Thanks for the effort in providing this otherwise really nice tool!

Ok, this seems to be solved now. See http://piwigo.org/forum/viewtopic.php?p … 53#p155153

 

#34 2014-10-23 07:08:05

thanhphan467
Translation Team
2014-10-22
16

Re: Secure Images

You need to know: if the browser can read it, then users can read it. If the browser shows an image, then users can copy the image. It's not a security problem.


 

#35 2015-02-04 02:34:31

bigfoot
Guest

Re: Secure Images

I agree that is a security hole.

Maybe a .htaccess with a referer check can be a temporary workaround

Code:

RewriteEngine on
# Forbid image requests whose Referer header does not start with this site's origin
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

so only requests for images coming from yourdomain.com will be allowed.

 

#36 2015-05-15 03:28:20

Sarita
Guest

Re: Secure Images

How can we report someone on here who has posted photos on their "piwigo" site that don't actually belong to them? A photographer on here has posted photos of me, that I took myself, and he has NO permission to post them online, but he is refusing to take them down. What can I do? He stole my photos! Help!
-Concerned Girl in New England

 

#37 2015-05-15 07:44:54

ddtddt
Piwigo Team
Quetigny - France
2007-07-27
7201

Re: Secure Images

Sarita wrote:

How can we report someone on here who has posted photos on their "piwigo" site that don't actually belong to them? A photographer on here has posted photos of me, that I took myself, and he has NO permission to post them online, but he is refusing to take them down. What can I do? He stole my photos! Help!
-Concerned Girl in New England

Hi :-)

Thanks, but please don't post the same post in more than one topic ;-)


You love Piwigo so don't hesitate to participate, learn more on the "Contribute to Piwigo" page. If you don't have much time for contribution, you can also help the project with a donation.


 

#38 2015-07-25 17:21:26

Yoni Jah
Guest

Re: Secure Images

I made a small script that you can use with nginx to completely block any unwanted access to Piwigo static files.

You can get it on GitHub: https://github.com/yonjah/piwigo-privacy

Some more info on my blog: https://ca.non.co.il/index.php/securing … igo-albums

This might be a bit too advanced for most users, since you need to be comfortable with nginx (and actually compile your own version).

 

#39 2020-04-05 12:35:42

letterman
Member
2020-04-05
1

Re: Secure Images

bigfoot wrote:

I agree that is a security hole.

Maybe a .htaccess with a referer check can be a temporary workaround

Code:

RewriteEngine on
# Forbid image requests whose Referer header does not start with this site's origin
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

so only requests for images coming from yourdomain.com will be allowed.

Thank you so much!
This worked fine; this security hole is fixed. Even in 2020, this security gap still exists without this .htaccess entry.


 

#40 2020-05-25 11:28:14

Arnie97
Member
Beijing, China
2019-10-16
9

Re: Secure Images

letterman wrote:

bigfoot wrote:

I agree that is a security hole.

Maybe a .htaccess with a referer check can be a temporary workaround

Code:

RewriteEngine on
# Forbid image requests whose Referer header does not start with this site's origin
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

so only requests for images coming from yourdomain.com will be allowed.

Thank you so much!
This worked fine; this security hole is fixed. Even in 2020, this security gap still exists without this .htaccess entry.

This only fixes part of the problem: it blocks hotlinks from other websites to your images. But it DID NOT fix the security hole. Anyone is still able to fire an HTTP request with a chosen Referer header and get any private image on your site without logging in, if she or he knows its file name (which is unfortunately fairly easy to guess if a serial-number-based naming scheme is used for image files).

Last edited by Arnie97 (2020-05-25 11:29:38)

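To make the point of the previous post concrete, here is a small Python model of the referer rule quoted above. It is an added example, not code from Piwigo, Apache or any poster in this thread: it only reproduces the allow/forbid decision the two directives make, so the behaviour can be checked offline. The host `yourdomain.com`, the derivative path `/_data/i/2014/DSC_12345.jpg` and a `picture.php` page URL are the hypothetical values from the thread; `attacker.example` is an assumed third-party host.

```python
import re
from typing import Dict, Optional

# RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
# -> [NC] makes the match case-insensitive; no end anchor, as posted.
REFERER_OK = re.compile(r"^http(s)?://(www\.)?yourdomain\.com", re.IGNORECASE)
# RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
IMAGE_EXT = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)

# Hypothetical private derivative, taken from Konstantin's guessed URL.
PRIVATE_IMAGE = "/_data/i/2014/DSC_12345.jpg"


def htaccess_allows(path: str, headers: Dict[str, str]) -> bool:
    """Return True if the rule pair would serve the request, False for a 403.

    Apache expands %{HTTP_REFERER} to the empty string when the header is
    absent, so a request without Referer fails the condition as well.
    """
    if not IMAGE_EXT.search(path):
        return True  # the RewriteRule only matches image extensions
    referer = headers.get("Referer", "")
    # The condition is negated (!): the rule fires, and forbids, exactly
    # when the Referer does NOT start with the allowed origin.
    return REFERER_OK.match(referer) is not None


def request(referer: Optional[str] = None) -> Dict[str, str]:
    """Headers a client sends. Referer is chosen by the client, not the server."""
    headers = {"Host": "yourdomain.com", "User-Agent": "demo-client/1.0"}
    if referer is not None:
        headers["Referer"] = referer
    return headers


def scenarios() -> Dict[str, bool]:
    """Outcome of the referer check for the cases discussed in the thread."""
    return {
        # 1. A third-party page embedding the image is refused. This is the
        #    one thing the rule actually does: it stops hotlinking.
        "hotlink_from_other_site": htaccess_allows(
            PRIVATE_IMAGE, request("http://attacker.example/page.html")),
        # 2. A browser viewing a gallery page loads the image normally.
        "browser_on_gallery_page": htaccess_allows(
            PRIVATE_IMAGE, request("https://www.yourdomain.com/picture.php?/12")),
        # 3. Caveat: a browser that strips Referer, or a link opened
        #    directly, sends none and is refused too (legitimate breakage).
        "no_referer": htaccess_allows(PRIVATE_IMAGE, request()),
        # 4. The bypass: a script sets Referer itself. The server cannot
        #    distinguish this from case 2, and no login state is consulted.
        "forged_referer_no_login": htaccess_allows(
            PRIVATE_IMAGE, request("http://yourdomain.com/")),
        # 5. Without an end anchor, any host that merely starts with the
        #    domain string passes the check as well.
        "lookalike_host_prefix": htaccess_allows(
            PRIVATE_IMAGE, request("http://yourdomain.com.attacker.example/")),
        # 6. Non-image URLs are never touched by the rule.
        "non_image_path": htaccess_allows("/index.php", request()),
    }


if __name__ == "__main__":
    for name, served in scenarios().items():
        print(f"{name:28s} -> {'200 served' if served else '403 forbidden'}")
```

The model shows why a Referer check is an anti-hotlinking measure and not access control: the header is client-supplied, so the only requests it reliably stops are the ones a well-behaved browser makes on someone else's page, while it also refuses legitimate visitors whose browsers send no Referer.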

 

#41 2020-05-25 11:34:43

Arnie97
Member
Beijing, China
2019-10-16
9

Re: Secure Images

thanhphan467 wrote:

You need to know: if the browser can read it, then users can read it. If the browser shows an image, then users can copy the image. It's not a security problem.

The user can copy (say, download) the image file and send it to others, and that is not a security problem, of course. The real problem here is that anyone is able to construct image URLs from file names and view any image on the gallery site without logging in.


 

#42 2020-05-25 11:48:14

Arnie97
Member
Beijing, China
2019-10-16
9

Re: Secure Images

Konstantin wrote:

Ok, this seems to be solved now. See http://piwigo.org/forum/viewtopic.php?p … 53#p155153

Thanks for the link. The undocumented derivative_url_style flag does solve this security hole.

IMHO it should be the default configuration for Piwigo:

Code:

$conf['derivative_url_style']=2;


 

#43 2020-05-25 12:48:27

erAck
Only trying to help
2015-09-06
1998

Re: Secure Images

Arnie97 wrote:

if she or he knows its file name (which is unfortunately fairly easy to guess if a serial-number-based naming scheme is used for image files).

You name it: if a serial-number-based naming scheme is used. That can happen only in the FTP+Sync image-adding process, so it is under the control of the admin or of the users allowed to FTP. Otherwise, using the Piwigo image upload, it's not a serial-number-based scheme but the date plus 8 characters of the MD5 of the image.


Running Piwigo at https://erack.net/gallery/


 
