Author Topic: Securing a coppermine installation....  (Read 7230 times)


heinrich (Coppermine newbie)
Securing a coppermine installation....
« on: June 10, 2014, 07:42:50 pm »

This isn't really a question for the coppermine team, but for all apache2 specialists who might read this...

Coppermine has a user and password system, but nothing stops apache from answering any request to the /album/userpics/1000xxx/ directory, so basically one could simply brute force the server with requests in hopes of finding pictures without logging in. With educated guessing one could reduce the effort.

So, how would one set up a VirtualServer directive in apache2 to only allow requests by those users, who have a valid coppermine cookie?

Or, the other way round, how do I block access to all files in /albums/ to everyone who has not successfully logged in?

Best regards,
Heinrich Krebs

phill104 (Administrator, Coppermine addict; Windsurf.me)
Re: Securing a coppermine installation....
« Reply #1 on: June 10, 2014, 07:51:05 pm »

Did you search the plugins contributions board for something that might help? Maybe this? - http://forum.coppermine-gallery.net/index.php/topic,74870.0.html
It is a mistake to think you can solve any major problems just with potatoes.

heinrich (Coppermine newbie)
Re: Securing a coppermine installation....
« Reply #2 on: June 10, 2014, 08:14:54 pm »

I have not, for I wrongly assumed nobody had ever had the need for such a thing.

Thanks, it seems the Plugin does what I want. Will try it within the next days...

heinrich (Coppermine newbie)
Re: Securing a coppermine installation....
« Reply #3 on: June 11, 2014, 04:34:10 pm »

Okay, the plugin doesn't do what I want properly.
First, I can't use FTP without TLS, so this part of the plugin failed, but I rewrote it to use the exec command to change the file attributes directly instead of using FTP to do so.

But now the pictures aren't shown in the gallery either. That's not what I want. I would have to alter the plugin in a way that it sets any file displayed in the gallery to "unsecure" but at the same time stores all files currently unsecured in a table, with a timestamp.

Then I might establish a script that secures all files again, run every second or so, possibly as a cronjob.

Seems like an awful way to keep the server busy....

An apache directive so that only clients who have logged into coppermine are served would have been way more elegant...

phill104 (Administrator, Coppermine addict; Windsurf.me)
Re: Securing a coppermine installation....
« Reply #4 on: June 11, 2014, 06:26:09 pm »

Yep, sounds like a good way to achieve things. Currently there is no plugin to do it that way, maybe someone could come up with one.
It is a mistake to think you can solve any major problems just with potatoes.

heinrich (Coppermine newbie)
Re: Securing a coppermine installation....
« Reply #5 on: June 27, 2014, 03:30:48 pm »

So, I keep thinking about this and started my own Plugin, based on the posts here.

I figured I wanted the browser of any client to ask for any picture not with path and filename, but with a specific ID that can't be guessed or something.

I saw that the pictures table has a column MD5, but it seems empty. Why is that?
Although md5 isn't considered secure anymore, it is probably secure enough to grant every image in the database its own unique hash...

Αndré (Administrator, Coppermine addict)
Re: Securing a coppermine installation....
« Reply #6 on: June 27, 2014, 08:11:43 pm »

If you already query the database for that ID, it doesn't need to be secure and can simply be the picture ID which already exists (I assume you want to do something like "showpic.php?pid=123", which also already exists as a mod or plugin somewhere in our board if I remember correctly). If the browser submits the ID to that script, it can check if the user has permission to view the picture in the first place.

At least one of our devs (gmc) uses a plugin to secure the pictures' file paths and names, but as far as I know it isn't publicly available (yet).

gmc (Dev Team member, Coppermine addict; GMC Design Photo Gallery)
Re: Securing a coppermine installation....
« Reply #7 on: June 27, 2014, 11:43:20 pm »

it is on my list to release... Have a little cleanup to do for it to work with all galleries...
Was my first plugin attempt... And learned a lot since :)

Configurable to mask or encrypt the filepath (you decide on acceptable overhead), and does not require http access to the albums folder (can use .htaccess to DENY FROM ALL)..
Only supports displaying image types supported by GD/ImageMagick - other formats pass through as they do today and will require http access.

I currently have it bundled with dynamic watermarking (text) options, but was suggested to separate.

I am traveling for next week+.. But will take a look at it when I get home...
(One of a couple of plugins I need to release...)

You can take a look at gallery.gmcdesign.com to see what it looks like.. That uses the encryption method. View page source and let me know if you can figure out the full path to any of my photos... :)

Greg
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money
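The approach Αndré (Reply #6) and gmc (Reply #7) describe, a script that takes the picture ID, checks whether the caller may see it, and streams the file while the albums folder itself is denied in Apache, as an added example. This is not Coppermine's code and not gmc's plugin. The `pictures`/`albums` tables below are a constructed, simplified stand-in for the gallery's schema, the rule "public album, or album owned by the logged-in user" is an assumed placeholder for the real permission check, and `$_SESSION['user_id']`, `ALBUMS_ROOT` and the database DSN are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Coppermine's code and not gmc's plugin: a minimal
// "showpic.php?pid=123" gate. The two tables are a constructed, simplified
// stand-in for the gallery's own schema, and the rule "public album, or album
// owned by the logged-in user" is an assumed placeholder for the real check.
// The albums directory itself stays unreachable over HTTP, e.g. with an
// .htaccess in it containing "Require all denied" (Apache 2.4) or
// "Deny from all" (Apache 2.2), so this script is the only way to fetch files.

const ALBUMS_ROOT = '/var/www/albums';   // assumed location

// Return the absolute path of a picture this visitor may see, or null.
function resolve_picture(PDO $pdo, ?int $userId, int $pid, string $root): ?string
{
    $stmt = $pdo->prepare(
        'SELECT p.filepath, p.filename, a.public, a.owner_id
           FROM pictures p JOIN albums a ON a.aid = p.aid
          WHERE p.pid = :pid'
    );
    $stmt->execute([':pid' => $pid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                  // unknown pid
    }
    $allowed = (int)$row['public'] === 1
        || ($userId !== null && (int)$row['owner_id'] === $userId);
    if (!$allowed) {
        return null;                                  // exists, but not for this visitor
    }
    // Re-anchor the stored path under $root and refuse anything that escapes it,
    // so a bad database row can never turn this script into a general file reader.
    $realRoot = realpath($root);
    $file = realpath($root . '/' . $row['filepath'] . '/' . $row['filename']);
    if ($realRoot === false || $file === false
        || strncmp($file, $realRoot . DIRECTORY_SEPARATOR, strlen($realRoot) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Only hand out files that really are images of a type we expect.
function image_content_type(string $path): ?string
{
    $types = [IMAGETYPE_JPEG => 'image/jpeg', IMAGETYPE_PNG => 'image/png', IMAGETYPE_GIF => 'image/gif'];
    $info = @getimagesize($path);
    return ($info !== false && isset($types[$info[2]])) ? $types[$info[2]] : null;
}

function send_picture(string $path, string $type): void
{
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');       // keep shared caches from re-serving it
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    // Web entry point. $_SESSION['user_id'] is assumed to be set by the login code.
    session_start();
    $userId = isset($_SESSION['user_id']) ? (int)$_SESSION['user_id'] : null;
    $pid = filter_input(INPUT_GET, 'pid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pid === null || $pid === false) {
        http_response_code(400);
        exit;
    }
    $pdo = new PDO('mysql:host=localhost;dbname=gallery', 'gallery_ro', 'secret'); // assumed DSN
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $file = resolve_picture($pdo, $userId, $pid, ALBUMS_ROOT);
    $type = $file !== null ? image_content_type($file) : null;
    if ($file === null || $type === null) {
        http_response_code(404);   // one answer for "no such pid" and "not yours": no enumeration oracle
        exit;
    }
    send_picture($file, $type);
} else {
    // Command-line self-check against an in-memory SQLite copy of the constructed schema.
    $root = sys_get_temp_dir() . '/albums_demo';
    @mkdir($root . '/userpics/10001', 0700, true);
    file_put_contents($root . '/userpics/10001/secret.jpg', 'not really a jpeg');
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE albums (aid INTEGER, owner_id INTEGER, public INTEGER)');
    $pdo->exec('CREATE TABLE pictures (pid INTEGER, aid INTEGER, filepath TEXT, filename TEXT)');
    $pdo->exec('INSERT INTO albums VALUES (1, 42, 0)');
    $pdo->exec("INSERT INTO pictures VALUES (7, 1, 'userpics/10001', 'secret.jpg')");
    var_dump(resolve_picture($pdo, null, 7, $root));  // anonymous visitor, private album
    var_dump(resolve_picture($pdo, 42, 7, $root));    // the album owner
    var_dump(resolve_picture($pdo, 42, 8, $root));    // pid that does not exist
}
```

Two design choices worth keeping whatever the real permission check looks like: the script answers 404 for both "no such pid" and "not allowed", so walking the pid space (the guessability heinrich worries about) reveals nothing beyond what the gallery pages already show, and the stored path is re-anchored under the albums root with `realpath` so the script can only ever read files from that tree. Run it with `php showpic.php` for the self-check.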

heinrich

  • Coppermine newbie
  • Offline Offline
  • Posts: 19
Re: Securing a coppermine installation....
« Reply #8 on: June 30, 2014, 01:01:03 pm »

Quote from: Αndré on June 27, 2014, 08:11:43 pm
    If you already query the database for that ID, it doesn't need to be secure and can simply be the picture ID which already exists
The pid is guessable, that's why I didn't want to use it, but you are right, if I check permissions in the script, that could be easier if the functions to do so are already in place...

Quote from: Αndré on June 27, 2014, 08:11:43 pm
    (I assume you want to do something like "showpic.php?pid=123", which also already exists as a mod or plugin somewhere in our board if I remember correctly). If the browser submits the ID to that script, it can check if the user has permission to view the picture in the first place.
Yes, that is pretty much what I try to do...

Quote from: gmc on June 27, 2014, 11:43:20 pm
    it is on my list to release... Have a little cleanup to do for it to work with all galleries...
    Was my first plugin attempt... And learned a lot since :)
I'd love to take a look at it... possibly it already does everything I want...

sindbad5 (Contributor, Coppermine frequent poster; My Images - medienarchiv.com)
Re: Securing a coppermine installation....
« Reply #9 on: September 12, 2014, 07:59:29 am »

Encrypting the filepath is fine. That's exactly the plugin I'm waiting for.

Tom

gmc (Dev Team member, Coppermine addict; GMC Design Photo Gallery)
Re: Securing a coppermine installation....
« Reply #10 on: September 15, 2014, 06:50:38 pm »

Thank you for 'bumping' this.. It fell off my radar.
I am traveling this week, but will get something ready to share next week.
Greg
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money

gmc (Dev Team member, Coppermine addict; GMC Design Photo Gallery)
Re: Securing a coppermine installation....
« Reply #11 on: April 19, 2015, 06:38:54 am »

OK... it took me longer than a week... lol...
Take a look at the new Mask URL Plugin - which gives options to 'mask' or 'encrypt' the path to your pictures in the generated URLs.

http://forum.coppermine-gallery.net/index.php/topic,78168.msg378179.html#msg378179

Greg
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money
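What the "encrypt the path" option gmc mentions (Reply #7 and Reply #11) can look like in practice, as an added example that is not the Mask URL plugin's code; the plugin's own construction is not described in this thread. The example assumes PHP's bundled libsodium, a 32-byte master key loaded from configuration outside the web root, and a serving script that receives the token in a `t` parameter. Authenticated encryption (secretbox) is used so that a guessed or edited token fails to decrypt instead of yielding a different path.

```php
<?php
declare(strict_types=1);

// Added example, not the Mask URL plugin's code: one way to "encrypt the path"
// in generated picture URLs with libsodium's secretbox (XSalsa20-Poly1305).
// Where the master key lives and how the album folder is denied are assumptions.

const ALBUMS_ROOT = '/var/www/albums';   // assumed; the directory itself stays denied in Apache

// Two sub-keys from one master key, so the nonce key and the box key never coincide.
function derive_keys(string $masterKey): array
{
    $boxKey   = sodium_crypto_generichash('box',   $masterKey, SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    $nonceKey = sodium_crypto_generichash('nonce', $masterKey, SODIUM_CRYPTO_GENERICHASH_KEYBYTES);
    return [$boxKey, $nonceKey];
}

// Build a URL-safe opaque token for a relative path such as "userpics/10001/img.jpg".
// The nonce is a keyed hash of the path rather than random, so the same picture
// always yields the same URL and browsers can cache it; different paths get
// different nonces, which is all secretbox needs.
function mask_path(string $relPath, string $masterKey): string
{
    [$boxKey, $nonceKey] = derive_keys($masterKey);
    $nonce = sodium_crypto_generichash($relPath, $nonceKey, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($relPath, $nonce, $boxKey);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Reverse mask_path; returns null for anything that does not authenticate.
function unmask_path(string $token, string $masterKey): ?string
{
    [$boxKey] = derive_keys($masterKey);
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                   // not even valid base64
    }
    if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;                                   // too short to carry nonce + tag
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $boxKey);
    return $plain === false ? null : $plain;           // false = tag mismatch (tampered/guessed)
}

// Turn a token into an absolute file confined to $root, or null.
function token_to_file(string $token, string $masterKey, string $root): ?string
{
    $rel = unmask_path($token, $masterKey);
    if ($rel === null) {
        return null;
    }
    $realRoot = realpath($root);
    $file = realpath($root . '/' . $rel);
    if ($realRoot === false || $file === false
        || strncmp($file, $realRoot . DIRECTORY_SEPARATOR, strlen($realRoot) + 1) !== 0) {
        return null;                                   // decrypted fine, but points outside the tree
    }
    return $file;
}

if (PHP_SAPI === 'cli') {
    // Self-check with a throwaway key; a deployment loads the key from config, not from code.
    $masterKey = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    $token = mask_path('userpics/10001/holiday.jpg', $masterKey);
    echo "generated URL: showpic.php?t=$token\n";
    echo 'round trip:    ', var_export(unmask_path($token, $masterKey), true), "\n";
    $tampered = substr($token, 0, -2) . 'AA';          // edit the tail: the tag no longer verifies
    echo 'tampered:      ', var_export(unmask_path($tampered, $masterKey), true), "\n";
    echo 'second render: ', var_export(mask_path('userpics/10001/holiday.jpg', $masterKey) === $token, true), "\n";
}
```

A token only proves that the URL was produced by the server for that path; it says nothing about who is presenting it, so the script that serves `?t=` should still run the same login and permission check as a `?pid=` gate would, otherwise a URL copied out of a logged-in session keeps working for anyone. The overhead gmc refers to is one hash plus one secretbox per image per page render; the deterministic nonce keeps URLs stable between renders, at the cost of revealing when two pages reference the same file, which a gallery does not normally treat as secret.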