forum.coppermine-gallery.net

Support => cpg1.5 plugins => cpg1.5.x Support => cpg1.5 plugin contributions => Topic started by: gmc on April 19, 2015, 06:21:37 am

Title: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 19, 2015, 06:21:37 am
OK... I owed the dev team this one for a while now...
We've talked about ways to better secure your photos in the gallery - as the path to your photos is clearly visible in the html source produced by the gallery. So here is an alternative - the ability to 'mask' or 'encrypt' the filepath in the produced URLs.
There is of course a tradeoff between more secure and more overhead... read on.

This plugin adds the  ability to mask or hide the actual file location of your pictures...
Normally the delivered html contains <img> tags that can be read to find your photo locations and directory structure.
As the photos are delivered via <img> tags, http access must be provided to the album folder (and subfolders).
This allows curious (or malicious) users an easy opportunity to find your pictures and download them.
But what if the delivered html looked like this:
Code: [Select]
  <img src="index.php?file=maskurl/displayimage&photokey=8dOgllfG1PqJQwj0%2BNuSOMuDNKC%2B14ABd6Rfn7nhZNXVaB9bn0V1IOUTZ%2FGw" ...>
Since the path to the albums directory is configurable (doesn't have to be 'albums/') and of course you can have any subfolder structure you
want... the task of locating your pictures files is made harder... to near impossible (based on your choices configuring the plugin).

Options to 'mask' or 'encrypt' the path to photos are offered.
These options appear to have similar results - but the algorithm used has quite different results.
The choice is of course yours...

An additional benefit if masking/encrypting is that http access to the albums directory is no longer required... All CPG functions generating the picture URL drive this plugin, and all will be changed.  As a result, a .htaccess file can be placed in the albums directory denying all access - providing additonal protection for your photos. A sample .htaccess file is included in the plugin directory - named .htaccess.txt - this needs to be copied to the albums directory and named .htaccess if you wish to use it.
NOTE: If you disable this plugin - or set the option to 'Clear Text' - and have the .htaccess file in place, you will be unable to view photos in your gallery!!

All filetypes permitted by CPG are supported (based on the contents of cpg15x_filetypes table). Proper additions to that table will be automatically recognized by the plugin and supported. The 'mime' type must be correctly specified in that table!

The readme file can be viewed at: (also included in the zip file of course...):
http://greggallery.gmcdesign.com/plugins/maskurl/readme.php (http://greggallery.gmcdesign.com/plugins/maskurl/readme.php)

The results:
I've been using this technique in my gallery for some time... using the encryption option and the .htaccess restriction.
http://gallery.gmcdesign.com (http://gallery.gmcdesign.com)
Can you tell me where my photos are?

Code is attached below.

Good luck, and let me know what you think...
Thanks!
Greg (gmc on the cpg forum)
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 19, 2015, 11:42:53 am
When trying to activate the plug-in I get the following error:

Code: [Select]
Fatal error: Call to undefined function mcrypt_get_key_size() in /var/www/site/plugins/maskurl/functions.php on line 31
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 19, 2015, 11:57:59 am
Installed now php-mcrypt and php-phpseclib-crypt-rijndael and the plug-in still not want to install.

I got some warnings on installing crypt-Rijndael

Code: [Select]
  Installing : php-process-5.4.40-1.el6.remi.x86_64                                                                   1/6
  Installing : php-xml-5.4.40-1.el6.remi.x86_64                                                                       2/6
  Installing : 1:php-pear-1.9.5-10.el6.remi.noarch                                                                    3/6
  Installing : php-channel-phpseclib-1.3-1.el6.remi.noarch                                                            4/6
  Installing : php-phpseclib-crypt-base-0.3.10-1.el6.remi.noarch                                                      5/6
PHP Warning:  popen() has been disabled for security reasons in /usr/share/pear/OS/Guess.php on line 242
PHP Warning:  fgets() expects parameter 1 to be resource, null given in /usr/share/pear/OS/Guess.php on line 243
PHP Warning:  pclose() has been disabled for security reasons in /usr/share/pear/OS/Guess.php on line 252
  Installing : php-phpseclib-crypt-rijndael-0.3.10-1.el6.remi.noarch                                                  6/6
PHP Warning:  popen() has been disabled for security reasons in /usr/share/pear/OS/Guess.php on line 242
PHP Warning:  fgets() expects parameter 1 to be resource, null given in /usr/share/pear/OS/Guess.php on line 243
PHP Warning:  pclose() has been disabled for security reasons in /usr/share/pear/OS/Guess.php on line 252
  Verifying  : php-phpseclib-crypt-base-0.3.10-1.el6.remi.noarch                                                      1/6
  Verifying  : php-channel-phpseclib-1.3-1.el6.remi.noarch                                                            2/6
  Verifying  : php-xml-5.4.40-1.el6.remi.x86_64                                                                       3/6
  Verifying  : php-phpseclib-crypt-rijndael-0.3.10-1.el6.remi.noarch                                                  4/6
  Verifying  : php-process-5.4.40-1.el6.remi.x86_64                                                                   5/6
  Verifying  : 1:php-pear-1.9.5-10.el6.remi.noarch 
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 19, 2015, 12:19:00 pm
After the reboot of the server the plug-in stalled fine. Selecting other than 'clear text' hides all my thumbnails and that is maybe due to that that I am using an other plug-in EnlargeIt.
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 19, 2015, 02:54:39 pm
After the reboot of the server the plug-in stalled fine. Selecting other than 'clear text' hides all my thumbnails and that is maybe due to that that I am using an other plug-in EnlargeIt.
I installed EnlargeIt to test - and there is a conflict...

EnlargeIt replaces the <img> tags via filter 'theme_display_thumbnails_params' overwriting any changes made earlier by the 'picture_url' filter...  So all the image thumb and normal URLs appear in clear text on the thumbnails page even when mask_url has encrypted them...
And since it replaces the <img> tages - it now needs http access to the albums folder...
So if you have the .htaccess rules in place in the albums directory - the thumbnails will display fine on the main page - but when selecting an album, the thumbnails will fail to load (as requested by .htaccess).

The cost of security...  :(
I'll take a deeper look to see what can be done - as I know EnlargeIt is a popular plugin

@devs - can a plugin call the pluginAPI??  Just a thought...
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: allvip on April 19, 2015, 08:24:20 pm
Great plugin.
Is this going to stop HTTrack Website Copier to download the entire gallery?
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 19, 2015, 09:19:29 pm
Is this going to stop HTTrack Website Copier to download the entire gallery?
No, but it will make them using more storage space to keep sequential version because the names differ each iteration.
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 19, 2015, 09:48:24 pm
Great plugin.
Is this going to stop HTTrack Website Copier to download the entire gallery?
If it drives the link in the html (which will drive the script to unencrypt) then they will get the file (and it appears to in a quick test... )  I'll have to see how usable the resulting site is (running a mirror now).
It certainly won't have the folder structure in the albums directory that it would have without the plugin.

Bottom line - Really can't stop someone from downloading a file that you make visible to the www. You can make it harder or more inconvenient - but if you made it visible - it can (and will) be downloaded by HTTrack, a browser, etc...
HTTrack by default presents itself with a user agent identifying itself - and observes robot.txt restrictions - but both can be easily overridden by the user.

What it stops is them being able to download files you DON'T make visible... ie - your original (fullsize) photos if you only allow viewing of thumbnail and intermediate.
If I know Coppermine's naming, and the path to your thumbnail... I can request the larger photo directly from the filesystem normally.  THIS action is made much more difficult (I tend not to say impossible as the world keeps making better hackers) - as they won't know the path to follow to begin with, and even if they knew the path - the .htaccess (if in place in albums to 'Deny from all') would stop them.

No, but it will make them using more storage space to keep sequential version because the names differ each iteration.
Well... each time you change encryption keys (refreshable in config) - they will think everything is new... it should get ugly for them quickly if you regularly change keys...  Wouldn't be hard to have a cron script change keys even just once a day to drive their storage use much higher... :)
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 20, 2015, 01:44:57 am
Maybe you an use/rewrite the SEF support that is available in EnlargeIt.

Link to the SEF plugin: http://forum.coppermine-gallery.net/index.php/topic,42568.0.html
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: ron4mac on April 20, 2015, 03:59:36 pm

Well... each time you change encryption keys (refreshable in config) - they will think everything is new... it should get ugly for them quickly if you regularly change keys...  Wouldn't be hard to have a cron script change keys even just once a day to drive their storage use much higher... :)
How about using a cookie key for masking/encryption that could be different for each page load, making the urls different every time?
Title: Re: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 20, 2015, 04:39:47 pm
I installed EnlargeIt to test - and there is a conflict...

EnlargeIt replaces the <img> tags via filter 'theme_display_thumbnails_params' overwriting any changes made earlier by the 'picture_url' filter...  So all the image thumb and normal URLs appear in clear text on the thumbnails page even when mask_url has encrypted them...
And since it replaces the <img> tages - it now needs http access to the albums folder...
So if you have the .htaccess rules in place in the albums directory - the thumbnails will display fine on the main page - but when selecting an album, the thumbnails will fail to load (as requested by .htaccess).

The cost of security...  :(
I'll take a deeper look to see what can be done - as I know EnlargeIt is a popular plugin

@devs - can a plugin call the pluginAPI??  Just a thought...

I've posted some changes in the EnlargeIt thread that make it compatible with Mask Url - and likely any other plugin that uses the 'picture_url' filter.
EnlargeIt was recreating the thumbnail URL from scratch rather than using what may have been changed by plugins.  It was also creating new URL's for intermediate or fullsize photos - and no one else had a chance to change..

I altered the enlargeit_addparams in that plugin's codebase.php to:
(appeared to be no issue with a plugin driving the pluginAPI... as long as we don't get into a recursion issue... :) )

See this thread for details:
http://forum.coppermine-gallery.net/index.php?topic=57424.msg378225#msg378225 (http://forum.coppermine-gallery.net/index.php?topic=57424.msg378225#msg378225)

Greg
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: ron4mac on April 20, 2015, 07:38:58 pm
I also modified my slideshow plugin to be compatible with MaskUrl.
http://forum.coppermine-gallery.net/index.php/topic,75994.0.html
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 20, 2015, 08:46:56 pm
How about using a cookie key for masking/encryption that could be different for each page load, making the urls different every time?
Interesting idea... thinking that through a bit.

How do googlebots react to cookies? would they still be able to crawl the site - or would the picture loads all fail? (some may view that as good - others as bad...)
Right now a user doesn't need cookies enabled to view a gallery (unless restricted to registered users).

What additional protection would it provide? The user has already downloaded the picture (to view the page) - so they have the image...  What does it prevent at that point?

Does it provide any more protection than an nightly cron job that refreshes the encryption keys? (even the value of that is limited I think...)

The real protection here is not knowing the path to photos to go 'fishing' for more than is allowed... ie - if I disallow access to fullsize - without this masking/encryption the user knows the folder structure - and knows the name of the intermediate picture... finding the fullsize isn't rocket science...
This protection is accomplished even if the keys NEVER change.

As a side note to earlier comments - I did some testing with HTTrack - and while they do get a navigable copy - the entire album directory structure is missing - with all picture files as indexxxx.jpg in the root directory...
Changing keys on every page load would drive that process crazy (maybe a good thing.. :) ) as they would download the same pic repeatedly for every page it appeared on.... meta albums, random pics, album, etc...) each thumb and fullsize would look like a different URL to them...

I don't have an issue adding more options. The intent was to allow the gallery owner to pick the degree of protection (and degree of overhead) they wanted/needed...

I should be able to use an early plugin hook to optionally generate the IV (init vector) - store as a cookie that could then be read by each invocation to display... (The IV would get combined with the encryption key in the DB to successfully unencrypt...  Currently both are in the DB.
Two simultaneous page loads from the same browser might get interesting - but the timing window is quite small between setting and reading the cookie.

Additional thoughts welcome...
Have a couple of changes already in V1.1 that I can add to before releasing.

I also modified my slideshow plugin to be compatible with MaskUrl.
http://forum.coppermine-gallery.net/index.php/topic,75994.0.html
GREAT!  thanks... I'll download that and give it a try too.

Greg
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 22, 2015, 04:59:31 am
From the input so far... and anticipating some additional input... V1.1 is now attached to the first post in thread.

The additions:
Added validation of encryption functions, requested algorithm and mode to install to prevent install failure
- plugin will initialize, but will disable encryption support (masking support still available)
- config messages will indicate failure and show requested and available support
- specify 'Refresh Encryption Keys' to redrive initialization
(avoids install problem noted by marcelm - when encryption wasn't available)

Added 4th mask option - Encrypt URL with Dynamic IV
- new initialization vector for every page load - URL for same image will be different on every page load
- IV sent to client as cookie and retrieved to decrypt
(suggestion from ron4mac for use of dynamic keys)

Add configuration parms for encryption algorithm and mode - selectable via config page
- options dynamic based on installed algorithms and modes on your webserver

Add configuration parm for OS type, initially populated by PHP_OS constant - but overrideable.
- used by maskurl_encrypt_keys to take alternate actions for windows platform required if php version < 5.3

Add configuration parm for URL format, by default (internal) driving normal CPG initialization
- default is incompatible with plugins like EnlargeIt *IF* using 'Encrypt URL with Dynamic IV'
- select 'external' URL format for alternate format that works with EnlargeIt. 

Happy encrypting...  :)
Greg
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 22, 2015, 11:14:18 am
Works great with my site (Blankstraped). The Dynamic IV will show the first picture from my slider but the second one I get a endless wait.

I noticed also that one of my albums was not show and it workes out that I have spaces in directory name and that is maybe the cause of that it is not being show.

Will also install the adapted version of Slideshow by ron4mac later today.

My site is: www. mmmfotografie. nl

Many thanks for this great plug-in!
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 22, 2015, 01:32:30 pm
Works great with my site (Blankstraped). The Dynamic IV will show the first picture from my slider but the second one I get a endless wait.
Did you try the new option to "Use 'external' URL format"?  With Dynamic IV - any interaction with CPG will regenerate the IV for that session (new cookie) - rendering all previous URLs that client has unusable... The 'external' URL format does NOT drive normal CPG initialization - and may allow the slider to work (it worked with EnlargeIt..)
default:
Code: [Select]
index.php?file=maskurl/displayimage&photokey=9qswIIbX6EWWXbFHPVYWjzYSqKD4CoM%2F3wWXW54rxjocdPEh2yoMMONtooUt204P
external:
Code: [Select]
plugins/maskurl/displayimage.php?photokey=9qswIIbX6EWWXbFHPVYWjzYSqKD4CoM%2F3wWXW54rxjocdPEh2yoMMONtooUt204P

Quote
I noticed also that one of my albums was not show and it workes out that I have spaces in directory name and that is maybe the cause of that it is not being show.
Yes... the space makes it through encrypt/decrypt - but comes out as a %20 in the <img> tag.
In displayimage.php (the plugins version!), find (in either 1.0 or 1.1):
Code: [Select]
    $debug_trace[] = "Generated Photopath Prefix: ".substr($photopath, 0, 10);
and insert before:
Code: [Select]
    $photopath = urldecode($photopath);

Quote
Many thanks for this great plug-in!
You're welcome... glad you like it!

Greg
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 22, 2015, 02:22:01 pm
Some times I have to click three times on different pictures to have go into wait.

My error log is showing entries starting with clicking the second picture:

Code: [Select]
[Wed Apr 22 14:06:26 2015] [error] [client x.x.x.x] PHP Warning:  filesize(): stat failed for ../../plugins/maskurl/sample.jpg in /var/www/site/plugins/maskurl/displayimage.php on line 123, referer: http://www.site.nl/plugins/maskurl/displayimage.php?photokey=6OVkO%2FNZsjemsBdON0WvViMjTRq0jmzXuxhlidLVoICzxJBClRT8GPGk9QjLezXXsLg%3D
[Wed Apr 22 14:06:26 2015] [error] [client x.x.x.x] PHP Warning:  readfile(../../plugins/maskurl/sample.jpg): failed to open stream: No such file or directory in /var/www/site/plugins/maskurl/displayimage.php on line 124, referer: http://www.site.nl/plugins/maskurl/displayimage.php?photokey=6OVkO%2FNZsjemsBdON0WvViMjTRq0jmzXuxhlidLVoICzxJBClRT8GPGk9QjLezXXsLg%3D
[Wed Apr 22 14:07:21 2015] [error] [client x.x.x.x] PHP Warning:  filesize(): stat failed for ../../plugins/maskurl/sample.jpg in /var/www/site/plugins/maskurl/displayimage.php on line 123, referer: http://www.mmmfotografie.nl/plugins/maskurl/displayimage.php?photokey=6OVkO%2FNZsjemsBdON0WvViMjTRq0jmzXuxhlidLVoICzxJBClRT8GPGk9QjLezXXsLg%3D
[Wed Apr 22 14:07:21 2015] [error] [client x.x.x.x] PHP Warning:  readfile(../../plugins/maskurl/sample.jpg): failed to open stream: No such file or directory in /var/www/sit/plugins/maskurl/displayimage.php on line 124, referer: http://www.site.nl/plugins/maskurl/displayimage.php?photokey=6OVkO%2FNZsjemsBdON0WvViMjTRq0jmzXuxhlidLVoICzxJBClRT8GPGk9QjLezXXsLg%3D

My ModSecurity for Apache is also having a go at Photokey but that can loosened in ModSecurity:

Code: [Select]
[Wed Apr 22 13:57:50 2015] [error] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)([\\\\s\\"'`;\\\\/0-9\\\\=]+on\\\\w+\\\\s*=)" at ARGS:photokey. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "21"] [id "973337"] [rev "1"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 8ONVtVoshWtxGfzfmRe6oW7ftGKq48EHwWdsEADS5qjIVQ= found within ARGS:photokey: wQaZrym5XqYbYw5DApCNI7vBSd Di8ONVtVoshWtxGfzfmRe6oW7ftGKq48EHwWdsEADS5qjIVQ="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "1"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "www.site.nl"] [uri "/plugins/maskurl/displayimage.php"] [unique_id "VTeMvsCoFR4AAH3Zmu0AAAAP"]
The adaptation that ron4mac made in his html4slideshow plug-in to also work with maskURL works great.
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 22, 2015, 03:44:01 pm
I have looked into ModSecurity and made a configuration file which disable that specific combination of rule and file.

created a file named 999_user_exclude.conf in the active rules with the content:

Code: [Select]
<LocationMatch /plugins/maskurl/displayimage.php>
   <IfModule mod_security2.c>
     SecRuleRemoveById 973337
   </IfModule>
</LocationMatch>

<LocationMatch delete.php>
   <IfModule mod_security2.c>
     SecRuleRemoveById 981173
   </IfModule>
</LocationMatch>

LocationMatch is the location of the to ignored file and SecRuleRemoveBtId is the number of the security id which can be found back in the error log of the httpd/apache and you can see such a line in my posting directly above.

Location: [uri "/plugins/maskurl/displayimage.php"]
Security id: [id "973337"]
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 22, 2015, 03:54:52 pm
My error log is showing entries starting with clicking the second picture:

Code: [Select]
[Wed Apr 22 14:06:26 2015] [error] [client x.x.x.x] PHP Warning:  filesize(): stat failed for ../../plugins/maskurl/sample.jpg in /var/www/site/plugins/maskurl/displayimage.php on line 123, referer: http://www.site.nl/plugins/maskurl/displayimage.php?photokey=6OVkO%2FNZsjemsBdON0WvViMjTRq0jmzXuxhlidLVoICzxJBClRT8GPGk9QjLezXXsLg%3D
[Wed Apr 22 14:06:26 2015] [error] [client x.x.x.x] PHP Warning:  readfile(../../plugins/maskurl/sample.jpg): failed to open stream: No such file or directory in /var/www/site/plugins/maskurl/displayimage.php on line 124, referer: http://www.site.nl/plugins/maskurl/displayimage.php?photokey=6OVkO%2FNZsjemsBdON0WvViMjTRq0jmzXuxhlidLVoICzxJBClRT8GPGk9QjLezXXsLg%3D
[Wed Apr 22 14:07:21 2015] [error] [client x.x.x.x] PHP Warning:  filesize(): stat failed for ../../plugins/maskurl/sample.jpg in /var/www/site/plugins/maskurl/displayimage.php on line 123, referer: http://www.mmmfotografie.nl/plugins/maskurl/displayimage.php?photokey=6OVkO%2FNZsjemsBdON0WvViMjTRq0jmzXuxhlidLVoICzxJBClRT8GPGk9QjLezXXsLg%3D
[Wed Apr 22 14:07:21 2015] [error] [client x.x.x.x] PHP Warning:  readfile(../../plugins/maskurl/sample.jpg): failed to open stream: No such file or directory in /var/www/sit/plugins/maskurl/displayimage.php on line 124, referer: http://www.site.nl/plugins/maskurl/displayimage.php?photokey=6OVkO%2FNZsjemsBdON0WvViMjTRq0jmzXuxhlidLVoICzxJBClRT8GPGk9QjLezXXsLg%3D

Well - the image won't display in those cases - but we shouldn't be filling up logs with errors...
(sample.jpg was an image used in the code I based this plugin I based this on... and referenced in the event we encountered an error. An 'old' IV would produce an invalid URL and be changed to sample.jpg.  I didn't include in this plugin as I didn't think it was still used... A better choice in this case is the system nopic..)

for now... in displayimage.php (plugin version)
Find:
Code: [Select]
$sampleimage = 'plugins/maskurl/sample.jpg';
Replace with:
Code: [Select]
$sampleimage = 'images/thumbs/thumb_nopic.png';
The next line - $samplethumbimage is not referenced anywhere else...

I'll make this either configurable - or use the system (or theme override) image in the next release.. (opinions welcome...)
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 22, 2015, 04:43:07 pm
The thumbnails are displayed in one go however the full size is not. This starts after 'enlarging' the second and consecutive pictures.

I found some code that gets information through the 'du' command and so only for Linux servers:

Code: [Select]
exec( ( 'du -b "'.__Directory__.escapeshellcmd( $curFolder ).'/"*'), $filenames );
foreach( $filenames as $key => $val )
{
    $size = substr( $val, 0, strpos( $val, '/' ) );
    $filename = substr( $val, strpos( $val, __Directory__ ) + strlen(__Directory__) );
    $filenames[$filename] = $size;
    unset( $filenames[$key] );
}
print_r( $filenames );

This probably not the way to go if you are in a hosted setting with your server.
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 22, 2015, 06:41:03 pm
The thumbnails are displayed in one go however the full size is not. This starts after 'enlarging' the second and consecutive pictures.
I can't reproduce your issue this time...
I've tried with/without EnlargeIt... going from thumb to intermediate to fullize... browser back from intermediate to thumb... choosing another thumb to view... using both Encrypt, and Dynamic IV - with no failures...

With Dynamic IV and 'internal' (ie - not 'external') URLs - I cannot right click on an image and say 'view image' - but that isn't Coppermine functionality...

If you can share your config options, any relevant plugins, and how you create the error - I'd be happy to look further..
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 22, 2015, 10:08:58 pm
Solved the problem with the second or third picture not being displayed. It the entl_cnt.php file that is advised by Timo to put in the root (plugins/enlargeit/sub-dir CopyToRoot) where the other php files are. I put it in there as advised because a time ago I saw this one cropping up into the log files.

On second thought it could be obsolete in Coppermine 1.5.x and I have to check it by downloading the latest version. I noticed that in the enl_*.php files the Coppermine version is 1.4.x

Code: [Select]
x.x.x.x - - [22/Apr/2015:21:49:12 +0200] "GET /plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OyLn6cipjyqopJCZDECcFVF1V78OX580QlUUf1spl7mDA%3D%3D HTTP/1.1" 200 250849 "http://site.nl/plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OyLn6cipjyqopJCZDECcFVF1V78OX580QlUUf1spl7mDA%3D%3D" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:14 +0200] "GET /plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OyLn6cipjyqopJCZDECcFVF1V78OX580QlUVoCFjelAVw%3D%3D HTTP/1.1" 200 237390 "http://site.nl/plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OyLn6cipjyqopJCZDECcFVF1V78OX580QlUVoCFjelAVw%3D%3D" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:14 +0200] "GET /enl_cnt.php?a=4899 HTTP/1.1" 200 - "http://site.nl/enl_cnt.php?a=4899" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:19 +0200] "GET /plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OfZoEOA5PUcCOweKO4Z2a7UQd5U2Lc%3D HTTP/1.1" 200 - "http://site.nl/plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OfZoEOA5PUcCOweKO4Z2a7UQd5U2Lc%3D" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:19 +0200] "GET /enl_cnt.php?a=4898 HTTP/1.1" 200 - "http://site.nl/enl_cnt.php?a=4898" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:22 +0200] "GET /plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OfZoEOA5PUcCOweKO4Z2a7UQd5U2Lc%3D HTTP/1.1" 200 - "http://site.nl/plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OfZoEOA5PUcCOweKO4Z2a7UQd5U2Lc%3D" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"

On the first picture you see two lines using displayimage.php and on picture two and three you see enl_cnt.php being called first.

Always nice riddles and due to the excellent logging system, just reading gives a lot of insight and help. It also helps to have a break so you have new ideas were to look and how to test.  :D
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 22, 2015, 11:22:07 pm
hmmmmmm, bit tired and doing things at the same time is no good. So some corrections on my previous posting.

First line I write 'entl_cnt.php' and that should have been 'enl_cnt.php'
Last line, Always nice those riddles, thanks to the excellent logging system. Just reading the log gives a lot of insight and help so that even I can make heads and tails of it...most of the time. It also helps to take a break if you have to solve a problem so that you have new ideas were to look and how to test better. Often the solution is just sitting in front of you. You just not see it, when you are to fixated and did the same test over and over and over to no avail.  ;)

I am very please with the plug-in and hope that others are going to use it now.
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 24, 2015, 11:23:30 pm
Dutch translation added.
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 24, 2015, 11:50:47 pm
To solve my errorlog being filled up with messages about enl_cnt.php in I changed the counter setting in EnlargeIt:

File: codebase.php in EnlargeIt plugin directory

Find: enl_usecounter and change it to 0

Code: [Select]
// disable counter by setting "enl_usecounter to 0 this is for using the Mask URL plugin with Dynamic IV
    $enlargeit_headcode .= "enl_usecounter = 0;
    ";
    $enlargeit_headcode .= "enl_counterurl = 'enl_cnt.php?a=';
    ";
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 25, 2015, 12:04:52 am
I found a problem with Dynamic IV. When browsing through pages Dynamic IV block itself when you use history-1/backspace the encrypted string has become invalid for Mask URL. The browser just servers the cached page.

After doing a reload/pressing F5 all encrypted strings are generated again and all is fine again.
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 25, 2015, 03:28:33 am
Dutch translation added.
Thank you!  I will include in the next package.

I found a problem with Dynamic IV. When browsing through pages Dynamic IV block itself when you use history-1/backspace the encrypted string has become invalid for Mask URL. The browser just servers the cached page.

After doing a reload/pressing F5 all encrypted strings are generated again and all is fine again.
Well - the tighter the security, the more things will get caught...
I can't recreate what you are seeing - the only time I see an error (non-displayed image) is at times trying to right click and view image - which is going outside Coppermine...  Even use of my browser's Back button hasn't caused additional errors.
Perhaps another plugin getting in the way?
Let me know the details of what other plugins you use and exactly how you get the error - and I will look into it.

I think with the combination of options available, an appropriate balance can be found by someone wishing to use this.
The mask/encryption options combined with the URL options give a variety of choices.
And if not - I welcome ideas for additional choices (Dynamic IV being one of them I added at other's suggestion...)

Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 25, 2015, 11:36:29 am
It is not that difficult to reproduce. Install EnlargeIt and go the last uploads. You get a display of thumbnails and go to the next page. When you use the back key to the previous it page will be displayed from cache and the strings are already invalid on the servers because the page was not reloaded.

I am using EnlargeIt, html5slider, slider and linktarget
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 26, 2015, 04:08:12 am
Interesting... I wasn't able to recreate the issue with Firefox - or with the browser on a WebOS device...  I tried Chrome and can see the issue - and same with Android browser (running lollipop).
Seems the browsers handle 'Back' processing differently. 
Firefox appears to restore the cookie values as part of 'Back' processing? or is reloading the page?

(Using 'Encryption' instead of 'Encryption with Dynamic IV' won't have this issue... I'll add a script that can be used via cron to change keys once a day as an alternative for something 'in between'...)

May have to find a way to force a page reload on 'Back' processing... Could be doable via javascript or header Cache Control like:
header("Cache-Control: no-store").. Have to see if either of these will help - and best way to implement...
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: marcelm on April 26, 2015, 10:47:33 am
If I get it right Encytion is refreshed when I prees submit in the MaskURL page. Dynamic IV is every loaded page. So why not refresh on start of a session.

Each time I visit the website I get a new encryption. Someone can share the picture as long as the browser session is active. If you want to limit the duration of the exposure you can refresh every so minutes after start of the start of the session.

The administrator of the website can choose then for session or for session plus encryption.
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on April 26, 2015, 05:48:41 pm
If I get it right Encytion is refreshed when I prees submit in the MaskURL page. Dynamic IV is every loaded page.
With the first 'Encrypt URL' option, the keys are refreshed when the plugin is installed - and anytime you 'Submit' configuration changes with 'Refresh Encryption Keys' checked...
With the 'Dynamic IV option, one component is regenerated on every page load that drives true Coppermine initialization (use of 'external urls' bypasses this for some displays - allowing plugins like EnlargeIt to still function... but every Coppermine page load will still refresh keys.)

Quote
So why not refresh on start of a session.
Each time I visit the website I get a new encryption. Someone can share the picture as long as the browser session is active. If you want to limit the duration of the exposure you can refresh every so minutes after start of the start of the session.
I like the idea... Working on it...

Quote
The administrator of the website can choose then for session or for session plus encryption.
And that is the whole idea - admin's choice for what level of complexity (and overhead) they want to use.
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: JohannM on February 28, 2019, 02:15:55 am
Hello Greg

Any possibility to fix this script for v 6 ?

I did try it but got some minor errors.

Thanx in advance.

Regards

Jo
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on February 28, 2019, 03:51:00 am
Hello Greg

Any possibility to fix this script for v 6 ?

I did try it but got some minor errors.

Thanx in advance.

Regards

Jo
OK... Let me take a look.  Not thinking of anything I did that should be an issue.  Needs a few tweaks I'm sure, but shouldn't be anything major. 
Probably be over the weekend to let me code and test.

Greg
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: JohannM on March 10, 2019, 06:14:55 pm
Hello all

Any change to convert this plugin for version 1.6 ?

Thanx
Title: Re: Mask URL Plugin for CPG 1.5.x
Post by: gmc on March 14, 2019, 05:33:25 pm
Hello all

Any change to convert this plugin for version 1.6 ?

Thanx
Well... I didn't say which weekend...  :P
It's coming!!
Greg