
Author Topic: (Solved) .htaccess to prevent direct viewing (absolute url) of CPG albums pics!  (Read 22391 times)


Bin

  • Coppermine newbie
  • Offline
  • Gender: Male
  • Posts: 13

Hello all ...

I'm in a very tricky position here, and I firmly believe .htaccess can bail me out, but I don't know how to make one. Could someone please, please guide me to make one?

• I use pnCPG (Coppermine Photo Gallery 1.3.2) as a module for PostNuke version: 0.7.2.6-Phoenix on my personal website.

• I have restricted all the albums of CPG to be viewed only by registered users. But I also have (and want) CPG latest and random picture scroller blocks on my website, viewable to everyone. As in, the thumbnails of random and latest pictures can be seen by anonymous users.

• Now here's the tricky part: I, as an anonymous user, can right-click on the thumbnail to find out its location (http://www.domain.com/modules/pnCPG/Coppermine/albums/uPlOaDEdPiCtuREs/Me/Kiddie/thumb_12.jpg) and simply paste (http://www.domain.com/modules/pnCPG/Coppermine/albums/uPlOaDEdPiCtuREs/Me/Kiddie/12.jpg) into the browser to view the actual image.

• What I want to do is to "restrict" anyone from directly requesting the image files (i.e. jpg, jpeg, gif, png) from the browser like this (i.e. not a request through Coppermine), but at the same time, if a registered user is logged on and wants to view the pic, he can do so (will this be termed as a request from Apache?).

Please let me know if this is possible. I'll be really grateful for any help from you :)
« Last Edit: September 22, 2004, 03:06:48 am by binesh »
Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline
  • Gender: Female
  • Posts: 6149
Logged

Bin

  • Coppermine newbie
  • Offline
  • Gender: Male
  • Posts: 13
Re: .htaccess & Coppermine albums?
« Reply #2 on: September 22, 2004, 01:54:24 am »

Hey ...

Thanks for a reply this quick and very relevant. I'm trying it and will reply here in a bit ... I think what you said should work just fine :D
Logged

Bin

  • Coppermine newbie
  • Offline
  • Gender: Male
  • Posts: 13
Re: .htaccess & Coppermine albums?
« Reply #3 on: September 22, 2004, 02:15:17 am »

How about putting this in the .htaccess file? When someone attempts to enter the absolute url, it redirects to the desired destination.
Code:
RewriteEngine on
# Serve images only when the Referer is the gallery site itself (with or without a path)
RewriteCond %{HTTP_REFERER} !^http://www.YourGalleryDomain.net/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.YourGalleryDomain.net$      [NC]
# Every other request for an image file is redirected instead of served
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ http://DesiredDestination.net [R,NC]

The desired destination could be a page with a message explaining the situation, or it could just point to the gallery itself.

Coppermine Wizard that you are, your suggestion worked like a charm for me  8)

This is exactly what I was looking for, thank you so much TranzNDance :D

Although, a few more queries, if it's ok with you.

Q1. I have placed this .htaccess in one of the albums in Coppermine, will I have to place the said .htaccess in all of the albums?
      Or can I append/add it to the .htaccess on the root folder of my website?

The current .htaccess in the root folder has this:
Code:
# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName www.mydomain.net
AuthUserFile /home/domainuser/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/domainuser/public_html/_vti_pvt/service.grp


Q2. Will using your suggestion restrict people from downloading the file with some download utility like Download Accelerator etc? (Just a query, for my info)


Would appreciate any reply that'd let me know what I am doing and what I should do if I need something similar in future :)

- Regards, Binesh.
« Last Edit: September 22, 2004, 02:23:03 am by binesh »
Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline
  • Gender: Female
  • Posts: 6149
Re: .htaccess & Coppermine albums?
« Reply #4 on: September 22, 2004, 02:23:59 am »

Well, I can't take credit for the code. I just entered in settings into a cPanel applet and that's what I got. :)

Subfolders will inherit their parent folder's .htaccess settings. If you want all your albums protected, you put the .htaccess file in the albums folder. If you want your entire site protected, you could add those lines to the existing file in your root folder.

I hear Front Page can be quite temperamental, so back up your .htaccess file before editing. Well, you should do that regardless.

I'm not familiar with those download utilities. If you have one, it would be great if you could test it out and report your results.
Logged

Bin

  • Coppermine newbie
  • Offline
  • Gender: Male
  • Posts: 13
.htaccess to prevent direct viewing (absolute url) of CPG albums pics!
« Reply #5 on: September 22, 2004, 02:44:59 am »

Well, thank you for your time & suggestion though :)

Got all that you said right on; I'll simply add the said .htaccess in the albums folder.

Everything else is fine, but the code suggested by you doesn't allow pnCPG blocks to display any Latest/Random images on PostNuke, as it calls for the images absolutely, I guess. All the images (in the said blocks) show up as a white box with a red cross mark on it. Can anything be done about this matter?
« Last Edit: September 22, 2004, 02:50:18 am by binesh »
Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline
  • Gender: Female
  • Posts: 6149
Re: .htaccess to prevent direct viewing (absolute url) of CPG albums pics!
« Reply #6 on: September 22, 2004, 02:47:05 am »

You would have to add the PostNuke domain to the whitelist of allowed domains, in this manner:
Code:
RewriteCond %{HTTP_REFERER} !^http://www.YourGalleryDomain2.net/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.YourGalleryDomain2.net$      [NC]

Also, there's a difference between the version of the domain with and without the www. Same thing if you want to allow a subdomain. I often forget about that when I add subdomains.
Logged

Bin

  • Coppermine newbie
  • Offline
  • Gender: Male
  • Posts: 13
Re: .htaccess to prevent direct viewing (absolute url) of CPG albums pics!
« Reply #7 on: September 22, 2004, 03:06:09 am »

My postnuke domain is http://mydomain.net which can be http://www.mydomain.net too.

I added my domain without the www's to the whitelist, as suggested by you.

Code:
RewriteEngine on
# Whitelist both the www and the bare form of the domain
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.net/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.net$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain.net/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain.net$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ http://www.mydomain.net [R,NC]

Sorted out my entire issue. Thank you TranzNDance.

Also, I tried downloading through a download manager using the absolute URL (say: http://mydomain.net/modules/pnCPG/Coppermine/albums/0001.JPG); the file gets downloaded as a JPG alright. But for some weird reason I couldn't view it; it showed up as blank. Opened it in Notepad: it's the source code of my index.php (that's where I've redirected it to), lol. Neat suggestion TranzNDance :)

Marking this topic as Solved :D
Logged
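The whitelist posted above works by chaining negated RewriteCond lines: the RewriteRule fires only when every condition holds, that is, when the Referer matches none of the allowed forms. The following Python model is an added example, not code from this thread or from Coppermine. It parses a constructed .htaccess fragment that mirrors the rule set above (placeholder domain, RewriteRule pattern written in its simplified form) and evaluates sample requests, so you can see which Referer values are served (www and bare domain), which are redirected (other sites, a subdomain that was never whitelisted, and an empty Referer, which is why the download manager received the redirect page instead of the image). The parser covers only the directives used in the thread.

```python
import re

# Constructed .htaccess fragment mirroring the rule set posted in this thread.
# "mydomain.net" is a placeholder; the RewriteRule pattern is the simplified
# equivalent of the cPanel-generated one.
HTACCESS = r"""
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.net/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.net$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain.net/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain.net$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ http://www.mydomain.net [R,NC]
"""

# Only the subset of mod_rewrite syntax used above is understood: RewriteCond
# against %{HTTP_REFERER} with optional "!" negation and the NC flag, plus one
# RewriteRule with a redirect target.
COND_RE = re.compile(r'^RewriteCond\s+%\{HTTP_REFERER\}\s+(!?)(\S+)\s*(?:\[([^\]]*)\])?$')
RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)\s*(?:\[([^\]]*)\])?$')


def _flags(raw):
    return {f.strip().upper() for f in (raw or '').split(',') if f.strip()}


def parse_htaccess(text):
    """Return ([(negated, compiled_pattern), ...], (compiled_rule_pattern, target))."""
    conds, rule = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line.startswith('RewriteEngine'):
            continue
        m = COND_RE.match(line)
        if m:
            negate, pattern, raw_flags = m.groups()
            flags = re.IGNORECASE if 'NC' in _flags(raw_flags) else 0
            conds.append((negate == '!', re.compile(pattern, flags)))
            continue
        m = RULE_RE.match(line)
        if m:
            pattern, target, raw_flags = m.groups()
            flags = re.IGNORECASE if 'NC' in _flags(raw_flags) else 0
            rule = (re.compile(pattern, flags), target)
            continue
        raise ValueError('unsupported directive: ' + line)
    if rule is None:
        raise ValueError('no RewriteRule found')
    return conds, rule


def decide(conds, rule, path, referer):
    """Model one request. `path` is the file path relative to the directory
    holding the .htaccess (per-directory context); `referer` is the Referer
    header, or '' when the client sent none. Returns the redirect target when
    the request is blocked, None when the image is served."""
    rule_re, target = rule
    if rule_re.search(path) is None:
        return None          # not an image: the rule never applies
    for negated, cond_re in conds:
        matched = cond_re.search(referer) is not None
        if matched == negated:
            return None      # this condition failed; conditions are ANDed
    return target            # every condition held: redirect instead of serving


def classify_samples():
    """Constructed requests for 'Me/Kiddie/12.jpg'; returns {referer: 'served'|'redirected'}."""
    conds, rule = parse_htaccess(HTACCESS)
    samples = [
        'http://www.mydomain.net/index.php',   # the gallery itself
        'http://mydomain.net',                 # bare domain, no path (fourth condition)
        'http://blog.mydomain.net/post',       # subdomain: not whitelisted, as Tranz warned
        'http://www.mydomain.net.example/',    # lookalike host: blocked
        'http://other.example/wall.html',      # hotlink from another site
        '',                                    # no Referer: download managers, privacy settings
    ]
    return {r: ('redirected' if decide(conds, rule, 'Me/Kiddie/12.jpg', r) else 'served')
            for r in samples}


if __name__ == '__main__':
    for referer, outcome in classify_samples().items():
        print(f'{outcome:10s} Referer={referer!r}')
```

Two things the model makes visible. First, the decision rests entirely on a header the client chooses to send, so a request that carries an allowed Referer is served whatever its origin; this is hotlink discouragement, not the access control that Coppermine's login provides. Second, the patterns are literal `http://` prefixes, so a gallery later served over HTTPS needs its whitelist extended in the same way the www and bare forms were.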

Bin

  • Coppermine newbie
  • Offline
  • Gender: Male
  • Posts: 13

Oh yeah! Would like to recommend this to the developers to incorporate in the coming releases of CPG. Also, taking this opportunity to thank the developers of CPG for giving us all the BEST gallery script we could've ever asked for :)
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de

I can see no way a download manager or other client app should be able to overcome those protections, as they're server-side. However, if you allow "regular" browsing on your site, you could get leeched with an offline website copier like httrack.

This cannot go into Coppermine core code, as it will only work for users on an Apache webserver with the rewrite engine turned on and a webhost allowing .htaccess files to be modified. As this is not the case for many websites that use Coppermine, it will always have to be a mod, but Omni (the dev team member who created the yet-to-come Coppermine plugin API) suggested making this into a plugin that could ship with Coppermine.

Joachim
Logged

Bin

  • Coppermine newbie
  • Offline
  • Gender: Male
  • Posts: 13
Re: (Solved) .htaccess to prevent direct viewing (absolute url) of CPG albums pi
« Reply #10 on: September 22, 2004, 09:17:47 pm »

I can see no way a download manager or other client app should be able to overcome those protections, as they're server-side. However, if you allow "regular" browsing on your site, you could get leeched with an offline website copier like httrack.

This cannot go into Coppermine core code, as it will only work for users on an Apache webserver with the rewrite engine turned on and a webhost allowing .htaccess files to be modified. As this is not the case for many websites that use Coppermine, it will always have to be a mod, but Omni (the dev team member who created the yet-to-come Coppermine plugin API) suggested making this into a plugin that could ship with Coppermine.

Joachim

Reply perfectly justified Joachim :)

Anyway, it served to suit my basic concern. I hope it does for many more users.

Thank you and your staff for the quick support :D
Logged

Extreme

  • Coppermine newbie
  • Offline
  • Posts: 4
Re: .htaccess & Coppermine albums?
« Reply #11 on: November 13, 2004, 04:03:03 pm »

Quote
Q2. Will using your suggestion restrict people from downloading the file with some download utility like Download Accelerator etc? (Just a query, for my info)

Exactly what I need: a solution to prevent leechers that use software such as Teleport Pro, WebStripper etc. to grab the whole site... If anyone has tips on how to take care of it, please let us know.  :-\\
Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline
  • Gender: Female
  • Posts: 6149

Quote
Q2. Will using your suggestion restrict people from downloading the file with some download utility like Download Accelerator etc? (Just a query, for my info)

Exactly what I need: a solution to prevent leechers that use software such as Teleport Pro, WebStripper etc. to grab the whole site... If anyone has tips on how to take care of it, please let us know.  :-\\
@Extreme, what are you talking about? This thread has been about tips on "how to take care of" leechers. Did you try the instructions/code?
Logged

Extreme

  • Coppermine newbie
  • Offline
  • Posts: 4

Quote
Q2. Will using your suggestion restrict people from downloading the file with some download utility like Download Accelerator etc? (Just a query, for my info)

Exactly what I need: a solution to prevent leechers that use software such as Teleport Pro, WebStripper etc. to grab the whole site... If anyone has tips on how to take care of it, please let us know.  :-\\
@Extreme, what are you talking about? This thread has been about tips on "how to take care of" leechers. Did you try the instructions/code?

Yeah you're right mate, this thread is totally wrong.  :-\\ I'll better make a new clean one instead, hehe.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de

Yeah you're right mate [...]
Look at the gender displayed in the profile of TranzNDance  ;)

Joachim
Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline
  • Gender: Female
  • Posts: 6149

Thank you for pointing it out on my behalf, Joachim. :)
Logged

kegobeer

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline
  • Gender: Male
  • Posts: 4637
  • Beer - it does a body good!
    • The Kazebeer Family Website

[off topic]
When I lived in England, I often heard women calling their friends 'mate' - just like I tend to call my friends 'pal'.  No offense was meant, I'm sure.
[/off topic]
Logged
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots