
Author Topic: Prevent direct access to images?  (Read 19995 times)


Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Prevent direct access to images?
« on: November 09, 2010, 10:04:25 am »

I have it set up now so that users can only view thumbnails unless I move the user account to a group named 'PAID MEMBERS'.  Well, I noticed a little problem with this.  I can right click and view source, scroll down to the thumbnail path, and remove the word thumb and the images are all fully accessible this way.  Is there a way to prevent direct access to the images without viewing each image on the pages and albums directly on the site?  I'd prefer this to be blocked completely for ALL users even admins. 

Thanks a million!
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: Prevent direct access to images?
« Reply #1 on: November 09, 2010, 12:24:20 pm »

That has been discussed here before and is possible with an appropriate .htaccess rule that checks the referrer. But that's neither 100% secure nor works for all your visitors (especially people with pseudo security software that hides the referrer). Maybe it's possible if you use the readfile function everywhere instead of accessing images directly.
Logged

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #2 on: November 09, 2010, 04:10:30 pm »

The .htaccess file is a route I would like to take.  I found a couple of different lines of code on here and online and I added it to the .htaccess file and when I do that, none of the images work even when logged in.  I also had it redirect the images to a single default image, but it replaced all the images on my gallery with that default image.

What would be the proper way to block external image use using .htaccess?  But still allowing access when viewing the photo through the gallery pages?
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: Prevent direct access to images?
« Reply #3 on: November 09, 2010, 05:00:49 pm »

Something like that should work.

Logged

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #4 on: November 09, 2010, 05:08:40 pm »

I tried that initially before posting this and it blocks everything with those file types even when viewing them from the gallery. 
Logged

Nibbler

  • Guest
Re: Prevent direct access to images?
« Reply #5 on: November 09, 2010, 05:26:40 pm »

You need to change mydomain.com to the allowed domain. Post your .htaccess file.
Logged

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #6 on: November 09, 2010, 05:28:35 pm »

Here is my .htaccess file:

Code: [Select]
RewriteEngine on
Rewritecond %{HTTP_HOST} !^www\.5glibrary\.com
RewriteRule (.*) http://www.5glibrary.com/$1 [R=301,L]
RewriteRule \.(jpg)$ - [F]
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: Prevent direct access to images?
« Reply #7 on: November 09, 2010, 06:28:32 pm »

You have to check for %{HTTP_REFERER} as described in the tutorial. You cannot just copy the last line ::)

Try to replace
Code: [Select]
RewriteRule \.(jpg)$ - [F]
with
Code: [Select]
RewriteCond %{HTTP_REFERER} !^http://www\.5glibrary\.com/.*$ [NC]
RewriteRule \.(jpg)$ - [F]
Logged

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #8 on: November 09, 2010, 06:50:05 pm »

Thank you.  I will try it when I get home.  I need to learn more about this sort of thing.  Even though it can be outlined in a tutorial I am very apt to overlook terms and key instructions.

I will let you know if it works.  Thanks again!
Logged

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #9 on: November 09, 2010, 10:16:00 pm »

I just tried it and I still have the same problem.  It will block the image from directly typing the path in the address bar, but it also prevents images from being viewed on the gallery pages.
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: Prevent direct access to images?
« Reply #10 on: November 10, 2010, 11:37:13 am »

Quote
I just tried it and I still have the same problem.  It will block the image from directly typing the path in the address bar, but it also prevents images from being viewed on the gallery pages.

Cannot confirm on my local testbed. This is my entire .htaccess file:
Code: [Select]
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://localhost:88/.*$ [NC]
RewriteRule \.(jpg)$ - [F]
I can view images in the gallery, but cannot access them directly.
Logged

Stramm

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 6006
    • Bettis Wollwelt
Re: Prevent direct access to images?
« Reply #11 on: November 10, 2010, 12:16:24 pm »

mod_rewrite needs to be enabled. Talk to your host if that's true for your account.

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #12 on: November 10, 2010, 02:10:55 pm »

I just sent a help ticket to my host asking about the mod rewrite issue.  Thanks guys.  I will update as this progresses!
Logged

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #13 on: November 10, 2010, 02:27:54 pm »

Got a fast response from them.  Here was their reply:

Quote
Mod_rewrite is not enabled because this server does not use Apache. However, the rewriting capability is most certainly active. You can activate it for your domain via the .htaccess with the following two lines. You may still need to turn on rewrites via your CMS however.

Options +FollowSymLinks
RewriteEngine on

Let us know if you have any further questions and we would be glad to help. Thank you.
Logged

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #14 on: November 10, 2010, 02:30:50 pm »

And I just tried adding the options line to the .htaccess and it still doesn't display images in the gallery :(  sadface
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: Prevent direct access to images?
« Reply #15 on: November 10, 2010, 02:57:07 pm »

Please fill your existing .htaccess file with only that content
Code: [Select]
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www\.5glibrary\.com/.*$ [NC]
RewriteRule \.(jpg)$ - [F]
and access your website with the leading 'www.'. If that doesn't work, we cannot do anything for you.
Logged
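
Added example, not part of any post in this thread: a small Python model of how mod_rewrite evaluates the rule sets from Reply #6 and Reply #15, showing which requests each one answers with 403. It handles only the directives and flags used in the thread, and the image path and gallery URL are constructed samples.

```python
import re

# The two rule sets posted in the thread (Reply #6 and Reply #15).
REPLY_6 = r"""
RewriteEngine on
Rewritecond %{HTTP_HOST} !^www\.5glibrary\.com
RewriteRule (.*) http://www.5glibrary.com/$1 [R=301,L]
RewriteRule \.(jpg)$ - [F]
"""
REPLY_15 = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www\.5glibrary\.com/.*$ [NC]
RewriteRule \.(jpg)$ - [F]
"""
# Constructed sample request values (path and query string are made up).
IMG = "albums/userpics/photo.jpg"
GALLERY = "http://www.5glibrary.com/displayimage.php?pos=-1"

def parse(htaccess):
    """Pair every RewriteRule with the RewriteCond lines directly above it."""
    rules, conds = [], []
    for parts in (line.split() for line in htaccess.strip().splitlines()):
        name = parts[0].lower()              # directive names are case-insensitive
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        if name == "rewritecond":
            conds.append((parts[1], parts[2], flags))
        elif name == "rewriterule":
            rules.append((conds, parts[1], flags))
            conds = []                       # conditions bind to one rule only
    return rules

def cond_holds(test, pattern, flags, env):
    value = env.get(test[2:-1], "")          # "%{HTTP_HOST}" -> "HTTP_HOST"
    hit = re.search(pattern.lstrip("!"), value, re.I if "NC" in flags else 0)
    return (hit is None) if pattern.startswith("!") else (hit is not None)

def status(htaccess, path, host, referer=""):
    """HTTP status the rule set yields for one request (200 = served as-is)."""
    env = {"HTTP_HOST": host, "HTTP_REFERER": referer}
    for conds, pattern, flags in parse(htaccess):
        if re.search(pattern, path) and all(cond_holds(*c, env) for c in conds):
            if "F" in flags:
                return 403
            redirect = [f for f in flags if f.startswith("R=")]
            if redirect:
                return int(redirect[0][2:])
    return 200
```

Under the Reply #6 file every `.jpg` request on the www host gets 403 because the last rule has no condition of its own. Under the Reply #15 file a request with an empty Referer, or one arriving from the non-www host name, is refused as well, which is the behaviour André describes for hidden referrers and the leading 'www.'.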

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: Prevent direct access to images?
« Reply #16 on: November 10, 2010, 02:58:14 pm »

Maybe it's a client-side issue?
Quote
nor works for all your visitors (especially people with pseudo security software that hides the referrer).

Please report if you have replaced your .htaccess file, so we can also test.
Logged

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #17 on: November 10, 2010, 03:01:58 pm »

I just replaced it with what you recommended.  No change here still.

www.5glibrary.com
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: Prevent direct access to images?
« Reply #18 on: November 10, 2010, 03:07:56 pm »

Works as expected for me. See attached screenshot.
Logged

Shaar

  • Coppermine newbie
  • Offline Offline
  • Posts: 12
Re: Prevent direct access to images?
« Reply #19 on: November 10, 2010, 03:11:16 pm »

That is very odd.  I tried clearing my internet history here just in case, and tried both IE and Firefox and I just get red x's in IE and just the file name in Firefox.  Very very strange.
Logged