
Mask URL Plugin for CPG 1.5.x


gmc:
OK... I owed the dev team this one for a while now...
We've talked about ways to better secure your photos in the gallery - as the path to your photos is clearly visible in the html source produced by the gallery. So here is an alternative - the ability to 'mask' or 'encrypt' the filepath in the produced URLs.
There is of course a tradeoff between more secure and more overhead... read on.

This plugin adds the ability to mask or hide the actual file location of your pictures...
Normally the delivered html contains <img> tags that can be read to find your photo locations and directory structure.
As the photos are delivered via <img> tags, http access must be provided to the album folder (and subfolders).
This allows curious (or malicious) users an easy opportunity to find your pictures and download them.
But what if the delivered html looked like this:

--- Code: ---  <img src="index.php?file=maskurl/displayimage&photokey=8dOgllfG1PqJQwj0%2BNuSOMuDNKC%2B14ABd6Rfn7nhZNXVaB9bn0V1IOUTZ%2FGw" ...>

--- End code ---
Since the path to the albums directory is configurable (doesn't have to be 'albums/') and of course you can have any subfolder structure you want... the task of locating your pictures files is made harder... to near impossible (based on your choices configuring the plugin).

Options to 'mask' or 'encrypt' the path to photos are offered.
These options appear to have similar results - but the algorithm used has quite different results.

* The masking can be decoded by anyone that can read/understand the PHP being used (access to this plugin's source) - but it does have less overhead.
* The encryption requires encryption keys and initialization vectors that would require access to specific fields in your Coppermine database in addition to the PHP code to be able to reverse. The encryption option will use more CPU resources - but provides better protection.

The choice is of course yours...

An additional benefit of masking/encrypting is that http access to the albums directory is no longer required... All CPG functions generating the picture URL drive this plugin, and all will be changed. As a result, a .htaccess file can be placed in the albums directory denying all access - providing additional protection for your photos. A sample .htaccess file is included in the plugin directory - named .htaccess.txt - this needs to be copied to the albums directory and named .htaccess if you wish to use it.
NOTE: If you disable this plugin - or set the option to 'Clear Text' - and have the .htaccess file in place, you will be unable to view photos in your gallery!!

All filetypes permitted by CPG are supported (based on the contents of cpg15x_filetypes table). Proper additions to that table will be automatically recognized by the plugin and supported. The 'mime' type must be correctly specified in that table!

The readme file can be viewed at: (also included in the zip file of course...):
http://greggallery.gmcdesign.com/plugins/maskurl/readme.php

The results:
I've been using this technique in my gallery for some time... using the encryption option and the .htaccess restriction.
http://gallery.gmcdesign.com
Can you tell me where my photos are?

Code is attached below.

Good luck, and let me know what you think...
Thanks!
Greg (gmc on the cpg forum)
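
The 'encrypt' option described in the post above, as an added sketch that is not the Mask URL plugin's code: the relative path is sealed into an opaque `photokey`, and the serving side rejects modified tokens and confines the result to the albums root. It uses the openssl extension (mcrypt was removed from PHP core in 7.2); the function names, the `ALBUMS_ROOT` value and the sample path are assumptions.

```php
<?php
// Added illustration, not the plugin's code. All names here are hypothetical.
// Requires PHP >= 7.1 with the openssl extension (AES-256-GCM support).

const ALBUMS_ROOT = '/var/www/site/albums';   // assumed albums location

function make_photokey(string $relPath, string $key): string
{
    $iv = random_bytes(12);                   // fresh 96-bit nonce for every token
    $ct = openssl_encrypt($relPath, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);   // rawurlencode() it when building the URL
}

function resolve_photokey(string $photokey, string $key): ?string
{
    $raw = base64_decode($photokey, true);
    if ($raw === false || strlen($raw) < 12 + 16 + 1) {
        return null;                          // malformed token
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);              // 16-byte GCM authentication tag
    $ct  = substr($raw, 28);
    $rel = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($rel === false) {
        return null;                          // wrong key or modified token
    }
    // Defence in depth: the decrypted path must still resolve inside the albums root.
    $root = realpath(ALBUMS_ROOT);
    $full = realpath(ALBUMS_ROOT . '/' . $rel);
    if ($root === false || $full === false || strpos($full, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo values.
$key   = random_bytes(32);                    // in practice: a stored per-site secret
$token = make_photokey('userpics/10001/thumb_sample.jpg', $key);
echo 'index.php?file=maskurl/displayimage&photokey=' . rawurlencode($token), PHP_EOL;

$tampered = $token;
$tampered[20] = ($tampered[20] === 'A') ? 'B' : 'A';   // alter one character of the tag
var_dump(resolve_photokey($tampered, $key));           // the altered token is rejected
```

Because the token is authenticated, the serving script never opens a path the site did not issue itself, which matters once the albums directory is closed to direct http access.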

marcelm:
When trying to activate the plug-in I get the following error:


--- Code: ---Fatal error: Call to undefined function mcrypt_get_key_size() in /var/www/site/plugins/maskurl/functions.php on line 31
--- End code ---

marcelm:
I have now installed php-mcrypt and php-phpseclib-crypt-rijndael, and the plug-in still does not want to install.

I got some warnings on installing crypt-Rijndael


--- Code: ---  Installing : php-process-5.4.40-1.el6.remi.x86_64                                                                   1/6
  Installing : php-xml-5.4.40-1.el6.remi.x86_64                                                                       2/6
  Installing : 1:php-pear-1.9.5-10.el6.remi.noarch                                                                    3/6
  Installing : php-channel-phpseclib-1.3-1.el6.remi.noarch                                                            4/6
  Installing : php-phpseclib-crypt-base-0.3.10-1.el6.remi.noarch                                                      5/6
PHP Warning:  popen() has been disabled for security reasons in /usr/share/pear/OS/Guess.php on line 242
PHP Warning:  fgets() expects parameter 1 to be resource, null given in /usr/share/pear/OS/Guess.php on line 243
PHP Warning:  pclose() has been disabled for security reasons in /usr/share/pear/OS/Guess.php on line 252
  Installing : php-phpseclib-crypt-rijndael-0.3.10-1.el6.remi.noarch                                                  6/6
PHP Warning:  popen() has been disabled for security reasons in /usr/share/pear/OS/Guess.php on line 242
PHP Warning:  fgets() expects parameter 1 to be resource, null given in /usr/share/pear/OS/Guess.php on line 243
PHP Warning:  pclose() has been disabled for security reasons in /usr/share/pear/OS/Guess.php on line 252
  Verifying  : php-phpseclib-crypt-base-0.3.10-1.el6.remi.noarch                                                      1/6
  Verifying  : php-channel-phpseclib-1.3-1.el6.remi.noarch                                                            2/6
  Verifying  : php-xml-5.4.40-1.el6.remi.x86_64                                                                       3/6
  Verifying  : php-phpseclib-crypt-rijndael-0.3.10-1.el6.remi.noarch                                                  4/6
  Verifying  : php-process-5.4.40-1.el6.remi.x86_64                                                                   5/6
  Verifying  : 1:php-pear-1.9.5-10.el6.remi.noarch 
--- End code ---

marcelm:
After the reboot of the server the plug-in installed fine. Selecting anything other than 'clear text' hides all my thumbnails, and that is maybe due to the fact that I am using another plug-in, EnlargeIt.

gmc:

--- Quote from: marcelm on April 19, 2015, 12:19:00 pm ---After the reboot of the server the plug-in installed fine. Selecting anything other than 'clear text' hides all my thumbnails, and that is maybe due to the fact that I am using another plug-in, EnlargeIt.

--- End quote ---
I installed EnlargeIt to test - and there is a conflict...

EnlargeIt replaces the <img> tags via filter 'theme_display_thumbnails_params' overwriting any changes made earlier by the 'picture_url' filter...  So all the image thumb and normal URLs appear in clear text on the thumbnails page even when mask_url has encrypted them...
And since it replaces the <img> tags - it now needs http access to the albums folder...
So if you have the .htaccess rules in place in the albums directory - the thumbnails will display fine on the main page - but when selecting an album, the thumbnails will fail to load (as requested by .htaccess).

The cost of security...  :(
I'll take a deeper look to see what can be done - as I know EnlargeIt is a popular plugin

@devs - can a plugin call the pluginAPI??  Just a thought...
