Full Size Pics Outside web root

Started by kper, May 12, 2005, 07:36:28 PM


kper

This may require too much restructuring, and may be beyond what Coppermine is intended to achieve, but it would be good to be able to store the full-size images in a folder outside the web root (for those who have this facility with their host), and therefore not directly accessible to the world.

This would mean that Coppermine could be used more securely for applications where you only want some people to be able to access full-size images (in conjunction, for example, with the mod to download them rather than displaying them in a javascript popup).

At the moment, Coppermine cannot be truly secure in this respect. The url for the full-size image can be guessed by looking at the properties of the thumbnail images, and then all you can do is use .htaccess and check for the referer (having disabled full-size popup windows etc.). The referer can, of course, be spoofed by determined image thieves.

I suspect that this design-feature is applicable to more Coppermine users than one might imagine - small image libraries, semi-pro photographers and the like, - which is why I make the suggestion.

Joachim Müller

good point, and yes, I agree that it would be nice if coppermine had the ability to store stuff outside of the web root and dynamically show this stuff (if permissions apply), but as you already suggested: this is hard to accomplish, so I'm not sure it will go into the core code. Mods/hacks that can do what you suggest would be very welcome.

kper

How about if it were possible simply to store the full-size images in a different  folder from the thumbs and intermediate size ones (though still under the web root), via a config option, just like it is currently possible to change file prefixes and, indeed, the name  of the albums directory?

Then chmod (or Windows permissions) could be used to make that directory not world-accessible.

Then someone who needed this feature could disable the javascript popups and apply the download mod
http://forum.coppermine-gallery.net/index.php?topic=6464.0

Would that work?


mickey174

My request is similar: to be able to store all images in a configurable directory, either within my public web space or in my private space outside of my web space. This way I can choose where my images are placed. Functionality would include:

1) Configuration options for all album & image locations
2) Utilities to move the images to different albums or locations

kegobeer

I am experimenting with locating images outside of the document root, and it looks promising.  I work on it when time allows, so there is no timeframe when it will be complete or ready for testing.  Large filesizes can cause problems, but I'm looking into ways around potential problems.

There is a way to prevent hotlinking without images being stored outside the document root: htaccess file with deny all in it, and then use a php script to fetch and display the image.  A sample script would be like this: <img src="showimg.php?file=location\file"> - the showimg.php file would have the actual document location, then add the file variable to it and fetch the image.  The address shown would be "showimg.php?file=location\file", and the user wouldn't know where the picture is located.  For users without the ability to store files outside the document root, this would be a way to secure the images from hotlinking.  I may incorporate this into my code at some point to give another way to secure images.  IIS users may be left out in the cold unless there's a similar way to do it.

Moving images around isn't in my plans, as I believe images should be left alone once they are placed, and then let the database worry about what images are where.  It wouldn't be too hard to write a script to change database information if an admin decides to FTP the images to different locations, especially since FTP is much more efficient than letting PHP do the file moves.

Please don't respond asking for sample code or asking where I am in the coding process.  When I have something ready I'll post it.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

kper


I notice that the new Gallery2 allows you to set up a data folder outside your web root as part of the install routine, which is very nice. It also suggests that others think it is a v useful option to have.

But G2 is SLOOOOOOW...

Thanks for looking into this kegobeer. I don't suppose it might go into the stable release of 1.4 ?


Tarique Sani

This should not be too hard to code BUT this will also make CPG slower

The basic code flow would involve:
1) Storing the fullsize files outside webroot
2) Creating a file which goes into the img src in the displayimage.php instead of the URL for the actual image.
What this new file will do is check if the user has permissions, then check what kind of file is requested, send appropriate headers and use readfile() to output the image.

But I do wonder how other media types will be handled... that is where it gets P2C2E (process too complicated to explain)

So you are right this is not going into core code - but I would love to see such a mod :)
SANIsoft PHP applications for E Biz
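
The flow described in the posts above (block direct access, check permission, work out the file type, send headers, `readfile()`), as an added example that is not part of the thread and is not Coppermine code. The store path and the session flag are assumptions; because `file` comes from the URL, the script resolves it with `realpath()` and refuses anything that lands outside the store directory.

```php
<?php
// Added example, not Coppermine code. STORE_DIR and the session flag are assumptions.
const STORE_DIR = '/home/example/private_albums'; // hypothetical directory outside the web root
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

/** Map the untrusted ?file= value to a real file inside $baseDir, or null. */
function resolve_image(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses "..", symlinks and duplicate separators; false if missing
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved path must still sit under the store directory
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
// Hypothetical permission flag, set elsewhere by the gallery's login code
if (empty($_SESSION['can_view_fullsize'])) {
    http_response_code(403);
    exit;
}
$file = $_GET['file'] ?? '';
$path = is_string($file) ? resolve_image(STORE_DIR, $file) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
// Decide the type from the file's content, not from the requested name
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ALLOWED_TYPES, true)) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The type check uses PHP's fileinfo extension; other media types would each need their own entry in the allowlist.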

kper

Quote
How about if it were possible simply to store the full-size images in a different  folder from the thumbs and intermediate size ones (though still under the web root)

That wouldn't impact performance, would it?

Webserver access controls could be specified on that folder (file permissions, plus htaccess, assuming Apache is being used); then pop-ups for full-size images could be disabled and the download mod applied instead ( http://forum.coppermine-gallery.net/index.php?topic=6464.0 )

Would that be a problem for other media types?


kegobeer

I have some cool things I've done - but my lack of time has prevented me from posting anything yet.  It's nice... and there aren't any slowdowns that I've seen.  Plus, it allows you to put files anywhere you want, not just in the /albums directory.  It handles all media files just fine.

kper

Fantastic! I'll wait...

Thanks for putting the time into it, kegobeer.

Looking forward to it.

Will it be compatible with 1.4 when it comes? Or are you just doing for 1.3 ?


kegobeer

1.4+.  It will not be available for 1.3.x.

Titooy

RatKing is also working on something similar. Maybe you should gather your knowledge...
http://forum.coppermine-gallery.net/index.php?topic=13732.20

radianation

Sorry for the late reply, but did this ever go anywhere?

Joachim Müller

Hasn't been done for cpg1.4.x.
Might go into future versions, but currently hasn't been implemented into any version at all.

RatKing

 :o I'm back...

Yes, I have been working on something like this, but the brief there included counting the amount of data used and giving the administrator the ability to prevent user groups (I believe it was) from viewing certain types of images. In other words, a group would be able to see thumbnails but not intermediate or full size (they would get a no access image instead), where another group would get thumbnails and intermediate but not the full size... etc.
Included in this was counting the exact amount of data used by each user to download the image files (not the rest of the page) and producing nice stats with that of course with the aim at sending bills out for each Mb or so  ;)

Anyway, this was a mod done for 1.3.X which was never completely finished. I'll have a looksy at what it was that I had done and see if I can push this into 1.4.9 (should not be very hard I hope)

I will limit the scope of the thing or finish it on 1.3.X and port it to 1.4.9 later, not sure. I should have some time on my hands in the near future so I hope to have this all done in a week or 2.


Paver

@RatKing: Depending upon how much code you have written already, you might consider looking at writing the 1.4 version as a plugin so it's easy to apply, especially during upgrades.  Here's a plugin that might give you a starting point or some suggestions: Full-Size & Intermediate Photos Access Control.

I do realize that mods/hacks are much easier to write, but there are a good number of ways to use the plugin system to do the same thing.

RatKing

Quote from: Paver on October 01, 2006, 06:06:28 PM
@RatKing: Depending upon how much code you have written already, you might consider looking at writing the 1.4 version as a plugin so it's easy to apply, especially during upgrades.  Here's a plugin that might give you a starting point or some suggestions: Full-Size & Intermediate Photos Access Control.

I do realize that mods/hacks are much easier to write, but there are a good number of ways to use the plugin system to do the same thing.

You are right, the code is all there. I need to make a slight alteration, but using the basics that I can see in the example plugins I think I should be able to make it into a plugin. All that is needed is changing the source of every single photo that is shown on the site :-) (if someone has a real-life example of such a plugin it would save a lot of time)
All that the code does is call a php script that reads a file on the local file system; this file is then served to the browser as an image. So as long as the http server process is able to read the directory, it will be able to serve the file from any location on your file system.