Can Coppermine use images stored above the web root?

Started by Waylon, March 27, 2004, 04:49:39 PM


Waylon

I'm interested in using Coppermine to replace an existing image gallery. Currently all my images are stored above the web root. Can Coppermine access and display images that are stored above the web root?

I ask because I've installed Coppermine and have batch-added some images. The batch-adding process seemed to go fine, but the pictures don't appear.

When I view the source for the image, it's adding the system path to the SRC parameter. Normally it would be something like:

http://www.mydomain.com/gal01/thumb_0033.JPG

But because I'm storing the images above the web root, it's coming out something like this

http://www.mydomain.com/home/domain/album/gal01/thumb_0033.JPG

Is there a work around for this, or a way for me to set the configuration so I can store my images above the web root? If not, is there a way to set permissions so people can't access the Coppermine 'album' directory directly? I'm trying to prevent people from mass downloading my images with a web-vacuum like PicGrab or something similar.

Thanks in advance for any assistance you can offer, and for creating such a truly superb image gallery script!

Nibbler

It will require quite a lot of work to use images from above the webroot. You should have a blank index.html file in your albums dir which will stop people getting a file listing though.

Waylon

Quote from: "Nibbler": I don't think it is possible to use images stored above the web root.

You mean in general, or with Coppermine? I know it's possible, because I run a site with ~3000 images now, and all of them are stored above the web root. Unfortunately the script that was in use until recently is susceptible to hacking (which is why I can't use it and am looking for a replacement).


Quote from: "Nibbler": You should have a blank index.html file in your albums dir which will stop people getting a file listing though.

Yes, but it won't stop web-vacuums like PicGrab and similar utilities.


Quote from: "Nibbler": Easy enough to get a script to crawl your site and dl any images it finds however much you try to avoid whole site downloads.

True, but I'm more interested in stopping the casual user who has the 'skills' to use something like PicGrab but who isn't smart enough to custom write a script to pillage my site.

I suspect I could probably modify Coppermine to serve images from above the root, I'm just trying to find out if it's already been done or if I'll have to spend all the time it would take to code the changes (which I'd rather not have to do).

Nibbler

Apologies for editing after you quoted, didn't notice.

There is no simple way to do this, nor is it available as a mod as far as I know.

Tarique Sani

However there is a mod available which does not reveal the image path for the fullsize files - see

http://forum.coppermine-gallery.net/viewtopic.php?p=13483
SANIsoft PHP applications for E Biz

Waylon

I was thinking of using something like this:

<?php
// get the filename
// (note: whatever is put in this variable is sent to the client and comes back
// in the request, so output.php must not read arbitrary paths from the URL)
$filename = "/home/mydomain/album/gallery1/$picturename";
?>
<!-- show the image -->
<img src="/util/output.php?filename=<?php echo urlencode($filename); ?>">


"output.php" would contain this:

<?php
// $filename arrives in the query string (register_globals did this automatically in 2004)
$filename = isset($_GET['filename']) ? $_GET['filename'] : '';
// only serve files that really live under the album directory above the web root
$real = realpath($filename);
if ($real === false || strpos($real, '/home/mydomain/album/') !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
$f_ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
if ($f_ext == "gif") {
    header('Content-type: image/gif');
} else {
    header('Content-type: image/jpeg');
}
header('Content-transfer-encoding: binary');
header('Content-length: ' . filesize($real));
readfile($real);
?>


This just streams the image to the browser. It has to be done this way as an include file due to the way headers are handled in the browser.  

This approach is working in another web application I have, so I think it could be applied to Coppermine as well.  My problem is I don't know where to start looking in Coppermine (I'm not at all familiar with the code), but I may poke around a bit tonight and see if I can find where to make some changes.

If anyone wants to offer suggestions on where to start (or even take a whack at it yourselves), please do.
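A hardened form of the streaming idea in this post, added here as an example; it is not Coppermine's code and not the poster's output.php. Instead of accepting a filesystem path from the URL, the client names a gallery and a file, and the script maps those onto a fixed directory above the web root and refuses anything that resolves outside it. ALBUM_BASE, the parameter names and the extension list are assumptions.

```php
<?php
// Added example (not Coppermine code): serve an image that lives outside the
// document root without taking a raw filesystem path from the client.
const ALBUM_BASE  = '/home/mydomain/album';      // above the web root (assumed location)
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'gif' => 'image/gif', 'png' => 'image/png'];

// Resolve the "gallery" and "file" request parameters to a path that is
// guaranteed to stay inside ALBUM_BASE. Returns null when the request must be refused.
function resolve_image_path(string $gallery, string $file): ?string
{
    // Only plain names: no slashes, no "..", no NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $gallery)
        || !preg_match('/^[A-Za-z0-9_.-]+$/', $file)
        || strpos($file, '..') !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;
    }
    $real = realpath(ALBUM_BASE . '/' . $gallery . '/' . $file);
    $base = realpath(ALBUM_BASE);
    // realpath() follows symlinks, so a link pointing outside the album tree is caught too.
    if ($real === false || $base === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

// Send the image with a Content-Type chosen from our own list, not from the request.
function stream_image(string $path): void
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED_EXT[$ext]);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Request shape this script expects (assumed):
//   <img src="/util/output.php?gallery=gal01&file=thumb_0033.JPG">
$path = resolve_image_path($_GET['gallery'] ?? '', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);   // same answer for "outside the tree" and "missing"
    exit;
}
stream_image($path);
```

The important design choice is that the only thing the URL carries is a name the script looks up inside a directory it controls; the absolute path never leaves the server, so there is nothing for a visitor to edit.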

Tarique Sani

What you have stated is almost exactly what the mod in the previously mentioned topic does
SANIsoft PHP applications for E Biz

Waylon

Quote from: "tarique"What you have stated is almost exactly what the mod in the previously mentioned topic does

Thank you, tarique!

I tried this mod and it worked like a charm for the most part. I may add some additional security code into it (just because I'm paranoid, see below) and if I do, I'll post the code here in case anyone else wants it.

I should also mention that this mod works just fine when your images are stored above the web root. There are a couple of places where images are missing, such as at the top of the front page where it lists all the galleries with a thumbnail beside the gallery name. The missing images are referencing an image in this location (for example):

http://mydomain.com/home/mydomain/album/gal04/thumb_0199.JPG

The real image is in /home/mydomain/album/gal04

My guess is this won't be too hard to track down and fix.

Now, why am I paranoid? Well, the previous gallery script I was using had a security hole. Some little hacker maggot used the security hole to upload code to my site, and then he used it to stage an attack on another site. Soooo, it was time to find a more secure script. I hope Coppermine is secure, because the hacking of my site cost me a ton of time and trouble (and yes, some money too).

Waylon

I applied the modification that hides the image path from the user (http://forum.coppermine-gallery.net/viewtopic.php?p=13483). The modification makes use of a file called 'get_file.php' to stream the image to the browser.

Unfortunately, although it hides the actual path of the image well, it doesn't stop people from hot-linking to an image *through* the 'get_file.php' code. I want to prevent people from hot-linking to my images and clobbering my bandwidth, so I added the following code to 'get_file.php' to prevent that. It just does a simple referer check and validates on that. It's not foolproof but it'll knock out the majority of hot-links to your images.

Just paste the following code in at the very top of the 'get_file.php' file, right after the opening <?php tag.

// Hot-Link Stopper by Waylon 3-2004
// is the domain name in the REFERER string?
// ($HTTP_REFERER relied on register_globals; read the header from $_SERVER instead)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$legit = strpos($referer, "mydomain.com");

// if not, display the error image
// (strpos() returns false when the text is absent, so test with === false rather than == "")
if ($legit === false) {

    // the error image to display...
    $filename = "/path/to/your/error/image.gif";

    // stream image out to browser
    header('Content-type: image/gif');
    header('Content-transfer-encoding: binary');
    header('Content-length: ' . filesize($filename));
    readfile($filename);

    // crash-o-la...
    exit;

}



1) Make sure you change the 'mydomain.com' text to match your domain.

2) Set the system path to an 'error' image. If the referer check fails, the error image is shown instead. My error image just says "To view this picture go to....", but if you wanted to you could be cruel and use a nasty XXX image to give the hot-linker a rude awakening. ;)

Please feel free to use this code any way you want; no credit to me is needed or asked for.
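The substring test above accepts any Referer that merely contains the text "mydomain.com", for example a host such as mydomain.com.other.example or a query string that mentions the domain. The following is an added example, not part of the thread's get_file.php, that compares the Referer's host name against a list of your own hosts instead; the host list and the sample Referer values are constructed for the example.

```php
<?php
// Added example (not part of the thread's get_file.php): decide whether a
// request's Referer names one of our own hosts.
function referer_allowed(?string $referer, array $allowed_hosts, bool $allow_empty = false): bool
{
    // Browsers may omit Referer (privacy settings, HTTPS->HTTP, typed-in URLs).
    // Refusing those requests is what the original check does; $allow_empty lets you relax it.
    if ($referer === null || $referer === '') {
        return $allow_empty;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $host = strtolower($host);
    foreach ($allowed_hosts as $allowed) {
        $allowed = strtolower($allowed);
        // Exact match, or a subdomain of an allowed host. The match is anchored on
        // the dot, so "mydomain.com.other.example" is not accepted.
        $suffix = '.' . $allowed;
        if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed Referer values: what the plain substring test lets through and
// what the host comparison does with them.
$allowed = ['mydomain.com', 'www.mydomain.com'];
foreach ([
    'http://www.mydomain.com/gallery/index.php',    // our own site
    'http://mydomain.com.other.example/page',       // substring "mydomain.com" present
    'http://other.example/?go=mydomain.com',        // substring in the query string
    '',                                             // no Referer header at all
] as $ref) {
    printf("%-45s %s\n", $ref === '' ? '(no Referer)' : $ref,
           referer_allowed($ref, $allowed) ? 'serve image' : 'serve error image');
}

// In get_file.php this replaces the strpos() test:
//   if (!referer_allowed($_SERVER['HTTP_REFERER'] ?? null, $allowed)) { ...send error image...; exit; }
```

This is still only a Referer check: the header is sent by the client and a downloader can set it to anything, so it stops casual hot-linking rather than a determined scraper, exactly the trade-off the post describes.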

Tarique Sani

Oh! I had forgotten to mention that the code does not honour privacy / permissions so people can see pictures in private albums by just changing the pid...

function get_private_album_set() will help in that regard if you want to implement that...
SANIsoft PHP applications for E Biz
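The gap Tarique describes is an authorization check: get_file.php streams whatever picture id it is handed, so the question "may this viewer see the album this pid belongs to?" has to be answered before readfile() runs. The following is an added example, not Coppermine code; the picture table and the album lists are constructed for the example, and in Coppermine the viewable album list would come from get_private_album_set(), which this code does not call.

```php
<?php
// Added example (not Coppermine code): gate the picture a streaming script will
// serve on the viewer's album permissions, using only the pid from the request.

// Constructed picture table: pid => [album id, path relative to the album base].
$pictures = [
    101 => ['aid' => 4, 'file' => 'gal04/0199.JPG'],
    102 => ['aid' => 4, 'file' => 'gal04/0200.JPG'],
    201 => ['aid' => 9, 'file' => 'private/0001.JPG'],   // lives in a private album
];

// Return the relative path to stream for $pid, or null to refuse. The client
// supplies only the pid; the filesystem path comes from our own table, and the
// album id is checked against the set the current viewer is allowed to see.
function authorised_picture_path(int $pid, array $pictures, array $viewable_aids): ?string
{
    if (!isset($pictures[$pid])) {
        return null;                                  // unknown pid
    }
    $pic = $pictures[$pid];
    if (!in_array($pic['aid'], $viewable_aids, true)) {
        return null;                                  // album not visible to this viewer
    }
    return $pic['file'];
}

// Constructed permission sets: a guest may see album 4 only; a member of the
// private album may also see album 9.
$guest_albums  = [4];
$member_albums = [4, 9];

foreach ([101, 201, 999] as $pid) {
    printf("pid %d as guest:  %s\n", $pid,
           authorised_picture_path($pid, $pictures, $guest_albums) ?? 'refused');
    printf("pid %d as member: %s\n", $pid,
           authorised_picture_path($pid, $pictures, $member_albums) ?? 'refused');
}

// In get_file.php the refusal branch would send the error image (or a 403) and
// exit instead of calling readfile() on the picture.
```

Because the path is taken from the table rather than from the request, this single check covers both problems raised in the thread at once: a visitor cannot reach a private album by changing the pid, and cannot reach a file outside the albums by changing the name.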