Solution for preventing direct access to album images

[saivert]

PREFACE: cpg can be set up to allow only registered users access to the site, but does not protect the actual image files itself.
This is a mod to cpg that will require you to be logged in to get access to the image files in the albums folder.
This guide assumes that you are using Coppermine version 1.4.16


First we have to lock down the albums folder by making a new .htaccess with the following two lines:

Code Select Expand


Order Allow,Deny
Deny from All


Then you modify functions.inc.php and change the get_pic_url return statement into this (line 2015 in revision 4233):

Code Select Expand


return "getimage.php?file=".base64_encode($pic_row['url']);


Then create a new PHP script called getimage.php in the cpg root with this content:

Code Select Expand


<?php
/* getimage.php - Restrict access to images to logged in users only
for Coppermine image gallery
Written by Saivert */

define('IN_COPPERMINE', true);
define('GETIMAGE_PHP', true);

require('include/init.inc.php');

if (!USER_ID && $CONFIG['allow_unlogged_access'] == 0) {
header('Content-type: image/png');
readfile('images/no_access.png');
    exit();
}

if (isset($_GET['file'])) {
$path = base64_decode($_GET['file']);
if (preg_match('/\.(.+)$/',$path,$m)) {
switch ($m[1]) {
case 'jpg': $mt = 'image/jpeg'; break;
case 'png': $mt = 'image/png'; break;
case 'gif': $mt = 'image/gif'; break;
}
} else {
$mt = 'image/jpeg'; // we fallback to JPEG. should work most of the time.
}

header('Content-type: ' . $mt);
readfile($path);

} else die('missing filename');


?>


(Note please ensure the regular expression above is correct. It's supposed to grab the file extension. I quickly did a test and it seemed like it was working. But you never know..)

You will have to create a image that will be shown to users who has not logged in yet or grab this one: [Edit GauGau ] Replaced hotlinked image with attachment [/Edit]
Anyways it has to be named no_access.png and reside in the images subfolder of your cpg root.


That's it, nobody will be able to access images without logging in.

[Joachim Müller]

Thanks for your contribution. Let me post a warning with this mod: using this mod will burn a great amount of resources on your server, so only use it if you have the server-sided power to do so.

[Timos-Welt]

Beautiful - just do a

http://yourgallery.com/cpg/getimage.php?file=include/config.inc.php

and have fun with admin username and password. Saves a lot of time - no need to hack anything anymore.

[saivert]

Timos-Welt: You are right, altought you would need to base64 encode the path first..
include/config.inc.php --> aW5jbHVkZS9jb25maWcuaW5jLnBocA==
but that is not hard to do either

Here is an updated getimage.php script that fixes this exploit:

Code Select Expand


<?php
/* getimage.php - Restrict access to images to logged in users only
for Coppermine image gallery
Written by Saivert */

define('IN_COPPERMINE', true);
define('GETIMAGE_PHP', true);

require('include/init.inc.php');

if (!USER_ID && $CONFIG['allow_unlogged_access'] == 0) {
header('Content-type: image/png');
readfile('images/no_access.png');
    exit();
}

if (isset($_GET['file'])) {
$path = base64_decode($_GET['file']);
if ($isimg=preg_match('/\.(.+)$/',$path,$m)) {
switch ($m[1]) {
case 'jpg': $mt = 'image/jpeg'; break;
case 'png': $mt = 'image/png'; break;
case 'gif': $mt = 'image/gif'; break;
}
} else {
$mt = 'image/jpeg'; // we fallback to JPEG. should work most of the time.
}

if (preg_match('#$albums/#',$path) and $isimg) {
header('Content-type: ' . $mt);
readfile($path);
} else die('not an album');

} else die('missing filename');


?>


Sorry for that.

[Joachim Müller]

You need to explicitely sanitize user input...

[primera]

Then you modify functions.inc.php and change the get_pic_url return statement into this (line 2015 in revision 4233):

change this one :        return $pic_row['url'];


i don't know which return statement is ....could you tell me more detial? thx ~

[ch33p0x]

this s*** won't work!!!!


[Edited: I placed the asterisk above  - Fabricio]

[Fabricio Ferrero]

It works for others.. So, there is no reason to insult people.

If you use that word again, I'll ban you forever. OK?


Good Luck,

[ch33p0x]

but dude, i been trying and trying for many days now..
first i found out i had 4.1.22. so i downgraded to 4.1.16 (wich this is for)
i was with saivert when he made this, so i know it worked. now many months later ill start a site for my own. Now he won't answer me, or help me.
im so sick of trying and failing. i dont know what im doing wrong here. he should giving feedback since its his script!

[Fabricio Ferrero]

I'm not your dude, I don't even know you.

Then, no, the MOD are offered "as is" you have to deal with it if you want to use it. Some of the contributors offers support, but there is no obligation on do it.

Now he won't answer me, or help me.

I see this very hard, since he last visited the Forum on April 20, 2008, 06:12:41 PM.

Anyways, the only thing I remarked is your attitude. Do you think he is going to support you if you use those kind of words? I think not.

End of discussion please!