This is second post on the topic of Piwigo Security. I have discussed use of .htaccess file and how to prevent some of the common exploits earlier.

Recent discussion at the forum about image protection made me to take a look at how images are stored and what visitors can do to otherwise protected resources stored on PWG site.

Protect originals

This is probably most important step and would insure your original files are secure and cannot be accessed from outside.

Note1: You will have to disable access to HD versions of your photos. Make sure plugins and themes you are using do not try to override settings set below
Note2: I assume you do have FTP access to your site

  1. Open your “local/config/config.inc.php” file. If you do not have one yet (unlikely), you need to create one.
  2. Add the following two lines
    // one of '', 'images', 'all'
    $conf['original_url_protection'] = 'images';

    I like to keep original comment reference to the settings, but you can remove comment if desired

  3. Save the file
  4. Go to “galleries/” FTP folder and create .htaccess file with one line in it
    deny from all
  5. Save the file
  6. Please note that if you are using videoJS plugin, it requires direct access to video files as i.php proxy is not used. In order to allow access to a specific folder with video files you would need to create another .htaccess file for that folder with the following rules (adjust list of allowed extensions to enable one used on your site):
    Order Allow,Deny
    Deny from all
    
    <FilesMatch "\.(?:mp4|m4v)$">
    Order deny,allow
    Allow from all
    </FilesMatch>
  7. A bit awkward, but… go to “Users->Manage“, select all active users and under Action select “High definition enabled” and “No“, then “Apply action“. This would hide “Original” photo size where applicable.
  8. Login as admin in PWG and go to “Tools->Maintenance” and click on “Purge compiled templates
  9. Test your gallery to make sure everything is still working

Protect derivatives

As a next step we would also want to hide from curious folks content of derivatives folder.
What is derivatives in PWG? Derivatives are any photo resizes, photo thumbs, and video thumbs or any other forms of derived image data used in the gallery. Effectively it is precompiled cached data which is used to present your art work to your site’s public or registered visitors.

Please note that by doing so we do not protect, restrict access to derivative itself when it is permission protected. Current implementation of i.php does not take in consideration user permissions and only works as simple caching mechanism. If visitor can “guess” file’s location and name, image would be accessible (PWG 2.7 and below)

Since all data is store in one place we would want to make it so that it would be harder for anyone to “guess” pictures they cannot otherwise see.

  1. Open your “local/config/config.inc.php” file.
  2. Add the following two lines
    // Specify url format // 0-'auto', 1-'derivative' 2-'script'
    $conf['derivative_url_style'] = 2;
  3. Save the file
  4. Go to “_data/I/” FTP folder and create .htaccess file with one line in it
    deny from all
  5. Save the file
  6. Login as admin in PWG and go to “Tools->Maintenance” and click on “Purge compiled templates
  7. Test your gallery to make sure everything is still working
Categories: Piwigo

9 Comments

sigdor · Oct 17, 2014 at 03:26

Protect derivatives will not work 🙁

i,php deliver the thumbs and has no user permission checks.

it’s no bug and no plan for user checks
http://piwigo.org/forum/viewtopic.php?id=23568&p=1

    Serguei Dosyukov · Oct 17, 2014 at 10:58

    As discussed on the forum in link you mentioned, purpose is not to mimic G3 approach of full lock down, but hide direct link to original derived image.
    Yes, at it was said, this way does not protect it from situation when permissions are applied to the images. If visitor knows direct link to derivative, it would be accessible. There are pros and cons of this approach but it is decision by dev team to implement it this way

Ed Twohey · Nov 10, 2014 at 10:44

I have been a gallery v1/v2 user for many years. We have been concerned about security for some time, but now we are more concerned about the hibernation. Piwigo sounds like a great alternative. I am not a code guy, just an architect with a huge photo library that needs to be accessed by consultants, contractors,publishers, and clients. My previous gallery helpers have moved on. I need assistance to determine if this is right for us, then assistance making the move and setting it up. Anyone interested in this gig? Please let me know.

    Serguei Dosyukov · Nov 10, 2014 at 22:11

    if link above is to your gallery then something like PWG may suffice. Without going too technical it should be fairly simple to setup the gallery, use “m2p” plugin to import existing content and you should be good to go.
    I do not see if there is more functionality once user logged in, but on the surface should be doable in couple of days assuming there is no issues with hosting.

      Ed Twohey · Nov 11, 2014 at 07:12

      My desire is to allow only logged-in users to view, and give most users only limited access to a small group of albums. Some users can have full access. with Gallery it is everything or nothing. If possible with PWG, we will move on this very soon. If not, I will wait and see for a while. Do you know if the user setup will allow selective permissions like this?

        Serguei Dosyukov · Nov 11, 2014 at 09:27

        With G3 you could have set user level permissions. I am not sure about G1/G2, it has been long time I seen those.
        In PWG you can set group or user level permissions to access albums.
        Easiest way for me was to create user groups/roles and set permissions on that level for albums I want to protect.
        Please note, as mentioned above, that you can only protect page not a creative. If someone knows direct link to the image, it can be shared/exposed. You can however protect originals.

          Ed Twohey · Nov 11, 2014 at 10:03

          For my purpose, It would be ideal to create a group that has permission only to this example http://gallery.bbaworld.com/gallery2/main.php?g2_itemId=512306, but not allow anything upstream, only down stream. The direct link is a weakness, but is unlikely a problem, as it would make casual browsing too cumbersome. I dont feel I should invest effort in G3 at this time. So perhaps PWG is the way to go.

          Serguei Dosyukov · Nov 11, 2014 at 22:04

          yes, it is possible
          simply lock down root of the gallery, all child albums will inherit this if created after
          then when you ready to open up the level, assign guest group. now from that level down anything created will be public
          if you sync structure first, it would get public access. then you would need to traverse the tree down and set settings for each level

yonjah · Jul 25, 2015 at 08:13

I made a small script that you can use with nginx to completely block any unwanted access to piwigo static files

You can get it on github https://github.com/yonjah/piwigo-privacy

some more info on my blog https://ca.non.co.il/index.php/securing-private-piwigo-albums

Leave a Reply