May 16th, 2005, 01:40 PM   #1   msimonds (Member, Verified Customer; Join Date: Oct 2004; Location: Texas; Posts: 83)
RC 4 Bug - needs to be looked into!

Brian,

I had another developer look at your code to possibly make some custom changes to it to suit my needs, and he found a problem. There may be a solution to it already that I am not aware of, but here it goes.

I tried to post this in the bugs forum but could not!

This gallery system works with the usergroup permissions, and one of the things that I want to do is use the subscription system in vBulletin to charge my members a monthly fee to look at the large pictures. That part works fine, but the problem lies in the path to the full picture being viewable. If a member wanted to PM or paste the URL to the full picture on another site or whatever, then it bypasses the checks and the full image can be viewed. Here is exactly what he told me!

Quote:

If a user right-clicks one of the images they are given the direct link to the file. In other words, someone who has access to a privileged gallery can simply PM/IM/email others the link to the subscriber's content. An .htaccess blocking access would break the gallery for legit users as well.

A much better solution is to do a passthru like done in vB's own attachment system, where the PHP file first checks for adequate permission before serving the file.

To exacerbate the issue, the filenames as stored on the server are too predictable. Imagine a gallery where regular members get to see all content, but only as thumbnails. All they'd have to do is strip the '_thumb' part from the filename to access the high-res versions. Worse, if the original files are stored and the full-size images are resized as well, then these can be accessed by replacing _thumb with _original.

It's that simple to circumvent the gallery's permission checks, which are therefore effectively non-existent.

Had the files stored on the server been given randomized filenames, this would have been less of an issue. Links to full versions would have been 'impossible' to guess. This would not, however, have been a solution, because as pointed out earlier, links can be shared easily by a premium member.

I have the full image blocked to unregistered members, but they can view thumbs.

By right-clicking on this image

Code:
Content visible to verified customers only.
you get this path
http://www.sportsrant.com/gallery/fi...038B_thumb.jpg

and if you remove the _thumb, you can view the whole image!

Is there a possible fix for this, or something that can be added?

TIA,

Mike
Sportsrant.com
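The quoted developer's two recommendations, a permission-checking passthru in the style of vB's attachment.php and unguessable stored filenames, combined into one script. This is an added illustration, not PhotoPost or vBulletin code; the table and column names, the usergroup ids, STORAGE_DIR, the viewimage.php URL layout and the $user array are all assumptions.

```php
<?php
// Added example, not PhotoPost or vBulletin code. Everything named here
// (gallery_images table, usergroup ids, STORAGE_DIR, $user) is assumed.

const STORAGE_DIR = '/var/gallery-storage';   // assumed: outside the web root, so files have no direct URL
const GUEST_GROUP = 1;                        // assumed vBulletin usergroup ids
const ADMIN_GROUP = 6;
const SUBSCRIBER_GROUP = 9;

// Which stored-name column backs each requested size (column names assumed).
const SIZE_COLUMN = ['thumb' => 'thumbname', 'full' => 'filename', 'original' => 'originalname'];

// Upload side: replace the predictable "<id>_thumb.jpg" scheme with an unguessable name.
// The returned name is written into the image's database record; the browser never sees it.
function random_stored_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;   // 128 bits of randomness, hex encoded
}

// Policy described in the thread: members may see thumbnails, only subscribers
// (or admins) the full-size or original file, guests nothing.
function can_view(array $user, string $size): bool
{
    $group = (int) $user['usergroupid'];
    if (!isset(SIZE_COLUMN[$size]) || $group === GUEST_GROUP) {
        return false;
    }
    if ($size === 'thumb') {
        return true;
    }
    return in_array($group, [SUBSCRIBER_GROUP, ADMIN_GROUP], true);
}

// Serving side: check the permission first, then look the file up by id and stream it.
// The file name comes from the database, never from the request, so a client cannot
// turn "_thumb" into "_original" or point the script at another path.
function serve_image(PDO $db, array $user, int $id, string $size): void
{
    if (!can_view($user, $size)) {
        http_response_code(403);
        exit('You do not have permission to view this image.');
    }

    $stmt = $db->prepare('SELECT thumbname, filename, originalname, mime FROM gallery_images WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        http_response_code(404);
        exit('No such image.');
    }

    $name = $row[SIZE_COLUMN[$size]];
    // Defence in depth: a stored name is exactly what random_stored_name() produces.
    if (!preg_match('/^[0-9a-f]{32}\.(jpe?g|png|gif)$/', $name)) {
        http_response_code(500);
        exit('Corrupt image record.');
    }
    $path = STORAGE_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit('File missing.');
    }

    header('Content-Type: ' . $row['mime']);
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');   // keep shared caches and proxies from re-serving it
    readfile($path);
}

// Entry point for a request such as viewimage.php?id=123&size=full (assumed URL layout).
// $db and $user would come from the forum's bootstrap; placeholders are used here.
if (PHP_SAPI !== 'cli') {
    $db = new PDO('mysql:host=localhost;dbname=forum', 'dbuser', 'dbpass'); // placeholder credentials
    $user = ['usergroupid' => GUEST_GROUP];                                  // placeholder: from the vB session
    serve_image($db, $user, (int) ($_GET['id'] ?? 0), (string) ($_GET['size'] ?? 'thumb'));
}
```

Because the files live outside the web root and their names are random, a copied link is only ever a link to viewimage.php, and that script applies the usergroup check on every request, so a subscriber pasting a URL elsewhere does not grant the recipient anything their own account lacks.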
May 16th, 2005, 03:28 PM   #2   Brian
Re: RC 4 Bug - needs to be looked into!

This is something I've thought about, but the solution may not be that easy. To change things so that they work more like vB's attachment system wouldn't really be a feasible option because it will require a few new queries for each image displayed, which would add up pretty quickly on the browseimages page where you might have several dozen thumbnails displayed. We may be able to do something to where the thumbnails and normal size images could be stored in separate directories so that the normal images could be placed below the root. This is on the to-do list though to be improved.
May 16th, 2005, 03:31 PM   #3   msimonds
Re: RC 4 Bug - needs to be looked into!

hey Brian
thanks man!!!

Sorry, I did not mean to be a pest about this. I STILL TOTALLY LOVE THE GALLERY SYSTEM AND WILL CONTINUE TO USE IT
May 16th, 2005, 03:36 PM   #4   Brian
Re: RC 4 Bug - needs to be looked into!

You're not being a pest at all. I fully agree that more could be (and will be) done with the protection, it's just a matter of figuring out what is the best way(s) to do it that will work across all sites.
May 16th, 2005, 06:12 PM   #5   ManagerJosh (Registered User, Verified Customer; Join Date: Oct 2003; Posts: 26)
Re: RC 4 Bug - needs to be looked into!

What about a random six-digit alphanumeric prefix?
May 16th, 2005, 10:51 PM   #6   imported_Natch (Member, Verified Customer; Join Date: Jun 2004; Posts: 61)
Re: RC 4 Bug - needs to be looked into!

How would you reference this prefix without adding a query to each image displayed?
May 17th, 2005, 11:08 AM   #7   msimonds
Re: RC 4 Bug - needs to be looked into!

Hola, here's the other developer Mike mentioned in the first post.

I'm just posting a few solutions I came up with.

Quote:
Originally Posted by Brian
This is something I've thought about, but the solution may not be that easy. To change things so that they work more like vB's attachment system wouldn't really be a feasible option because it will require a few new queries for each image displayed, which would add up pretty quickly on the browseimages page where you might have several dozen thumbnails displayed. We may be able to do something to where the thumbnails and normal size images could be stored in separate directories so that the normal images could be placed below the root. This is on the to-do list though to be improved.
On uploading the files this could happen:

- Original file -> randomise filename, store in filesystem
- Thumbnail -> randomise filename, store in filesystem
- Resized -> randomise filename, store in filesystem

then in adv_gallery_images store these as well in this image's record.

- Original file -> originalname
- Resized -> filename
- Thumbnail -> thumbname

On the matter of queries, browseimages.php selects the thumbnails it shows, right? Assuming you have an array like $imageID = array(1,15,89,23,54,123); built as a result of the initial query to determine what thumbs are shown

then couldn't you do a
Code:
Content visible to verified customers only.
Voila, 1 extra query to get the details of all images, and you can protect them with a passthru script like vB's attachment.php.
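The "one extra query" idea from the post above, written out for browseimages.php as an added example (not PhotoPost code and not the hidden code block): the records for every thumbnail on the page are fetched with a single IN(...) query, and the page links to a permission-checking passthru by image id rather than by file path. The gallery_images table and columns, the $imageID array contents and the viewimage.php/showimage.php URLs are assumptions.

```php
<?php
// Added example, not PhotoPost code. Table, columns and URLs are assumed.

// Assumed result of the page's initial query: the ids of the thumbnails on this page.
$imageID = [1, 15, 89, 23, 54, 123];

/** Fetch the records for a list of ids in one query; returns id => row in the order asked. */
function fetch_image_rows(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $ids = array_map('intval', $ids);   // ids are integers; they are bound, never interpolated
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, title, thumbname, filename FROM gallery_images WHERE id IN ($placeholders)");
    $stmt->execute($ids);

    $byId = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $byId[(int) $row['id']] = $row;
    }
    // Keep the gallery's own ordering rather than whatever order the database returned.
    $ordered = [];
    foreach ($ids as $id) {
        if (isset($byId[$id])) {
            $ordered[$id] = $byId[$id];
        }
    }
    return $ordered;
}

/** Render the thumbnails. Stored file names are never written into the page; only the id is. */
function render_thumbs(array $rows): string
{
    $html = '';
    foreach ($rows as $id => $row) {
        $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
        $html .= sprintf(
            '<a href="showimage.php?id=%d"><img src="viewimage.php?id=%d&amp;size=thumb" alt="%s"></a>' . "\n",
            $id,
            $id,
            $title
        );
    }
    return $html;
}

if (PHP_SAPI !== 'cli') {
    $db = new PDO('mysql:host=localhost;dbname=forum', 'dbuser', 'dbpass'); // placeholder credentials
    echo render_thumbs(fetch_image_rows($db, $imageID));
}
```

This keeps the browse page at one extra query regardless of how many thumbnails it shows, and removes the stored file names from the HTML entirely. It does not change what the reply below points out: viewimage.php, being a separate request per image, still has to do its own lookup and permission check each time it is hit.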
May 17th, 2005, 11:40 AM   #8   Brian
Re: RC 4 Bug - needs to be looked into!

Quote:
Originally Posted by msimonds
On uploading the files this could happen:

- Original file -> randomise filename, store in filesystem
- Thumbnail -> randomise filename, store in filesystem
- Resized -> randomise filename, store in filesystem

then in adv_gallery_images store these as well in this image's record.

- Original file -> originalname
- Resized -> filename
- Thumbnail -> thumbname
Then users would complain because their files on the server would not be in any kind of order at all, plus that would result in more space used in the database since that's 3 more fields of info that have to be stored.


Quote:
On the matter of queries, browseimages.php selects the thumbnails it shows, right? Assuming you have an array like $imageID = array(1,15,89,23,54,123); built as a result of the initial query to determine what thumbs are shown

then couldn't you do a
Code:
Content visible to verified customers only.
Voila, 1 extra query to get the details of all images, and you can protect them with a passthru script like vB's attachment.php.
Nope, not that easy. When you're using a file to display an image then the queries have to be done in that file.
May 17th, 2005, 12:22 PM   #9   msimonds
Re: RC 4 Bug - needs to be looked into!

(dev again) I came to the same conclusion on the queries part when I took my dinner, shortly after I posted the bit above.

On the first issue. It wouldn't be 3 extra fields, it would be the 3 fields already present in RC4 of the vba_gallery_images table.

Files not being in any kind of order... how is that an issue? If the webmaster is the only uploader, they'll have offline copies; if users upload as well, the webmaster won't know what files there are anyway without first browsing the galleries. Not trying to be disrespectful, but that's my POV.

The second issue, queries, I have a solution for as well, it came to me while I ate. It'll take me a while to write it up, and I'll post it here when I do.