Save headaches, resolve image names FIRST.

clintp

Joined: 2009-03-05
Posts: 4

Posted: Wed, 2009-03-11 20:26

When generating img tags, gallery2 requests images like this:
<img src="main.php?g2_view=core.DownloadItem&g2_itemId=5288&g2_serialNumber=2"
and have the image passed along indirectly. This causes major problems with some hosting services, eg GoDaddy (I know, you get what you pay for, but it's otherwise so freaking economical).
Why not make it possible to resolve image filenames first, so img tags would be made to point directly to the image:
<img src="g2data/album/coolimg_1.jpg">

I know this has to do with people wanting their images secured in some way, but this should be optional since it excludes even using the product at all in some cases.

What do you guys think?

nivekiam

Joined: 2002-12-10
Posts: 16503

Posted: Wed, 2009-03-11 20:51

It's not going to happen with G2 at all. That's a feature in G2 called "Image Firewall" so you can make it so people can't link directly to an image. It's also a security issue on your site if you have g2data available to the public as it appears you probably do on your site.

You were advised during your install to place your g2data directory in a non web-accessible directory:
http://codex.gallery2.org/Gallery2:Security#Short_Check_List

Read this entire list for more info:
http://codex.gallery2.org/Gallery2:Security

http://codex.gallery2.org/Gallery2:About

Quote:

# Image Firewall (Downloads are Protected Through Application-Level Permissions)

It is not and won't be optional in G2.

I can't speak for G3, it appears this isn't the case with G3 at least right now, but I bet that's going to change. It may be optional it may not be optional once G3 is feature complete, but it's still only in alpha stage and is not complete yet. They still need to add in more permissions related features. If you have an image that's web-accessible then it doesn't matter what permissions you set on it for people going through your application, people (everyone) can still access it.

If you want this feature right now then use G1 or Jallery http://jallery.com/

____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

nivekiam

Joined: 2002-12-10
Posts: 16503

Posted: Wed, 2009-03-11 21:09

DO NOT quote me on this.

But now that I've been thinking about it and without double checking, I do seem to recall that in G3 images can be web-accessible but will, by default, be protected by use of .htaccess. Though I don't know how the final product will end up behaving.

Again, I've only installed G3, 3 different times; once long ago, well before the first Alpha release, then Alpha 1 and again for Alpha 2. Right now there is no such protection, but it is coming.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

clintp Joined: 2009-03-05 Posts: 4	Posted: Wed, 2009-03-11 20:26
	When generating img tags, gallery2 requests images like this: `<img src="main.php?g2_view=core.DownloadItem&g2_itemId=5288&g2_serialNumber=2"` and have the image passed along indirectly. This causes major problems with some hosting services, eg GoDaddy (I know, you get what you pay for, but it's otherwise so freaking economical). Why not make it possible to resolve image filenames first, so img tags would be made to point directly to the image: `<img src="g2data/album/coolimg_1.jpg">` I know this has to do with people wanting their images secured in some way, but this should be optional since it excludes even using the product at all in some cases. What do you guys think?
	XUser login Username: * Password: * Create new account Request new password
nivekiam Joined: 2002-12-10 Posts: 16503	Posted: Wed, 2009-03-11 20:51
	It's not going to happen with G2 at all. That's a feature in G2 called "Image Firewall" so you can make it so people can't link directly to an image. It's also a security issue on your site if you have g2data available to the public as it appears you probably do on your site. You were advised during your install to place your g2data directory in a non web-accessible directory: http://codex.gallery2.org/Gallery2:Security#Short_Check_List Read this entire list for more info: http://codex.gallery2.org/Gallery2:Security http://codex.gallery2.org/Gallery2:About Quote: # Image Firewall (Downloads are Protected Through Application-Level Permissions) It is not and won't be optional in G2. I can't speak for G3, it appears this isn't the case with G3 at least right now, but I bet that's going to change. It may be optional it may not be optional once G3 is feature complete, but it's still only in alpha stage and is not complete yet. They still need to add in more permissions related features. If you have an image that's web-accessible then it doesn't matter what permissions you set on it for people going through your application, people (everyone) can still access it. If you want this feature right now then use G1 or Jallery http://jallery.com/ ____________________________________________ Like Gallery? Like the support? Donate now!!! See G2 live here

nivekiam Joined: 2002-12-10 Posts: 16503	Posted: Wed, 2009-03-11 21:09
	DO NOT quote me on this. But now that I've been thinking about it and without double checking, I do seem to recall that in G3 images can be web-accessible but will, by default, be protected by use of .htaccess. Though I don't know how the final product will end up behaving. Again, I've only installed G3, 3 different times; once long ago, well before the first Alpha release, then Alpha 1 and again for Alpha 2. Right now there is no such protection, but it is coming. ____________________________________________ Like Gallery? Like the support? Donate now!!! See G2 live here

Save headaches, resolve image names FIRST.

XUser login