blocking image access

sssphp

I have a php script that displays images on a page via tags like this in my HTML:

Is there some code I can add to picviewer.php so that it only displays the pic when called from an HTML page, and NOT when a user directly types the image URL in the address bar, i.e.:

http://mysite.com/picviewer.php?image=pic1.gif

frost110

I would need to look at your code but I am sure something like this might work:

<?

if (!stristr($_SERVER['HTTP_REFERER'], ".html") {
     die("You are not allowed to view this page");
}

?>

--FrosT

Wynder

Something like this can be very dangerous if you don't handle it properly... for example, if someone did http://mysite.com/picviewer.php?image=../../etc/passwd they could very well be looking at the password file in linux.

Be sure to lookup the basename() function: http://us2.php.net/manual/en/function.basename.php

As for being clicked on vs. a typed URL, you may have some success with checking $_SERVER['HTTP_REFERER'] (however, if they're already on that view page, if they type it into the URL there, it'll go through), but you may be better off doing a very simple encoding to the file name... something like:

$file = urlencode(base64_encode("filename.jpg")); so image=$file which makes it: ZmlsZW5hbWUuanBn

Then, if there's $_GET data, just reverse it: urldecode(base64_decode($file)); which would revert it to filename.jpg.

frost110

Great information Wynder =) I love to learn new techniques.

--FrosT

Wynder

frost110 wrote:
Great information Wynder =) I love to learn new techniques.

--FrosT

Thanks!

I have a few apps here that I do input scrubbing/validation and really basic, reversible encoding on just to prevent the 'determined beginners' from experimenting with URL hacking. 🙂

frost110

Would love to take a look at them if possible, send pm or email if you could frost110 [-at-] gmail [-dot-] com If not thats cool understand =)

--FrosT

Wynder

frost110 wrote:
Would love to take a look at them if possible, send pm or email if you could frost110 [-at-] gmail [-dot-] com If not thats cool understand =)

--FrosT

They're actually intranet web applications that I wrote at the college where I work. 🙁 But by using a combination of those two functions, like: base64 urlencode urlencode base64 urlencode (always ending with urlencode), you can create a very difficult encoding to reverse, unless you know the order in which did the encoding.

Also, at some point in the middle of the encoding, you can also add a hash (or a secret key) that further obscures it. Kinda neat.

frost110

Yea, awesome I will have to look into that. Right now for my current site it is not really necessary but I know I will be making a few sites in the near future where this would be very handy. Thanks again!

--FrosT

sssphp

Thanks for the information -- I'm a little overwhelmed as I'm not a programmer, just a website owner. Below is the basic code; I'd like to know 1) if there are security holes in it, and 2) best way to block display of a pic URL typed directly in the address bar:

$imagedir = // set by me - my image directory
$validprefixes = array(... // set by me - image path prefixes to prevent hotlinking

// referrer check:

// main program:

$image = $_GET['image'] ;
$referrer = getenv( "HTTP_REFERER" );

if (isset($_GET['image'])) {

if (empty($referrer) ||
  isreferrerokay( $referrer, $validprefixes )) {

  $imagepath = $imagedir . $image ;

  $imageinfo = getimagesize( $imagepath );
  if ($imageinfo[2] == 1) {
    $imagetype = "gif" ;
  }
  elseif ($imageinfo[2] == 2) {
    $imagetype = "jpeg" ;
  }
  elseif ($imageinfo[2] == 3) {
    $imagetype = "png" ;
  }
  else {
    header( "HTTP/1.0 404 Not Found" );
    exit ;
  }

  header( "Content-type: image/$imagetype" );
  @readfile( $imagepath );
  }

}