Flash app must read from "Images" folder, user mustn't

nevvermind · 2010-09-15T17:57:47+00:00

Say you have a Flash app, a slide-show. Say you want that certain app to be able to read from a folder with images, to "load" its... show. Then, say you mus...

Flash app must read from "Images" folder, user mustn't

nevvermind

Say you have a Flash app, a slide-show.
Say you want that certain app to be able to read from a folder with images, to "load" its... show.
Then, say you must prevent users from directly accessing that folder with images (so they don't save them, see them before slide-show etc.).

Some say you must use PHP's GD to access those files from the database, if they were to be protected via .htaccess. The downside to this is that users must be registered and logged in bla bla. I hate this method, to say the least.

Well, you can't use .htaccess, because Flash is client-side. Or so I've heard. 😛

What would you do? What would you be using?
Store images to db? In a protected folder? Then how would the flash app access them?

dagon

is obfuscation possible, does the flash app reveal the path\file name? They will always be able to print screen if they really want them so you will never protect them completely.

nevvermind

I guess it's more a matter of programming methods.
I don't care if they could printscreen pictures. I just needed to know if there's a way to <read thread title>.

It's not my app. Just picked it up from another forum, and I found it interesting.
What do you mean revealing path/file name? As in showing those in the slideshow? Let's consider that's not the case.

dagon

well if they don't know the file name path, what's the chance of them guessing it?

nevvermind

Knowing the path and showing the path are two different things.
Of course they know the path.

It's like this: he doesn't want users to access images like "http://server.com/dir/img.jpg", but his flash app should be able.

cretaceous

"of course they know the path" - not neccessarily, if you obfuscate..
if you have control of the picture upload process, pics can be renamed on upload with a random string (or could be post processed)
that image name is then accessed by Flash either through directory reading or via the db - but never divulged to the viewer

nevvermind

By "they" I was referring to the guys making this web app, not the users.

@ - that's a great idea!
But it's not full-proof, is it? What if they find out the folder? (I know I'm pushing it, but I wonder).

I think now I know what you all meant by obfuscation (yeah, well, sorry. I didn't tell you I hadn't a clue about what that is). I think the best bet here is to make a wtf folder name with wtf image names.

cretaceous

public cant see the list of files if you have a file named index.html or index.php file in there
or add this to your htaccess file :
Options -Indexes

but you're right it's not ultra secure if they know the name of the file and folder

sneakyimp

If you have a slideshow in flash that loads images directly from the server, all one needs is firebug to see exactly where those images are located.

What you can do is to make all of your image requests through a php script which controls access based on some critieria -- that criteria can be whatever you want but you are going to have to be more specific about what your demands are.

Example script:

<?php

// This script is a gatekeeper for images

// this should be the path to your images
// they should not be in your web root
// and this value should have a trailing slash
define('IMAGE_DIR', '/path/to/my/images/');

// === PUT YOUR GATE KEEPING CODE HERE ===

if (!isset($_GET['img'])) {
  // alternatively, you could spit out a generic 'not found' image.
  die('Image not specified');
}

// this makes sure that the requested filename ends in jpg, gif, png, or jpeg
if (!preg_match('/\.jpg|\.gif|\.png|\.jpeg$/i', $_GET['img'])) {
  die('invalid image request');
}

// this one prevents anyone from trying to go "up a directory"
// it also means you can't have any image paths with two periods in a row
if (preg_match('/\.\./i', $_GET['img'])) {
  die('you sneak.  no looking outside the image dir');
}

// this one prevents anyone from using an absolute path
// only works on *nix
if (preg_match('/^\//', $_GET['img'])) {
  die('you bastard.  how dare you use an absolute path');
}


$complete_path = IMAGE_DIR . $_GET['img'];

// make sure it exists
if (!file_exists($complete_path)) {
  die('image does not exist');
}

// you should probably sniff out what kind of image it is and send a header first

header('Content-Length: ' . filesize($complete_path));
readfile($complete_path);
?>

The point of this script is that you could check anything you want. You could check $_SERVER['HTTP_REFERER] but this is reported by the client so you are still vulnerable to cheats, but the cheaters would have to figure out what you are checking.

You could set a value in $_SESSION on a previous page and then make sure that session var still exists in this script before coughing up the image -- that would require them to visit at least one other page.

You could require a login.

You could do pretty much anything you want in PHP. You just need to be more clear about what it is you want.

nevvermind

You know us noobs: we don't know what to be clear about in the first place. Now I know how some people manage these tasks, so now I'm able to ask more specific questions regarding this subject.

Thank you all for your time.