Elter Family Forum
Coppermine Development Staff - Printable Version

+- Elter Family Forum (https://elterfamily.ca/Elter/Forum)
+-- Forum: Battle Room (https://elterfamily.ca/Elter/Forum/forumdisplay.php?fid=6)
+--- Forum: Who gives a Sh$$ (https://elterfamily.ca/Elter/Forum/forumdisplay.php?fid=24)
+--- Thread: Coppermine Development Staff (/showthread.php?tid=11)



Coppermine Development Staff - belter - 12-17-2020

Worst customer service skills on the planet.  Yes they might have some policies that prevent such behavior but the freelancer staff exhibits the behavior they frown on.  Asshole admins block.  It’s a rite! Forum history even shows it.  I’ve never seen a site with 0 users online with over 300 guests lurking.  This sheer number shows people have questions but they are afraid to ask. I don’t blame them.  Huh

I’m now forced to support something with my own change log.  So I can apply my changes with updates. Angry Until I find a decent rip off so nothing will change much here.  They have this problem because of there attitude towards setup questions.  I took one for the team, the lurkers and told them off right from the first post pointing out the flaws.  Wasn't taken well.  Plugin that didn't work was sent to me, fixed it was horrible output and then fixed it again.  Made enough of a change i think its mine under the GNU. 

I have posted my stuff in category 11 on the site.  Its for people that lurk and need fixes but are intellectual enough to figure things out on there own. 
https://elterfamily.ca/Elter/Albums/index.php?cat=11

Installation is simple:

** FFMPEG plugin requires in PATH the executable.  you can find builds for your platform online.  It allows the admin when editing the thumb to take a snapshot at a defined time.  No error checking in the code yet.  Default is 3 seconds.

** core change to uliupload requires ClamAV to be installed at C:\Program Files\ClamAV and clamd should be loaded as a service.  Clamdscan is called to scan a file  If clamd has not loaded its virus definition uliupload will detect it and an error is displayed for the file as being offline.  If the service is stopped, same deal.  It doesn't detect the service; yet.  Its based on the lack of a string output OR one that has OK in it.  That simple.  First if detects empty, means no service or definition.  sees OK upload is great, anything else don't allow it and consider it a virus.  There also is a good chance if a virus  was found the script would halt after its quarantine as im not checking that yet here.  i unlink the temp if it hits the logic.  My only concern is if a virus was in a file its not posted and an error or die is acceptable for me.  the unlink can fail for all i care; which gives me a troubleshooting action for the website; scan your system and try again please when i get a call saying i cant post.  If you dont have the GB of ram to load clamAV and retain it; clamscan can scan but it has to load.   you will get a continual "loading virus file"  until it spits out OK.  Clamscan also outputs more info than clamdscan.  clamd is meant for this purpose and i personally recommend its use over the other as it can take 2 minutes for a single small jpg and its per file.  So imagine a large drop of files.
FFMPEG should be loaded as a PATH variable. 

I am finding the strangest errors in whats allowed and find it funny that i have to type a windows path backwards in any of its config.  Cant report the issues because of my hot headed attitude towards asshole programmers.


RE: Coppermine Development Staff - belter - 12-19-2020

How to block guests and determined users from hotlinking?

One of the things with hosting a website is you also have to decide is your data worth protecting or not.  Without hot linking block scripts running your data is accessible by all.  Is this data maybe only intended for certain registered users? Maybe you have protected albums?  Thing with coppermine is it does not protect your files.  It can however if you incorporate URL rewriter. Scripts are circumvented by simply knowing the file structure or reading the client HTML script.  It’s really up to the user to  utilise the webservers features to facilitate a block.

So how do you do this?

For Apache I don’t have the foggiest idea(htaccess files) but in windows it’s as simple as using the URL rewriter and creating a rule over the userpics directory.   However if you cause to much of a delay you can actually cause the rule to fail completely due to the nature of supercage.  So when writing rules never include local host unless you intend to use it.  And even then it could sit on it which you will now have to adjust timeouts to get it to work which this article will not go into depth on.

Your rule should match and look for your domain or any domain you want to allow access.   The final rule is plain all ^$ which captures an empty string.  With this you can facilitate blocking of your userfiles directory and this should work on any website running IIS.

Basically a rule is looking for file types you share and has conditions that have to be met to display it.  

You will want a condition I. Http referer that does not match your domain or others you want access and then the final blow to $ matches.  Lots of examples on Microsoft’s support site.  The final result is a redirect to a page of your choosing.


How to test if your system is compromised and needs this feature?  How to test implementation?

  1. Create a test link at your root and point it at a ruled usefile and display with HTML.  It doesn’t work your rules need to be fixed.  There also is a tester in iis to test links as you design your rules.

  2. Find a script with photos (display image works great) and open its client script in the browser.  Copy a full URL to a user file.

  3. Paste in the browser new window to trigger an empty referer.  If it displays, your compromised.

  4. Your job is to make rules to block step 3, but allow step 1.  Once it’s done clear your cache and load the page.  Your protected.
    [attachment=5]
  5. Apply to any user folder to protect.  Works with any folder that needs protection.  Just change the extension to match but be sure windows knows what the extension is or it ignores it.

Update:  After sending this to a developer that emailed I discovered the order of solve is very important.  You put what your after at the top and your own domain should be the last one.  Matching all or any is also important depending on your order so adjust it as needed.  Testing with each change.


Sent from.... and