News:

Wondering if this will always be free?  See why free is better.

Main Menu

make avatar folder public

Started by marco_fera, March 02, 2015, 04:27:37 AM

Previous topic - Next topic

marco_fera

Hi all, I'd need to let users download everyone else's avatar, the reason is want an external client to be able to retrieve some informations from the forum data and display it inside a sort of custom browser (it should show people's names, avatars and other stats).
Do you think this is safe? or is there any security reason not to allow this? I guess that the easiest way is to edit or remove the htaccess file from the avatars folder right?

Chas Large

By default, if your forum is open to guests then anyone can download an avatar image, it's a modified version of the file they choose to use, so not the original - assuming you set the right conditions in the Forum > Avatar Settings.

If someone is being prevented from downloading them, then you may have a mod which is stopping it.

Generally, if they can see it, they can download it.

Or are you suggesting giving someone direct access to the avatar directory on your host platform? is which case, no, that's not a good idea.
My Modifications :)  My Forum

Please DO NOT PM me with support requests. Post the problem in the appropriate Support Board so everyone can benefit from the advice given.

marco_fera

Quote from: Chas Large on March 02, 2015, 06:00:31 AM
Or are you suggesting giving someone direct access to the avatar directory on your host platform? is which case, no, that's not a good idea.

Correct I'd like to let the people see forum avatars inside a game, so the game client should have a way to load the images.
What about copying all the images in the avatar directory to another website every few hours and let the people access this other dumb site?
Other ideas to obtain the same result?

Kindred

If you just want another script to pull the avatar image file, then it's pretty simple. The information for each user, including avatar filename, can be pulled using SSI and the user_info array
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

marco_fera

Quote from: Kindred on March 02, 2015, 06:36:36 AM
If you just want another script to pull the avatar image file, then it's pretty simple. The information for each user, including avatar filename, can be pulled using SSI and the user_info array

Ok but then I must let users download the various avatars. Why is this dangerous?

Kindred

because information can be encoded into graphics (or supposed graphics) files. If you give them access to download the DIRECT file (rather than the system parsed detail) it is potentially an issue.

Why do users need to download the file?  I thought your game script was pulling the details form your system for display in the game script itself....
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Burke ♞ Knight

Tell them to right click each avatar, and save image as...

marco_fera

Quote from: Kindred on March 02, 2015, 07:29:46 AM
because information can be encoded into graphics (or supposed graphics) files. If you give them access to download the DIRECT file (rather than the system parsed detail) it is potentially an issue.

Why do users need to download the file?  I thought your game script was pulling the details form your system for display in the game script itself....

Ok, but if I give them the ability to download the system parsed files? there's no more embedded info in the image file so no danger anymore.
Users should download the file so that they can see the forum avatar in the game.

marco_fera

In the end I modified the htaccess like this
------------------------------------------------------------------
<Files ~ "\.(jpq|jpeg|png|gif)$">
   order deny,allow
   allow from all
</Files>

RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml
------------------------------------------------------------------
It will be possible to access the image files which are put in the folder my smf, is this safe?

margarett

If one knows the file name of the avatar, then it's always possible to dowload it.
Eg, the standard avatars that SMF ships with (note that these are links to MY localhost):
http://localhost/smf2/avatars/Actors/Brad_Pitt.jpg --> this shows the image, always.

But if I try to *LIST* the files in the folder:
http://localhost/smf2/avatars
It returns me to SMF's main page. This happens because there is a index.php file inside each folder that deals with this redirection. So if you remove that file, it will list you the files.

Also, you should note that these are just the avatars that YOU make available in SMF. User uploaded avatars are treated by SMF as attachments and are put inside "attachments" folder with a hashed name. These you can't really download easily. It *is* possible but it requires some extra coding.
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

marco_fera

Quote from: margarett on March 04, 2015, 06:23:36 AM
User uploaded avatars are treated by SMF as attachments and are put inside "attachments" folder with a hashed name. These you can't really download easily. It *is* possible but it requires some extra coding.

Yep I made a query that via php retrieves attachment id plus hash, and then feeds the result to the game code that picks up the exact filename.
But in the end do you think the htaccess can be improved, made safer etc.? I mean is it so dangerous to let the people have an indirect access to the avatars folder? there's a double layer of protection, php and htaccess. What is the possible risk?

margarett

It depends...

Just for download the files, there is no real risk. But it *is* possible (although SMF has protection mechanisms for that) for a user to upload a malicious code disguised as an avatar (as Kindred said) and *that* is a real risk. There is no .htaccess that protect you from that...
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Arantor

I'd use a custom folder where the files end up with a different filename, which is avatar_xyz_abc.png instead - so it's a public folder, xyz is the user id, abc is a timestamp.

Avatars generally should be served from such a folder because they're sanitised to be images on upload, and there's no point shoving them through PHP + multiple DB queries when you don't have to.

An .htaccess file wouldn't protect you anyway from such situations even if served via SMF, not even from a public folder per se.

Advertisement: