[nycbug-talk] direct file access denied via htaccess

Marc Spitzer mspitzer
Wed Jun 15 22:01:27 EDT 2005


On 6/15/05, Francisco Reyes <lists at natserv.com> wrote:
> On Wed, 15 Jun 2005, Isaac Levy wrote:
> 
> > In a big-picture nutshell, I'm sad to report you cannot both provide access
> > and deny access to the image files- the usual suite of obfuscation tricks are
> > trivially bypassed by anyone who wants the images and has 20 minutes to spare
> > figuring it out.
> 
> Not sure if this is possible, but....
> How about having them in a directory outside the "root" for the domain and
> have PHP get them..
> 
> ie
> document root /usr/local/www/somedomain
> 
> images in
> /usr/local/www/somedomain-picse
> 
> PHP would have to send the HTTP requests for the images though..
> 

Besides the point. Remember, he wants people to see the images, so they
must be delivered to the far end to be viewed.  Once that happens he
has absolutely zero control over what happens to the image.  Now let's
say he figures out how to prevent them from being cached by the
browser; it makes no difference, because the full and complete image
goes over the wire, so all you need is an image-grabbing packet sniffer,
and that has been done.

marc
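
Added example (not code from the thread or its participants): a PHP front end for the layout suggested in the quoted message, with the images kept outside the document root and returned only to a logged-in session. The `name` query parameter and the `user_id` session key are assumptions.

```php
<?php
// image.php sits inside the document root; the image files do not.
// IMAGE_DIR is the path from the quoted message. The "name" query
// parameter and the "user_id" session key are assumptions.
const IMAGE_DIR = '/usr/local/www/somedomain-picse';
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

// Map a client-supplied name to a regular file under $baseDir, or null.
function resolve_image(string $baseDir, $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($name) || $name === '') {
        return null;
    }
    // basename() drops directory parts, so "../../etc/passwd" becomes "passwd".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    // realpath() resolves symlinks; reject anything that ends up outside $base.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {   // not logged in (assumed marker)
    http_response_code(403);
    exit;
}

$path = resolve_image(IMAGE_DIR, $_GET['name'] ?? '');
$type = $path === null ? null : (new finfo(FILEINFO_MIME_TYPE))->file($path);
if ($path === null || !in_array($type, ALLOWED_TYPES, true)) {
    http_response_code(404);         // missing, outside IMAGE_DIR, or not an image
    exit;
}

header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

This decides which requests get a file; as the reply above says, it does not control what happens to an image once it has been delivered.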



