![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Entry tags:
web developers who should at the very least be "educated"
So a funny thing about those running pictures. They come from a website which not only watermarks the slightly larger images, but they also attempt to prevent you from downloading them. Now, aside from the fact that doing this is blatantly silly in the face of such built-in Firefox features as "Page Info" or the optional DOM Inspector add-on, or even any one of no doubt hundreds of web developer aids, what really takes the biscuit is the extraordinary lengths they've gone to. See, the real URLs for the picture are actually pretty straightforward to discover: my picture, designated 0220_03674 (you can read this designator underneath the thumbnails), resides in /fileadmin/data/images/0220/0220_03674.JPG, which is accessible directly from their server.
What they've done, however, is use a PHP script to which this path is passed as a parameter, along with some other stuff, and that's given as the HREF tag for the image popup. Alongside that there are a few other parameters, including some javascript to close the page if you click on the image in any way (an attempt to prevent right-click theft, no doubt). And this is the best bit: to prevent you from modifying this URL, the final parameter to the PHP script is an MD5 sum based on the other parameters. Remember, all this is completely futile because they've not bothered locking down the image directory in the first place. But the really best bit is that the parameters reveal what content management system they're using through the magic of Google. Looking at this, there's a magic key added to the list of parameters to generate the MD5 sum; perhaps grabbing a bunch of URLs from the site and trying a brute force scan (doesn't someone have a database of MD5 strings? and maybe some of the much-vaunted MD5 weaknesses could be exploited, too.) would potentially reveal the key, but who cares? I'm just amazed at the amount of effort that's been put into this.
What they've done, however, is use a PHP script to which this path is passed as a parameter, along with some other stuff, and that's given as the HREF tag for the image popup. Alongside that there are a few other parameters, including some javascript to close the page if you click on the image in any way (an attempt to prevent right-click theft, no doubt). And this is the best bit: to prevent you from modifying this URL, the final parameter to the PHP script is an MD5 sum based on the other parameters. Remember, all this is completely futile because they've not bothered locking down the image directory in the first place. But the really best bit is that the parameters reveal what content management system they're using through the magic of Google. Looking at this, there's a magic key added to the list of parameters to generate the MD5 sum; perhaps grabbing a bunch of URLs from the site and trying a brute force scan (doesn't someone have a database of MD5 strings? and maybe some of the much-vaunted MD5 weaknesses could be exploited, too.) would potentially reveal the key, but who cares? I'm just amazed at the amount of effort that's been put into this.
no subject
Anyway, several gallery web-apps have anti-image-theft modules. Usually bundled with the caveat that it only goes so far but if you're really that bloody intent on it here you are.
For the end-using site administrator whose client demands this, it's an easy thing to roll in and deploy, and admin does not get tied up in knots trying to write an impossible thing. Client is happy and does not hold up the project with an unreasonable demand. The actual problem is solved, and it is not the problem you think it is.
no subject