Issue: FILE URL CAN BE GUESSED!
All original uploaded files and cached images can be easily guessed from the URL in a public album.
(obscured or not, as the obscured cache option only adds some hash to the URL and does not fully cloak the filename)
I would really like to use the gallery for my portfolio but the big thing is that the original files are not very secure.
williamz already posted on this, but in relation to the cache image filename, in http://www.zenphoto.org/support/topic.php?id=2841
but I don't think this is the right way to protect the original uploads.
So what to do?
What I'd like to achieve is NOT to cloak the image part in the URLs but to add an md5() or whatever unique part to the image itself that can't be guessed by humans, e.g.:
URL: localhost/Album-Name-1/IMG_0001.jpg
FILENAME: IMG_0001-zgafsuha7fz2938zt92ghwuhef79uZfgzuas34gfhUZFGASZUFG.jpg
TITLE(already auto-processed): IMG 0001
...
By that one would need to store the URL filename and an obscure REAL filesystem filename in the db for every image.
Same goes for the cached images, but the focus is on the original fullsize uploads here.
Zenphoto uses scripted protection to limit access to URLs - but this is not effective against scripted hacks that rip off all my full sized images in one night based on direct file access and guessing filenames.
Currently the only thing one must know to write a downloader (even for an unpublished and password-protected album) is the album name and guess standard filenames... e.g.: IMG_0001, PIC__...
I think this is a very effective and important feature on file security and should at least limit the use of easy hacks.
Can anybody with the core knowledge help here?
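
One way to implement the mapping the post asks for, as an added example that is not part of the original post or of Zenphoto's code: the URL keeps `IMG_0001.jpg` while the file on disk gets a random suffix, and the pair is stored in a database. The table `image_map`, the function names and the `$authorized` flag are hypothetical, PDO's SQLite driver is assumed to be available, and the suffix comes from `random_bytes()` rather than `md5()` because a hash of a guessable name is itself guessable.

```php
<?php
// Added example, not Zenphoto code. Table and function names are hypothetical.
declare(strict_types=1);

// Constructed in-memory database standing in for the gallery's image table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE image_map (
    album TEXT NOT NULL, url_name TEXT NOT NULL, stored_name TEXT NOT NULL UNIQUE,
    PRIMARY KEY (album, url_name))');

// Build the on-disk name: original base name + 128 random bits + extension.
// random_bytes() is a CSPRNG, so the suffix cannot be derived from the name.
function storedName(string $urlName): string
{
    $info = pathinfo($urlName);
    $ext = isset($info['extension']) ? '.' . strtolower($info['extension']) : '';
    return $info['filename'] . '-' . bin2hex(random_bytes(16)) . $ext;
}

// Record the mapping at upload time and return the name to write to disk.
function registerUpload(PDO $db, string $album, string $urlName): string
{
    $urlName = basename($urlName); // drop any path components
    $stored = storedName($urlName);
    $stmt = $db->prepare('INSERT INTO image_map VALUES (?, ?, ?)');
    $stmt->execute([$album, $urlName, $stored]);
    return $stored;
}

// Resolve a public URL name to the on-disk name. $authorized is the result
// of the album's own access check (published / password), done by the caller.
function resolve(PDO $db, string $album, string $urlName, bool $authorized): ?string
{
    if (!$authorized) {
        return null; // protected album: never reveal the stored name
    }
    $stmt = $db->prepare(
        'SELECT stored_name FROM image_map WHERE album = ? AND url_name = ?');
    $stmt->execute([$album, basename($urlName)]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

$stored = registerUpload($db, 'Album-Name-1', 'IMG_0001.jpg');
echo "URL name:    IMG_0001.jpg\n";
echo "Stored name: $stored\n";
var_dump(resolve($db, 'Album-Name-1', 'IMG_0001.jpg', true) === $stored);
var_dump(resolve($db, 'Album-Name-1', 'IMG_0001.jpg', false));
```

The random stored name only protects the originals if the upload directory does not allow directory listing and the stored name never appears in page output for visitors who fail the access check.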