AuditImages

Summary: View the images that have been uploaded to your wiki.
Version: 1.1
Prerequisites: Uploads enabled
Status: Stable
License: N/A
Maintainer: Hagan Fox
Discussion: AuditImages-Talk
Categories: Images, Security, Uploads

Question

Is there a quick and easy way to see if someone has uploaded some undesirable images to my wiki?

Answer

Install Qdig (Quick DIGital image gallery) in your uploads directory. All it takes is copying one file.

Qdig is a simple script that turns directories with images into galleries. Like PmWiki, Qdig is GNU GPL-licensed free software.

NOTE: Qdig was last updated in 2007 and was written for PHP 4. It may not work properly on your version of PHP.

Instructions

  1. Download and unpack Qdig.
  2. Put index.php in your uploads/ directory.

When you visit the script you'll see links to all of your group directories that contain image files. Each link leads to a dynamic gallery. Supported formats are JPEG, GIF, PNG and sometimes BMP.

Optional Qdig Configuration

  • Rename the Qdig script (say, to qdig.php) if you want to be able to explore the directories to look for other types of files.
  • Create a link to your wiki on each gallery page by setting
     $site_lnk_title = 'My Wiki';
     $site_lnk_url   = '../pmwiki.php';
  • See the images sorted by date (rather than alphabetically) by setting
     $img_links['sort_date'] = TRUE;
  • Disable creating empty .txt files (although they won't hurt anything) by setting
     $touch_captions = FALSE;
  • Disable image conversion (thumbnails and alternate-sized images) by setting
     $convert_magick = FALSE;
     $convert_GD     = FALSE;
  • Use thumbnails, but not alternate-sized images by setting
     $disp_size['1'] = FALSE;
     $disp_size['2'] = FALSE;

Security

IMPORTANT: The default installation method allows anyone who browses your /uploads directory to view the images and possibly reveals otherwise-hidden group names (or page names if you use per-page uploads).

There are some things you can do to make it more secure.

Rename the Qdig Script

You should rename the script from index.php to some hard-to-guess name. Someone would need to know your /uploads directory's URL (easy to determine) and the script name (much harder to determine).

A hard-to-guess script name is "security by obscurity", which some would say is not much security.

Add HTTP Authentication

For much better security than just renaming the script, use HTTP Authentication also. See http://qdig.sourceforge.net/Tips/HttpAuthGuide for instructions on how to set up HTTP-Auth.
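
A minimal sketch of such a setup for Apache 2.4, added here as an example (it is not taken from the Qdig guide or from PmWiki). It assumes the script was renamed to qdig.php, that .htaccess overrides for authentication are allowed in the uploads/ directory, and that the password file path and the user name "auditor" are placeholders.

```apache
# uploads/.htaccess  (added example; file name and paths are assumptions)
# Require a login only for the renamed Qdig script, so that PmWiki
# can keep serving the uploaded files themselves as before.
<Files "qdig.php">
    AuthType Basic
    AuthName "Upload audit"
    # Placeholder path: keep the password file outside the web root.
    # Create it with: htpasswd -c /path/outside/webroot/.htpasswd-qdig auditor
    AuthUserFile /path/outside/webroot/.htpasswd-qdig
    Require valid-user
</Files>

# Refuse to serve .htaccess/.htpasswd files in case one ends up
# inside the web root anyway.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Basic authentication sends the password with every request in an easily decoded form, so visit the script over HTTPS.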

Notes and Comments

  • If you're using thumbnails, a thumbnail will not update itself automatically when someone replaces an image. Be sure to browse through the actual images, or delete uploads/qdig-files/ so that the thumbnails are created afresh.
  • This recipe was last tested on PmWiki version: 2.0.beta35

Comments

See discussion at AuditImages-Talk
