We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Hashing image filenames

    • 53460
    • 69 Posts
    jeffsydor Reply #1, 5 years, 2 months ago
    What would be a good way to hash image filenames? I want to prevent a potential hacker from gathering specific information that could be used against us.

    NOTE: I know my code has background-image misspelled. When I spell it correctly, the forum adds additional code to my text for some reason. lol

    Let's say I have this:
    <div class="photo" style="backgrund-image: url('/assets/pictures/team/[[*MyID:default=`default`]].jpg');">
    <img src="/assets/pictures/team/[[*MyID:default=`default`]].jpg" alt="[[*pagetitle]]">
</div>


    Which outputs to this:
    <div class="photo" style="backgrund-image: url('/assets/pictures/team/Jeff1.jpg');">
    <img src="/assets/pictures/team/Jeff1.jpg" alt="Jeff's Bio">
</div>


    Suppose I have dozens of users with bios like this, but I don't want someone to be able to pull all our usernames just from using the element inspector. I tried using the output filter md5, [[*MyID:md5:default=`default`]], which resulted in broken image links:
    <div class="photo" style="backgrund-image: url('/assets/pictures/team/933e66335a0397da1d8e324b2815428e.jpg');">
    <img src="/assets/pictures/team/933e66335a0397da1d8e324b2815428e.jpg" alt="Jeff's Bio">
</div>


    How can I do this correctly so that MODX knows how to find this file? Or is there a better way?

    Thanks in advance!
    [ed. note: jeffsydor last edited this post 5 years, 2 months ago.]
      • 42562
      • 1,145 Posts
      donshakespeare Reply #2, 5 years, 2 months ago
      Is this around what you might be possibly asking about?

      A PHP file that would manage your image/file requests.

      So, a http request to
      /assets/mysnippets/file.php?filename=933e66335a0397da1d8e324b2815428e.jpg

      Would be dehashed and addressed to
      /assets/unwise/sensitive/material/mySocialSecurityNumberLOL.jpg

      Look here for inspiration and further search keywords
      https://stackoverflow.com/questions/5762523/protect-image-path-php

      The issue is that once the image or its cloak has been served to the greedy internet, the toothpaste is already out the tube.

      Your bestest bet is to nip the issue before it is an issue.
      If this were an issue for me, I'd force all uploads through a PHP script that renamed the files right there on the server.
      So that, my-wifes-maiden-name.jpg before upload becomes 2323232332u32iu3823u23u2832y38y823u82832832832323.jpg on the server.
      And of course I'd lock up access to that folder to prevent renaming or some sort of mishap.

      But it seems you might be dealing with an already established system ...
        TinymceWrapper: Complete back/frontend content solution.
        Harden your MODX site by passwording your three main folders: core, manager, connectors and renaming your assets (thank me later!)
        5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
        • 3749
        • 24,544 Posts
        BobRay Reply #3, 5 years, 2 months ago
        I think pThumb does this for you. Gallery may as well.

        You can also prevent direct access to images with directives in .htaccess: https://stackoverflow.com/questions/3990337/how-to-protect-against-direct-access-to-images
          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting