BuddyDev

Search

[Resolved] Auto rename uploaded Mediapress files for security

Tagged: 

  • Participant
    Level: Enlightened
    Posts: 26
    Bjoern on #4942

    Hi Brajesh,
    I understand that every item in the media gallery including anything uploaded through Medapress is always accessible (despite the privacy settings) when someone knows the absolute url to the file. Very often you can simply guess the absolute url. That’s the reason why I this plugin (https://wordpress.org/plugins/wp-upload-rename/) to automatically change the name of all uploaded photos and files to a random string. The random string basically works like a password. Without knowing the string you can’t download but you can still successfully she the absolute url if someone needs to download. As I understand it the media library index is hidden to the outside so that it’s almost impossible to download anything if you are not the creator of the media. I think Facebook works similar.

    Unfortunately Mediapress media files are not renamed with the above mentioned plugin. It pretty much renames everything, even plugin zips, but doesn’t get to rename Mediapress files. Could you maybe support this or another auto upload rename plugin for better security. That would be awesome!

    Thanks!

  • Keymaster
    (BuddyDev Team)
    Posts: 24149
    Brajesh Singh on #4951

    Hi Bjoerm,
    Thank you for posting.
    A few months ago I had posted a tutorial showing how to do it with uploadplus plugin.

    The upload rename plugin is new compared to that and I haven’t looked at it.

    Please see if this post helps you
    https://buddydev.com/buddypress/obfuscate-uploaded-file-names-for-mediapress-uploads/

    Regards
    Brajesh

  • Participant
    Level: Enlightened
    Posts: 26
    Bjoern on #4980

    Thanks so much, Brajesh! That’s exactly what I was looking for. I tested the upload plus plugin with your custom code and it works great. I still think that the newer “upload rename plugin” is a little better because it is a lot smaller and still supported because it is very new. It also doesn’t change the display title of the file but only the file name. The upload plus plugin is a lot bigger and not supported anymore. Sometimes (eg. on Mediapress) it changes the display title to the random string, which is not very user friendly. Because of the Exif strip functionality it also seems to be destined to probably give some upload errors once in a while. It also doesn’t allow for customization of the random strings. Anyway I have a working solution with upload plus and I could change the string length of 20 in the code itself. Thanks again.

  • Keymaster
    (BuddyDev Team)
    Posts: 24149
    Brajesh Singh on #5006

    Thank you for the feedback.

    Will certainly add tutorials to show compatibility with the new plugin in future. Currently my hands are full, so please use the above approach for now(and you may ping me in 15 days for the new plugin).

    Thank you
    Brajesh

  • Participant
    Level: Enlightened
    Posts: 26
    Bjoern on #5330

    Just coming back to you regarding a potential wp_upload_rename tutorial regarding the newer plugin mentioned above (https://wordpress.org/plugins/wp-upload-rename/). Not a matter of urgency, only if you have some time now…

  • Keymaster
    (BuddyDev Team)
    Posts: 24149
    Brajesh Singh on #5337

    Hi Bjoern,
    I or Ravi will do it this weekend.

    Thank you for reminding.

  • Participant
    Level: Enlightened
    Posts: 26
    Bjoern on #5363

    Great, thanks so much!

  • Keymaster
    (BuddyDev Team)
    Posts: 24149
    Brajesh Singh on #5551

    Hi Bjoern,
    I had a look at the code of this plugin.

    At the moment, The plugin lacks in many ways.

    1. There is no way to access the created object
    2. If you create another object from it, The hooks will rerun because of the constructor

    Until the plugin exposes some way to access the created object or avoid resetting up of hooks, I don’t think I should post any code.

    If you still want it, Please modify the plugin and add a line below this

    
    add_filter('wp_handle_upload_prefilter', array(&$this, 'rename'));
    
    

    Like this

    
    add_filter('mpp_handle_upload_prefilter', array($this, 'rename'));
    

    That will do it. It’s a bad idea anyway.

  • Participant
    Level: Enlightened
    Posts: 26
    Bjoern on #5558

    Thanks Brajesh! I don’t know how to code so that I can’t judge the plugin’s code. If I understand you correctly it wouldn’t be a good idea to even add the filter in the plugin itself? I understand that it’s not perfect to modify a plugin itself because of the upgradeability and all changes being wiped out after an update. But besides that problem could it cause any issues by applying the filter in the plugin itself?

  • Keymaster
    (BuddyDev Team)
    Posts: 24149
    Brajesh Singh on #5642

    The plugin is very lightweight and I would have recommended it wholeheartedly if it allowed using it by 3rd party. For now, Please avoid it. May be I will try to send them a pull request on github in future when I have some free time.

You must be logged in to reply to this topic.

This topic is: resolved