|
| 1 | +--- |
| 2 | +title: "Secure Image Viewer (Central show_image.php)" |
| 3 | +sidebar_label: Secure Image Viewer |
| 4 | +sidebar_position: 3 |
| 5 | +--- |
| 6 | + |
| 7 | +The `show_image.php` script located in the `central/common/` directory is a robust, security-hardened mechanism for displaying digital assets within the ABCD Central administrative interface and the OPAC. Unlike standard file links, this script is designed to serve media located **outside** the web server's public `DOCUMENT_ROOT`, protecting sensitive files from direct exposure. |
| 8 | + |
| 9 | +Recent updates have significantly improved its security posture, making it a "safe than sorry" solution against modern web vulnerabilities. |
| 10 | + |
| 11 | +## Key Security Features |
| 12 | + |
| 13 | +* **Path Traversal Prevention:** The script strictly forbids the use of `..` in URLs and uses PHP's `realpath()` to ensure requested files remain within the authorized base directory. |
| 14 | +* **Referrer Validation:** To prevent hotlinking and direct URL manipulation, the script only executes if the request originates from a recognized ABCD `central` or `opac` host. |
| 15 | +* **Session-Based Access:** For administrative requests, the script verifies that the user is actively logged into ABCD with a valid profile and permissions. |
| 16 | +* **Strict Sanitization:** Input parameters undergo rigorous cleaning; only alphanumeric characters, slashes (`/`), dots (`.`), underscores (`_`), and dashes (`-`) are permitted. |
| 17 | +* **MIME Type Whitelisting:** The script only serves files with recognized extensions (e.g., jpg, pdf, mp3, zip) and maps them to their correct Content-Type. |
| 18 | + |
| 19 | +--- |
| 20 | + |
| 21 | +## Configuration |
| 22 | + |
| 23 | +To serve files, the script requires a defined **ROOT** directory. This is configured in the `dr_path.def` file located in your database folder: |
| 24 | +`.../bases/[database_name]/dr_path.def`. |
| 25 | + |
| 26 | +### The ROOT Parameter |
| 27 | + |
| 28 | +The `ROOT` parameter defines the starting point for media searches. It supports the `%path_database%` variable for portability. |
| 29 | + |
| 30 | +```ini |
| 31 | +/* Example 1: Standard images folder */ |
| 32 | +ROOT=%path_database%nvbsodr/images |
| 33 | + |
| 34 | +/* Example 2: Secure FTP upload folder */ |
| 35 | +ROOT=%path_database%nvbsodr/ftp_nvbsodr/files |
| 36 | + |
| 37 | +``` |
| 38 | + |
| 39 | +:::important Configuration Logic |
| 40 | + |
| 41 | +1. **If `dr_path.def` exists:** The `ROOT` parameter is **mandatory**. If it is missing or empty, the script will terminate with a configuration error. |
| 42 | +2. **If `dr_path.def` does not exist:** The script defaults to the database's root folder (`%path_database%[databasename]`). |
| 43 | +::: |
| 44 | + |
| 45 | +--- |
| 46 | + |
| 47 | +## Usage in PFT (ISIS Formatting Language) |
| 48 | + |
| 49 | +You can call this script within your `.pft` display files to render links or embedded media. The script requires two URL parameters: `image` (the path) and `base` (the database name). |
| 50 | + |
| 51 | +### 1. Simple Download/View Link |
| 52 | + |
| 53 | +This creates a text link that opens the file in the current window. |
| 54 | + |
| 55 | +```pft |
| 56 | +if p(v160) then |
| 57 | + '<tr><td><b>File:</b></td>' |
| 58 | + '<td><a href="/central/common/show_image.php?image='v160'&base=nvbsodr">'v160'</a></td></tr>' |
| 59 | +fi/ |
| 60 | +
|
| 61 | +``` |
| 62 | + |
| 63 | +### 2. Intelligent Media Embedding (PDF vs. Images) |
| 64 | + |
| 65 | +This advanced example detects the file extension to decide whether to use an `<embed>` tag for PDFs or a clickable thumbnail for images. |
| 66 | + |
| 67 | +```pft |
| 68 | +'<tr><td style="text-align:center" width="250px">' |
| 69 | +(if right(v160,4)='.pdf' then |
| 70 | + /* PDF View */ |
| 71 | + '<a href="/central/common/show_image.php?image='v160'&base=nvbsodr">Show PDF</a>' |
| 72 | + '<embed src="/central/common/show_image.php?image='v160'&base=nvbsodr" width=350 height=300>' |
| 73 | +else if p(v160) then |
| 74 | + /* Image View */ |
| 75 | + '<a href="/central/common/show_image.php?image='v160'&base=nvbsodr">' |
| 76 | + '<embed src="/central/common/show_image.php?image='v160'&base=nvbsodr" width=225></a>' |
| 77 | +fi/ /fi/) |
| 78 | +
|
| 79 | +/* Default image if field is empty */ |
| 80 | +(if a(v160) then '<img src="/assets/images/no_image_nl.jpg" width=120>' fi/) |
| 81 | +'</td>' |
| 82 | +
|
| 83 | +``` |
| 84 | + |
| 85 | +--- |
| 86 | + |
| 87 | +## Technical Specifications |
| 88 | + |
| 89 | +### Supported File Types |
| 90 | + |
| 91 | +The script includes a comprehensive `switch` block to handle various formats: |
| 92 | + |
| 93 | +* **Images:** jpg, jpeg, gif, png, bmp, tiff. |
| 94 | +* **Documents:** pdf, doc, txt, rtf, html, xls, xlsx, ppt. |
| 95 | +* **Archives/Multimedia:** zip, exe, mp3, wav, avi, mpeg. |
| 96 | + |
| 97 | +### Security Updates |
| 98 | + |
| 99 | +* **2023-01-04:** Added lowercase extension conversion to ensure compatibility with Linux servers. |
| 100 | +* **2026-02-28:** Implemented `realpath` validation to block Path Traversal. |
| 101 | +* **2026-03-08:** Added `HTTP_REFERER` checks and enhanced filename sanitization. |
| 102 | + |
| 103 | +Would you like me to generate a specific PFT example for a different database field or explain how to customize the error messages in this script? |
| 104 | + |
| 105 | +Aliás, para liberar as funcionalidades de todos os apps, ative a [Atividade nos apps do Gemini](https://myactivity.google.com/product/gemini). |
0 commit comments