From d42ac6ddba4a463a9382cb503e7b6645b02631ac Mon Sep 17 00:00:00 2001
From: Esenjin <esenjin@sangigi-fuchsia.fr>
Date: Fri, 10 Jan 2025 15:37:04 +0100
Subject: [PATCH] =?UTF-8?q?l'acc=C3=A8s=20aux=20images=20priv=C3=A9es=20es?=
 =?UTF-8?q?t=20correctement=20prot=C3=A9g=C3=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .htaccess            |  6 ++++++
 arbre-img-prive.php  |  5 ++++-
 galeries-privees.php |  4 ++--
 images.php           | 34 ++++++++++++++++++++++++++++++++++
 partage.php          | 32 +++++++++++++++++++++++++++++---
 version.txt          |  2 +-
 6 files changed, 76 insertions(+), 7 deletions(-)
 create mode 100644 images.php

diff --git a/.htaccess b/.htaccess
index 714e49b..9837be1 100644
--- a/.htaccess
+++ b/.htaccess
@@ -37,4 +37,10 @@ Options -Indexes
     Header set X-Content-Type-Options "nosniff"
     Header set X-Frame-Options "SAMEORIGIN"
     Header set X-XSS-Protection "1; mode=block"
+</IfModule>
+
+# Bloquer l'accès direct aux images privées
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteRule ^liste_albums_prives/.+\.(jpg|jpeg|png|gif)$ - [F]
 </IfModule>
\ No newline at end of file
diff --git a/arbre-img-prive.php b/arbre-img-prive.php
index 617ca7c..661669b 100644
--- a/arbre-img-prive.php
+++ b/arbre-img-prive.php
@@ -228,7 +228,10 @@ $config = getSiteConfig();
             <div class="images-grid">
                 <?php foreach($images as $image):
                     $imagePath = str_replace('\\', '/', substr($currentPath, strpos($currentPath, '/liste_albums_prives/') + strlen('/liste_albums_prives/')));
-                    $imageUrl = getBaseUrl() . '/liste_albums_prives/' . ($imagePath ? $imagePath . '/' : '') . $image;
+                    $imageUrl = getBaseUrl() . '/images.php?path=' . urlencode($currentPath . '/' . $image);
+                        if (isset($_SESSION['admin_id'])) {
+                            $imageUrl .= '&admin_session=' . session_id();
+                        }
                 ?>
                     <div class="image-item">
                         <input type="checkbox" name="images[]" value="<?php echo htmlspecialchars($image); ?>" 
diff --git a/galeries-privees.php b/galeries-privees.php
index 5f516cf..7f20305 100644
--- a/galeries-privees.php
+++ b/galeries-privees.php
@@ -34,7 +34,7 @@ if (empty($shareKey)) {
                     if (in_array($extension, ALLOWED_EXTENSIONS)) {
                         // Obtenir le chemin relatif depuis la racine du projet
                         $relativePath = str_replace('\\', '/', substr($file->getPathname(), strlen(realpath('./'))));
-                        $url = $baseUrl . '/' . ltrim($relativePath, '/');
+                        $url = $baseUrl . '/images.php?path=' . urlencode($file->getPathname()) . '&key=' . urlencode($shareKey);
                         // Vérifier que le fichier existe et est accessible
                         if (file_exists($file->getPathname())) {
                             $images[] = $url;
@@ -148,7 +148,7 @@ $config = getSiteConfig();
             }
         ?>
         <div class="gallery-item <?php echo $isTop ? 'gallery-item-top' : ''; ?> <?php echo $spanClass; ?>">
-            <a href="partage.php?image=<?php echo urlencode($image); ?>" target="_blank">
+            <a href="partage.php?image=<?php echo urlencode($image); ?>&key=<?php echo urlencode($shareKey); ?>" target="_blank">
                 <img src="<?php echo htmlspecialchars($image); ?>" 
                      alt="Image de la galerie"
                      loading="lazy">
diff --git a/images.php b/images.php
new file mode 100644
index 0000000..f215e48
--- /dev/null
+++ b/images.php
@@ -0,0 +1,34 @@
+<?php
+// images.php
+require_once 'fonctions.php';
+session_start();
+
+$path = $_GET['path'] ?? '';
+$key = $_GET['key'] ?? '';
+$adminSession = $_GET['admin_session'] ?? '';
+
+// Vérifier que le chemin est valide et dans un album privé
+if (!isSecurePrivatePath($path) || !file_exists($path)) {
+    header("HTTP/1.0 404 Not Found");
+    exit;
+}
+
+// Vérifier l'authentification (admin ou clé de partage valide)
+if ($adminSession) {
+    session_id($adminSession);
+    session_start();
+    if (!isset($_SESSION['admin_id'])) {
+        header("HTTP/1.0 403 Forbidden");
+        exit;
+    }
+} else {
+    if (!$key || !validateShareKey($key)) {
+        header("HTTP/1.0 403 Forbidden");
+        exit;
+    }
+}
+
+// Servir l'image avec le bon Content-Type
+$mime = mime_content_type($path);
+header("Content-Type: $mime");
+readfile($path);
\ No newline at end of file
diff --git a/partage.php b/partage.php
index 82181ba..d5b13ae 100644
--- a/partage.php
+++ b/partage.php
@@ -3,12 +3,36 @@ require_once 'fonctions.php';
 
 // Vérifier que nous avons une URL d'image
 $imageUrl = isset($_GET['image']) ? $_GET['image'] : null;
-$imagePath = realpath('.') . str_replace(getBaseUrl(), '', $imageUrl);
-if (!$imageUrl || !file_exists($imagePath)) {
+
+if (!$imageUrl) {
     header('Location: index.php');
     exit;
 }
 
+// Si c'est une image privée
+if (strpos($imageUrl, 'images.php') !== false) {
+    // On récupère les paramètres de l'URL de l'image
+    parse_str(parse_url($imageUrl, PHP_URL_QUERY), $params);
+    $path = $params['path'] ?? '';
+    $key = $params['key'] ?? '';
+    
+    if (strpos($path, 'liste_albums_prives') !== false) {
+        $isPrivateImage = true;
+        if (!isset($_SESSION['admin_id'])) {
+            if (!$key || !validateShareKey($key)) {
+                header('Location: index.php');
+                exit;
+            }
+        } elseif (isset($_SESSION['admin_id'])) {
+            // Pour les admins, on remplace la clé par la session admin
+            $imageUrl = preg_replace('/&key=[^&]*/', '', $imageUrl) . '&admin_session=' . session_id();
+        }
+    }
+}
+
+// Récupérer le nom du fichier pour le téléchargement
+$filename = basename(parse_url($imageUrl, PHP_URL_PATH));
+
 // Si pas d'image, redirection
 if (!$imageUrl) {
     header('Location: index.php');
@@ -30,7 +54,7 @@ $config = getSiteConfig();
     <link rel="stylesheet" href="styles.css">
 </head>
 <body class="share-page">
-    <button onclick="var referrer = document.referrer; if (referrer.includes('galeries.php')) { window.close(); } else { window.location.href='index.php'; }" class="back-button">Retour</button>
+    <button onclick="var referrer = document.referrer; if (referrer.includes('galeries.php') || referrer.includes('galeries-privees.php')) { window.close(); } else { window.location.href='index.php'; }" class="back-button">Retour</button>
 
     <div class="share-container">
         <div class="share-image">
@@ -47,6 +71,7 @@ $config = getSiteConfig();
                 Partager
             </button>
 
+            <?php if (!$isPrivateImage): ?>
             <button class="action-button" onclick="embedImage()">
                 <svg xmlns="http://www.w3.org/2000/svg" class="icon" viewBox="0 0 24 24" width="24" height="24" fill="none" stroke="currentColor" stroke-width="2">
                     <polyline points="16 18 22 12 16 6"></polyline>
@@ -54,6 +79,7 @@ $config = getSiteConfig();
                 </svg>
                 Intégrer
             </button>
+            <?php endif; ?>
 
             <a href="<?php echo htmlspecialchars($imageUrl); ?>" 
                download="<?php echo htmlspecialchars($filename); ?>" 
diff --git a/version.txt b/version.txt
index 1cc5f65..8cfbc90 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.1.0
\ No newline at end of file
+1.1.1
\ No newline at end of file