Package: gallery
Version: 1.5-1sarge1
Severity: important

Normally, accessing photos in a password-protected album requires logging in. If you try to access http://hostname/gallery/album01/aaa and the album requires logging in, you are redirected to the "Attention" page. But if you type http://hostname/albums/album01/aaa or http://hostname/albums/album01/aaa.jpg, you can see the picture directly without logging in.

This problem can be partially fixed by adding something like

    SetEnvIf REFERER "http://hostname" OK
    Order deny,allow
    Deny from all
    Allow from env=OK

to the Apache config file. But if you do this, you probably can't access movie files, which are often opened by external programs.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages gallery depends on:
ii  apache      1.3.33-6sarge1  versatile, high-performance HTTP s
ii  apache-ssl  1.3.33-6sarge1  versatile, high-performance HTTP s
ii  debconf     1.4.30.13       Debian configuration management sy
ii  netpbm      2:10.0-8sarge2  Graphics conversion tools
ii  php4        4:4.3.10-16     server-side, HTML-embedded scripti

-- debconf information:
* gallery/restart: true
* gallery/webserver: apache
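
An added example, not part of the original report: a Python check over Apache combined-format access logs that lists files under /albums/ that were served without a Referer from the gallery host, which is how the direct requests described above show up in the log. The log lines, client addresses and the function name are constructed for illustration; the host name and paths follow the report.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines (documentation-range addresses, made-up user agents).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /gallery/album01/aaa HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2006:10:00:01 +0000] "GET /albums/album01/aaa.jpg HTTP/1.1" 200 40960 "http://hostname/gallery/album01/aaa" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2006:10:05:00 +0000] "GET /albums/album01/aaa.jpg HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2006:10:05:02 +0000] "GET /albums/album01/bbb.jpg HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2006:10:09:00 +0000] "GET /albums/album01/clip.avi HTTP/1.1" 206 1048576 "-" "ExamplePlayer/1.0"',
]


def direct_album_hits(lines, site_host="hostname", prefix="/albums/"):
    """Return (ip, path, referer) for files under prefix that were served
    to a request that did not come from a page on site_host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        path, status, referer = m["path"], m["status"], m["referer"]
        if not path.startswith(prefix):
            continue  # requests through the gallery scripts are checked by the application
        if not (status.startswith("2") or status == "304"):
            continue  # denied or missing: no file content was sent
        # Compare the Referer host exactly; the SetEnvIf pattern in the report is
        # an unanchored regex and would also match longer host names.
        if urlsplit(referer).hostname == site_host:
            continue
        hits.append((m["ip"], path, referer))
    return hits


if __name__ == "__main__":
    for ip, path, referer in direct_album_hits(SAMPLE_LOG):
        print(f"{ip} fetched {path} directly (Referer: {referer})")
```

Requests from external movie players also arrive without a site Referer, as the report notes, so flagged entries need review rather than automatic blocking.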