moose-en-a-gant, posted February 3, 2015

I'm talking about something like /uploads in the main folder where index.php or index.html goes. These photos are theoretically meant to be publicly viewed anyway, so what is bad about that? Let's say profile pictures. I mean, couldn't anyone scrape Facebook and "steal" profile pictures? I don't know why, but I'm just wondering.
requinix, posted February 3, 2015 (edited)

The directory shouldn't be indexed (as in, going to /uploads doesn't show a directory listing), but otherwise, sure. But make sure you've validated uploads very, very well.

A safer course would be to keep the directory private, such as by locating it outside the web root, and use a script to pass through the information. The advantage there is that the web server plays no part in interpreting the file, and your script would force everything to "be" an image, even if someone got past your validation and uploaded something different.

Edited February 3, 2015 by requinix
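The two pieces of advice above, strict validation on the way in and a pass-through script on the way out, together as an added PHP example. This is not code from the thread or from requinix; the storage path `/var/www/private_uploads`, the query parameter `id`, and the function names are assumptions made for the example. Files are stored outside the web root under a server-generated random name, so no client-supplied filename ever reaches the filesystem, and the serving script re-checks the content type and forces an image `Content-Type` before sending bytes.

```php
<?php
// Added example: validate image uploads and serve them through a script
// from a directory the web server itself never exposes.
declare(strict_types=1);

// Assumed location, deliberately outside the document root.
const UPLOAD_DIR = '/var/www/private_uploads';

// Only the image types we intend to serve. Keys are what finfo reports from
// the file's magic bytes, not the extension or the client's claimed type.
const ALLOWED_MIME = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate a freshly uploaded file ($_FILES['photo']['tmp_name']) and move it
 * into UPLOAD_DIR under an opaque name. Returns that name, or null to reject.
 */
function accept_upload(string $tmpPath): ?string
{
    // Sniff the real content type instead of trusting $_FILES[...]['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        return null;
    }
    // getimagesize() must be able to parse it as an image; a PHP script with
    // a fake extension or a few spoofed header bytes fails here.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // Server-generated name: 32 hex characters plus the extension we chose.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($tmpPath, UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;
}

/**
 * Pass-through handler for /serve_image.php?id=<name>. Because the file is
 * outside the web root, the server cannot map a URL to it or execute it; we
 * decide what it "is" and send it as an image.
 */
function serve_image(string $id): void
{
    // Accept only the exact shape of names accept_upload() generates.
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $id)) {
        http_response_code(404);
        return;
    }
    // realpath() plus a prefix check as defence in depth against traversal.
    $real = realpath(UPLOAD_DIR . '/' . $id);
    if ($real === false || strpos($real, UPLOAD_DIR . '/') !== 0 || !is_file($real)) {
        http_response_code(404);
        return;
    }
    // Re-check the content on the way out; refuse anything that is not an
    // allowed image even if it somehow landed in the directory.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($real);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');   // browser must not sniff it into HTML
    header('Content-Disposition: inline; filename="' . $id . '"');
    header('Content-Length: ' . (string) filesize($real));
    header('Cache-Control: public, max-age=86400');
    readfile($real);
}

if (PHP_SAPI !== 'cli') {
    serve_image((string) ($_GET['id'] ?? ''));
}
```

The `nosniff` header and the forced `Content-Type` are what make the script "force everything to be an image": a valid JPEG that also carries HTML or PHP in its metadata is still delivered as `image/jpeg`, and since the web server never maps a URL onto the private directory, there is no way to request it as a script. If you do keep a public /uploads directory instead, at minimum turn off directory listings there (for Apache, `Options -Indexes` in the directory's configuration) and make sure the server is not configured to execute scripts from it.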
moose-en-a-gant (author), posted February 3, 2015

requinix wrote:
"The directory shouldn't be indexed (as in, going to /uploads doesn't show a directory listing), but otherwise, sure. But make sure you've validated uploads very, very well. A safer course would be to keep the directory private, such as by locating it outside the web root, and use a script to pass through the information. The advantage there is that the web server plays no part in interpreting the file, and your script would force everything to "be" an image, even if someone got past your validation and uploaded something different."

Yet another can of worms has been opened, haha. Great suggestion / advice, I'll need to look into this.