From: Aaron Schulz
Date: Wed, 30 Apr 2014 07:51:35 +0000 (-0700)
Subject: Moved isDeleted() check down to avoid information leakage in thumb.php
X-Git-Tag: 1.31.0-rc.0~15954
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_aide%28?a=commitdiff_plain;h=40e5324ece9e4d1bdefa48c1e800d42dd1cbec2f;p=lhc%2Fweb%2Fwiklou.git

Moved isDeleted() check down to avoid information leakage in thumb.php

Change-Id: Idcbf79ef7c82f5bcf3c0ab1002fde2201d81313f
---

diff --git a/thumb.php b/thumb.php
index c5da918e08..1f823bd866 100644
--- a/thumb.php
+++ b/thumb.php
@@ -163,12 +163,6 @@ function wfStreamThumb( array $params ) {
 return;
 }
 
- // Check if the file is hidden
- if ( $img->isDeleted( File::DELETED_FILE ) ) {
- wfThumbError( 404, "The source file '$fileName' does not exist." );
- return;
- }
-
 // Check permissions if there are read restrictions
 $varyHeader = array();
 if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
@@ -181,6 +175,12 @@ function wfStreamThumb( array $params ) {
 $varyHeader[] = 'Cookie';
 }
 
+ // Check if the file is hidden
+ if ( $img->isDeleted( File::DELETED_FILE ) ) {
+ wfThumbError( 404, "The source file '$fileName' does not exist." );
+ return;
+ }
+
 // Do rendering parameters extraction from thumbnail name.
 if ( isset( $params['thumbName'] ) ) {
 $params = wfExtractThumbParams( $img, $params );
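Review bot: The re-added `// Check if the file is hidden` comment in the second hunk does not record that this check has to stay below the read-permission block, which according to the commit subject is the whole reason for the move. Without that, a later cleanup could hoist the early 404 back above the permission check and bring back a response difference that tells a client without read access whether a file is hidden. I would change the comment to `// Check if the file is hidden. Keep this after the read-permission check so users without read access cannot tell hidden files apart.` wfStreamThumb() starts and ends outside the hunk, so whether the early-return paths above line 163 have the same ordering concern cannot be judged from here.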