From 0eb52399689df5fd1401eab951f3a8ef460f7665 Mon Sep 17 00:00:00 2001 From: Aaron Schulz Date: Wed, 13 Nov 2013 15:25:37 -0800 Subject: [PATCH] Added support to img_auth.php for non-repo containers * This adds a new $wgImgAuthUrlPathMap config variable * Also fixed ImgAuthBeforeStream hook msg formatting bug: 51136 Change-Id: I77528f92b20670e3b09adc79c49e62060f1614f3 --- img_auth.php | 27 +++++++++++++++++++++++---- includes/DefaultSettings.php | 16 ++++++++++++++++ 2 files changed, 39 insertions(+), 4 deletions(-) diff --git a/img_auth.php b/img_auth.php index c8759ec82a..2d2db9a5ed 100644 --- a/img_auth.php +++ b/img_auth.php @@ -52,7 +52,7 @@ wfImageAuthMain(); wfLogProfilingData(); function wfImageAuthMain() { - global $wgImgAuthPublicTest, $wgRequest; + global $wgImgAuthPublicTest, $wgImgAuthUrlPathMap, $wgRequest; // See if this is a public Wiki (no protections). if ( $wgImgAuthPublicTest @@ -77,14 +77,32 @@ function wfImageAuthMain() { // Check for bug 28235: QUERY_STRING overriding the correct extension $whitelist = array(); - $dotPos = strrpos( $path, '.' ); - if ( $dotPos !== false ) { - $whitelist[] = substr( $path, $dotPos + 1 ); + $extension = FileBackend::extensionFromPath( $path ); + if ( $extension != '' ) { + $whitelist[] = $extension; } if ( !$wgRequest->checkUrlExtension( $whitelist ) ) { return; } + // Various extensions may have their own backends that need access. + // Check if there is a special backend and storage base path for this file. + foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) { + $prefix = rtrim( $prefix, '/' ) . '/'; // implicit trailing slash + if ( strpos( $path, $prefix ) === 0 ) { + $be = FileBackendGroup::singleton()->backendFromPath( $storageDir ); + $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix + if ( $be->fileExists( array( 'src' => $filename ) ) ) { + wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." ); + $be->streamFile( array( 'src' => $filename ), + array( 'Cache-Control: private', 'Vary: Cookie' ) ); + } else { + wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename ); + } + return; + } + } + // Get the local file repository $repo = RepoGroup::singleton()->getRepo( 'local' ); @@ -145,6 +163,7 @@ function wfForbidden( $msg1, $msg2 ) { $args = func_get_args(); array_shift( $args ); array_shift( $args ); + $args = ( isset( $args[0] ) && is_array( $args[0] ) ) ? $args[0] : $args; $msgHdr = wfMessage( $msg1 )->escaped(); $detailMsgKey = $wgImgAuthDetails ? $msg2 : 'badaccess-group0'; diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 3102384dd1..e9e4545641 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -361,6 +361,22 @@ $wgImgAuthDetails = false; */ $wgImgAuthPublicTest = true; +/** + * Map of relative URL directories to match to internal mwstore:// base storage paths. + * For img_auth.php requests, everything after "img_auth.php/" is checked to see + * if starts with any of the prefixes defined here. The prefixes should not overlap. + * The prefix that matches has a corresponding storage path, which the rest of the URL + * is assumed to be relative to. The file at that path (or a 404) is send to the client. + * + * Example: + * $wgImgAuthUrlPathMap['/timeline/'] = 'mwstore://local-fs/timeline-render/'; + * The above maps ".../img_auth.php/timeline/X" to "mwstore://local-fs/timeline-render/". + * The name "local-fs" should correspond by name to an entry in $wgFileBackends. + * + * @see $wgFileBackends + */ +$wgImgAuthUrlPathMap = array(); + /** * File repository structures * -- 2.20.1