Moved isDeleted() check down to avoid information leakage in thumb.php
authorAaron Schulz <aschulz@wikimedia.org>
Wed, 30 Apr 2014 07:51:35 +0000 (00:51 -0700)
committerAaron Schulz <aschulz@wikimedia.org>
Wed, 30 Apr 2014 07:51:35 +0000 (00:51 -0700)
Change-Id: Idcbf79ef7c82f5bcf3c0ab1002fde2201d81313f

thumb.php

index c5da918..1f823bd 100644 (file)
--- a/thumb.php
+++ b/thumb.php
@@ -163,12 +163,6 @@ function wfStreamThumb( array $params ) {
                return;
        }
 
-       // Check if the file is hidden
-       if ( $img->isDeleted( File::DELETED_FILE ) ) {
-               wfThumbError( 404, "The source file '$fileName' does not exist." );
-               return;
-       }
-
        // Check permissions if there are read restrictions
        $varyHeader = array();
        if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
@@ -181,6 +175,12 @@ function wfStreamThumb( array $params ) {
                $varyHeader[] = 'Cookie';
        }
 
+       // Check if the file is hidden
+       if ( $img->isDeleted( File::DELETED_FILE ) ) {
+               wfThumbError( 404, "The source file '$fileName' does not exist." );
+               return;
+       }
+
        // Do rendering parameters extraction from thumbnail name.
        if ( isset( $params['thumbName'] ) ) {
                $params = wfExtractThumbParams( $img, $params );
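Review bot: The relocated comment `// Check if the file is hidden` does not say why this check must come after the read-permission block, so a later cleanup could move it back up and reintroduce the leak this commit closes. I would make the ordering constraint explicit, for example `// Check if the file is hidden. Keep this after the read-permission check so that users without read access cannot tell hidden files apart from other files.` The body of the permission block lies between the two hunks and is not visible here, so this assumes it returns for unauthorized requests before reaching this point. A regression test that requests a thumbnail of a hidden file without read rights and expects the permission error, not the 404, would pin the behaviour. wfStreamThumb starts and ends outside the hunk.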