* Less verbose errors from profileinfo.php when not configured
* Blacklist redirects via Special:Filepath, hard to use.
* Improved input validation on Special:Import form
-
+* Add a .htaccess to deleted images directory for additional protection
+ against exposure of deleted files with known SHA-1 hashes on default
+ installations.
=== API changes in 1.14 ===
if ( !wfMkdirParents( $dstDir ) ) {
return $this->newFatal( 'directorycreateerror', $dstDir );
}
- // In the deleted zone, seed new directories with a blank
- // index.html, to prevent crawling
if ( $dstZone == 'deleted' ) {
- file_put_contents( "$dstDir/index.html", '' );
+ $this->initDeletedDir( $dstDir );
}
}
return $status;
}
+ /**
+ * Take all available measures to prevent web accessibility of new deleted
+ * directories, in case the user has not configured offline storage
+ */
+ protected function initDeletedDir( $dir ) {
+ // Add a .htaccess file to the root of the deleted zone
+ $root = $this->getZonePath( 'deleted' );
+ if ( !file_exists( "$root/.htaccess" ) ) {
+ file_put_contents( "$root/.htaccess", "Deny from all\n" );
+ }
+ // Seed new directories with a blank index.html, to prevent crawling
+ file_put_contents( "$dir/index.html", '' );
+ }
+
/**
* Pick a random name in the temp zone and store a file to it.
* @param string $originalName The base name of the file as specified
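Review bot: The return value of `file_put_contents( "$root/.htaccess", "Deny from all\n" )` in `initDeletedDir()` is discarded, so if the deleted-zone root is not writable the access restriction is silently missing. Neither this caller nor the archive-directory call site in the later hunk is told. Checking the result and logging the failure would make it visible, for example `if ( file_put_contents( "$root/.htaccess", "Deny from all\n" ) === false ) { wfDebug( __METHOD__ . ": unable to write $root/.htaccess\n" ); }`. The docblock should also say that the file only takes effect on Apache when `AllowOverride` permits access directives; elsewhere the blank index.html is the only measure applied, and the directory has to be blocked in server configuration or moved outside the web root. As far as the visible lines show, the method runs only when a new directory is created, so an existing installation gets the .htaccess only when its next deleted-file directory is made.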
$status->fatal( 'directorycreateerror', $archiveDir );
continue;
}
- // Seed new directories with a blank index.html, to prevent crawling
- file_put_contents( "$archiveDir/index.html", '' );
+ $this->initDeletedDir( $archiveDir );
}
// Check if the archive directory is writable
// This doesn't appear to work on NTFS