From 5252460f1dad0cb50a72d0e98b8c03b401ddea24 Mon Sep 17 00:00:00 2001
From: Aaron Schulz
Date: Mon, 21 Apr 2014 13:02:23 -0700
Subject: [PATCH] Removed $wgImgAuthPublicTest
* For public wikis, using img_auth.php cannot hurt, and thumb.php is already available anyway. Treat it as always "false".
Change-Id: I1240e00386a76593c37c9ac7b4c1f547c655452d
---
 img_auth.php | 11 +----------
 includes/DefaultSettings.php | 7 -------
 2 files changed, 1 insertion(+), 17 deletions(-)
diff --git a/img_auth.php b/img_auth.php
index dc3dcd8f6d..f7daedde3b 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -12,8 +12,6 @@
 * - Set $wgImgAuthDetails = true if you want the reason the access was denied messages to
 * be displayed instead of just the 403 error (doesn't work on IE anyway),
 * otherwise it will only appear in error logs
- * - Set $wgImgAuthPublicTest false if you don't want to just check and see if all are public
- * must be set to false if using specific restrictions such as LockDown or NSFileRepo
 *
 * For security reasons, you usually don't want your user to know *why* access was denied,
 * just that it was. If you want to change this, you can set $wgImgAuthDetails to 'true'
@@ -52,18 +50,11 @@ wfImageAuthMain();
 wfLogProfilingData();
 function wfImageAuthMain() {
- global $wgImgAuthPublicTest, $wgImgAuthUrlPathMap;
+ global $wgImgAuthUrlPathMap;
 $request = RequestContext::getMain()->getRequest();
 $publicWiki = in_array( 'read', User::getGroupPermissions( array( '*' ) ), true );
- // See if this is a public Wiki (no protections).
- if ( $wgImgAuthPublicTest && $publicWiki ) {
- // This is a public wiki, so disable this script (for private wikis only)
- wfForbidden( 'img-auth-accessdenied', 'img-auth-public' );
- return;
- }
-
 // Get the requested file path (source file or thumbnail)
 $matches = WebRequest::getPathInfo();
 if ( !isset( $matches['title'] ) ) {
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index b6860b93d5..b3c6f07c56 100644
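Review bot: Removing the `$wgImgAuthPublicTest && $publicWiki` early return in `wfImageAuthMain()` means img_auth.php now answers on public wikis, yet the deleted description in includes/DefaultSettings.php says that check "improves security when image uploads are hosted on a separate domain", and the commit message does not address that deployment. If the isolation is no longer a concern, say why; otherwise tell operators what replaces the setting, for example in the file header: ` * - On a public wiki this script serves files too; if uploads must only be served from a separate domain, block img_auth.php at the web server`. The diffstat lists only the two code files, so a release-notes entry for the removed setting looks to be missing, and the `img-auth-public` message presumably remains defined with no caller. `$publicWiki` is still assigned here; whether it is read later cannot be seen because the function body continues past the hunk.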
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -361,13 +361,6 @@ $wgDeletedDirectory = false;
 */
 $wgImgAuthDetails = false;
-/**
- * If this is enabled, img_auth.php will not allow image access unless the wiki
- * is private. This improves security when image uploads are hosted on a
- * separate domain.
- */
-$wgImgAuthPublicTest = true;
-
 /**
 * Map of relative URL directories to match to internal mwstore:// base storage paths.
 * For img_auth.php requests, everything after "img_auth.php/" is checked to see
--
2.20.1