-// Extract path and image information
-if( !isset( $_SERVER['PATH_INFO'] ) ) {
- if( isset( $_GET['path'] ) ) $path = $_GET['path'];
- else wfForbidden('img-auth-accessdenied','img-auth-nopathinfo');
-} else {
- $path = $_SERVER['PATH_INFO'];
+$matches = WebRequest::getPathInfo();
+$path = $matches['title'];
+
+// Check for bug 28235: QUERY_STRING overriding the correct extension
+$dotPos = strpos( $path, '.' );
+$whitelist = array();
+if ( $dotPos !== false ) {
+ $whitelist[] = substr( $path, $dotPos + 1 );
+}
+if ( !$wgRequest->checkUrlExtension( $whitelist ) )
+{
+ return;