From: Tim Starling <tstarling@wikimedia.org>
Date: Tue, 31 Mar 2020 06:02:49 +0000 (+1100)
Subject: SECURITY: Fix accidental public CC headers in img_auth.php
X-Git-Tag: 1.31.8~1
X-Git-Url: http://git.cyclocoop.org/?a=commitdiff_plain;h=d5aeff51afd8a451c9185f0f754f86408185c876;hp=d5aeff51afd8a451c9185f0f754f86408185c876;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Fix accidental public CC headers in img_auth.php

Incorrect parameters to FileBackend::streamFile() caused
Cache-Control:private and Vary:Cookie response headers to be omitted
when requesting a file in a path configured by $wgImgAuthUrlPathMap.
Typically this is used to deliver images generated by extensions.

CVE-2020-15005

Bug: T248947
Change-Id: I404d9462e4b35d3d832bfab21954ff87e46e3eb2
---