From: Tim Starling Date: Tue, 31 Mar 2020 06:02:49 +0000 (+1100) Subject: SECURITY: Fix accidental public CC headers in img_auth.php X-Git-Tag: 1.31.8~1 X-Git-Url: http://git.cyclocoop.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=d5aeff51afd8a451c9185f0f754f86408185c876 SECURITY: Fix accidental public CC headers in img_auth.php Incorrect parameters to FileBackend::streamFile() caused Cache-Control:private and Vary:Cookie response headers to be omitted when requesting a file in a path configured by $wgImgAuthUrlPathMap. Typically this is used to deliver images generated by extensions. CVE-2020-15005 Bug: T248947 Change-Id: I404d9462e4b35d3d832bfab21954ff87e46e3eb2 --- diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31 index 5d7f0c52e8..2b48c93dab 100644 --- a/RELEASE-NOTES-1.31 +++ b/RELEASE-NOTES-1.31 @@ -16,6 +16,8 @@ THIS IS NOT A RELEASE YET * (T206476) Call ob_start() before running tests. * (T234450) Per-user concurrency in SpecialContributions can now be limited by setting $wgPoolCounterConf['SpecialContributions'] appropriately. +* (T248947) SECURITY: img_auth.php may leak private extension images into the + public cache. == MediaWiki 1.31.7 == diff --git a/img_auth.php b/img_auth.php index 70570d8649..2caf57ad58 100644 --- a/img_auth.php +++ b/img_auth.php @@ -92,8 +92,10 @@ function wfImageAuthMain() { } if ( $be->fileExists( [ 'src' => $filename ] ) ) { wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." ); - $be->streamFile( [ 'src' => $filename ], - [ 'Cache-Control: private', 'Vary: Cookie' ] ); + $be->streamFile( [ + 'src' => $filename, + 'headers' => [ 'Cache-Control: private', 'Vary: Cookie' ] + ] ); } else { wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path ); }