* Do not allow previews of deleted images to be cached

* I've done this with a Cache-Control: no-cache header() call within UndeleteForm::showFile(), but I would appreciate a review to be sure this is the best method. It's possible for an administrator to preview a deleted image, and for this response to be cached such that a user without appropriate permissions can then access the preview.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index a2d86f7..a958171 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -442,7 +442,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
   if possible (should not happen, though, outside interwiki transclusion... and
   maybe not even then, but it does)
 * (bug 8447) Fix SQL typo breaking non-default $wgHitcounterUpdateFreq
-
+* Do not allow previews of deleted images to be cached
 
 == Languages updated ==
 

diff --git a/includes/SpecialUndelete.php b/includes/SpecialUndelete.php
index d390ed6..e471344 100644 (file)
--- a/includes/SpecialUndelete.php
+++ b/includes/SpecialUndelete.php
@@ -578,6 +578,11 @@ class UndeleteForm {
                global $wgOut;
                $wgOut->disable();
                
+               # We mustn't allow the output to be Squid cached, otherwise
+               # if an admin previews a deleted image, and it's cached, then
+               # a user without appropriate permissions can toddle off and
+               # nab the image, and Squid will serve it
+               header( 'Cache-Control: no-cache' );                    
                $store = FileStore::get( 'deleted' );
                $store->stream( $key );
        }