**/
define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
-require_once( dirname( __FILE__ ) . '/includes/WebStart.php' );
+if ( isset( $_SERVER['MW_COMPILED'] ) ) {
+ require ( 'phase3/includes/WebStart.php' );
+} else {
+ require ( dirname( __FILE__ ) . '/includes/WebStart.php' );
+}
wfProfileIn( 'img_auth.php' );
require_once( dirname( __FILE__ ) . '/includes/StreamFile.php' );
wfForbidden('img-auth-accessdenied','img-auth-public');
}
+$matches = WebRequest::getPathInfo();
+$path = $matches['title'];
+
// Check for bug 28235: QUERY_STRING overriding the correct extension
-if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+$dotPos = strrpos( $path, '.' );
+$whitelist = array();
+if ( $dotPos !== false ) {
+ $whitelist[] = substr( $path, $dotPos + 1 );
+}
+if ( !$wgRequest->checkUrlExtension( $whitelist ) )
{
- wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
-}
+ return;
+}
-$matches = WebRequest::getPathInfo();
-$path = $matches['title'];
$filename = realpath( $wgUploadDirectory . $path );
$realUpload = realpath( $wgUploadDirectory );