X-Git-Url: https://git.cyclocoop.org/%27.WWW_URL.%27admin/?a=blobdiff_plain;f=img_auth.php;h=3999bf3e80e2a3b2dc2360e34cc57b613b9cf501;hb=1afbfbfaa96b2921936b73fe5e4a38dd2a45df51;hp=64910e349c06083ec97c56c57903411695ee383f;hpb=e0da5c113c468fed5d1c98fa6bf701f7d98dedea;p=lhc%2Fweb%2Fwiklou.git diff --git a/img_auth.php b/img_auth.php index 64910e349c..3999bf3e80 100644 --- a/img_auth.php +++ b/img_auth.php @@ -36,13 +36,14 @@ wfProfileIn( 'img_auth.php' ); # Set action base paths so that WebRequest::getPathInfo() # recognizes the "X" as the 'title' in ../image_auth/X urls. -$wgActionPaths[] = $_SERVER['SCRIPT_NAME']; +$wgArticlePath = false; # Don't let a "/*" article path clober our action path +$wgActionPaths = array( "$wgUploadPath/" ); wfImageAuthMain(); wfLogProfilingData(); function wfImageAuthMain() { - global $wgImgAuthPublicTest, $wgRequest, $wgUploadDirectory; + global $wgImgAuthPublicTest, $wgRequest; // See if this is a public Wiki (no protections). if ( $wgImgAuthPublicTest @@ -55,7 +56,15 @@ function wfImageAuthMain() { // Get the requested file path (source file or thumbnail) $matches = WebRequest::getPathInfo(); - $path = $matches['title']; // path with leading '/' + if ( !isset( $matches['title'] ) ) { + wfForbidden( 'img-auth-accessdenied', 'img-auth-nopathinfo' ); + return; + } + $path = $matches['title']; + if ( $path && $path[0] !== '/' ) { + // Make sure $path has a leading / + $path = "/" . $path; + } // Check for bug 28235: QUERY_STRING overriding the correct extension $whitelist = array(); @@ -67,35 +76,26 @@ function wfImageAuthMain() { return; } - // Get the full file path - $filename = realpath( $wgUploadDirectory . $path ); - $realUpload = realpath( $wgUploadDirectory ); + // Get the local file repository + $repo = RepoGroup::singleton()->getRepo( 'local' ); - // Basic directory traversal check - if ( substr( $filename, 0, strlen( $realUpload ) ) != $realUpload ) { - wfForbidden( 'img-auth-accessdenied', 'img-auth-notindir' ); - return; + // Get the full file storage path and extract the source file name. + // (e.g. 120px-Foo.png => Foo.png or page2-120px-Foo.png => Foo.png). + // This only applies to thumbnails, and all thumbnails should + // be under a folder that has the source file name. + if ( strpos( $path, '/thumb/' ) === 0 ) { + $name = wfBaseName( dirname( $path ) ); // file is a thumbnail + $filename = $repo->getZonePath( 'thumb' ) . substr( $path, 6 ); // strip "/thumb" + } else { + $name = wfBaseName( $path ); // file is a source file + $filename = $repo->getZonePath( 'public' ) . $path; } // Check to see if the file exists - if ( !file_exists( $filename ) ) { + if ( !$repo->fileExists( $filename, FileRepo::FILES_ONLY ) ) { wfForbidden( 'img-auth-accessdenied','img-auth-nofile', $filename ); return; } - - // Check to see if tried to access a directory - if ( is_dir( $filename ) ) { - wfForbidden( 'img-auth-accessdenied','img-auth-isdir', $filename ); - return; - } - - // Extract the file name and chop off the size specifier - // (e.g. 120px-Foo.png => Foo.png or page2-120px-Foo.png => Foo.png). - // This only applies to thumbnails, and all thumbnails have a -px specifier. - $name = wfBaseName( $path ); - if ( preg_match( '!(?:[^-]*-)*?\d+px-(.*)!i', $name, $m ) ) { - $name = $m[1]; // this file is a thumbnail - } $title = Title::makeTitleSafe( NS_FILE, $name ); if ( !$title instanceof Title ) { // files have valid titles @@ -108,17 +108,17 @@ function wfImageAuthMain() { wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) ); return; } - + // Check user authorization for this title - // UserCanRead Checks Whitelist too - if( !$title->userCanRead() ) { + // Checks Whitelist too + if ( !$title->userCan( 'read' ) ) { wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name ); return; } // Stream the requested file wfDebugLog( 'img_auth', "Streaming `".$filename."`." ); - StreamFile::stream( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) ); + $repo->streamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) ); } /**