SECURITY: Added missing auth check in img_auth.php
authorAaron Schulz <aschulz@wikimedia.org>
Tue, 7 Jan 2014 19:32:40 +0000 (11:32 -0800)
committercsteipp <csteipp@wikimedia.org>
Tue, 14 Jan 2014 06:07:59 +0000 (22:07 -0800)
For $wgImgAuthUrlPathMap in img_auth.php

Bug: 57016
Change-Id: I874878322a91bf14091500223d3520861a1556bb

img_auth.php

index 2d2db9a..72a7dab 100644 (file)
@@ -92,12 +92,17 @@ function wfImageAuthMain() {
                if ( strpos( $path, $prefix ) === 0 ) {
                        $be = FileBackendGroup::singleton()->backendFromPath( $storageDir );
                        $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix
+                       // Check basic user authorization
+                       if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) {
+                               wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path );
+                               return;
+                       }
                        if ( $be->fileExists( array( 'src' => $filename ) ) ) {
                                wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
                                $be->streamFile( array( 'src' => $filename ),
                                        array( 'Cache-Control: private', 'Vary: Cookie' ) );
                        } else {
-                               wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename );
+                               wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path );
                        }
                        return;
                }
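Review bot: The added guard only tests the global `read` right; whether the stripped suffix of `$path` can still escape `$storageDir` (e.g. via `..` segments in `substr( $path, strlen( $prefix ) )`) is not visible here and presumably relies on FileBackend rejecting non-normalized storage paths — worth stating next to the concatenation, `// relies on the backend rejecting non-normalized paths; $path is untrusted`. The switch from `$filename` to `$path` in the `img-auth-nofile` message looks intended to keep the internal storage layout out of the response and deserves a one-line comment saying so, since a future edit could reintroduce it. wfImageAuthMain continues outside the hunk, so whether the non-prefix branch performs the equivalent check cannot be confirmed from these lines.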