From: Aaron Schulz <aschulz@wikimedia.org>
Date: Fri, 17 Oct 2014 19:32:58 +0000 (-0700)
Subject: Treat the "temp" repo zone as private
X-Git-Tag: 1.31.0-rc.0~13522^2
X-Git-Url: https://git.cyclocoop.org/%27.WWW_URL.%27admin/?a=commitdiff_plain;h=103d6f77c36d0758f5f373f4770392462ad0f927;p=lhc%2Fweb%2Fwiklou.git

Treat the "temp" repo zone as private

* The primary user is the upload stash. Both stashed originals and thumbnails can
  be viewed through Special:UploadStash, which checks the appropriate permissions.
  There is no need for direct web access.
* Note that the scaler URL has to point to something that does no authentication
  checks since the HTTP GET has no cookie headers propagated. However the file
  name is the URL is determined by us_path, which is not exposed to the author
  but rather stored in the DB and linked by the file key. The author should only
  know the key.
* Also changed getTempRepo() to set the thumb/transcoded zones to nest in
  the base repo temp zone. This way, the temp and base repo do not conflict
  as to whether a container might be private or not.

Change-Id: I403520053b2053094e5f90083b6375bc04c351f4
---

diff --git a/RELEASE-NOTES-1.25 b/RELEASE-NOTES-1.25
index 48d7b056bf..b9eb15da0d 100644
--- a/RELEASE-NOTES-1.25
+++ b/RELEASE-NOTES-1.25
@@ -132,6 +132,9 @@ changes to languages because of Bugzilla reports.
   Also, the former will now throw an MWException if called with one or more
   arguments.
 * Removed hitcounters and associated code.
+* The "temp" zone of the upload respository is now considered private. If it
+  already exists (such as under the images/ directory), please make sure that
+  the directory is not web readable (e.g. via a .htaccess file).
 
 == Compatibility ==
 
diff --git a/includes/filerepo/FileRepo.php b/includes/filerepo/FileRepo.php
index 59295257fd..58245a5dd2 100644
--- a/includes/filerepo/FileRepo.php
+++ b/includes/filerepo/FileRepo.php
@@ -114,6 +114,9 @@ class FileRepo {
 	/** @var string The URL of the repo's favicon, if any */
 	protected $favicon;
 
+	/** @var bool Whether all zones should be private (e.g. private wiki repo) */
+	protected $isPrivate;
+
 	/**
 	 * Factory functions for creating new files
 	 * Override these in the base class
@@ -269,7 +272,7 @@ class FileRepo {
 	 * @return string|bool
 	 */
 	public function getZoneUrl( $zone, $ext = null ) {
-		if ( in_array( $zone, array( 'public', 'temp', 'thumb', 'transcoded' ) ) ) {
+		if ( in_array( $zone, array( 'public', 'thumb', 'transcoded' ) ) ) {
 			// standard public zones
 			if ( $ext !== null && isset( $this->zones[$zone]['urlsByExt'][$ext] ) ) {
 				// custom URL for extension/zone
@@ -283,7 +286,6 @@ class FileRepo {
 			case 'public':
 				return $this->url;
 			case 'temp':
-				return "{$this->url}/temp";
 			case 'deleted':
 				return false; // no public URL
 			case 'thumb':
@@ -1305,7 +1307,10 @@ class FileRepo {
 		list( , $container, ) = FileBackend::splitStoragePath( $path );
 
 		$params = array( 'dir' => $path );
-		if ( $this->isPrivate || $container === $this->zones['deleted']['container'] ) {
+		if ( $this->isPrivate
+			|| $container === $this->zones['deleted']['container']
+			|| $container === $this->zones['temp']['container']
+		) {
 			# Take all available measures to prevent web accessibility of new deleted
 			# directories, in case the user has not configured offline storage
 			$params = array( 'noAccess' => true, 'noListing' => true ) + $params;
@@ -1785,9 +1790,9 @@ class FileRepo {
 	}
 
 	/**
-	 * Get an temporary FileRepo associated with this repo.
-	 * Files will be created in the temp zone of this repo and
-	 * thumbnails in a /temp subdirectory in thumb zone of this repo.
+	 * Get a temporary private FileRepo associated with this repo.
+	 *
+	 * Files will be created in the temp zone of this repo.
 	 * It will have the same backend as this repo.
 	 *
 	 * @return TempFileRepo
@@ -1798,26 +1803,26 @@ class FileRepo {
 			'backend' => $this->backend,
 			'zones' => array(
 				'public' => array(
+					// Same place storeTemp() uses in the base repo, though
+					// the path hashing is mismatched, which is annoying.
 					'container' => $this->zones['temp']['container'],
 					'directory' => $this->zones['temp']['directory']
 				),
 				'thumb' => array(
-					'container' => $this->zones['thumb']['container'],
-					'directory' => $this->zones['thumb']['directory'] == ''
-						? 'temp'
-						: $this->zones['thumb']['directory'] . '/temp'
+					'container' => $this->zones['temp']['container'],
+					'directory' => $this->zones['temp']['directory'] == ''
+						? 'thumb'
+						: $this->zones['temp']['directory'] . '/thumb'
 				),
 				'transcoded' => array(
-					'container' => $this->zones['transcoded']['container'],
-					'directory' => $this->zones['transcoded']['directory'] == ''
-						? 'temp'
-						: $this->zones['transcoded']['directory'] . '/temp'
+					'container' => $this->zones['temp']['container'],
+					'directory' => $this->zones['temp']['directory'] == ''
+						? 'transcoded'
+						: $this->zones['temp']['directory'] . '/transcoded'
 				)
 			),
-			'url' => $this->getZoneUrl( 'temp' ),
-			'thumbUrl' => $this->getZoneUrl( 'thumb' ) . '/temp',
-			'transcodedUrl' => $this->getZoneUrl( 'transcoded' ) . '/temp',
-			'hashLevels' => $this->hashLevels // performance
+			'hashLevels' => $this->hashLevels, // performance
+			'isPrivate' => true // all in temp zone
 		) );
 	}