BUG#1124
1 <?php
# Image download authorisation script
# To use, in LocalSettings.php set $wgUploadDirectory to point to a directory that the web
# server does NOT serve directly (otherwise this script can simply be bypassed), and set
# $wgUploadPath to point to this file. Set $wgWhitelistRead to an array of image page titles
# that everyone, including anonymous readers, may fetch; logged-in users may fetch any file.
# If $wgWhitelistRead is not an array, no restriction is applied and every file in the upload
# directory is served to anyone. Your server must support PATH_INFO; CGI-based configurations
# generally don't.
7
8 # Valid web server entry point, enable includes
9 define( "MEDIAWIKI", true );
10
11 require_once( "includes/Defines.php" );
12 require_once( "./LocalSettings.php" );
13 require_once( "includes/Setup.php" );
14
15 if( !isset( $_SERVER['PATH_INFO'] ) ) {
16 wfForbidden();
17 }
18
19 # Get filenames/directories
20 $filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );
21 $realUploadDirectory = realpath( $wgUploadDirectory );
22 $imageName = $wgLang->getNsText( NS_IMAGE ) . ":" . basename( $_SERVER['PATH_INFO'] );
23
24 # Check if the filename is in the correct directory
25 if ( substr( $filename, 0, strlen( $realUploadDirectory ) ) != $realUploadDirectory ) {
26 wfForbidden();
27 }
28
29 if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead ) && !$wgUser->getID() ) {
30 wfForbidden();
31 }
32
33 if( !file_exists( $filename ) ) {
34 wfForbidden();
35 }
36 if( is_dir( $filename ) ) {
37 wfForbidden();
38 }
39
40 # Write file
41 $type = wfGetType( $filename );
42 if ( $type ) {
43 header("Content-type: $type");
44 } else {
45 header("Content-type: application/x-wiki");
46 }
47
48 readfile( $filename );
49
50 function wfGetType( $filename ) {
51 # There's probably a better way to do this
52 $types = <<<END_STRING
53 application/andrew-inset ez
54 application/mac-binhex40 hqx
55 application/mac-compactpro cpt
56 application/mathml+xml mathml
57 application/msword doc
58 application/octet-stream bin dms lha lzh exe class so dll
59 application/oda oda
60 application/ogg ogg
61 application/pdf pdf
62 application/postscript ai eps ps
63 application/rdf+xml rdf
64 application/smil smi smil
65 application/srgs gram
66 application/srgs+xml grxml
67 application/vnd.mif mif
68 application/vnd.ms-excel xls
69 application/vnd.ms-powerpoint ppt
70 application/vnd.wap.wbxml wbxml
71 application/vnd.wap.wmlc wmlc
72 application/vnd.wap.wmlscriptc wmlsc
73 application/voicexml+xml vxml
74 application/x-bcpio bcpio
75 application/x-cdlink vcd
76 application/x-chess-pgn pgn
77 application/x-cpio cpio
78 application/x-csh csh
79 application/x-director dcr dir dxr
80 application/x-dvi dvi
81 application/x-futuresplash spl
82 application/x-gtar gtar
83 application/x-hdf hdf
84 application/x-javascript js
85 application/x-koan skp skd skt skm
86 application/x-latex latex
87 application/x-netcdf nc cdf
88 application/x-sh sh
89 application/x-shar shar
90 application/x-shockwave-flash swf
91 application/x-stuffit sit
92 application/x-sv4cpio sv4cpio
93 application/x-sv4crc sv4crc
94 application/x-tar tar
95 application/x-tcl tcl
96 application/x-tex tex
97 application/x-texinfo texinfo texi
98 application/x-troff t tr roff
99 application/x-troff-man man
100 application/x-troff-me me
101 application/x-troff-ms ms
102 application/x-ustar ustar
103 application/x-wais-source src
104 application/xhtml+xml xhtml xht
105 application/xslt+xml xslt
106 application/xml xml xsl
107 application/xml-dtd dtd
108 application/zip zip
109 audio/basic au snd
110 audio/midi mid midi kar
111 audio/mpeg mpga mp2 mp3
112 audio/x-aiff aif aiff aifc
113 audio/x-mpegurl m3u
114 audio/x-pn-realaudio ram rm
115 audio/x-pn-realaudio-plugin rpm
116 audio/x-realaudio ra
117 audio/x-wav wav
118 chemical/x-pdb pdb
119 chemical/x-xyz xyz
120 image/bmp bmp
121 image/cgm cgm
122 image/gif gif
123 image/ief ief
124 image/jpeg jpeg jpg jpe
125 image/png png
126 image/svg+xml svg
127 image/tiff tiff tif
128 image/vnd.djvu djvu djv
129 image/vnd.wap.wbmp wbmp
130 image/x-cmu-raster ras
131 image/x-icon ico
132 image/x-portable-anymap pnm
133 image/x-portable-bitmap pbm
134 image/x-portable-graymap pgm
135 image/x-portable-pixmap ppm
136 image/x-rgb rgb
137 image/x-xbitmap xbm
138 image/x-xpixmap xpm
139 image/x-xwindowdump xwd
140 model/iges igs iges
141 model/mesh msh mesh silo
142 model/vrml wrl vrml
143 text/calendar ics ifb
144 text/css css
145 text/richtext rtx
146 text/rtf rtf
147 text/sgml sgml sgm
148 text/tab-separated-values tsv
149 text/vnd.wap.wml wml
150 text/vnd.wap.wmlscript wmls
151 text/x-setext etx
152 video/mpeg mpeg mpg mpe
153 video/quicktime qt mov
154 video/vnd.mpegurl mxu
155 video/x-msvideo avi
156 video/x-sgi-movie movie
157 x-conference/x-cooltalk ice";
158 END_STRING;
159 $endl = "
160 ";
161 $types = explode( $endl, $types );
162 if ( !preg_match( "/\.([^.]*?)$/", $filename, $matches ) ) {
163 return false;
164 }
165
166 foreach( $types as $type ) {
167 $extensions = explode( " ", $type );
168 for ( $i=1; $i<count( $extensions ); $i++ ) {
169 if ( $extensions[$i] == $matches[1] ) {
170 return $extensions[0];
171 }
172 }
173 }
174 return false;
175 }
176
177 function wfForbidden() {
178 header( "HTTP/1.0 403 Forbidden" );
179 print
180 "<html><body>
181 <h1>Access denied</h1>
182 <p>You need to log in to access files on this server</p>
183 </body></html>";
184 exit;
185 }
186
187 ?>