1 <?php
2 /**
3 * Image download authorisation script
4 *
5 * To use, in LocalSettings.php set $wgUploadDirectory to point to a non-public
6 * directory, and $wgUploadPath to point to this file. Also set $wgWhitelistRead
7 * to an array of pages you want everyone to be able to access. Your server must
8 * support PATH_INFO, CGI-based configurations generally don't.
9 */
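# Valid web server entry point, enable includes
define( 'MEDIAWIKI', true );

require_once( 'includes/Defines.php' );
require_once( './LocalSettings.php' );
require_once( 'includes/Setup.php' );

# PATH_INFO is the client-supplied path below $wgUploadDirectory; it is only
# ever used after realpath() has resolved it to a canonical, existing path.
if( !isset( $_SERVER['PATH_INFO'] ) ) {
	wfForbidden();
}

# Get filenames/directories. realpath() returns false for a missing or
# unresolvable path; deny right away instead of handing false to substr().
$realUploadDirectory = realpath( $wgUploadDirectory );
$filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );
if ( $realUploadDirectory === false || $filename === false ) {
	wfForbidden();
}
$imageName = $wgLang->getNsText( NS_IMAGE ) . ":" . basename( $_SERVER['PATH_INFO'] );

# Check if the filename is in the correct directory. The prefix compared
# ends with a directory separator, so a sibling directory whose name merely
# starts with the upload directory's name (e.g. "uploads2" beside "uploads")
# does not pass as a prefix match.
$uploadPrefix = rtrim( $realUploadDirectory, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
if ( substr( $filename, 0, strlen( $uploadPrefix ) ) !== $uploadPrefix ) {
	wfForbidden();
}

# Anonymous users may only fetch files whose image page is on the read whitelist
if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead, true ) && !$wgUser->getID() ) {
	wfForbidden();
}

if( !file_exists( $filename ) ) {
	wfForbidden();
}
if( is_dir( $filename ) ) {
	wfForbidden();
}

# Write file
$type = wfGetType( $filename );
if ( $type ) {
	header('Content-type: '.$type);
} else {
	header('Content-type: application/x-wiki');
}
# The type above comes from the extension alone; ask browsers not to sniff
# a different one out of the uploaded content.
header( 'X-Content-Type-Options: nosniff' );

readfile( $filename );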
51
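/**
 * Guess a MIME type from a filename's extension.
 *
 * Only the extension of the last path component is considered and the
 * match is case-sensitive, so "FOO.JPG" is not recognised. The table has
 * no text/html entry, so such files are reported as unknown.
 *
 * @param string $filename Path or bare filename to classify
 * @return string|false The MIME type, or false when there is no extension
 *   or the extension is not in the table
 */
function wfGetType( $filename ) {
	# Extension => MIME type, parsed from the table once per request
	static $typeByExtension = null;

	if ( $typeByExtension === null ) {
		# There's probably a better way to do this
		$types = <<<END_STRING
application/andrew-inset ez
application/mac-binhex40 hqx
application/mac-compactpro cpt
application/mathml+xml mathml
application/msword doc
application/octet-stream bin dms lha lzh exe class so dll
application/oda oda
application/ogg ogg
application/pdf pdf
application/postscript ai eps ps
application/rdf+xml rdf
application/smil smi smil
application/srgs gram
application/srgs+xml grxml
application/vnd.mif mif
application/vnd.ms-excel xls
application/vnd.ms-powerpoint ppt
application/vnd.wap.wbxml wbxml
application/vnd.wap.wmlc wmlc
application/vnd.wap.wmlscriptc wmlsc
application/voicexml+xml vxml
application/x-bcpio bcpio
application/x-cdlink vcd
application/x-chess-pgn pgn
application/x-cpio cpio
application/x-csh csh
application/x-director dcr dir dxr
application/x-dvi dvi
application/x-futuresplash spl
application/x-gtar gtar
application/x-hdf hdf
application/x-javascript js
application/x-koan skp skd skt skm
application/x-latex latex
application/x-netcdf nc cdf
application/x-sh sh
application/x-shar shar
application/x-shockwave-flash swf
application/x-stuffit sit
application/x-sv4cpio sv4cpio
application/x-sv4crc sv4crc
application/x-tar tar
application/x-tcl tcl
application/x-tex tex
application/x-texinfo texinfo texi
application/x-troff t tr roff
application/x-troff-man man
application/x-troff-me me
application/x-troff-ms ms
application/x-ustar ustar
application/x-wais-source src
application/xhtml+xml xhtml xht
application/xslt+xml xslt
application/xml xml xsl
application/xml-dtd dtd
application/zip zip
audio/basic au snd
audio/midi mid midi kar
audio/mpeg mpga mp2 mp3
audio/x-aiff aif aiff aifc
audio/x-mpegurl m3u
audio/x-pn-realaudio ram rm
audio/x-pn-realaudio-plugin rpm
audio/x-realaudio ra
audio/x-wav wav
chemical/x-pdb pdb
chemical/x-xyz xyz
image/bmp bmp
image/cgm cgm
image/gif gif
image/ief ief
image/jpeg jpeg jpg jpe
image/png png
image/svg+xml svg
image/tiff tiff tif
image/vnd.djvu djvu djv
image/vnd.wap.wbmp wbmp
image/x-cmu-raster ras
image/x-icon ico
image/x-portable-anymap pnm
image/x-portable-bitmap pbm
image/x-portable-graymap pgm
image/x-portable-pixmap ppm
image/x-rgb rgb
image/x-xbitmap xbm
image/x-xpixmap xpm
image/x-xwindowdump xwd
model/iges igs iges
model/mesh msh mesh silo
model/vrml wrl vrml
text/calendar ics ifb
text/css css
text/richtext rtx
text/rtf rtf
text/sgml sgml sgm
text/tab-separated-values tsv
text/vnd.wap.wml wml
text/vnd.wap.wmlscript wmls
text/x-setext etx
video/mpeg mpeg mpg mpe
video/quicktime qt mov
video/vnd.mpegurl mxu
video/x-msvideo avi
video/x-sgi-movie movie
x-conference/x-cooltalk ice
END_STRING;

		$typeByExtension = array();
		# Split on "\n" and trim each line, so a stray "\r" from the file's
		# line endings never becomes part of an extension
		foreach ( explode( "\n", $types ) as $line ) {
			$fields = explode( " ", trim( $line ) );
			$mimeType = array_shift( $fields );
			if ( $mimeType === '' ) {
				continue;
			}
			foreach ( $fields as $extension ) {
				# First entry in the table wins for a repeated extension
				if ( $extension !== '' && !isset( $typeByExtension[$extension] ) ) {
					$typeByExtension[$extension] = $mimeType;
				}
			}
		}
	}

	# Extension of the last path component only: excluding "/" stops a dot
	# in a directory name from being taken as the start of the extension
	if ( !preg_match( '/\.([^.\/]*)$/', $filename, $matches ) ) {
		return false;
	}
	$extension = $matches[1];
	return isset( $typeByExtension[$extension] ) ? $typeByExtension[$extension] : false;
}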
178
/**
 * Send a 403 response with a short HTML explanation and stop the script.
 *
 * Every failed check in this file lands here, and each produces this same
 * response regardless of which check failed.
 */
function wfForbidden() {
	header( 'HTTP/1.0 403 Forbidden' );
	$body = "<html><body>
<h1>Access denied</h1>
<p>You need to log in to access files on this server</p>
</body></html>";
	echo $body;
	exit;
}
188
189 ?>