1 <?php
2 # Image download authorisation script
# To use, in LocalSettings.php set $wgUploadDirectory to point to a directory that the web
# server does not serve directly (otherwise the files can be fetched without going through this
# script), and $wgUploadPath to point to this file. Also set $wgWhitelistRead to an array of the
# image description page titles (the image namespace name plus the file name, e.g.
# "Image:Foo.png") that everyone, including anonymous users, may fetch; if $wgWhitelistRead is
# not an array, no read check is made and every file is served to anybody. Your server must
# support PATH_INFO; CGI-based configurations generally don't.
7
8 define( "MEDIAWIKI", true );
9 require_once( "./LocalSettings.php" );
10 require_once( "includes/Setup.php" );
11
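# Get filenames/directories
# PATH_INFO is the attacker-controlled part of the URL after img_auth.php. It is
# resolved to a canonical absolute path and confined to the upload directory
# before anything is read. Embedded NUL bytes are refused up front because PHP's
# filesystem functions reject them (on newer releases with an error, not false).
$pathInfo = isset( $_SERVER['PATH_INFO'] ) ? $_SERVER['PATH_INFO'] : '';
if ( strpos( $pathInfo, "\0" ) !== false ) {
	wfForbidden();
}
$filename = realpath( $wgUploadDirectory . $pathInfo );
$realUploadDirectory = realpath( $wgUploadDirectory );
# Title of the description page the whitelist is checked against, e.g.
# "Image:Foo.png". basename() drops any hashed subdirectory ("a/ab/").
$imageName = $wgLang->getNsText( NS_IMAGE ) . ":" . basename( $pathInfo );

# Check if the filename is in the correct directory.
# realpath() returns false for a missing file, which is refused like anything
# else. The prefix is compared *with* a trailing separator: a bare prefix test
# also accepts a sibling such as "/srv/images_private/x" when $wgUploadDirectory
# is "/srv/images". The result must also be a regular file; the upload directory
# itself (PATH_INFO "/" or empty) passes a plain prefix test.
$prefix = $realUploadDirectory . DIRECTORY_SEPARATOR;
if ( $realUploadDirectory === false || $filename === false
	|| strncmp( $filename, $prefix, strlen( $prefix ) ) !== 0
	|| !is_file( $filename ) ) {
	wfForbidden();
}

# Anonymous users only get files whose description page is in $wgWhitelistRead.
# If $wgWhitelistRead is not an array there is no read restriction here at all
# and every file under the upload directory is served to anybody.
if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead, true ) && !$wgUser->getID() ) {
	wfForbidden();
}

# Write file
# The type comes from the extension alone. An unknown extension is sent as
# application/octet-stream rather than with no Content-type header, since the
# server default (commonly text/html) would render an uploaded file as a page on
# this origin. nosniff stops browsers second-guessing the declared type.
# NOTE(review): wfGetType() maps .html/.htm and .svg to their native types, so
# any such file that does reach the upload directory is rendered on this origin;
# the upload-time extension checks are what keep them out — confirm that setup.
$type = wfGetType( $filename );
header( "Content-type: " . ( $type ? $type : "application/octet-stream" ) );
header( "X-Content-Type-Options: nosniff" );
readfile( $filename );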
33
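function wfGetType( $filename ) {
	# Map a filename to a MIME type by its extension: the part of the basename
	# after the last dot, compared case-insensitively ("FOO.JPG" and
	# "backup.old.jpg" both give image/jpeg). Returns the type as a string, or
	# false when the name has no extension or the extension is not in the table.
	#
	# The table ("type ext ext ...", one line each) is parsed once per request
	# into an extension => type map; the first type listed for an extension wins.
	static $map = null;
	if ( $map === null ) {
		$types = <<<END_STRING
application/andrew-inset ez
application/mac-binhex40 hqx
application/mac-compactpro cpt
application/mathml+xml mathml
application/msword doc
application/octet-stream bin dms lha lzh exe class so dll
application/oda oda
application/ogg ogg
application/pdf pdf
application/postscript ai eps ps
application/rdf+xml rdf
application/smil smi smil
application/srgs gram
application/srgs+xml grxml
application/vnd.mif mif
application/vnd.ms-excel xls
application/vnd.ms-powerpoint ppt
application/vnd.wap.wbxml wbxml
application/vnd.wap.wmlc wmlc
application/vnd.wap.wmlscriptc wmlsc
application/voicexml+xml vxml
application/x-bcpio bcpio
application/x-cdlink vcd
application/x-chess-pgn pgn
application/x-cpio cpio
application/x-csh csh
application/x-director dcr dir dxr
application/x-dvi dvi
application/x-futuresplash spl
application/x-gtar gtar
application/x-hdf hdf
application/x-javascript js
application/x-koan skp skd skt skm
application/x-latex latex
application/x-netcdf nc cdf
application/x-sh sh
application/x-shar shar
application/x-shockwave-flash swf
application/x-stuffit sit
application/x-sv4cpio sv4cpio
application/x-sv4crc sv4crc
application/x-tar tar
application/x-tcl tcl
application/x-tex tex
application/x-texinfo texinfo texi
application/x-troff t tr roff
application/x-troff-man man
application/x-troff-me me
application/x-troff-ms ms
application/x-ustar ustar
application/x-wais-source src
application/xhtml+xml xhtml xht
application/xslt+xml xslt
application/xml xml xsl
application/xml-dtd dtd
application/zip zip
audio/basic au snd
audio/midi mid midi kar
audio/mpeg mpga mp2 mp3
audio/x-aiff aif aiff aifc
audio/x-mpegurl m3u
audio/x-pn-realaudio ram rm
audio/x-pn-realaudio-plugin rpm
audio/x-realaudio ra
audio/x-wav wav
chemical/x-pdb pdb
chemical/x-xyz xyz
image/bmp bmp
image/cgm cgm
image/gif gif
image/ief ief
image/jpeg jpeg jpg jpe
image/png png
image/svg+xml svg
image/tiff tiff tif
image/vnd.djvu djvu djv
image/vnd.wap.wbmp wbmp
image/x-cmu-raster ras
image/x-icon ico
image/x-portable-anymap pnm
image/x-portable-bitmap pbm
image/x-portable-graymap pgm
image/x-portable-pixmap ppm
image/x-rgb rgb
image/x-xbitmap xbm
image/x-xpixmap xpm
image/x-xwindowdump xwd
model/iges igs iges
model/mesh msh mesh silo
model/vrml wrl vrml
text/calendar ics ifb
text/css css
text/html html htm
text/plain asc txt
text/richtext rtx
text/rtf rtf
text/sgml sgml sgm
text/tab-separated-values tsv
text/vnd.wap.wml wml
text/vnd.wap.wmlscript wmls
text/x-setext etx
video/mpeg mpeg mpg mpe
video/quicktime qt mov
video/vnd.mpegurl mxu
video/x-msvideo avi
video/x-sgi-movie movie
x-conference/x-cooltalk ice
END_STRING;
		# The last table line used to end in a stray `";` (left over from a
		# quoted-string version), which made the "ice" extension unmatchable.
		$map = array();
		foreach ( explode( "\n", $types ) as $line ) {
			$fields = preg_split( '/\s+/', trim( $line ) );
			if ( count( $fields ) < 2 ) {
				continue;
			}
			$mime = array_shift( $fields );
			foreach ( $fields as $ext ) {
				$ext = strtolower( $ext );
				if ( !isset( $map[$ext] ) ) {
					$map[$ext] = $mime;
				}
			}
		}
	}

	# Take only the extension of the last path component, so a dot in a
	# directory name ("/dir.d/file") does not count as an extension.
	$ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
	if ( $ext === '' || !isset( $map[$ext] ) ) {
		return false;
	}
	return $map[$ext];
}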
162
function wfForbidden() {
	# Refuse the request with 403 and a minimal HTML notice, then stop.
	# Every rejection in this script (path outside the upload directory,
	# missing file, not whitelisted and not logged in) ends up here, so the
	# reply does not reveal which check failed or whether the file exists.
	header( "HTTP/1.0 403 Forbidden" );
	$body = array(
		"<html><body>",
		"<h1>Access denied</h1>",
		"<p>You need to log in to access files on this server</p>",
		"</body></html>",
	);
	echo implode( "\n", $body );
	exit;
}
172
173 ?>