Ahh, so that's what that does
1 <?php
2 # Image download authorisation script
3 # To use, in LocalSettings.php set $wgUploadDirectory to point to a non-public directory, and
4 # $wgUploadPath to point to this file. Also set $wgWhitelistRead to an array of pages you want
5 # everyone to be able to access. Your server must support PATH_INFO; CGI-based configurations
6 # generally don't.
7
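# Valid web server entry point, enable includes
define( "MEDIAWIKI", true );

require_once( "./LocalSettings.php" );
require_once( "includes/Setup.php" );

# Get filenames/directories.
# PATH_INFO is supplied by the client, so every decision below is made on the
# realpath()-resolved form, never on the raw string. A missing PATH_INFO is
# treated like a path outside the upload directory.
$pathInfo = isset( $_SERVER['PATH_INFO'] ) ? $_SERVER['PATH_INFO'] : '';
$filename = realpath( $wgUploadDirectory . $pathInfo );
$realUploadDirectory = realpath( $wgUploadDirectory );
$imageName = $wgLang->getNsText( NS_IMAGE ) . ":" . basename( $pathInfo );

# Check that the resolved path is a regular file strictly inside the upload
# directory. realpath() returns false for paths that do not exist; the prefix
# comparison includes the trailing separator so that a sibling directory whose
# name merely starts with the upload directory's name (e.g. "<upload>2/") is
# rejected, and so that the upload directory itself is not served.
$prefix = $realUploadDirectory . DIRECTORY_SEPARATOR;
if ( $filename === false || $realUploadDirectory === false
	|| !is_file( $filename )
	|| substr( $filename, 0, strlen( $prefix ) ) !== $prefix ) {
	wfForbidden();
}

# Anonymous users may only fetch files whose description page is whitelisted.
# When $wgWhitelistRead is not an array no restriction applies (original behaviour).
if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead, true ) && !$wgUser->getID() ) {
	wfForbidden();
}

# Write file. The type is derived from the file extension alone, so ask the
# browser not to second-guess it by sniffing the content.
$type = wfGetType( $filename );
if ( $type ) {
	header( "Content-type: $type" );
}
header( "X-Content-Type-Options: nosniff" );
header( "Content-Length: " . filesize( $filename ) );

readfile( $filename );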
35
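/**
 * Map a filename to a MIME type by its extension.
 *
 * Only the basename is inspected, so a dot in a directory name no longer
 * hides the real extension, and the last dot-separated component is used
 * (so "a.tar.gz" is looked up as "gz"). Matching is case-insensitive.
 * Note that the table includes text/html and script types; whether such
 * files can reach the upload directory depends on upload restrictions
 * configured elsewhere.
 *
 * @param string $filename Path or bare filename
 * @return string|false MIME type, or false if the extension is absent or unknown
 */
function wfGetType( $filename ) {
	# Extension -> MIME type lookup, built once from the list below
	# (first token of each line is the type, the remaining tokens are extensions).
	static $typeByExtension = null;
	if ( $typeByExtension === null ) {
		$types = <<<END_STRING
application/andrew-inset ez
application/mac-binhex40 hqx
application/mac-compactpro cpt
application/mathml+xml mathml
application/msword doc
application/octet-stream bin dms lha lzh exe class so dll
application/oda oda
application/ogg ogg
application/pdf pdf
application/postscript ai eps ps
application/rdf+xml rdf
application/smil smi smil
application/srgs gram
application/srgs+xml grxml
application/vnd.mif mif
application/vnd.ms-excel xls
application/vnd.ms-powerpoint ppt
application/vnd.wap.wbxml wbxml
application/vnd.wap.wmlc wmlc
application/vnd.wap.wmlscriptc wmlsc
application/voicexml+xml vxml
application/x-bcpio bcpio
application/x-cdlink vcd
application/x-chess-pgn pgn
application/x-cpio cpio
application/x-csh csh
application/x-director dcr dir dxr
application/x-dvi dvi
application/x-futuresplash spl
application/x-gtar gtar
application/x-hdf hdf
application/x-javascript js
application/x-koan skp skd skt skm
application/x-latex latex
application/x-netcdf nc cdf
application/x-sh sh
application/x-shar shar
application/x-shockwave-flash swf
application/x-stuffit sit
application/x-sv4cpio sv4cpio
application/x-sv4crc sv4crc
application/x-tar tar
application/x-tcl tcl
application/x-tex tex
application/x-texinfo texinfo texi
application/x-troff t tr roff
application/x-troff-man man
application/x-troff-me me
application/x-troff-ms ms
application/x-ustar ustar
application/x-wais-source src
application/xhtml+xml xhtml xht
application/xslt+xml xslt
application/xml xml xsl
application/xml-dtd dtd
application/zip zip
audio/basic au snd
audio/midi mid midi kar
audio/mpeg mpga mp2 mp3
audio/x-aiff aif aiff aifc
audio/x-mpegurl m3u
audio/x-pn-realaudio ram rm
audio/x-pn-realaudio-plugin rpm
audio/x-realaudio ra
audio/x-wav wav
chemical/x-pdb pdb
chemical/x-xyz xyz
image/bmp bmp
image/cgm cgm
image/gif gif
image/ief ief
image/jpeg jpeg jpg jpe
image/png png
image/svg+xml svg
image/tiff tiff tif
image/vnd.djvu djvu djv
image/vnd.wap.wbmp wbmp
image/x-cmu-raster ras
image/x-icon ico
image/x-portable-anymap pnm
image/x-portable-bitmap pbm
image/x-portable-graymap pgm
image/x-portable-pixmap ppm
image/x-rgb rgb
image/x-xbitmap xbm
image/x-xpixmap xpm
image/x-xwindowdump xwd
model/iges igs iges
model/mesh msh mesh silo
model/vrml wrl vrml
text/calendar ics ifb
text/css css
text/html html htm
text/plain asc txt
text/richtext rtx
text/rtf rtf
text/sgml sgml sgm
text/tab-separated-values tsv
text/vnd.wap.wml wml
text/vnd.wap.wmlscript wmls
text/x-setext etx
video/mpeg mpeg mpg mpe
video/quicktime qt mov
video/vnd.mpegurl mxu
video/x-msvideo avi
video/x-sgi-movie movie
x-conference/x-cooltalk ice
END_STRING;
		$typeByExtension = array();
		foreach ( explode( "\n", $types ) as $line ) {
			$tokens = preg_split( '/\s+/', trim( $line ) );
			$mimeType = array_shift( $tokens );
			if ( $mimeType === '' ) {
				continue;
			}
			foreach ( $tokens as $ext ) {
				# First definition wins, matching the original linear scan order
				if ( !isset( $typeByExtension[$ext] ) ) {
					$typeByExtension[$ext] = $mimeType;
				}
			}
		}
	}

	# Take the part after the last dot of the basename only; directory names
	# containing dots must not influence the result.
	if ( !preg_match( '/\.([^.]+)\z/', basename( $filename ), $matches ) ) {
		return false;
	}
	$extension = strtolower( $matches[1] );
	return isset( $typeByExtension[$extension] ) ? $typeByExtension[$extension] : false;
}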
164
/**
 * Reject the current request with HTTP 403 and a short HTML explanation,
 * then terminate the script. This function never returns.
 */
function wfForbidden() {
	header( "HTTP/1.0 403 Forbidden" );
	$body = "<html><body>\n"
		. "<h1>Access denied</h1>\n"
		. "<p>You need to log in to access files on this server</p>\n"
		. "</body></html>";
	echo $body;
	exit;
}
174
175 ?>