wfProfileIn( 'img_auth.php' );
require_once( dirname( __FILE__ ) . '/includes/StreamFile.php' );
-$perms = User::getGroupPermissions( array( '*' ) );
-
// See if this is a public Wiki (no protections)
-if ( $wgImgAuthPublicTest && in_array( 'read', $perms, true ) )
+if ( $wgImgAuthPublicTest
+ && in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) )
+{
wfForbidden('img-auth-accessdenied','img-auth-public');
+}
// Extract path and image information
-if( !isset( $_SERVER['PATH_INFO'] ) )
- wfForbidden('img-auth-accessdenied','img-auth-nopathinfo');
+if( !isset( $_SERVER['PATH_INFO'] ) ) {
+ $path = $wgRequest->getText( 'path' );
+ if( !$path ) {
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-nopathinfo' );
+ }
+} else {
+ $path = $_SERVER['PATH_INFO'];
+}
-$path = $_SERVER['PATH_INFO'];
-$filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );
+$filename = realpath( $wgUploadDirectory . '/' . $path );
$realUpload = realpath( $wgUploadDirectory );
// Basic directory traversal check