X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=img_auth.php;h=e139227eba69d8e29d9a373fd067b3e391ef7779;hb=dd877c916a4588dc6a59e4e6b37d5e633b2505ab;hp=ccaa8af0fcf1dcb7d141f6a77c06c7774ae17a06;hpb=99e968b5aa933a33a45216f6355f00780a0cf203;p=lhc%2Fweb%2Fwiklou.git diff --git a/img_auth.php b/img_auth.php index ccaa8af0fc..e139227eba 100644 --- a/img_auth.php +++ b/img_auth.php @@ -2,7 +2,7 @@ /** * Image authorisation script * - * To use this, see http://www.mediawiki.org/wiki/Manual:Image_Authorization + * To use this, see https://www.mediawiki.org/wiki/Manual:Image_Authorization * * - Set $wgUploadDirectory to a non-public directory (not web accessible) * - Set $wgUploadPath to point to this file @@ -40,11 +40,7 @@ */ define( 'MW_NO_OUTPUT_COMPRESSION', 1 ); -if ( isset( $_SERVER['MW_COMPILED'] ) ) { - require ( 'core/includes/WebStart.php' ); -} else { - require ( __DIR__ . '/includes/WebStart.php' ); -} +require __DIR__ . '/includes/WebStart.php'; wfProfileIn( 'img_auth.php' ); # Set action base paths so that WebRequest::getPathInfo() @@ -56,7 +52,7 @@ wfImageAuthMain(); wfLogProfilingData(); function wfImageAuthMain() { - global $wgImgAuthPublicTest, $wgRequest; + global $wgImgAuthPublicTest, $wgImgAuthUrlPathMap, $wgRequest; // See if this is a public Wiki (no protections). if ( $wgImgAuthPublicTest @@ -81,14 +77,37 @@ function wfImageAuthMain() { // Check for bug 28235: QUERY_STRING overriding the correct extension $whitelist = array(); - $dotPos = strrpos( $path, '.' ); - if ( $dotPos !== false ) { - $whitelist[] = substr( $path, $dotPos + 1 ); + $extension = FileBackend::extensionFromPath( $path ); + if ( $extension != '' ) { + $whitelist[] = $extension; } if ( !$wgRequest->checkUrlExtension( $whitelist ) ) { return; } + // Various extensions may have their own backends that need access. + // Check if there is a special backend and storage base path for this file. + foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) { + $prefix = rtrim( $prefix, '/' ) . '/'; // implicit trailing slash + if ( strpos( $path, $prefix ) === 0 ) { + $be = FileBackendGroup::singleton()->backendFromPath( $storageDir ); + $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix + // Check basic user authorization + if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) { + wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path ); + return; + } + if ( $be->fileExists( array( 'src' => $filename ) ) ) { + wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." ); + $be->streamFile( array( 'src' => $filename ), + array( 'Cache-Control: private', 'Vary: Cookie' ) ); + } else { + wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path ); + } + return; + } + } + // Get the local file repository $repo = RepoGroup::singleton()->getRepo( 'local' ); @@ -117,6 +136,8 @@ function wfImageAuthMain() { } // Run hook for extension authorization plugins + /** @var $result array */ + $result = null; if ( !wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) ) { wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) ); return; @@ -129,6 +150,10 @@ function wfImageAuthMain() { return; } + if ( $wgRequest->getCheck( 'download' ) ) { + header( 'Content-Disposition: attachment' ); + } + // Stream the requested file wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." ); $repo->streamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) ); @@ -138,8 +163,8 @@ function wfImageAuthMain() { * Issue a standard HTTP 403 Forbidden header ($msg1-a message index, not a message) and an * error message ($msg2, also a message index), (both required) then end the script * subsequent arguments to $msg2 will be passed as parameters only for replacing in $msg2 - * @param $msg1 - * @param $msg2 + * @param string $msg1 + * @param string $msg2 */ function wfForbidden( $msg1, $msg2 ) { global $wgImgAuthDetails; @@ -147,6 +172,7 @@ function wfForbidden( $msg1, $msg2 ) { $args = func_get_args(); array_shift( $args ); array_shift( $args ); + $args = ( isset( $args[0] ) && is_array( $args[0] ) ) ? $args[0] : $args; $msgHdr = wfMessage( $msg1 )->escaped(); $detailMsgKey = $wgImgAuthDetails ? $msg2 : 'badaccess-group0';