X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=thumb.php;h=64f24c1877fbfb96bf80b6baf41730c18d072e27;hb=a6aac77d16bb7d5683bc7f67ac96f88e6ab177e3;hp=9fdc6017ba7cd89a9e859851f5e0aad7c2c3b27b;hpb=c64c3961cd3f350efced83d8e0cb5959ebc2d3d9;p=lhc%2Fweb%2Fwiklou.git
diff --git a/thumb.php b/thumb.php
index 9fdc6017ba..64f24c1877 100644
--- a/thumb.php
+++ b/thumb.php
@@ -20,6 +20,9 @@ wfLogProfilingData();
 function wfThumbMain() {
 wfProfileIn( __METHOD__ );
+
+ $headers = array();
+
 // Get input parameters
 if ( get_magic_quotes_gpc() ) {
 $params = array_map( 'stripslashes', $_REQUEST );
@@ -55,7 +58,7 @@ function wfThumbMain() {
 wfThumbError( 404, wfMsg( 'badtitletext' ) );
 return;
 }
- $title = Title::makeTitleSafe( NS_IMAGE, $bits[1] );
+ $title = Title::makeTitleSafe( NS_FILE, $bits[1] );
 if( is_null($title) ) {
 wfThumbError( 404, wfMsg( 'badtitletext' ) );
 return;
@@ -65,6 +68,17 @@ function wfThumbMain() {
 $img = wfLocalFile( $fileName );
 }
+ // Check permissions if there are read restrictions
+ if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
+ if ( !$img->getTitle()->userCanRead() ) {
+ wfThumbError( 403, 'Access denied. You do not have permission to access ' .
+ 'the source file.' );
+ return;
+ }
+ $headers[] = 'Cache-Control: private';
+ $headers[] = 'Vary: Cookie';
+ }
+
 if ( !$img ) {
 wfThumbError( 404, wfMsg( 'badtitletext' ) );
 return;
@@ -73,7 +87,7 @@ function wfThumbMain() {
 wfThumbError( 404, 'The source file for the specified thumbnail does not exist.' );
 return;
 }
- $sourcePath = $isOld ? $img->getArchivePath() : $img->getPath();
+ $sourcePath = $img->getPath();
 if ( $sourcePath === false ) {
 wfThumbError( 500, 'The source file is not locally accessible.' );
 return;
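Review bot: The new read-permission block dereferences `$img->getTitle()` before the existing `if ( !$img )` guard that immediately follows it, so on a wiki with read restrictions a request for which wfLocalFile()/wfFindFile() returned a falsy value dies with a fatal "call to a member function on a non-object" instead of the intended 404. Move the whole added block (the `in_array( 'read', … )` test through the closing `}`) to directly after the `if ( !$img ) { … }` block; keeping it ahead of the later "source file does not exist" 404 is still right, since answering 403 before the existence check avoids telling an unauthorized caller whether the file exists. The check itself looks sound: it is skipped only when the `*` group carries `read`, and `Cache-Control: private` / `Vary: Cookie` are queued for the stream when it is applied. wfThumbMain() begins and ends outside this hunk.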
@@ -87,8 +101,8 @@ function wfThumbMain() {
 // Calculate time
 wfSuppressWarnings();
 $imsUnix = strtotime( $imsString );
+ $stat = stat( $sourcePath );
 wfRestoreWarnings();
- $stat = @stat( $sourcePath );
 if ( $stat['mtime'] <= $imsUnix ) {
 header( 'HTTP/1.1 304 Not Modified' );
 return;
@@ -101,7 +115,7 @@ function wfThumbMain() {
 $thumbPath = $img->getThumbPath( $thumbName );
 if ( is_file( $thumbPath ) ) {
- wfStreamFile( $thumbPath );
+ wfStreamFile( $thumbPath, $headers );
 return;
 }
 }
@@ -124,11 +138,11 @@ function wfThumbMain() {
 $errorMsg = $thumb->getHtmlMsg();
 } elseif ( !$thumb->getPath() ) {
 $errorMsg = wfMsgHtml( 'thumbnail_error', 'No path supplied in thumbnail object' );
- } elseif ( $thumb->getPath() == $sourcePath ) {
+ } elseif ( $thumb->getPath() == $img->getPath() ) {
 $errorMsg = wfMsgHtml( 'thumbnail_error', 'Image was not scaled, ' .
 'is the requested width bigger than the source?' );
 } else {
- wfStreamFile( $thumb->getPath() );
+ wfStreamFile( $thumb->getPath(), $headers );
 }
 if ( $errorMsg !== false ) {
 wfThumbError( 500, $errorMsg );
@@ -143,11 +157,14 @@ function wfThumbError( $status, $msg ) {
 header( 'Content-Type: text/html; charset=utf-8' );
 if ( $status == 404 ) {
 header( 'HTTP/1.1 404 Not found' );
+ } elseif ( $status == 403 ) {
+ header( 'HTTP/1.1 403 Forbidden' );
+ header( 'Vary: Cookie' );
 } else {
 header( 'HTTP/1.1 500 Internal server error' );
 }
 if( $wgShowHostnames ) {
- $url = htmlspecialchars( @$_SERVER['REQUEST_URI'] );
+ $url = htmlspecialchars( isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '' );
 $hostname = htmlspecialchars( wfHostname() );
 $debug = "\n\n";
 } else {
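Review bot: With `stat()` now running under wfSuppressWarnings(), a failed stat is silent and leaves `$stat` as `false` rather than an array; `$stat['mtime']` then evaluates to null, and PHP's loose comparison makes `null <= $imsUnix` true whatever strtotime() returned, so a source file that vanished between the existence check whose 404 appears earlier in this diff and this point is answered with `304 Not Modified` instead of falling through to the error paths. Guard the result explicitly: `if ( $stat !== false && $stat['mtime'] <= $imsUnix ) {`. The `false` case was equally possible with the old `@stat()`, so this is inherited rather than introduced, but the guard is one token and removes a silent wrong answer. wfThumbMain() begins and ends outside this hunk.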
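Review bot: The new 403 branch sends `Vary: Cookie` but no `Cache-Control`, whereas the streamed-thumbnail path in this same commit pairs `Vary: Cookie` with `Cache-Control: private`; an intermediary that does not honour Vary faithfully could presumably hold the denial page and serve it to a later, authorized session at the same URL. Add `header( 'Cache-Control: private' );` beside the Vary header (or `no-cache`, since an error page is cheap to regenerate) so the two denial paths agree. The `isset()` replacement for `@$_SERVER['REQUEST_URI']` is fine, and both `$url` and `$hostname` still pass through htmlspecialchars() before reaching the debug output. wfThumbError() opens before this hunk and its body continues past it.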