Clean up a few scriptlets
authorBrion Vibber <brion@users.mediawiki.org>
Thu, 14 Oct 2004 02:13:12 +0000 (02:13 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Thu, 14 Oct 2004 02:13:12 +0000 (02:13 +0000)
img_auth.php
includes/Database.php
includes/killthread.php
includes/proxy_check.php
index.php

index 803ec15..4ec68ea 100644 (file)
@@ -8,9 +8,14 @@
 # Valid web server entry point, enable includes
 define( "MEDIAWIKI", true );
 
+require_once( "includes/Defines.php" );
 require_once( "./LocalSettings.php" );
 require_once( "includes/Setup.php" );
 
+if( !isset( $_SERVER['PATH_INFO'] ) ) {
+       wfForbidden();
+}
+
 # Get filenames/directories
 $filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );
 $realUploadDirectory = realpath( $wgUploadDirectory );
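Review bot: The added `PATH_INFO` guard only protects the `realpath()` call below it if `wfForbidden()` ends the request, and that function's definition is not visible in this hunk. If it does exit, a short comment on the guard would make the dependency explicit, e.g. `# wfForbidden() sends the 403 and exits, so nothing below runs without PATH_INFO`. If it can return, the guard needs an explicit `exit;` after the call. The same applies to the `file_exists()` and `is_dir()` checks added in the next hunk. The script continues outside this hunk.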
@@ -25,10 +30,19 @@ if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead ) &
        wfForbidden();
 }
 
+if( !file_exists( $filename ) ) {
+       wfForbidden();
+}
+if( is_dir( $filename ) ) {
+       wfForbidden();
+}
+
 # Write file
 $type = wfGetType( $filename );
 if ( $type ) {
        header("Content-type: $type");
+} else {
+       header("Content-type: application/x-wiki");
 }
 
 readfile( $filename );
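Review bot: The new `else` branch labels every unrecognised upload as `application/x-wiki`, an unregistered type, so what the client does with the body is left to the browser. A browser that content-sniffs could still render such a file as HTML in the wiki's origin, which is presumably what this commit is trying to prevent. Consider `header( "Content-type: application/octet-stream" );` for the fallback, together with `header( "X-Content-Type-Options: nosniff" );` before `readfile()`. A one-line comment explaining that the fallback exists to avoid PHP's default `text/html` would also help the next maintainer.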
@@ -128,8 +142,6 @@ model/mesh msh mesh silo
 model/vrml wrl vrml
 text/calendar ics ifb
 text/css css
-text/html html htm
-text/plain asc txt
 text/richtext rtx
 text/rtf rtf
 text/sgml sgml sgm
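Review bot: Nothing records why `text/html` and `text/plain` were dropped from the table, so a later sync with a stock mime.types list could silently restore them. The table appears to sit inside a heredoc (the next hunk header shows `END_STRING;`), so the explanation has to go above the heredoc rather than in the list, for example `# html/htm and txt are deliberately unmapped: uploads must never be served as a type the browser renders as a page`. The rest of the table is outside this hunk; it is worth checking whether other script-capable types such as `application/xhtml+xml` or `image/svg+xml` are still mapped.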
@@ -147,7 +159,7 @@ END_STRING;
        $endl = "
 ";
        $types = explode( $endl, $types );
-       if ( !preg_match( "/\.(.*?)$/", $filename, $matches ) ) {
+       if ( !preg_match( "/\.([^.]*?)$/", $filename, $matches ) ) {
                return false;
        }
 
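Review bot: The new character class excludes dots but not path separators, and `$filename` is a full `realpath()` result. An extension-less file under a dotted directory therefore yields a capture such as `d/images/README`. That presumably just misses the table and takes the fallback type, but the intent would be clearer as `"/\.([^.\/]*)$/"`, or with `pathinfo()` on the basename. The lazy `?` is redundant once the class cannot cross a dot. The enclosing function starts and ends outside this hunk, so how the capture is compared with the table (including letter case) is not visible here.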
index 2d6c87d..982e81c 100644 (file)
@@ -836,7 +836,7 @@ class Database {
                if( function_exists( 'mysql_thread_id' ) ) {
                        # This will kill the query if it's still running after $timeout seconds.
                        $tid = mysql_thread_id( $this->mConn );
-                       exec( "php $IP/killthread.php $timeout $tid &>/dev/null &" );
+                       exec( "php $IP/includes/killthread.php $timeout $tid &>/dev/null &" );
                }
        }
 
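Review bot: The `exec()` line still interpolates `$IP`, `$timeout` and `$tid` straight into a shell command, so an install path containing a space or shell metacharacter breaks it, and a non-numeric `$timeout` would be interpreted by the shell. Where `$timeout` comes from is outside this hunk. Quoting the path and forcing the numbers would make the call safe regardless: `exec( 'php ' . escapeshellarg( "$IP/includes/killthread.php" ) . ' ' . intval( $timeout ) . ' ' . intval( $tid ) . ' >/dev/null 2>&1 &' );`. The portable redirect also avoids `&>`, which a POSIX `/bin/sh` parses as a background operator followed by a separate redirection.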
index ce7e4a9..669a7ce 100644 (file)
@@ -7,15 +7,20 @@
 /**
  *
  */
+if( php_sapi_name() != 'cli' ) {
+       die('');
+}
+
+define( 'MEDIAWIKI', 1 );
 $wgCommandLineMode = true;
 
 unset( $IP );
 ini_set( 'allow_url_fopen', 0 ); # For security...
-require_once( './LocalSettings.php' );
+require_once( '../LocalSettings.php' );
 
-# Windows requires ';' as separator, ':' for Unix
-$sep = strchr( $include_path = ini_get( 'include_path' ), ';' ) ? ';' : ':';
-ini_set( 'include_path', "$IP$sep$include_path" );
+if( !$wgAllowSysopQueries ) {
+       die( "Queries disabled.\n" );
+}
 
 require_once( 'Setup.php' );
 
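Review bot: `require_once( '../LocalSettings.php' )` resolves against the current working directory, not against this script's location. The caller in Database.php launches the script as `php $IP/includes/killthread.php` from whatever directory the web request is running in. If that is the wiki root, the path points one level above the installation, where the file is either missing or not the intended settings file. Anchoring it to the script removes the ambiguity: `require_once( dirname( __FILE__ ) . '/../LocalSettings.php' );`. The later `require_once( 'Setup.php' )` now relies on the including file's own directory, since the `include_path` setup was removed; a comment saying so would help.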
index b017f32..583e8fd 100644 (file)
@@ -4,6 +4,10 @@
  * @package MediaWiki
  */
 
+if( php_sapi_name() != 'cli' ) {
+       die('');
+}
+
 /**
  *
  */
index 39c815a..dec3d89 100644 (file)
--- a/index.php
+++ b/index.php
@@ -153,10 +153,10 @@ if( !is_null( $search ) && $search !== '' ) {
                                wfCreativeCommonsRdf( $wgArticle );
                        }
                        break;
-               case "credits":
-                       require_once( "includes/Credits.php" );
+               case "credits":
+                       require_once( "includes/Credits.php" );
                        showCreditsPage( $wgArticle );
-                       break;
+                       break;
                case "edit":
                case "submit":
                        if( !$wgCommandLineMode && !$wgRequest->checkSessionCookie() ) {