SECURITY: Fix accidental public CC headers in img_auth.php

Incorrect parameters to FileBackend::streamFile() caused
Cache-Control:private and Vary:Cookie response headers to be omitted
when requesting a file in a path configured by $wgImgAuthUrlPathMap.
Typically this is used to deliver images generated by extensions.

CVE-2020-15005

Bug: T248947
Change-Id: I404d9462e4b35d3d832bfab21954ff87e46e3eb2

diff --git a/RELEASE-NOTES-1.34 b/RELEASE-NOTES-1.34
index c010b2b..ac02b62 100644 (file)
--- a/RELEASE-NOTES-1.34
+++ b/RELEASE-NOTES-1.34
@@ -21,6 +21,8 @@ THIS IS NOT A RELEASE YET
 * (T249730) Password Reset Updates.
 * (T234450) Per-user concurrency in SpecialContributions can now be limited by
   setting $wgPoolCounterConf['SpecialContributions'] appropriately.
+* (T248947) SECURITY: img_auth.php may leak private extension images into the
+  public cache.
 
 == MediaWiki 1.34.1 ==
 

diff --git a/img_auth.php b/img_auth.php
index f23de4f..44ef0a1 100644 (file)
--- a/img_auth.php
+++ b/img_auth.php
@@ -97,8 +97,10 @@ function wfImageAuthMain() {
                        }
                        if ( $be->fileExists( [ 'src' => $filename ] ) ) {
                                wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
-                               $be->streamFile( [ 'src' => $filename ],
-                                       [ 'Cache-Control: private', 'Vary: Cookie' ] );
+                               $be->streamFile( [
+                                       'src' => $filename,
+                                       'headers' => [ 'Cache-Control: private', 'Vary: Cookie' ]
+                               ] );
                        } else {
                                wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path );
                        }