From d5aeff51afd8a451c9185f0f754f86408185c876 Mon Sep 17 00:00:00 2001
From: Tim Starling <tstarling@wikimedia.org>
Date: Tue, 31 Mar 2020 17:02:49 +1100
Subject: [PATCH] SECURITY: Fix accidental public CC headers in img_auth.php

Incorrect parameters to FileBackend::streamFile() caused
Cache-Control:private and Vary:Cookie response headers to be omitted
when requesting a file in a path configured by $wgImgAuthUrlPathMap.
Typically this is used to deliver images generated by extensions.

CVE-2020-15005

Bug: T248947
Change-Id: I404d9462e4b35d3d832bfab21954ff87e46e3eb2
---
 RELEASE-NOTES-1.31 | 2 ++
 img_auth.php       | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31
index 5d7f0c52e8..2b48c93dab 100644
--- a/RELEASE-NOTES-1.31
+++ b/RELEASE-NOTES-1.31
@@ -16,6 +16,8 @@ THIS IS NOT A RELEASE YET
 * (T206476) Call ob_start() before running tests.
 * (T234450) Per-user concurrency in SpecialContributions can now be limited by
   setting $wgPoolCounterConf['SpecialContributions'] appropriately.
+* (T248947) SECURITY: img_auth.php may leak private extension images into the
+  public cache.
 
 == MediaWiki 1.31.7 ==
 
diff --git a/img_auth.php b/img_auth.php
index 70570d8649..2caf57ad58 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -92,8 +92,10 @@ function wfImageAuthMain() {
 			}
 			if ( $be->fileExists( [ 'src' => $filename ] ) ) {
 				wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
-				$be->streamFile( [ 'src' => $filename ],
-					[ 'Cache-Control: private', 'Vary: Cookie' ] );
+				$be->streamFile( [
+					'src' => $filename,
+					'headers' => [ 'Cache-Control: private', 'Vary: Cookie' ]
+				] );
 			} else {
 				wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path );
 			}
-- 
2.20.1