+ // Check for bug 28235: QUERY_STRING overriding the correct extension
+ $whitelist = array();
+ $extension = FileBackend::extensionFromPath( $path );
+ if ( $extension != '' ) {
+ $whitelist[] = $extension;
+ }
+ if ( !$wgRequest->checkUrlExtension( $whitelist ) ) {
+ return;
+ }
+
+ // Various extensions may have their own backends that need access.
+ // Check if there is a special backend and storage base path for this file.
+ foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) {
+ $prefix = rtrim( $prefix, '/' ) . '/'; // implicit trailing slash
+ if ( strpos( $path, $prefix ) === 0 ) {
+ $be = FileBackendGroup::singleton()->backendFromPath( $storageDir );
+ $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix
+ if ( $be->fileExists( array( 'src' => $filename ) ) ) {
+ wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
+ $be->streamFile( array( 'src' => $filename ),
+ array( 'Cache-Control: private', 'Vary: Cookie' ) );
+ } else {
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename );
+ }
+ return;
+ }
+ }
+
+ // Get the local file repository
+ $repo = RepoGroup::singleton()->getRepo( 'local' );
+
+ // Get the full file storage path and extract the source file name.
+ // (e.g. 120px-Foo.png => Foo.png or page2-120px-Foo.png => Foo.png).
+ // This only applies to thumbnails, and all thumbnails should
+ // be under a folder that has the source file name.
+ if ( strpos( $path, '/thumb/' ) === 0 ) {
+ $name = wfBaseName( dirname( $path ) ); // file is a thumbnail
+ $filename = $repo->getZonePath( 'thumb' ) . substr( $path, 6 ); // strip "/thumb"
+ } else {
+ $name = wfBaseName( $path ); // file is a source file
+ $filename = $repo->getZonePath( 'public' ) . $path;
+ }
+
+ // Check to see if the file exists
+ if ( !$repo->fileExists( $filename ) ) {
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename );
+ return;
+ }
+
+ $title = Title::makeTitleSafe( NS_FILE, $name );
+ if ( !$title instanceof Title ) { // files have valid titles
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name );
+ return;
+ }
+
+ // Run hook for extension authorization plugins
+ /** @var $result array */
+ $result = null;
+ if ( !wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) ) {
+ wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) );
+ return;
+ }
+
+ // Check user authorization for this title
+ // Checks Whitelist too
+ if ( !$title->userCan( 'read' ) ) {
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name );
+ return;
+ }
+
+ // Stream the requested file
+ wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
+ $repo->streamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );