- // Run hook for extension authorization plugins
- /** @var $result array */
- $result = null;
- if ( !wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) ) {
- wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) );
- return;
+ $title = Title::makeTitleSafe( NS_FILE, $name );
+ if ( !$title instanceof Title ) { // files have valid titles
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name );
+ return;
+ }
+
+ // Run hook for extension authorization plugins
+ /** @var $result array */
+ $result = null;
+ if ( !wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) ) {
+ wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) );
+ return;
+ }
+
+ // Check user authorization for this title
+ // Checks Whitelist too
+ if ( !$title->userCan( 'read' ) ) {
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name );
+ return;
+ }