+$filename = realpath( $wgUploadDirectory . $path );
+$realUpload = realpath( $wgUploadDirectory );
+
+// Basic directory traversal check
+if( substr( $filename, 0, strlen( $realUpload ) ) != $realUpload )
+ wfForbidden('img-auth-accessdenied','img-auth-notindir');
+
+// Extract the file name and chop off the size specifier
+// (e.g. 120px-Foo.png => Foo.png)
+$name = wfBaseName( $path );
+if( preg_match( '!\d+px-(.*)!i', $name, $m ) )
+ $name = $m[1];
+
+// Check to see if the file exists
+if( !file_exists( $filename ) )
+ wfForbidden('img-auth-accessdenied','img-auth-nofile',$filename);
+
+// Check to see if tried to access a directory
+if( is_dir( $filename ) )
+ wfForbidden('img-auth-accessdenied','img-auth-isdir',$filename);
+
+
+$title = Title::makeTitleSafe( NS_FILE, $name );
+
+// See if could create the title object
+if( !$title instanceof Title )
+ wfForbidden('img-auth-accessdenied','img-auth-badtitle',$name);
+
+// Run hook
+if (!wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) )
+ wfForbidden($result[0],$result[1],array_slice($result,2));
+
+// Check user authorization for this title
+// UserCanRead Checks Whitelist too
+if( !$title->userCanRead() )
+ wfForbidden('img-auth-accessdenied','img-auth-noread',$name);
+
+// Stream the requested file
+wfDebugLog( 'img_auth', "Streaming `".$filename."`." );
+wfStreamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );