require ( dirname( __FILE__ ) . '/includes/WebStart.php' );
}
wfProfileIn( 'img_auth.php' );
-require_once( dirname( __FILE__ ) . '/includes/StreamFile.php' );
$wgActionPaths[] = $_SERVER['SCRIPT_NAME'];
// See if this is a public Wiki (no protections)
wfForbidden('img-auth-accessdenied','img-auth-public');
}
+$matches = WebRequest::getPathInfo();
+$path = $matches['title'];
+
// Check for bug 28235: QUERY_STRING overriding the correct extension
-if ( $wgRequest->isQueryStringBad() )
+$dotPos = strrpos( $path, '.' );
+$whitelist = array();
+if ( $dotPos !== false ) {
+ $whitelist[] = substr( $path, $dotPos + 1 );
+}
+if ( !$wgRequest->checkUrlExtension( $whitelist ) )
{
- wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
-}
+ return;
+}
-$matches = WebRequest::getPathInfo();
-$path = $matches['title'];
$filename = realpath( $wgUploadDirectory . $path );
$realUpload = realpath( $wgUploadDirectory );
// Stream the requested file
wfDebugLog( 'img_auth', "Streaming `".$filename."`." );
-wfStreamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );
+StreamFile::stream( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );
wfLogProfilingData();
/**