some coding style tweaks
[lhc/web/wiklou.git] / img_auth.php
index e6485fc..b059be3 100644 (file)
@@ -38,6 +38,13 @@ if ( $wgImgAuthPublicTest
        wfForbidden('img-auth-accessdenied','img-auth-public');
 }
 
+// Check for bug 28235: QUERY_STRING overriding the correct extension
+if ( isset( $_SERVER['QUERY_STRING'] )
+       && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+{
+       wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
+}      
+
 $matches = WebRequest::getPathInfo();
 $path = $matches['title'];
 $filename = realpath( $wgUploadDirectory . $path );
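Review bot: The pattern on the added `preg_match` line is broader than the bug it cites: any dot followed by a run of non-excluded characters up to the end of the string (or up to `#`/`?`) matches, so an ordinary query such as `?v=1.2` is answered with 403 just like an extension appended to mask the real one. If that is intended, say so in the comment, e.g. `// Bug 28235: refuse any query string that ends in something extension-like, including innocent values such as version numbers`; otherwise anchor the pattern more tightly to the case the bug describes. The `i` modifier is a no-op since the pattern contains no letters, and the block departs from the surrounding style (opening brace on its own line, trailing whitespace after the closing `}` on the last added line) in a commit titled "coding style tweaks"; `&& preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/', $_SERVER['QUERY_STRING'] ) ) {` addresses both. The check, like the existing `wfForbidden()` call above it, relies on that function not returning; that is not visible in this hunk, so it is worth confirming.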