X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=img_auth.php;h=72a7dab85536e74eed2cf48230d1d3ae80400711;hb=b5239e608f5909ad9ce351e9014de70e66f5b952;hp=eba81f3c61073510b4b18eefc2ed52152feb1e55;hpb=4c6f3d83245520ac7e853dd71cd2a86de51f2fb9;p=lhc%2Fweb%2Fwiklou.git

diff --git a/img_auth.php b/img_auth.php
index eba81f3c61..72a7dab855 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -40,7 +40,7 @@
  */
 
 define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
-require ( __DIR__ . '/includes/WebStart.php' );
+require __DIR__ . '/includes/WebStart.php';
 wfProfileIn( 'img_auth.php' );
 
 # Set action base paths so that WebRequest::getPathInfo()
@@ -52,7 +52,7 @@ wfImageAuthMain();
 wfLogProfilingData();
 
 function wfImageAuthMain() {
-	global $wgImgAuthPublicTest, $wgRequest;
+	global $wgImgAuthPublicTest, $wgImgAuthUrlPathMap, $wgRequest;
 
 	// See if this is a public Wiki (no protections).
 	if ( $wgImgAuthPublicTest
@@ -77,14 +77,37 @@ function wfImageAuthMain() {
 
 	// Check for bug 28235: QUERY_STRING overriding the correct extension
 	$whitelist = array();
-	$dotPos = strrpos( $path, '.' );
-	if ( $dotPos !== false ) {
-		$whitelist[] = substr( $path, $dotPos + 1 );
+	$extension = FileBackend::extensionFromPath( $path );
+	if ( $extension != '' ) {
+		$whitelist[] = $extension;
 	}
 	if ( !$wgRequest->checkUrlExtension( $whitelist ) ) {
 		return;
 	}
 
+	// Various extensions may have their own backends that need access.
+	// Check if there is a special backend and storage base path for this file.
+	foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) {
+		$prefix = rtrim( $prefix, '/' ) . '/'; // implicit trailing slash
+		if ( strpos( $path, $prefix ) === 0 ) {
+			$be = FileBackendGroup::singleton()->backendFromPath( $storageDir );
+			$filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix
+                       // Check basic user authorization
+                       if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) {
+                               wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path );
+                               return;
+                       }
+			if ( $be->fileExists( array( 'src' => $filename ) ) ) {
+				wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
+				$be->streamFile( array( 'src' => $filename ),
+					array( 'Cache-Control: private', 'Vary: Cookie' ) );
+			} else {
+				wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path );
+			}
+			return;
+		}
+	}
+
 	// Get the local file repository
 	$repo = RepoGroup::singleton()->getRepo( 'local' );
 
@@ -145,6 +168,7 @@ function wfForbidden( $msg1, $msg2 ) {
 	$args = func_get_args();
 	array_shift( $args );
 	array_shift( $args );
+	$args = ( isset( $args[0] ) && is_array( $args[0] ) ) ? $args[0] : $args;
 
 	$msgHdr = wfMessage( $msg1 )->escaped();
 	$detailMsgKey = $wgImgAuthDetails ? $msg2 : 'badaccess-group0';