X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=img_auth.php;h=bb419b39aa222a297c3aa3721990d03fe4517440;hb=75cd7536b097ae9a0463a31dbcba8e7903593c40;hp=f38d40033836fc4adf6ee448922adfb909240a0d;hpb=0655c03974a7dfa6636e82d0b134ccfa1d3b0db2;p=lhc%2Fweb%2Fwiklou.git diff --git a/img_auth.php b/img_auth.php index f38d400338..bb419b39aa 100644 --- a/img_auth.php +++ b/img_auth.php @@ -1,153 +1,90 @@ getID() ) { - header( "HTTP/1.0 403 Forbidden" ); - exit; +/** + * Image authorisation script + * + * To use this: + * + * Set $wgUploadDirectory to a non-public directory (not web accessible) + * Set $wgUploadPath to point to this file + * + * Your server needs to support PATH_INFO; CGI-based configurations + * usually don't. + */ + +define( 'MW_NO_OUTPUT_COMPRESSION', 1 ); +require_once( dirname( __FILE__ ) . '/includes/WebStart.php' ); +wfProfileIn( 'img_auth.php' ); +require_once( dirname( __FILE__ ) . '/includes/StreamFile.php' ); + +// Extract path and image information +if( !isset( $_SERVER['PATH_INFO'] ) ) { + wfDebugLog( 'img_auth', 'Missing PATH_INFO' ); + wfForbidden(); } -# Check if the filename is in the correct directory +$path = $_SERVER['PATH_INFO']; $filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] ); -$realUploadDirectory = realpath( $wgUploadDirectory ); -if ( substr( $filename, 0, strlen( $realUploadDirectory ) ) != $realUploadDirectory ) { - header( "HTTP/1.0 403 Forbidden" ); - exit; +$realUpload = realpath( $wgUploadDirectory ); +wfDebugLog( 'img_auth', "\$path is {$path}" ); +wfDebugLog( 'img_auth', "\$filename is {$filename}" ); + +// Basic directory traversal check +if( substr( $filename, 0, strlen( $realUpload ) ) != $realUpload ) { + wfDebugLog( 'img_auth', 'Requested path not in upload directory' ); + wfForbidden(); } -# Write file -$type = wfGetType( $filename ); -if ( $type ) { - header("Content-type: $type"); +// Extract the file name and chop off the size specifier +// (e.g. 120px-Foo.png => Foo.png) +$name = wfBaseName( $path ); +if( preg_match( '!\d+px-(.*)!i', $name, $m ) ) + $name = $m[1]; +wfDebugLog( 'img_auth', "\$name is {$name}" ); + +$title = Title::makeTitleSafe( NS_IMAGE, $name ); +if( !$title instanceof Title ) { + wfDebugLog( 'img_auth', "Unable to construct a valid Title from `{$name}`" ); + wfForbidden(); } +$title = $title->getPrefixedText(); -readfile( $filename ); +// Check the whitelist if needed +if( !$wgUser->getId() && ( !is_array( $wgWhitelistRead ) || !in_array( $title, $wgWhitelistRead ) ) ) { + wfDebugLog( 'img_auth', "Not logged in and `{$title}` not in whitelist." ); + wfForbidden(); +} -function wfGetType( $filename ) { - # There's probably a better way to do this - $types = "application/andrew-inset ez -application/mac-binhex40 hqx -application/mac-compactpro cpt -application/mathml+xml mathml -application/msword doc -application/octet-stream bin dms lha lzh exe class so dll -application/oda oda -application/ogg ogg -application/pdf pdf -application/postscript ai eps ps -application/rdf+xml rdf -application/smil smi smil -application/srgs gram -application/srgs+xml grxml -application/vnd.mif mif -application/vnd.ms-excel xls -application/vnd.ms-powerpoint ppt -application/vnd.wap.wbxml wbxml -application/vnd.wap.wmlc wmlc -application/vnd.wap.wmlscriptc wmlsc -application/voicexml+xml vxml -application/x-bcpio bcpio -application/x-cdlink vcd -application/x-chess-pgn pgn -application/x-cpio cpio -application/x-csh csh -application/x-director dcr dir dxr -application/x-dvi dvi -application/x-futuresplash spl -application/x-gtar gtar -application/x-hdf hdf -application/x-javascript js -application/x-koan skp skd skt skm -application/x-latex latex -application/x-netcdf nc cdf -application/x-sh sh -application/x-shar shar -application/x-shockwave-flash swf -application/x-stuffit sit -application/x-sv4cpio sv4cpio -application/x-sv4crc sv4crc -application/x-tar tar -application/x-tcl tcl -application/x-tex tex -application/x-texinfo texinfo texi -application/x-troff t tr roff -application/x-troff-man man -application/x-troff-me me -application/x-troff-ms ms -application/x-ustar ustar -application/x-wais-source src -application/xhtml+xml xhtml xht -application/xslt+xml xslt -application/xml xml xsl -application/xml-dtd dtd -application/zip zip -audio/basic au snd -audio/midi mid midi kar -audio/mpeg mpga mp2 mp3 -audio/x-aiff aif aiff aifc -audio/x-mpegurl m3u -audio/x-pn-realaudio ram rm -audio/x-pn-realaudio-plugin rpm -audio/x-realaudio ra -audio/x-wav wav -chemical/x-pdb pdb -chemical/x-xyz xyz -image/bmp bmp -image/cgm cgm -image/gif gif -image/ief ief -image/jpeg jpeg jpg jpe -image/png png -image/svg+xml svg -image/tiff tiff tif -image/vnd.djvu djvu djv -image/vnd.wap.wbmp wbmp -image/x-cmu-raster ras -image/x-icon ico -image/x-portable-anymap pnm -image/x-portable-bitmap pbm -image/x-portable-graymap pgm -image/x-portable-pixmap ppm -image/x-rgb rgb -image/x-xbitmap xbm -image/x-xpixmap xpm -image/x-xwindowdump xwd -model/iges igs iges -model/mesh msh mesh silo -model/vrml wrl vrml -text/calendar ics ifb -text/css css -text/html html htm -text/plain asc txt -text/richtext rtx -text/rtf rtf -text/sgml sgml sgm -text/tab-separated-values tsv -text/vnd.wap.wml wml -text/vnd.wap.wmlscript wmls -text/x-setext etx -video/mpeg mpeg mpg mpe -video/quicktime qt mov -video/vnd.mpegurl mxu -video/x-msvideo avi -video/x-sgi-movie movie -x-conference/x-cooltalk ice"; +if( !file_exists( $filename ) ) { + wfDebugLog( 'img_auth', "`{$filename}` does not exist" ); + wfForbidden(); +} +if( is_dir( $filename ) ) { + wfDebugLog( 'img_auth', "`{$filename}` is a directory" ); + wfForbidden(); +} - $types = explode( "\n", $types ); - if ( !preg_match( "/\.(.*?)$/", $filename, $matches ) ) { - return false; - } +// Stream the requested file +wfDebugLog( 'img_auth', "Streaming `{$filename}`" ); +wfStreamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) ); +wfLogProfilingData(); - foreach( $types as $type ) { - $extensions = explode( " ", $type ); - for ( $i=1; $i + +

Access Denied

+

You need to log in to access files on this server.

+ + +ENDS; + wfLogProfilingData(); + exit(); } -?>