X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=thumb.php;h=50d3754da90d993824df7fa0cc9e2200a3cd3030;hb=7b22e8bd6098777e1db44284b2b0229dc7f0aae1;hp=9f5eeba583f9af3eff705661b4b6df8c994f6bca;hpb=7ed5ec7893b7a603c17cfdf726794f22be564ce9;p=lhc%2Fweb%2Fwiklou.git

diff --git a/thumb.php b/thumb.php
index 9f5eeba583..50d3754da9 100644
--- a/thumb.php
+++ b/thumb.php
@@ -1,84 +1,362 @@
 <?php
-
 /**
  * PHP script to stream out an image thumbnail.
- * If the file exists, we make do with abridged MediaWiki initialisation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ * @ingroup Media
  */
 
-define( 'MEDIAWIKI', true );
-unset( $IP );
-if ( isset( $_REQUEST['GLOBALS'] ) ) {
-	echo '<a href="http://www.hardened-php.net/index.76.html">$GLOBALS overwrite vulnerability</a>';
-	die( -1 );
+define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
+if ( isset( $_SERVER['MW_COMPILED'] ) ) {
+	require( 'core/includes/WebStart.php' );
+} else {
+	require( dirname( __FILE__ ) . '/includes/WebStart.php' );
 }
 
-define( 'MW_NO_OUTPUT_BUFFER', true );
+// Don't use fancy mime detection, just check the file extension for jpg/gif/png
+$wgTrivialMimeDetection = true;
 
-require_once( './includes/Defines.php' );
-require_once( './LocalSettings.php' );
-require_once( 'GlobalFunctions.php' );
+if ( defined( 'THUMB_HANDLER' ) ) {
+	// Called from thumb_handler.php via 404; extract params from the URI...
+	wfThumbHandle404();
+} else {
+	// Called directly, use $_REQUEST params
+	wfThumbHandleRequest();
+}
+wfLogProfilingData();
 
-$wgTrivialMimeDetection = true; //don't use fancy mime detection, just check the file extension for jpg/gif/png.
+//--------------------------------------------------------------------------
 
-require_once( 'Image.php' );
-require_once( 'StreamFile.php' );
+/**
+ * Handle a thumbnail request via query parameters
+ *
+ * @return void
+ */
+function wfThumbHandleRequest() {
+	$params = get_magic_quotes_gpc()
+		? array_map( 'stripslashes', $_REQUEST )
+		: $_REQUEST;
 
-// Get input parameters
+	wfStreamThumb( $params ); // stream the thumbnail
+}
 
-if ( get_magic_quotes_gpc() ) {
-	$fileName = stripslashes( $_REQUEST['f'] );
-	$width = stripslashes( $_REQUEST['w'] );
-} else {
-	$fileName = $_REQUEST['f'];
-	$width = $_REQUEST['w'];
+/**
+ * Handle a thumbnail request via thumbnail file URL
+ *
+ * @return void
+ */
+function wfThumbHandle404() {
+	# lighttpd puts the original request in REQUEST_URI, while sjs sets
+	# that to the 404 handler, and puts the original request in REDIRECT_URL.
+	if ( isset( $_SERVER['REDIRECT_URL'] ) ) {
+		# The URL is un-encoded, so put it back how it was
+		$uri = str_replace( "%2F", "/", urlencode( $_SERVER['REDIRECT_URL'] ) );
+		# Just get the URI path (REDIRECT_URL is either a full URL or a path)
+		if ( $uri[0] !== '/' ) {
+			$bits = wfParseUrl( $uri );
+			if ( $bits && isset( $bits['path'] ) ) {
+				$uri = $bits['path'];
+			}
+		}
+	} else {
+		$uri = $_SERVER['REQUEST_URI'];
+	}
+
+	$params = wfExtractThumbParams( $uri ); // basic wiki URL param extracting
+	if ( $params == null ) {
+		wfThumbError( 404, 'The source file for the specified thumbnail does not exist.' );
+		return;
+	}
+
+	wfStreamThumb( $params ); // stream the thumbnail
 }
 
-$pre_render= isset($_REQUEST['r']) && $_REQUEST['r']!="0";
+/**
+ * Stream a thumbnail specified by parameters
+ *
+ * @param $params Array
+ * @return void
+ */
+function wfStreamThumb( array $params ) {
+	wfProfileIn( __METHOD__ );
 
-// Some basic input validation
+	$headers = array(); // HTTP headers to send
 
-$width = intval( $width );
-$fileName = strtr( $fileName, '\\/', '__' );
+	$fileName = isset( $params['f'] ) ? $params['f'] : '';
+	unset( $params['f'] );
 
-// Work out paths, carefully avoiding constructing an Image object because that won't work yet
+	// Backwards compatibility parameters
+	if ( isset( $params['w'] ) ) {
+		$params['width'] = $params['w'];
+		unset( $params['w'] );
+	}
+	if ( isset( $params['p'] ) ) {
+		$params['page'] = $params['p'];
+	}
+	unset( $params['r'] ); // ignore 'r' because we unconditionally pass File::RENDER
 
-$imagePath = wfImageDir( $fileName ) . '/' . $fileName;
-$thumbName = "{$width}px-$fileName";
-if ( $pre_render ) {
-	$thumbName .= '.png';
-}
-$thumbPath = wfImageThumbDir( $fileName ) . '/' . $thumbName;
+	// Is this a thumb of an archived file?
+	$isOld = ( isset( $params['archived'] ) && $params['archived'] );
+	unset( $params['archived'] ); // handlers don't care
 
-if ( is_file( $thumbPath ) && filemtime( $thumbPath ) >= filemtime( $imagePath ) ) {
-	wfStreamFile( $thumbPath );
-	exit;
-}
+	// Is this a thumb of a temp file?
+	$isTemp = ( isset( $params['temp'] ) && $params['temp'] );
+	unset( $params['temp'] ); // handlers don't care
 
-// OK, no valid thumbnail, time to get out the heavy machinery
-require_once( 'Setup.php' );
-wfProfileIn( 'thumb.php' );
+	// Some basic input validation
+	$fileName = strtr( $fileName, '\\/', '__' );
 
-$img = Image::newFromName( $fileName );
-if ( $img ) {
-	$thumb = $img->renderThumb( $width, false );
-} else {
-	$thumb = false;
+	// Actually fetch the image. Method depends on whether it is archived or not.
+	if ( $isOld ) {
+		// Format is <timestamp>!<name>
+		$bits = explode( '!', $fileName, 2 );
+		if ( count( $bits ) != 2 ) {
+			wfThumbError( 404, wfMsg( 'badtitletext' ) );
+			wfProfileOut( __METHOD__ );
+			return;
+		}
+		$title = Title::makeTitleSafe( NS_FILE, $bits[1] );
+		if ( !$title ) {
+			wfThumbError( 404, wfMsg( 'badtitletext' ) );
+			wfProfileOut( __METHOD__ );
+			return;
+		}
+		$img = RepoGroup::singleton()->getLocalRepo()->newFromArchiveName( $title, $fileName );
+	} elseif ( $isTemp ) {
+		$repo = RepoGroup::singleton()->getLocalRepo()->getTempRepo();
+		// Format is <timestamp>!<name> or just <name>
+		$bits = explode( '!', $fileName, 2 );
+		// Get the name without the timestamp so hash paths are correctly computed
+		$title = Title::makeTitleSafe( NS_FILE, isset( $bits[1] ) ? $bits[1] : $fileName );
+		if ( !$title ) {
+			wfThumbError( 404, wfMsg( 'badtitletext' ) );
+			wfProfileOut( __METHOD__ );
+			return;
+		}
+		$img = new UnregisteredLocalFile( $title, $repo,
+			$repo->getZonePath( 'public' ) . '/' . $repo->getTempHashPath( $fileName ) . $fileName
+		);
+	} else {
+		$img = wfLocalFile( $fileName );
+	}
+
+	// Check permissions if there are read restrictions
+	if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
+		if ( !$img->getTitle() || !$img->getTitle()->userCan( 'read' ) ) {
+			wfThumbError( 403, 'Access denied. You do not have permission to access ' .
+				'the source file.' );
+			wfProfileOut( __METHOD__ );
+			return;
+		}
+		$headers[] = 'Cache-Control: private';
+		$headers[] = 'Vary: Cookie';
+	}
+
+	// Check the source file storage path
+	if ( !$img ) {
+		wfThumbError( 404, wfMsg( 'badtitletext' ) );
+		wfProfileOut( __METHOD__ );
+		return;
+	}
+	if ( !$img->exists() ) {
+		wfThumbError( 404, 'The source file for the specified thumbnail does not exist.' );
+		wfProfileOut( __METHOD__ );
+		return;
+	}
+	$sourcePath = $img->getPath();
+	if ( $sourcePath === false ) {
+		wfThumbError( 500, 'The source file is not locally accessible.' );
+		wfProfileOut( __METHOD__ );
+		return;
+	}
+
+	// Check IMS against the source file
+	// This means that clients can keep a cached copy even after it has been deleted on the server
+	if ( !empty( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) {
+		// Fix IE brokenness
+		$imsString = preg_replace( '/;.*$/', '', $_SERVER["HTTP_IF_MODIFIED_SINCE"] );
+		// Calculate time
+		wfSuppressWarnings();
+		$imsUnix = strtotime( $imsString );
+		wfRestoreWarnings();
+		$sourceTsUnix = wfTimestamp( TS_UNIX, $img->getTimestamp() );
+		if ( $sourceTsUnix <= $imsUnix ) {
+			header( 'HTTP/1.1 304 Not Modified' );
+			wfProfileOut( __METHOD__ );
+			return;
+		}
+	}
+
+	// Stream the file if it exists already...
+	try {
+		$thumbName = $img->thumbName( $params );
+		if ( strlen( $thumbName ) ) { // valid params?
+			// For 404 handled thumbnails, we only use the the base name of the URI
+			// for the thumb params and the parent directory for the source file name.
+			// Check that the zone relative path matches up so squid caches won't pick
+			// up thumbs that would not be purged on source file deletion (bug 34231).
+			if ( isset( $params['rel404'] ) // thumbnail was handled via 404
+				&& urldecode( $params['rel404'] ) !== $img->getThumbRel( $thumbName ) )
+			{
+				wfThumbError( 404, 'The source file for the specified thumbnail does not exist.' );
+				wfProfileOut( __METHOD__ );
+				return;
+			}
+			$thumbPath = $img->getThumbPath( $thumbName );
+			if ( $img->getRepo()->fileExists( $thumbPath ) ) {
+				$img->getRepo()->streamFile( $thumbPath, $headers );
+				wfProfileOut( __METHOD__ );
+				return;
+			}
+		}
+	} catch ( MWException $e ) {
+		wfThumbError( 500, $e->getHTML() );
+		wfProfileOut( __METHOD__ );
+		return;
+	}
+
+	// Thumbnail isn't already there, so create the new thumbnail...
+	try {
+		$thumb = $img->transform( $params, File::RENDER_NOW );
+	} catch ( Exception $ex ) {
+		// Tried to select a page on a non-paged file?
+		$thumb = false;
+	}
+
+	// Check for thumbnail generation errors...
+	$errorMsg = false;
+	if ( !$thumb ) {
+		$errorMsg = wfMsgHtml( 'thumbnail_error', 'File::transform() returned false' );
+	} elseif ( $thumb->isError() ) {
+		$errorMsg = $thumb->getHtmlMsg();
+	} elseif ( !$thumb->hasFile() ) {
+		$errorMsg = wfMsgHtml( 'thumbnail_error', 'No path supplied in thumbnail object' );
+	} elseif ( $thumb->fileIsSource() ) {
+		$errorMsg = wfMsgHtml( 'thumbnail_error',
+			'Image was not scaled, is the requested width bigger than the source?' );
+	}
+
+	if ( $errorMsg !== false ) {
+		wfThumbError( 500, $errorMsg );
+	} else {
+		// Stream the file if there were no errors
+		$thumb->streamFile( $headers );
+	}
+
+	wfProfileOut( __METHOD__ );
 }
 
-if ( $thumb && $thumb->path ) {
-	wfStreamFile( $thumb->path );
-} else {
-	$badtitle = wfMsg( 'badtitle' );
-	$badtitletext = wfMsg( 'badtitletext' );
-	echo "<html><head>
-	<title>$badtitle</title>
-	<body>
-<h1>$badtitle</h1>
-<p>$badtitletext</p>
-</body></html>";
+/**
+ * Extract the required params for thumb.php from the thumbnail request URI.
+ * At least 'width' and 'f' should be set if the result is an array.
+ *
+ * @param $uri String Thumbnail request URI path
+ * @return Array|null associative params array or null
+ */
+function wfExtractThumbParams( $uri ) {
+	$repo = RepoGroup::singleton()->getLocalRepo();
+
+	$zoneURI = $repo->getZoneUrl( 'thumb' );
+	if ( substr( $zoneURI, 0, 1 ) !== '/' ) {
+		$bits = wfParseUrl( $zoneURI );
+		if ( $bits && isset( $bits['path'] ) ) {
+			$zoneURI = $bits['path'];
+		} else {
+			return null;
+		}
+	}
+	$zoneUrlRegex = preg_quote( $zoneURI );
+
+	$hashDirRegex = $subdirRegex = '';
+	for ( $i = 0; $i < $repo->getHashLevels(); $i++ ) {
+		$subdirRegex .= '[0-9a-f]';
+		$hashDirRegex .= "$subdirRegex/";
+	}
+
+	$thumbUrlRegex = "!^$zoneUrlRegex/((archive/|temp/)?$hashDirRegex([^/]*)/([^/]*))$!";
+
+	// Check if this is a valid looking thumbnail request...
+	if ( preg_match( $thumbUrlRegex, $uri, $matches ) ) {
+		list( /* all */, $rel, $archOrTemp, $filename, $thumbname ) = $matches;
+		$filename = urldecode( $filename );
+		$thumbname = urldecode( $thumbname );
+
+		$params = array( 'f' => $filename, 'rel404' => $rel );
+		if ( $archOrTemp == 'archive/' ) {
+			$params['archived'] = 1;
+		} elseif ( $archOrTemp == 'temp/' ) {
+			$params['temp'] = 1;
+		}
+
+		// Check if the parameters can be extracted from the thumbnail name...
+		if ( preg_match( '!^(page(\d*)-)*(\d*)px-[^/]*$!', $thumbname, $matches ) ) {
+			list( /* all */, $pagefull, $pagenum, $size ) = $matches;
+			$params['width'] = $size;
+			if ( $pagenum ) {
+				$params['page'] = $pagenum;
+			}
+			return $params; // valid thumbnail URL
+		// Hooks return false if they manage to *resolve* the parameters
+		} elseif ( !wfRunHooks( 'ExtractThumbParameters', array( $thumbname, &$params ) ) ) {
+			return $params; // valid thumbnail URL (via extension or config)
+		}
+	}
+
+	return null; // not a valid thumbnail URL
 }
 
-wfProfileOut( 'thumb.php' );
+/**
+ * Output a thumbnail generation error message
+ *
+ * @param $status integer
+ * @param $msg string
+ * @return void
+ */
+function wfThumbError( $status, $msg ) {
+	global $wgShowHostnames;
 
+	header( 'Cache-Control: no-cache' );
+	header( 'Content-Type: text/html; charset=utf-8' );
+	if ( $status == 404 ) {
+		header( 'HTTP/1.1 404 Not found' );
+	} elseif ( $status == 403 ) {
+		header( 'HTTP/1.1 403 Forbidden' );
+		header( 'Vary: Cookie' );
+	} else {
+		header( 'HTTP/1.1 500 Internal server error' );
+	}
+	if ( $wgShowHostnames ) {
+		$url = htmlspecialchars( isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '' );
+		$hostname = htmlspecialchars( wfHostname() );
+		$debug = "<!-- $url -->\n<!-- $hostname -->\n";
+	} else {
+		$debug = "";
+	}
+	echo <<<EOT
+<html><head><title>Error generating thumbnail</title></head>
+<body>
+<h1>Error generating thumbnail</h1>
+<p>
+$msg
+</p>
+$debug
+</body>
+</html>
 
-?>
+EOT;
+}