img_auth.php

   1 <?php
   2
   3 /**
   4  * Image authorisation script
   5  *
   6  * To use this:
   7  *
   8  * Set $wgUploadDirectory to a non-public directory (not web accessible)
   9  * Set $wgUploadPath to point to this file
  10  *
  11  * Your server needs to support PATH_INFO; CGI-based configurations
  12  * usually don't.
  13  */
  14
  15 define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
  16 require_once( dirname( __FILE__ ) . '/includes/WebStart.php' );
  17 wfProfileIn( 'img_auth.php' );
  18 require_once( dirname( __FILE__ ) . '/includes/StreamFile.php' );
  19
  20 // Extract path and image information
  21 if( !isset( $_SERVER['PATH_INFO'] ) ) {
  22         wfDebugLog( 'img_auth', 'Missing PATH_INFO' );
  23         wfForbidden();
  24 }
  25
  26 $path = $_SERVER['PATH_INFO'];
  27 $filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );
  28 $realUpload = realpath( $wgUploadDirectory );
  29 wfDebugLog( 'img_auth', "\$path is {$path}" );
  30 wfDebugLog( 'img_auth', "\$filename is {$filename}" );
  31
  32 // Basic directory traversal check
  33 if( substr( $filename, 0, strlen( $realUpload ) ) != $realUpload ) {
  34         wfDebugLog( 'img_auth', 'Requested path not in upload directory' );
  35         wfForbidden();
  36 }
  37
  38 // Extract the file name and chop off the size specifier
  39 // (e.g. 120px-Foo.png => Foo.png)
  40 $name = wfBaseName( $path );
  41 if( preg_match( '!\d+px-(.*)!i', $name, $m ) )
  42         $name = $m[1];
  43 wfDebugLog( 'img_auth', "\$name is {$name}" );
  44
  45 $title = Title::makeTitleSafe( NS_IMAGE, $name );
  46 if( !$title instanceof Title ) {
  47         wfDebugLog( 'img_auth', "Unable to construct a valid Title from `{$name}`" );
  48         wfForbidden();
  49 }
  50 $title = $title->getPrefixedText();
  51
  52 // Check the whitelist if needed
  53 if( !$wgUser->getId() && ( !is_array( $wgWhitelistRead ) || !in_array( $title, $wgWhitelistRead ) ) ) {
  54         wfDebugLog( 'img_auth', "Not logged in and `{$title}` not in whitelist." );
  55         wfForbidden();
  56 }
  57
  58 if( !file_exists( $filename ) ) {
  59         wfDebugLog( 'img_auth', "`{$filename}` does not exist" );
  60         wfForbidden();
  61 }
  62 if( is_dir( $filename ) ) {
  63         wfDebugLog( 'img_auth', "`{$filename}` is a directory" );
  64         wfForbidden();
  65 }
  66
  67 // Stream the requested file
  68 wfDebugLog( 'img_auth', "Streaming `{$filename}`" );
  69 wfStreamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );
  70 wfLogProfilingData();
  71
  72 /**
  73  * Issue a standard HTTP 403 Forbidden header and a basic
  74  * error message, then end the script
  75  */
  76 function wfForbidden() {
  77         header( 'HTTP/1.0 403 Forbidden' );
  78         header( 'Vary: Cookie' );
  79         header( 'Content-Type: text/html; charset=utf-8' );
  80         echo <<<ENDS
  81 <html>
  82 <body>
  83 <h1>Access Denied</h1>
  84 <p>You need to log in to access files on this server.</p>
  85 </body>
  86 </html>
  87 ENDS;
  88         wfLogProfilingData();
  89         exit();
  90 }