update to MediaWiki 1.16.3

author: Pierre Schmitz <pierre@archlinux.de> 2011-04-13 05:42:02 +0200
committer: Pierre Schmitz <pierre@archlinux.de> 2011-04-13 05:42:02 +0200
commit: 124299758ca7454561118f466a0470905758924f (patch)
tree: f4d09ea1286d6747ae36aecd4ba28dfb04c9e7c5 /img_auth.php
parent: 3bddedf685051638fdba61268ad195fee041db1c (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/img_auth.php b/img_auth.php
index bc4464d4..534d1fd2 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -37,6 +37,13 @@ if ( $wgImgAuthPublicTest
 	wfForbidden('img-auth-accessdenied','img-auth-public');
 }
 
+// Check for bug 28235: QUERY_STRING overriding the correct extension
+if ( isset( $_SERVER['QUERY_STRING'] )
+	&& preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+{
+	wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
+}
+
 // Extract path and image information
 if( !isset( $_SERVER['PATH_INFO'] ) )
 	wfForbidden('img-auth-accessdenied','img-auth-nopathinfo');
author	Pierre Schmitz <pierre@archlinux.de>	2011-04-13 05:42:02 +0200
committer	Pierre Schmitz <pierre@archlinux.de>	2011-04-13 05:42:02 +0200
commit	124299758ca7454561118f466a0470905758924f (patch)
tree	f4d09ea1286d6747ae36aecd4ba28dfb04c9e7c5 /img_auth.php
parent	3bddedf685051638fdba61268ad195fee041db1c (diff)