diff options
Diffstat (limited to 'img_auth.php')
| -rw-r--r-- | img_auth.php | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/img_auth.php b/img_auth.php index 0fe239ba..1daba85f 100644 --- a/img_auth.php +++ b/img_auth.php @@ -37,19 +37,29 @@ if ( $wgImgAuthPublicTest wfForbidden('img-auth-accessdenied','img-auth-public'); } +// Extract path and image information +if( !isset( $_SERVER['PATH_INFO'] ) ) { + $path = $wgRequest->getText( 'path' ); + if( !$path ) { + wfForbidden( 'img-auth-accessdenied', 'img-auth-nopathinfo' ); + } + $path = "/$path"; +} else { + $path = $_SERVER['PATH_INFO']; +} + // Check for bug 28235: QUERY_STRING overriding the correct extension -if ( isset( $_SERVER['QUERY_STRING'] ) - && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) +$dotPos = strpos( $path, '.' ); +$whitelist = array(); +if ( $dotPos !== false ) { + $whitelist[] = substr( $path, $dotPos + 1 ); +} +if ( !$wgRequest->checkUrlExtension( $whitelist ) ) { - wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' ); + return; } -// Extract path and image information -if( !isset( $_SERVER['PATH_INFO'] ) ) - wfForbidden('img-auth-accessdenied','img-auth-nopathinfo'); - -$path = $_SERVER['PATH_INFO']; -$filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] ); +$filename = realpath( $wgUploadDirectory . $path ); $realUpload = realpath( $wgUploadDirectory ); // Basic directory traversal check |