From c1f9b1f7b1b77776192048005dcc66dcf3df2bfb Mon Sep 17 00:00:00 2001 From: Pierre Schmitz Date: Sat, 27 Dec 2014 15:41:37 +0100 Subject: Update to MediaWiki 1.24.1 --- img_auth.php | 138 +++++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 91 insertions(+), 47 deletions(-) (limited to 'img_auth.php') diff --git a/img_auth.php b/img_auth.php index c8759ec8..dcd171f9 100644 --- a/img_auth.php +++ b/img_auth.php @@ -2,7 +2,7 @@ /** * Image authorisation script * - * To use this, see http://www.mediawiki.org/wiki/Manual:Image_Authorization + * To use this, see https://www.mediawiki.org/wiki/Manual:Image_Authorization * * - Set $wgUploadDirectory to a non-public directory (not web accessible) * - Set $wgUploadPath to point to this file @@ -12,8 +12,6 @@ * - Set $wgImgAuthDetails = true if you want the reason the access was denied messages to * be displayed instead of just the 403 error (doesn't work on IE anyway), * otherwise it will only appear in error logs - * - Set $wgImgAuthPublicTest false if you don't want to just check and see if all are public - * must be set to false if using specific restrictions such as LockDown or NSFileRepo * * For security reasons, you usually don't want your user to know *why* access was denied, * just that it was. If you want to change this, you can set $wgImgAuthDetails to 'true' @@ -49,19 +47,18 @@ $wgArticlePath = false; # Don't let a "/*" article path clober our action path $wgActionPaths = array( "$wgUploadPath/" ); wfImageAuthMain(); +wfProfileOut( 'img_auth.php' ); wfLogProfilingData(); +// Commit and close up! +$factory = wfGetLBFactory(); +$factory->commitMasterChanges(); +$factory->shutdown(); function wfImageAuthMain() { - global $wgImgAuthPublicTest, $wgRequest; - - // See if this is a public Wiki (no protections). - if ( $wgImgAuthPublicTest - && in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) - ) { - // This is a public wiki, so disable this script (for private wikis only) - wfForbidden( 'img-auth-accessdenied', 'img-auth-public' ); - return; - } + global $wgImgAuthUrlPathMap; + + $request = RequestContext::getMain()->getRequest(); + $publicWiki = in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ); // Get the requested file path (source file or thumbnail) $matches = WebRequest::getPathInfo(); @@ -77,67 +74,113 @@ function wfImageAuthMain() { // Check for bug 28235: QUERY_STRING overriding the correct extension $whitelist = array(); - $dotPos = strrpos( $path, '.' ); - if ( $dotPos !== false ) { - $whitelist[] = substr( $path, $dotPos + 1 ); + $extension = FileBackend::extensionFromPath( $path, 'rawcase' ); + if ( $extension != '' ) { + $whitelist[] = $extension; } - if ( !$wgRequest->checkUrlExtension( $whitelist ) ) { + if ( !$request->checkUrlExtension( $whitelist ) ) { return; } + // Various extensions may have their own backends that need access. + // Check if there is a special backend and storage base path for this file. + foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) { + $prefix = rtrim( $prefix, '/' ) . '/'; // implicit trailing slash + if ( strpos( $path, $prefix ) === 0 ) { + $be = FileBackendGroup::singleton()->backendFromPath( $storageDir ); + $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix + // Check basic user authorization + if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) { + wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path ); + return; + } + if ( $be->fileExists( array( 'src' => $filename ) ) ) { + wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." ); + $be->streamFile( array( 'src' => $filename ), + array( 'Cache-Control: private', 'Vary: Cookie' ) ); + } else { + wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path ); + } + return; + } + } + // Get the local file repository $repo = RepoGroup::singleton()->getRepo( 'local' ); + $zone = strstr( ltrim( $path, '/' ), '/', true ); // Get the full file storage path and extract the source file name. // (e.g. 120px-Foo.png => Foo.png or page2-120px-Foo.png => Foo.png). - // This only applies to thumbnails, and all thumbnails should + // This only applies to thumbnails/transcoded, and each of them should // be under a folder that has the source file name. - if ( strpos( $path, '/thumb/' ) === 0 ) { - $name = wfBaseName( dirname( $path ) ); // file is a thumbnail - $filename = $repo->getZonePath( 'thumb' ) . substr( $path, 6 ); // strip "/thumb" + if ( $zone === 'thumb' || $zone === 'transcoded' ) { + $name = wfBaseName( dirname( $path ) ); + $filename = $repo->getZonePath( $zone ) . substr( $path, strlen( "/" . $zone ) ); + // Check to see if the file exists + if ( !$repo->fileExists( $filename ) ) { + wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename ); + return; + } } else { $name = wfBaseName( $path ); // file is a source file $filename = $repo->getZonePath( 'public' ) . $path; + // Check to see if the file exists and is not deleted + $bits = explode( '!', $name, 2 ); + if ( substr( $path, 0, 9 ) === '/archive/' && count( $bits ) == 2 ) { + $file = $repo->newFromArchiveName( $bits[1], $name ); + } else { + $file = $repo->newFile( $name ); + } + if ( !$file->exists() || $file->isDeleted( File::DELETED_FILE ) ) { + wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename ); + return; + } } - // Check to see if the file exists - if ( !$repo->fileExists( $filename ) ) { - wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename ); - return; + $headers = array(); // extra HTTP headers to send + + if ( !$publicWiki ) { + // For private wikis, run extra auth checks and set cache control headers + $headers[] = 'Cache-Control: private'; + $headers[] = 'Vary: Cookie'; + + $title = Title::makeTitleSafe( NS_FILE, $name ); + if ( !$title instanceof Title ) { // files have valid titles + wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name ); + return; + } + + // Run hook for extension authorization plugins + /** @var $result array */ + $result = null; + if ( !wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) ) { + wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) ); + return; + } + + // Check user authorization for this title + // Checks Whitelist too + if ( !$title->userCan( 'read' ) ) { + wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name ); + return; + } } - $title = Title::makeTitleSafe( NS_FILE, $name ); - if ( !$title instanceof Title ) { // files have valid titles - wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name ); - return; - } - - // Run hook for extension authorization plugins - /** @var $result array */ - $result = null; - if ( !wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) ) { - wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) ); - return; - } - - // Check user authorization for this title - // Checks Whitelist too - if ( !$title->userCan( 'read' ) ) { - wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name ); - return; + if ( $request->getCheck( 'download' ) ) { + $headers[] = 'Content-Disposition: attachment'; } // Stream the requested file wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." ); - $repo->streamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) ); + $repo->streamFile( $filename, $headers ); } /** * Issue a standard HTTP 403 Forbidden header ($msg1-a message index, not a message) and an * error message ($msg2, also a message index), (both required) then end the script * subsequent arguments to $msg2 will be passed as parameters only for replacing in $msg2 - * @param $msg1 - * @param $msg2 + * @param string $msg1 + * @param string $msg2 */ function wfForbidden( $msg1, $msg2 ) { global $wgImgAuthDetails; @@ -145,6 +188,7 @@ function wfForbidden( $msg1, $msg2 ) { $args = func_get_args(); array_shift( $args ); array_shift( $args ); + $args = ( isset( $args[0] ) && is_array( $args[0] ) ) ? $args[0] : $args; $msgHdr = wfMessage( $msg1 )->escaped(); $detailMsgKey = $wgImgAuthDetails ? $msg2 : 'badaccess-group0'; -- cgit v1.2.2