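/**
 * img_auth.php entry point: authorize and stream a single file from the
 * local repository on a private wiki.
 *
 * Every failed check hands a message key (plus optional parameters) to
 * wfForbidden() and returns, so exactly one response is produced:
 *  - the wiki is public and $wgImgAuthPublicTest is set (nothing to protect);
 *  - no path info, or the query string would override the real extension (bug 28235);
 *  - the storage path does not exist in the 'thumb' or 'public' zone;
 *  - the derived source name is not a valid NS_FILE title;
 *  - an ImgAuthBeforeStream hook handler denies the request;
 *  - the current user lacks 'read' on that title.
 *
 * Globals read: $wgImgAuthPublicTest, $wgRequest. No return value.
 */
function wfImageAuthMain()
{
    global $wgImgAuthPublicTest, $wgRequest;

    // See if this is a public Wiki (no protections): anonymous ('*') read
    // access means there is nothing for this script to guard.
    if ($wgImgAuthPublicTest && in_array('read', User::getGroupPermissions(array('*')), true)) {
        wfForbidden('img-auth-accessdenied', 'img-auth-public');
        return;
    }

    // Get the requested file path (source file or thumbnail)
    $matches = WebRequest::getPathInfo();
    if (!isset($matches['title'])) {
        wfForbidden('img-auth-accessdenied', 'img-auth-nopathinfo');
        return;
    }
    $path = $matches['title'];
    if ($path && $path[0] !== '/') {
        // Make sure $path has a leading /
        $path = "/" . $path;
    }

    // Check for bug 28235: QUERY_STRING overriding the correct extension.
    // Only whitelist a non-empty extension: for a path ending in '.' the
    // substr() would otherwise yield '' (false on PHP < 8) and that empty
    // value would be pushed into the whitelist.
    $whitelist = array();
    $dotPos = strrpos($path, '.');
    if ($dotPos !== false && $dotPos + 1 < strlen($path)) {
        $whitelist[] = substr($path, $dotPos + 1);
    }
    // NOTE(review): checkUrlExtension() is assumed to emit its own error
    // response when it returns false — confirm against WebRequest.
    if (!$wgRequest->checkUrlExtension($whitelist)) {
        return;
    }

    // Get the local file repository
    $repo = RepoGroup::singleton()->getRepo('local');

    // Get the full file storage path and extract the source file name.
    // (e.g. 120px-Foo.png => Foo.png or page2-120px-Foo.png => Foo.png).
    // This only applies to thumbnails, and all thumbnails should
    // be under a folder that has the source file name.
    if (strpos($path, '/thumb/') === 0) {
        // file is a thumbnail: its parent directory carries the source name
        $name = wfBaseName(dirname($path));
        // strip the leading "/thumb" (6 chars) and re-root under the thumb zone
        $filename = $repo->getZonePath('thumb') . substr($path, 6);
    } else {
        // file is a source file
        $name = wfBaseName($path);
        $filename = $repo->getZonePath('public') . $path;
    }
    // NOTE(review): $path comes from the request and is appended to the zone
    // path verbatim; this relies on the repo/backend rejecting '..' path
    // segments — confirm.

    // Check to see if the file exists
    if (!$repo->fileExists($filename)) {
        wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $filename);
        return;
    }

    // files have valid titles
    $title = Title::makeTitleSafe(NS_FILE, $name);
    if (!$title instanceof Title) {
        wfForbidden('img-auth-accessdenied', 'img-auth-badtitle', $name);
        return;
    }

    // Run hook for extension authorization plugins. A handler that denies
    // access returns false and fills $result with (msg1, msg2, ...params)
    // for wfForbidden(); $title, $path and $name are passed by reference so
    // handlers can adjust them.
    /** @var $result array */
    $result = null;
    if (!wfRunHooks('ImgAuthBeforeStream', array(&$title, &$path, &$name, &$result))) {
        wfForbidden($result[0], $result[1], array_slice($result, 2));
        return;
    }

    // Check user authorization for this title
    // Checks Whitelist too
    if (!$title->userCan('read')) {
        wfForbidden('img-auth-accessdenied', 'img-auth-noread', $name);
        return;
    }

    // Stream the requested file. 'Cache-Control: private' + 'Vary: Cookie'
    // keep shared caches from replaying an authorized response to other users.
    wfDebugLog('img_auth', "Streaming `" . $filename . "`.");
    $repo->streamFile($filename, array('Cache-Control: private', 'Vary: Cookie'));
}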
    wfDebugLog('img_auth', "Unable to construct a valid Title from `{$name}`");
    wfForbidden();
}
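// Work with the canonical text form of the title from here on
$title = $title->getPrefixedText();

// Check the whitelist if needed: anonymous users may only read titles listed
// in $wgWhitelistRead. The comparison is strict so that a numerically-equal
// but different title string (e.g. '1e3' vs '1000') cannot satisfy the
// whitelist. wfForbidden() sends the 403 and ends the script.
if (!$wgUser->getId() && (!is_array($wgWhitelistRead) || !in_array($title, $wgWhitelistRead, true))) {
    wfDebugLog('img_auth', "Not logged in and `{$title}` not in whitelist.");
    wfForbidden();
}

// The resolved storage path must be an existing regular file
if (!file_exists($filename)) {
    wfDebugLog('img_auth', "`{$filename}` does not exist");
    wfForbidden();
}
if (is_dir($filename)) {
    wfDebugLog('img_auth', "`{$filename}` is a directory");
    wfForbidden();
}

// Stream the requested file; private/Vary: Cookie keeps shared caches from
// serving this authorized response to other users.
wfDebugLog('img_auth', "Streaming `{$filename}`");
wfStreamFile($filename, array('Cache-Control: private', 'Vary: Cookie'));
wfLogProfilingData();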
/**
 * Issue a standard HTTP 403 Forbidden header and a basic
 * error message, then end the script
 */
function wfForbidden()
{
    header('HTTP/1.0 403 Forbidden');
    header('Vary: Cookie');
    header('Content-Type: text/html; charset=utf-8');
    echo <<<ENDS
/**
 * img_auth.php entry point: resolve the requested path either to an
 * extension-owned backend from $wgImgAuthUrlPathMap or to a zone of the
 * local repository, run the authorization checks and stream the file.
 *
 * Refusals go through wfForbidden() with a message key and return. On a
 * wiki where anonymous users can read, the title/hook/permission checks
 * are skipped and no private cache headers are sent.
 *
 * Globals read: $wgImgAuthUrlPathMap. No return value.
 */
function wfImageAuthMain()
{
    global $wgImgAuthUrlPathMap;

    $request = RequestContext::getMain()->getRequest();
    // Anonymous ('*') read access marks the wiki as public
    $anonCanRead = in_array('read', User::getGroupPermissions(array('*')), true);

    // Requested path, normalised to a leading slash
    $pathInfo = WebRequest::getPathInfo();
    if (!isset($pathInfo['title'])) {
        wfForbidden('img-auth-accessdenied', 'img-auth-nopathinfo');
        return;
    }
    $path = $pathInfo['title'];
    if ($path && substr($path, 0, 1) !== '/') {
        $path = '/' . $path;
    }

    // Bug 28235: refuse a QUERY_STRING that would override the real extension
    $extWhitelist = array();
    $ext = FileBackend::extensionFromPath($path, 'rawcase');
    if ($ext != '') {
        $extWhitelist[] = $ext;
    }
    if (!$request->checkUrlExtension($extWhitelist)) {
        return;
    }

    // Extension-owned backends: the first matching URL prefix wins and the
    // request is answered entirely from that backend.
    foreach ($wgImgAuthUrlPathMap as $urlPrefix => $storageBase) {
        $urlPrefix = rtrim($urlPrefix, '/') . '/';
        if (strpos($path, $urlPrefix) !== 0) {
            continue;
        }
        $backend = FileBackendGroup::singleton()->backendFromPath($storageBase);
        $storagePath = $storageBase . substr($path, strlen($urlPrefix));
        // Only the basic 'read' right is checked on this branch
        if (!RequestContext::getMain()->getUser()->isAllowed('read')) {
            wfForbidden('img-auth-accessdenied', 'img-auth-noread', $path);
            return;
        }
        if (!$backend->fileExists(array('src' => $storagePath))) {
            wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $path);
            return;
        }
        wfDebugLog('img_auth', "Streaming `" . $storagePath . "`.");
        $backend->streamFile(array('src' => $storagePath), array('Cache-Control: private', 'Vary: Cookie'));
        return;
    }

    // Local repository. The first path segment names the zone; thumbnails and
    // transcoded files sit under a directory named after their source file
    // (e.g. 120px-Foo.png => Foo.png), which is where the title comes from.
    $localRepo = RepoGroup::singleton()->getRepo('local');
    $zone = strstr(ltrim($path, '/'), '/', true);
    if ($zone === 'thumb' || $zone === 'transcoded') {
        $name = wfBaseName(dirname($path));
        $storagePath = $localRepo->getZonePath($zone) . substr($path, strlen('/' . $zone));
        $present = $localRepo->fileExists($storagePath);
    } else {
        $name = wfBaseName($path);
        $storagePath = $localRepo->getZonePath('public') . $path;
        // Archived files are named "<timestamp>!<name>"; look them up as such
        $archiveParts = explode('!', $name, 2);
        $fromArchive = (strpos($path, '/archive/') === 0 && count($archiveParts) == 2);
        $file = $fromArchive
            ? $localRepo->newFromArchiveName($archiveParts[1], $name)
            : $localRepo->newFile($name);
        // A file that was deleted must not be served even if the bytes remain
        $present = $file->exists() && !$file->isDeleted(File::DELETED_FILE);
    }
    if (!$present) {
        wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $storagePath);
        return;
    }

    $streamHeaders = array();
    if (!$anonCanRead) {
        // Private wiki: per-user response, so keep shared caches out of it,
        // and run the title, hook and permission checks.
        $streamHeaders[] = 'Cache-Control: private';
        $streamHeaders[] = 'Vary: Cookie';

        $title = Title::makeTitleSafe(NS_FILE, $name);
        if (!($title instanceof Title)) {
            wfForbidden('img-auth-accessdenied', 'img-auth-badtitle', $name);
            return;
        }

        // Extension authorization hook; a denying handler fills $hookResult
        // with (msg1, msg2, ...params) for wfForbidden().
        /** @var array|null $hookResult */
        $hookResult = null;
        if (!wfRunHooks('ImgAuthBeforeStream', array(&$title, &$path, &$name, &$hookResult))) {
            wfForbidden($hookResult[0], $hookResult[1], array_slice($hookResult, 2));
            return;
        }

        // userCan('read') also honours the read whitelist
        if (!$title->userCan('read')) {
            wfForbidden('img-auth-accessdenied', 'img-auth-noread', $name);
            return;
        }
    }

    if ($request->getCheck('download')) {
        $streamHeaders[] = 'Content-Disposition: attachment';
    }

    wfDebugLog('img_auth', "Streaming `" . $storagePath . "`.");
    $localRepo->streamFile($storagePath, $streamHeaders);
}
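// Refuse to stream a directory ($filename is resolved before this point,
// outside this excerpt). wfForbidden() sends the 403 and ends the script.
if (is_dir($filename)) {
    wfForbidden('img-auth-accessdenied', 'img-auth-isdir', $filename);
}

// See if a title object could be created: files have valid NS_FILE titles
$title = Title::makeTitleSafe(NS_FILE, $name);
if (!$title instanceof Title) {
    wfForbidden('img-auth-accessdenied', 'img-auth-badtitle', $name);
}

// Run hook for extension authorization plugins. A denying handler returns
// false and fills $result with (msg1, msg2, ...params) for wfForbidden();
// start from null so no stale value can leak into the forbidden message.
/** @var $result array */
$result = null;
if (!wfRunHooks('ImgAuthBeforeStream', array(&$title, &$path, &$name, &$result))) {
    wfForbidden($result[0], $result[1], array_slice($result, 2));
}

// Check user authorization for this title
// userCanRead() checks the read whitelist too
if (!$title->userCanRead()) {
    wfForbidden('img-auth-accessdenied', 'img-auth-noread', $name);
}

// Stream the requested file; private/Vary: Cookie keeps shared caches from
// serving this authorized response to other users.
wfDebugLog('img_auth', "Streaming `" . $filename . "`.");
wfStreamFile($filename, array('Cache-Control: private', 'Vary: Cookie'));
wfLogProfilingData();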
/**
 * Issue a standard HTTP 403 Forbidden header ($msg1-a message index, not a message) and an
 * error message ($msg2, also a message index), (both required) then end the script
 * subsequent arguments to $msg2 will be passed as parameters only for replacing in $msg2 
 */
function wfForbidden($msg1, $msg2)
{
    global $wgImgAuthDetails;
    $args = func_get_args();
    array_shift($args);
/**
 * img_auth.php entry point (private wikis only): resolve the requested path
 * either to an extension-owned backend from $wgImgAuthUrlPathMap or to the
 * local repository, run the authorization checks and stream the file.
 *
 * Each refusal goes through wfForbidden() with a message key and returns.
 * Globals read: $wgImgAuthPublicTest, $wgImgAuthUrlPathMap, $wgRequest.
 * No return value.
 */
function wfImageAuthMain()
{
    global $wgImgAuthPublicTest, $wgImgAuthUrlPathMap, $wgRequest;

    // With the public test enabled, refuse to serve on a wiki where
    // anonymous ('*') users can read: there is nothing to protect.
    if ($wgImgAuthPublicTest && in_array('read', User::getGroupPermissions(array('*')), true)) {
        wfForbidden('img-auth-accessdenied', 'img-auth-public');
        return;
    }

    // Requested path, normalised to a leading slash
    $pathInfo = WebRequest::getPathInfo();
    if (!isset($pathInfo['title'])) {
        wfForbidden('img-auth-accessdenied', 'img-auth-nopathinfo');
        return;
    }
    $path = $pathInfo['title'];
    if ($path && substr($path, 0, 1) !== '/') {
        $path = '/' . $path;
    }

    // Bug 28235: refuse a QUERY_STRING that would override the real extension
    $ext = FileBackend::extensionFromPath($path, 'rawcase');
    $allowedExts = ($ext != '') ? array($ext) : array();
    if (!$wgRequest->checkUrlExtension($allowedExts)) {
        return;
    }

    // Extension-owned backends: the first matching URL prefix answers the request
    foreach ($wgImgAuthUrlPathMap as $urlPrefix => $storageBase) {
        $urlPrefix = rtrim($urlPrefix, '/') . '/';
        if (strpos($path, $urlPrefix) !== 0) {
            continue;
        }
        $backend = FileBackendGroup::singleton()->backendFromPath($storageBase);
        $storagePath = $storageBase . substr($path, strlen($urlPrefix));
        // Only the basic 'read' right is checked on this branch
        if (!RequestContext::getMain()->getUser()->isAllowed('read')) {
            wfForbidden('img-auth-accessdenied', 'img-auth-noread', $path);
            return;
        }
        if (!$backend->fileExists(array('src' => $storagePath))) {
            wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $path);
            return;
        }
        wfDebugLog('img_auth', "Streaming `" . $storagePath . "`.");
        $backend->streamFile(array('src' => $storagePath), array('Cache-Control: private', 'Vary: Cookie'));
        return;
    }

    // Local repository. Thumbnails live under /thumb/<source name>/..., so
    // the parent directory gives the source file name (120px-Foo.png => Foo.png).
    $localRepo = RepoGroup::singleton()->getRepo('local');
    $isThumb = (strpos($path, '/thumb/') === 0);
    if ($isThumb) {
        $name = wfBaseName(dirname($path));
        $storagePath = $localRepo->getZonePath('thumb') . substr($path, strlen('/thumb'));
    } else {
        $name = wfBaseName($path);
        $storagePath = $localRepo->getZonePath('public') . $path;
    }
    if (!$localRepo->fileExists($storagePath)) {
        wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $storagePath);
        return;
    }

    // Files have valid NS_FILE titles
    $title = Title::makeTitleSafe(NS_FILE, $name);
    if (!($title instanceof Title)) {
        wfForbidden('img-auth-accessdenied', 'img-auth-badtitle', $name);
        return;
    }

    // Extension authorization hook; a denying handler fills $hookResult
    // with (msg1, msg2, ...params) for wfForbidden().
    /** @var array|null $hookResult */
    $hookResult = null;
    if (!wfRunHooks('ImgAuthBeforeStream', array(&$title, &$path, &$name, &$hookResult))) {
        wfForbidden($hookResult[0], $hookResult[1], array_slice($hookResult, 2));
        return;
    }

    // userCan('read') also honours the read whitelist
    if (!$title->userCan('read')) {
        wfForbidden('img-auth-accessdenied', 'img-auth-noread', $name);
        return;
    }

    if ($wgRequest->getCheck('download')) {
        header('Content-Disposition: attachment');
    }

    // Private/Vary: Cookie keeps shared caches from replaying this response
    wfDebugLog('img_auth', "Streaming `" . $storagePath . "`.");
    $localRepo->streamFile($storagePath, array('Cache-Control: private', 'Vary: Cookie'));
}