/**
 * Handle a thumbnail request via thumbnail file URL.
 *
 * The request is of the form ../thumb_handler.php/X and WebRequest::getPathInfo()
 * must recognise the "X" as the 'title'. To make that happen the local repo's
 * thumb zone URL is installed as $wgArticlePath for the duration of the lookup
 * and restored immediately afterwards.
 *
 * Note: if custom per-extension repo paths are set, this may break.
 * NOTE(review): the global is restored on the normal path only; should
 * WebRequest::getPathInfo() throw, $wgArticlePath stays overridden for the
 * rest of the request — confirm that is acceptable.
 *
 * @return void
 */
function wfThumbHandle404() {
	global $wgArticlePath;

	$localRepo = RepoGroup::singleton()->getLocalRepo();

	// Temporarily point the article path at the thumb zone so the path lookup works.
	$savedArticlePath = $wgArticlePath;
	$wgArticlePath = $localRepo->getZoneUrl( 'thumb' ) . '/$1';
	$pathInfo = WebRequest::getPathInfo();
	$wgArticlePath = $savedArticlePath;

	if ( !isset( $pathInfo['title'] ) ) {
		wfThumbError( 404, 'Could not determine the name of the requested thumbnail.' );
		return;
	}

	// Basic wiki URL param extracting; anything comparing equal to null is rejected.
	$thumbParams = wfExtractThumbRequestInfo( $pathInfo['title'] );
	if ( $thumbParams == null ) {
		wfThumbError( 400, 'The specified thumbnail parameters are not recognized.' );
		return;
	}

	wfStreamThumb( $thumbParams ); // stream the thumbnail
}
/**
 * Handle a thumbnail request via thumbnail file URL.
 *
 * The request is of the form ../thumb_handler.php/X and WebRequest::getPathInfo()
 * must recognise the "X" as the 'title'. A "/*"-style article path would clobber
 * the action path, so $wgArticlePath is switched off before the lookup.
 * NOTE(review): the override is not restored afterwards; it stays in effect for
 * the remainder of the request.
 *
 * @return void
 */
function wfThumbHandle404() {
	global $wgArticlePath;

	$wgArticlePath = false; // keep a "/*" article path from clobbering our action path
	$pathInfo = WebRequest::getPathInfo();

	if (!isset($pathInfo['title'])) {
		wfThumbError(404, 'Could not determine the name of the requested thumbnail.');
		return;
	}

	// Basic wiki URL param extracting; anything comparing equal to null is rejected.
	$thumbParams = wfExtractThumbParams($pathInfo['title']);
	if ($thumbParams == null) {
		wfThumbError(400, 'The specified thumbnail parameters are not recognized.');
		return;
	}

	wfStreamThumb($thumbParams); // stream the thumbnail
}
/**
 * Entry point for img_auth.php: authorise and stream one file from the local
 * repo's thumb or public zone to the current user.
 *
 * Order of checks: refuse on a public wiki (this script is for private wikis),
 * resolve the path from PATH_INFO, guard the extension against QUERY_STRING
 * spoofing (bug 28235), map the path onto a zone, require the file to exist,
 * require a valid File: title, let the ImgAuthBeforeStream hook veto, require
 * per-title 'read', then stream with private cache headers.
 *
 * @return void
 */
function wfImageAuthMain() {
	global $wgImgAuthPublicTest, $wgRequest;

	// Private-wiki gate: if anonymous ('*') users may read, refuse to serve.
	if ($wgImgAuthPublicTest && in_array('read', User::getGroupPermissions(array('*')), true)) {
		wfForbidden('img-auth-accessdenied', 'img-auth-public');
		return;
	}

	// Requested file path (source file or thumbnail), taken from PATH_INFO.
	$pathInfo = WebRequest::getPathInfo();
	if (!isset($pathInfo['title'])) {
		wfForbidden('img-auth-accessdenied', 'img-auth-nopathinfo');
		return;
	}
	$reqPath = $pathInfo['title'];
	if ($reqPath && substr($reqPath, 0, 1) !== '/') {
		$reqPath = '/' . $reqPath; // normalise to a leading slash
	}

	// Bug 28235: QUERY_STRING could override the correct extension, so only the
	// extension present in the path itself is whitelisted.
	$lastDot = strrpos($reqPath, '.');
	$allowedExts = ($lastDot === false) ? array() : array(substr($reqPath, $lastDot + 1));
	if (!$wgRequest->checkUrlExtension($allowedExts)) {
		return;
	}

	$localRepo = RepoGroup::singleton()->getRepo('local');

	// Thumbnails live under a folder named after the source file
	// (e.g. 120px-Foo.png => Foo.png, page2-120px-Foo.png => Foo.png), so for
	// them the source name is the parent directory.
	// NOTE(review): $reqPath is appended as-is in both branches; no '..'
	// normalisation is visible here, so traversal rejection is left to the
	// repo/backend path handling — confirm.
	if (substr($reqPath, 0, 7) === '/thumb/') {
		$fileName = wfBaseName(dirname($reqPath)); // file is a thumbnail
		$storagePath = $localRepo->getZonePath('thumb') . substr($reqPath, 6); // strip "/thumb"
	} else {
		$fileName = wfBaseName($reqPath); // file is a source file
		$storagePath = $localRepo->getZonePath('public') . $reqPath;
	}

	if (!$localRepo->fileExists($storagePath)) {
		wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $storagePath);
		return;
	}

	$fileTitle = Title::makeTitleSafe(NS_FILE, $fileName);
	if (!($fileTitle instanceof Title)) { // files have valid titles
		wfForbidden('img-auth-accessdenied', 'img-auth-badtitle', $fileName);
		return;
	}

	// Extension authorization plugins may veto; on veto $hookResult is expected
	// to carry the wfForbidden() arguments [msg1, msg2, ...params].
	/** @var $hookResult array */
	$hookResult = null;
	if (!wfRunHooks('ImgAuthBeforeStream', array(&$fileTitle, &$reqPath, &$fileName, &$hookResult))) {
		wfForbidden($hookResult[0], $hookResult[1], array_slice($hookResult, 2));
		return;
	}

	// Per-title read check (also consults the whitelist).
	if (!$fileTitle->userCan('read')) {
		wfForbidden('img-auth-accessdenied', 'img-auth-noread', $fileName);
		return;
	}

	// Stream with headers that keep the response out of shared caches.
	wfDebugLog('img_auth', "Streaming `{$storagePath}`.");
	$localRepo->streamFile($storagePath, array('Cache-Control: private', 'Vary: Cookie'));
}
* **/ define('MW_NO_OUTPUT_COMPRESSION', 1); if (isset($_SERVER['MW_COMPILED'])) { require 'phase3/includes/WebStart.php'; } else { require dirname(__FILE__) . '/includes/WebStart.php'; } wfProfileIn('img_auth.php'); require_once dirname(__FILE__) . '/includes/StreamFile.php'; $wgActionPaths[] = $_SERVER['SCRIPT_NAME']; // See if this is a public Wiki (no protections) if ($wgImgAuthPublicTest && in_array('read', User::getGroupPermissions(array('*')), true)) { wfForbidden('img-auth-accessdenied', 'img-auth-public'); } $matches = WebRequest::getPathInfo(); $path = $matches['title']; // Check for bug 28235: QUERY_STRING overriding the correct extension $dotPos = strrpos($path, '.'); $whitelist = array(); if ($dotPos !== false) { $whitelist[] = substr($path, $dotPos + 1); } if (!$wgRequest->checkUrlExtension($whitelist)) { return; } $filename = realpath($wgUploadDirectory . $path); $realUpload = realpath($wgUploadDirectory); // Basic directory traversal check if (substr($filename, 0, strlen($realUpload)) != $realUpload) { wfForbidden('img-auth-accessdenied', 'img-auth-notindir');
/**
 * Entry point for img_auth.php: authorise and stream one file from the upload
 * zones (or an extension-registered backend) to the current user.
 *
 * Order of checks: resolve the path from PATH_INFO, guard the extension against
 * QUERY_STRING spoofing (bug 28235), serve paths matching $wgImgAuthUrlPathMap
 * from their own backend, otherwise map the path onto the local repo's
 * thumb/transcoded/public zone, require existence (and non-deleted status for
 * source files), run per-title authorization unless the wiki is public, then
 * stream with the collected headers.
 *
 * @return void
 */
function wfImageAuthMain() {
	global $wgImgAuthUrlPathMap;

	$webRequest = RequestContext::getMain()->getRequest();
	// A wiki where '*' has 'read' counts as public: the per-title authorization
	// block below is skipped and no private cache headers are added.
	$isPublicWiki = in_array('read', User::getGroupPermissions(array('*')), true);

	// Requested file path (source file or thumbnail), taken from PATH_INFO.
	$pathInfo = WebRequest::getPathInfo();
	if (!isset($pathInfo['title'])) {
		wfForbidden('img-auth-accessdenied', 'img-auth-nopathinfo');
		return;
	}
	$reqPath = $pathInfo['title'];
	if ($reqPath && substr($reqPath, 0, 1) !== '/') {
		$reqPath = '/' . $reqPath; // normalise to a leading slash
	}

	// Bug 28235: QUERY_STRING could override the correct extension, so only the
	// extension present in the path itself is whitelisted.
	$allowedExts = array();
	$ext = FileBackend::extensionFromPath($reqPath, 'rawcase');
	if ($ext != '') {
		$allowedExts[] = $ext;
	}
	if (!$webRequest->checkUrlExtension($allowedExts)) {
		return;
	}

	// Extensions may register their own backend under a URL prefix.
	// NOTE(review): this branch only checks the coarse 'read' right; the
	// ImgAuthBeforeStream hook and Title::userCan() below never run for it.
	foreach ($wgImgAuthUrlPathMap as $urlPrefix => $storageDir) {
		$normPrefix = rtrim($urlPrefix, '/') . '/'; // implicit trailing slash
		if (substr($reqPath, 0, strlen($normPrefix)) !== $normPrefix) {
			continue;
		}
		$backend = FileBackendGroup::singleton()->backendFromPath($storageDir);
		$storagePath = $storageDir . substr($reqPath, strlen($normPrefix)); // strip prefix

		if (!RequestContext::getMain()->getUser()->isAllowed('read')) {
			wfForbidden('img-auth-accessdenied', 'img-auth-noread', $reqPath);
			return;
		}

		$srcParams = array('src' => $storagePath);
		if (!$backend->fileExists($srcParams)) {
			wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $reqPath);
			return;
		}
		wfDebugLog('img_auth', "Streaming `{$storagePath}`.");
		$backend->streamFile($srcParams, array('Cache-Control: private', 'Vary: Cookie'));
		return;
	}

	// Local repo: the first path segment names the zone (false if there is none).
	$localRepo = RepoGroup::singleton()->getRepo('local');
	$zoneName = strstr(ltrim($reqPath, '/'), '/', true);

	if (in_array($zoneName, array('thumb', 'transcoded'), true)) {
		// Thumbnails/transcodes live under a folder named after the source file
		// (e.g. 120px-Foo.png => Foo.png, page2-120px-Foo.png => Foo.png), so
		// the source name is the parent directory.
		$fileName = wfBaseName(dirname($reqPath));
		$storagePath = $localRepo->getZonePath($zoneName) . substr($reqPath, strlen($zoneName) + 1);
		if (!$localRepo->fileExists($storagePath)) {
			wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $storagePath);
			return;
		}
	} else {
		// Source file, possibly an archived one under /archive/.
		$fileName = wfBaseName($reqPath);
		// NOTE(review): $reqPath is appended as-is; no '..' normalisation is
		// visible here, so traversal rejection is left to the repo/backend path
		// handling — confirm.
		$storagePath = $localRepo->getZonePath('public') . $reqPath;

		$archiveParts = explode('!', $fileName, 2);
		if (strpos($reqPath, '/archive/') === 0 && count($archiveParts) === 2) {
			$fileObj = $localRepo->newFromArchiveName($archiveParts[1], $fileName);
		} else {
			$fileObj = $localRepo->newFile($fileName);
		}
		// Must exist and must not be flagged as deleted.
		if (!$fileObj->exists() || $fileObj->isDeleted(File::DELETED_FILE)) {
			wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $storagePath);
			return;
		}
	}

	$extraHeaders = array(); // extra HTTP headers to send
	if (!$isPublicWiki) {
		// Private wiki: keep responses out of shared caches and run the full
		// per-title authorization.
		$extraHeaders = array('Cache-Control: private', 'Vary: Cookie');

		$fileTitle = Title::makeTitleSafe(NS_FILE, $fileName);
		if (!($fileTitle instanceof Title)) { // files have valid titles
			wfForbidden('img-auth-accessdenied', 'img-auth-badtitle', $fileName);
			return;
		}

		// Extension authorization plugins may veto; on veto $hookResult is
		// expected to carry the wfForbidden() arguments [msg1, msg2, ...params].
		/** @var $hookResult array */
		$hookResult = null;
		if (!wfRunHooks('ImgAuthBeforeStream', array(&$fileTitle, &$reqPath, &$fileName, &$hookResult))) {
			wfForbidden($hookResult[0], $hookResult[1], array_slice($hookResult, 2));
			return;
		}

		// Per-title read check (also consults the whitelist).
		if (!$fileTitle->userCan('read')) {
			wfForbidden('img-auth-accessdenied', 'img-auth-noread', $fileName);
			return;
		}
	}

	if ($webRequest->getCheck('download')) {
		$extraHeaders[] = 'Content-Disposition: attachment';
	}

	wfDebugLog('img_auth', "Streaming `{$storagePath}`.");
	$localRepo->streamFile($storagePath, $extraHeaders);
}
/**
 * Entry point for img_auth.php: authorise and stream one file from the upload
 * zones (or an extension-registered backend) to the current user.
 *
 * Order of checks: refuse on a public wiki (this script is for private wikis),
 * resolve the path from PATH_INFO, guard the extension against QUERY_STRING
 * spoofing (bug 28235), serve paths matching $wgImgAuthUrlPathMap from their
 * own backend, otherwise map the path onto the local repo's thumb or public
 * zone, require the file to exist, require a valid File: title, let the
 * ImgAuthBeforeStream hook veto, require per-title 'read', then stream.
 *
 * @return void
 */
function wfImageAuthMain() {
	global $wgImgAuthPublicTest, $wgImgAuthUrlPathMap, $wgRequest;

	// Private-wiki gate: if anonymous ('*') users may read, refuse to serve.
	if ($wgImgAuthPublicTest && in_array('read', User::getGroupPermissions(array('*')), true)) {
		wfForbidden('img-auth-accessdenied', 'img-auth-public');
		return;
	}

	// Requested file path (source file or thumbnail), taken from PATH_INFO.
	$pathInfo = WebRequest::getPathInfo();
	if (!isset($pathInfo['title'])) {
		wfForbidden('img-auth-accessdenied', 'img-auth-nopathinfo');
		return;
	}
	$reqPath = $pathInfo['title'];
	if ($reqPath && substr($reqPath, 0, 1) !== '/') {
		$reqPath = '/' . $reqPath; // normalise to a leading slash
	}

	// Bug 28235: QUERY_STRING could override the correct extension, so only the
	// extension present in the path itself is whitelisted.
	$allowedExts = array();
	$ext = FileBackend::extensionFromPath($reqPath, 'rawcase');
	if ($ext != '') {
		$allowedExts[] = $ext;
	}
	if (!$wgRequest->checkUrlExtension($allowedExts)) {
		return;
	}

	// Extensions may register their own backend under a URL prefix.
	// NOTE(review): this branch only checks the coarse 'read' right; the
	// ImgAuthBeforeStream hook and Title::userCan() below never run for it.
	foreach ($wgImgAuthUrlPathMap as $urlPrefix => $storageDir) {
		$normPrefix = rtrim($urlPrefix, '/') . '/'; // implicit trailing slash
		if (substr($reqPath, 0, strlen($normPrefix)) !== $normPrefix) {
			continue;
		}
		$backend = FileBackendGroup::singleton()->backendFromPath($storageDir);
		$storagePath = $storageDir . substr($reqPath, strlen($normPrefix)); // strip prefix

		if (!RequestContext::getMain()->getUser()->isAllowed('read')) {
			wfForbidden('img-auth-accessdenied', 'img-auth-noread', $reqPath);
			return;
		}

		$srcParams = array('src' => $storagePath);
		if (!$backend->fileExists($srcParams)) {
			wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $reqPath);
			return;
		}
		wfDebugLog('img_auth', "Streaming `{$storagePath}`.");
		$backend->streamFile($srcParams, array('Cache-Control: private', 'Vary: Cookie'));
		return;
	}

	$localRepo = RepoGroup::singleton()->getRepo('local');

	// Thumbnails live under a folder named after the source file
	// (e.g. 120px-Foo.png => Foo.png, page2-120px-Foo.png => Foo.png), so for
	// them the source name is the parent directory.
	// NOTE(review): $reqPath is appended as-is in both branches; no '..'
	// normalisation is visible here, so traversal rejection is left to the
	// repo/backend path handling — confirm.
	if (substr($reqPath, 0, 7) === '/thumb/') {
		$fileName = wfBaseName(dirname($reqPath)); // file is a thumbnail
		$storagePath = $localRepo->getZonePath('thumb') . substr($reqPath, 6); // strip "/thumb"
	} else {
		$fileName = wfBaseName($reqPath); // file is a source file
		$storagePath = $localRepo->getZonePath('public') . $reqPath;
	}

	if (!$localRepo->fileExists($storagePath)) {
		wfForbidden('img-auth-accessdenied', 'img-auth-nofile', $storagePath);
		return;
	}

	$fileTitle = Title::makeTitleSafe(NS_FILE, $fileName);
	if (!($fileTitle instanceof Title)) { // files have valid titles
		wfForbidden('img-auth-accessdenied', 'img-auth-badtitle', $fileName);
		return;
	}

	// Extension authorization plugins may veto; on veto $hookResult is expected
	// to carry the wfForbidden() arguments [msg1, msg2, ...params].
	/** @var $hookResult array */
	$hookResult = null;
	if (!wfRunHooks('ImgAuthBeforeStream', array(&$fileTitle, &$reqPath, &$fileName, &$hookResult))) {
		wfForbidden($hookResult[0], $hookResult[1], array_slice($hookResult, 2));
		return;
	}

	// Per-title read check (also consults the whitelist).
	if (!$fileTitle->userCan('read')) {
		wfForbidden('img-auth-accessdenied', 'img-auth-noread', $fileName);
		return;
	}

	// NOTE(review): Content-Disposition is emitted directly via header() while
	// the cache headers are handed to streamFile(); the two are not sent by the
	// same mechanism.
	if ($wgRequest->getCheck('download')) {
		header('Content-Disposition: attachment');
	}

	wfDebugLog('img_auth', "Streaming `{$storagePath}`.");
	$localRepo->streamFile($storagePath, array('Cache-Control: private', 'Vary: Cookie'));
}