/**
 * Stream the image for the current captcha record straight to the browser.
 *
 * Normal page output is disabled first. The salt and hash used to locate the
 * image come from the stored captcha record returned by retrieveCaptcha(),
 * not from the request. Any failure (no record, image file missing) is
 * answered with an HTTP 500.
 *
 * @return bool true when the image was streamed, false otherwise
 */
function showImage() {
    global $wgOut;
    $wgOut->disable();

    $captcha = $this->retrieveCaptcha();
    if ( $captcha ) {
        // The "only one view per captcha" rule (403 "Can't view captcha image a
        // second time") stays switched off: at least Konqueror re-requests the
        // image without leaving the page. The view time is still recorded.
        $captcha['viewed'] = wfTimestamp();
        $this->storeCaptcha( $captcha );

        $imageFile = $this->imagePath( $captcha['salt'], $captcha['hash'] );
        if ( file_exists( $imageFile ) ) {
            global $IP;
            require_once "{$IP}/includes/StreamFile.php";
            // Cacheable by the browser only, never by a shared cache.
            header( "Cache-Control: private, s-maxage=0, max-age=3600" );
            wfStreamFile( $imageFile );
            return true;
        }
    }

    wfHttpError( 500, 'Internal Error', 'Requested bogus captcha image' );
    return false;
}
} // OK, no valid thumbnail, time to get out the heavy machinery wfProfileOut('thumb.php-start'); require_once 'Setup.php'; wfProfileIn('thumb.php-render'); $img = Image::newFromName($fileName); try { if ($img) { if (!is_null($page)) { $img->selectPage($page); } $thumb = $img->renderThumb($width, false); } else { $thumb = false; } } catch (Exception $ex) { // Tried to select a page on a non-paged file? $thumb = false; } if ($thumb && $thumb->path) { wfStreamFile($thumb->path); } else { $badtitle = wfMsg('badtitle'); $badtitletext = wfMsg('badtitletext'); header('Cache-Control: no-cache'); header('Content-Type: text/html; charset=utf-8'); echo "<html><head>\n\t<title>{$badtitle}</title>\n\t<body>\n<h1>{$badtitle}</h1>\n<p>{$badtitletext}</p>\n</body></html>\n"; } wfProfileOut('thumb.php-render'); wfProfileOut('thumb.php'); wfLogProfilingData();
// Check the whitelist if needed if (!$wgUser->getId() && (!is_array($wgWhitelistRead) || !in_array($title, $wgWhitelistRead))) { wfDebugLog('img_auth', "Not logged in and `{$title}` not in whitelist."); wfForbidden(); } if (!file_exists($filename)) { wfDebugLog('img_auth', "`{$filename}` does not exist"); wfForbidden(); } if (is_dir($filename)) { wfDebugLog('img_auth', "`{$filename}` is a directory"); wfForbidden(); } // Stream the requested file wfDebugLog('img_auth', "Streaming `{$filename}`"); wfStreamFile($filename, array('Cache-Control: private', 'Vary: Cookie')); wfLogProfilingData(); /** * Issue a standard HTTP 403 Forbidden header and a basic * error message, then end the script */ function wfForbidden() { header('HTTP/1.0 403 Forbidden'); header('Vary: Cookie'); header('Content-Type: text/html; charset=utf-8'); echo <<<ENDS <html> <body> <h1>Access Denied</h1> <p>You need to log in to access files on this server.</p>
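/**
 * Stream a contained file directly to HTTP output.
 *
 * Emits a 400 when $key is not a well-formed filename (filePath() returned
 * false) and a 404 when the file is absent.
 *
 * @param string $key Filename key within this store; also offered to the
 *   browser as the suggested save name.
 * @return bool true on success, false on failure
 */
function stream( $key ) {
    $path = $this->filePath( $key );
    if ( $path === false ) {
        wfHttpError( 400, "Bad request", "Invalid or badly-formed filename." );
        return false;
    }
    if ( !file_exists( $path ) ) {
        wfHttpError( 404, "Not found", "The requested resource does not exist." );
        return false;
    }

    // Set the filename for more convenient save behavior from browsers.
    // filePath() has already accepted $key, but a quoted header value must not
    // contain '"', '\', CR, LF or NUL, so scrub those rather than rely on the
    // key validation rules happening to exclude them (answers the old FIXME).
    $saveName = preg_replace( '/["\\\\\r\n\x00]/', '', $key );
    header( 'Content-Disposition: inline; filename="' . $saveName . '"' );

    require_once 'StreamFile.php';
    wfStreamFile( $path );
    // The documented contract is a boolean; the old code fell off the end
    // (returning null) on the success path.
    return true;
}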
/**
 * Stream the image for the current captcha record to the browser (Wikia variant).
 *
 * Differs from the stock version in answering 404 instead of 500 when the
 * record or the image file is missing, and in writing the reason to the
 * Wikia log. Salt and hash come from the stored captcha record, not from the
 * request.
 *
 * @return bool true when the image was streamed, false otherwise
 */
function showImage() {
    global $wgOut;
    /* Wikia change start */
    $error = null;
    /* Wikia change end */
    $wgOut->disable();

    $captcha = $this->retrieveCaptcha();
    if ( !$captcha ) {
        $error = 'Info is empty';
    } else {
        // The "only one view per captcha" rule (403 "Can't view captcha image a
        // second time") stays switched off: at least Konqueror re-requests the
        // image without leaving the page. The view time is still recorded.
        $captcha['viewed'] = wfTimestamp();
        $this->storeCaptcha( $captcha );

        $imageFile = $this->imagePath( $captcha['salt'], $captcha['hash'] );
        if ( file_exists( $imageFile ) ) {
            global $IP;
            require_once "{$IP}/includes/StreamFile.php";
            // Cacheable by the browser only, never by a shared cache.
            header( "Cache-Control: private, s-maxage=0, max-age=3600" );
            wfStreamFile( $imageFile );
            return true;
        }
        $error = 'File ' . $imageFile . ' does not exist';
    }

    wfHttpError( 404, '404 not found', 'Requested non-existing captcha image' );
    Wikia::log( __METHOD__, '', 'Captcha returned 404: ' . $error );
    /* Wikia change end */
    return false;
}
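/**
 * Entry point for thumb.php: locate (or render on demand) a thumbnail of the
 * file named by the 'f' request parameter and stream it to the client.
 *
 * Other request parameters: width (alias 'w'), page (alias 'p'), archived
 * (thumbnail of an archived version, whose name is "<timestamp>!<name>").
 * 'r' is ignored because File::RENDER_NOW is passed unconditionally.
 *
 * Writes the response itself through wfStreamFile()/wfThumbError(); every
 * exit path balances the wfProfileIn() at the top. Returns nothing.
 */
function wfThumbMain() {
    wfProfileIn( __METHOD__ );
    $headers = array();

    // Get input parameters
    if ( get_magic_quotes_gpc() ) {
        $params = array_map( 'stripslashes', $_REQUEST );
    } else {
        $params = $_REQUEST;
    }
    $fileName = isset( $params['f'] ) ? $params['f'] : '';
    unset( $params['f'] );

    // Backwards compatibility parameters
    if ( isset( $params['w'] ) ) {
        $params['width'] = $params['w'];
        unset( $params['w'] );
    }
    if ( isset( $params['p'] ) ) {
        $params['page'] = $params['p'];
    }
    unset( $params['r'] ); // ignore 'r' because we unconditionally pass File::RENDER

    // Is this a thumb of an archived file?
    $isOld = isset( $params['archived'] ) && $params['archived'];
    unset( $params['archived'] );

    // Some basic input validation: a file name must not carry path
    // components, so both separators are replaced before the repo sees it.
    $fileName = strtr( $fileName, '\\/', '__' );

    // Actually fetch the image. Method depends on whether it is archived or not.
    if ( $isOld ) {
        // Format is <timestamp>!<name>
        $bits = explode( '!', $fileName, 2 );
        if ( !isset( $bits[1] ) ) {
            wfThumbError( 404, wfMsg( 'badtitletext' ) );
            wfProfileOut( __METHOD__ );
            return;
        }
        $title = Title::makeTitleSafe( NS_FILE, $bits[1] );
        if ( is_null( $title ) ) {
            wfThumbError( 404, wfMsg( 'badtitletext' ) );
            wfProfileOut( __METHOD__ );
            return;
        }
        $img = RepoGroup::singleton()->getLocalRepo()->newFromArchiveName( $title, $fileName );
    } else {
        $img = wfLocalFile( $fileName );
    }

    // An unresolvable name has to be rejected before anything dereferences
    // $img: the previous ordering called $img->getTitle() in the permission
    // check first, which is a fatal error when the lookup returned false/null.
    if ( !$img ) {
        wfThumbError( 404, wfMsg( 'badtitletext' ) );
        wfProfileOut( __METHOD__ );
        return;
    }

    // Check permissions if there are read restrictions
    if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
        if ( !$img->getTitle()->userCanRead() ) {
            wfThumbError( 403, 'Access denied. You do not have permission to access ' .
                'the source file.' );
            wfProfileOut( __METHOD__ );
            return;
        }
        // The answer depends on who asked; keep shared caches out of it.
        $headers[] = 'Cache-Control: private';
        $headers[] = 'Vary: Cookie';
    }

    if ( !$img->exists() ) {
        wfThumbError( 404, 'The source file for the specified thumbnail does not exist.' );
        wfProfileOut( __METHOD__ );
        return;
    }
    $sourcePath = $img->getPath();
    if ( $sourcePath === false ) {
        wfThumbError( 500, 'The source file is not locally accessible.' );
        wfProfileOut( __METHOD__ );
        return;
    }

    // Check IMS against the source file
    // This means that clients can keep a cached copy even after it has been deleted on the server
    if ( !empty( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) {
        // Fix IE brokenness
        $imsString = preg_replace( '/;.*$/', '', $_SERVER["HTTP_IF_MODIFIED_SINCE"] );
        // Calculate time
        wfSuppressWarnings();
        $imsUnix = strtotime( $imsString );
        $stat = stat( $sourcePath );
        wfRestoreWarnings();
        // stat() returns false on failure and false['mtime'] is null, which
        // compares <= any timestamp; only answer 304 from real values.
        if ( $stat !== false && $imsUnix !== false && $stat['mtime'] <= $imsUnix ) {
            header( 'HTTP/1.1 304 Not Modified' );
            wfProfileOut( __METHOD__ );
            return;
        }
    }

    // Stream the file if it exists already
    try {
        if ( false != ( $thumbName = $img->thumbName( $params ) ) ) {
            $thumbPath = $img->getThumbPath( $thumbName );
            if ( is_file( $thumbPath ) ) {
                wfStreamFile( $thumbPath, $headers );
                wfProfileOut( __METHOD__ );
                return;
            }
        }
    } catch ( MWException $e ) {
        wfThumbError( 500, $e->getHTML() );
        wfProfileOut( __METHOD__ );
        return;
    }

    try {
        $thumb = $img->transform( $params, File::RENDER_NOW );
    } catch ( Exception $ex ) {
        // Tried to select a page on a non-paged file?
        $thumb = false;
    }

    $errorMsg = false;
    if ( !$thumb ) {
        $errorMsg = wfMsgHtml( 'thumbnail_error', 'File::transform() returned false' );
    } elseif ( $thumb->isError() ) {
        $errorMsg = $thumb->getHtmlMsg();
    } elseif ( !$thumb->getPath() ) {
        $errorMsg = wfMsgHtml( 'thumbnail_error', 'No path supplied in thumbnail object' );
    } elseif ( $thumb->getPath() == $img->getPath() ) {
        $errorMsg = wfMsgHtml( 'thumbnail_error', 'Image was not scaled, ' .
            'is the requested width bigger than the source?' );
    } else {
        wfStreamFile( $thumb->getPath(), $headers );
    }

    if ( $errorMsg !== false ) {
        wfThumbError( 500, $errorMsg );
    }

    wfProfileOut( __METHOD__ );
}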
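/**
 * Show a deleted file version requested by the visitor.
 *
 * Streams the file straight out of the repo's 'deleted' zone with all caching
 * disabled, so that an admin's preview can never be replayed by a shared
 * cache to someone without the right to see it.
 *
 * @param string $key Storage key of the deleted file. It is spliced into a
 *   filesystem path, so it must be a bare name with no path components.
 */
private function showFile( $key ) {
    // Defence in depth: the caller is expected to have validated $key already
    // (not visible here - confirm), but a key carrying a directory separator,
    // NUL, or a dot-segment would let the path built below leave the deleted
    // zone, so refuse such a key regardless of what the caller did.
    if ( !is_string( $key ) || $key === '' || $key === '.' || $key === '..'
        || strpbrk( $key, "/\\\0" ) !== false
    ) {
        wfHttpError( 400, 'Bad request', 'Invalid deleted file key.' );
        return;
    }

    $this->getOutput()->disable();

    # We mustn't allow the output to be Squid cached, otherwise
    # if an admin previews a deleted image, and it's cached, then
    # a user without appropriate permissions can toddle off and
    # nab the image, and Squid will serve it
    $response = $this->getRequest()->response();
    $response->header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', 0 ) . ' GMT' );
    $response->header( 'Cache-Control: no-cache, no-store, max-age=0, must-revalidate' );
    $response->header( 'Pragma: no-cache' );

    global $IP;
    require_once "{$IP}/includes/StreamFile.php";

    $repo = RepoGroup::singleton()->getLocalRepo();
    $path = $repo->getZonePath( 'deleted' ) . '/' . $repo->getDeletedHashPath( $key ) . $key;
    wfStreamFile( $path );
}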
// Run hook if (!wfRunHooks('ImgAuthBeforeStream', array(&$title, &$path, &$name, &$result))) { wfForbidden($result[0], $result[1], array_slice($result, 2)); } // Check user authorization for this title // UserCanRead Checks Whitelist too if (!$title->userCanRead()) { wfForbidden('img-auth-accessdenied', 'img-auth-noread', $name); } // Stream the requested file wfDebugLog('img_auth', "Streaming `" . $filename . "`."); # PATCH if (!isset($wgImgAuthMaxAge)) { $wgImgAuthMaxAge = 0; } wfStreamFile($filename, array("Cache-Control:max-age={$wgImgAuthMaxAge}", 'Vary: Cookie')); # /PATCH // This was added by Yann Missler for Seizam wfRunHooks('ImgAuthFullyStreamedFile', array(&$title, $filename)); /* $wikiplaces_img_auth_file_mod = dirname( __FILE__ ) .'/extensions/Wikiplaces/Wikiplaces.img_auth.php'; if ( file_exists($wikiplaces_img_auth_file_mod) ) { // ensure to not break img_auth if wikiplaces not available require_once ( $wikiplaces_img_auth_file_mod ); WikiplacesImgAuth::onImgAuthFullyStreamedFile($filename); }*/ wfLogProfilingData(); /** * Issue a standard HTTP 403 Forbidden header ($msg1-a message index, not a message) and an * error message ($msg2, also a message index), (both required) then end the script * subsequent arguments to $msg2 will be passed as parameters only for replacing in $msg2 */
/**
 * Show a deleted file version requested by the visitor.
 * TODO Mostly copied from Special:Undelete. Refactor.
 *
 * Order of checks: the archived file must exist; the user must be allowed to
 * see deleted files (the stronger 'suppressrevision' right when the file is
 * restricted); and the request must carry an edit token bound to
 * $archiveName. Without the token a confirmation form is rendered instead of
 * the file, so a plain link cannot pull the bytes directly. Only then is the
 * file streamed, with caching disabled.
 *
 * @param string $archiveName Archive name of the deleted file version
 */
protected function tryShowFile($archiveName) {
    global $wgOut, $wgRequest, $wgUser, $wgLang;
    $repo = RepoGroup::singleton()->getLocalRepo();
    $oimage = $repo->newFromArchiveName($this->targetObj, $archiveName);
    $oimage->load();
    // Check if user is allowed to see this file
    if (!$oimage->exists()) {
        $wgOut->addWikiMsg('revdelete-no-file');
        return;
    }
    if (!$oimage->userCan(File::DELETED_FILE)) {
        // A restricted (suppressed) file demands the stronger right.
        if ($oimage->isDeleted(File::DELETED_RESTRICTED)) {
            $wgOut->permissionRequired('suppressrevision');
        } else {
            $wgOut->permissionRequired('deletedtext');
        }
        return;
    }
    if (!$wgUser->matchEditToken($this->token, $archiveName)) {
        // No valid token for this archive name: offer a POST confirmation form
        // whose token is tied to $archiveName instead of serving the file.
        $wgOut->addWikiMsg('revdelete-show-file-confirm', $this->targetObj->getText(), $wgLang->date($oimage->getTimestamp()), $wgLang->time($oimage->getTimestamp()));
        $wgOut->addHTML(Xml::openElement('form', array('method' => 'POST', 'action' => $this->getTitle()->getLocalUrl('target=' . urlencode($oimage->getName()) . '&file=' . urlencode($archiveName) . '&token=' . urlencode($wgUser->editToken($archiveName))))) . Xml::submitButton(wfMsg('revdelete-show-file-submit')) . '</form>');
        return;
    }
    $wgOut->disable();
    # We mustn't allow the output to be Squid cached, otherwise
    # if an admin previews a deleted image, and it's cached, then
    # a user without appropriate permissions can toddle off and
    # nab the image, and Squid will serve it
    $wgRequest->response()->header('Expires: ' . gmdate('D, d M Y H:i:s', 0) . ' GMT');
    $wgRequest->response()->header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');
    $wgRequest->response()->header('Pragma: no-cache');
    # Stream the file to the client
    global $IP;
    require_once "{$IP}/includes/StreamFile.php";
    # The path is built from the archived file's stored key (not from the
    # request) inside the repo's 'deleted' zone.
    $key = $oimage->getStorageKey();
    $path = $repo->getZonePath('deleted') . '/' . $repo->getDeletedHashPath($key) . $key;
    wfStreamFile($path);
}
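# img_auth.php: serve a file from $wgUploadDirectory to logged-in users (or to
# anyone, for images listed in $wgWhitelistRead). The file is named by
# PATH_INFO; every failure answers 403 through wfForbidden(), which exits.
require_once './LocalSettings.php';
require_once 'includes/Setup.php';
require_once 'includes/StreamFile.php';

if ( !isset( $_SERVER['PATH_INFO'] ) ) {
    wfForbidden();
}

# Get filenames/directories
# realpath() resolves symlinks and ".." segments and returns false when the
# target does not exist.
$filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );
$realUploadDirectory = realpath( $wgUploadDirectory );
$imageName = $wgLang->getNsText( NS_IMAGE ) . ":" . basename( $_SERVER['PATH_INFO'] );

# Check if the filename is in the correct directory.
# A bare prefix comparison still accepts a sibling directory whose name merely
# starts with the upload directory (".../images_private" next to ".../images",
# reachable as "/../images_private/x" once realpath() has collapsed the ".."),
# so the directory separator after the prefix is required as well.
$uploadPrefix = $realUploadDirectory . DIRECTORY_SEPARATOR;
if ( $filename === false || $realUploadDirectory === false
    || strncmp( $filename, $uploadPrefix, strlen( $uploadPrefix ) ) !== 0
) {
    wfForbidden();
}

# Anonymous visitors may only fetch whitelisted images.
if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead, true ) && !$wgUser->getID() ) {
    wfForbidden();
}

if ( !file_exists( $filename ) ) {
    wfForbidden();
}
if ( is_dir( $filename ) ) {
    wfForbidden();
}

# Write file
wfStreamFile( $filename );

/**
 * Issue an HTTP 403 with a minimal HTML body and stop the script.
 */
function wfForbidden() {
    header( 'HTTP/1.0 403 Forbidden' );
    print "<html><body>\n<h1>Access denied</h1>\n<p>You need to log in to access files on this server</p>\n</body></html>";
    exit;
}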
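/**
 * Entry point for thumb.php: locate (or render on demand) a thumbnail of the
 * file named by the 'f' request parameter and stream it to the client.
 *
 * Other request parameters: width (alias 'w'), page (alias 'p'); 'r' is
 * dropped because File::RENDER_NOW is passed unconditionally.
 *
 * Writes the response itself through wfStreamFile()/wfThumbError(). Every
 * exit path now balances the wfProfileIn() at the top; the old early returns
 * left the profiler section open. Returns nothing.
 */
function wfThumbMain() {
    wfProfileIn( __METHOD__ );

    // Get input parameters
    if ( get_magic_quotes_gpc() ) {
        $params = array_map( 'stripslashes', $_REQUEST );
    } else {
        $params = $_REQUEST;
    }
    $fileName = isset( $params['f'] ) ? $params['f'] : '';
    unset( $params['f'] );

    // Backwards compatibility parameters
    if ( isset( $params['w'] ) ) {
        $params['width'] = $params['w'];
        unset( $params['w'] );
    }
    if ( isset( $params['p'] ) ) {
        $params['page'] = $params['p'];
    }
    unset( $params['r'] );

    // Some basic input validation: a file name must not carry path
    // components, so both separators are replaced before the repo sees it.
    $fileName = strtr( $fileName, '\\/', '__' );

    $img = wfLocalFile( $fileName );
    if ( !$img ) {
        wfThumbError( 404, wfMsg( 'badtitletext' ) );
        wfProfileOut( __METHOD__ );
        return;
    }
    if ( !$img->exists() ) {
        wfThumbError( 404, 'The source file for the specified thumbnail does not exist.' );
        wfProfileOut( __METHOD__ );
        return;
    }
    $sourcePath = $img->getPath();
    if ( $sourcePath === false ) {
        wfThumbError( 500, 'The source file is not locally accessible.' );
        wfProfileOut( __METHOD__ );
        return;
    }

    // Check IMS against the source file
    // This means that clients can keep a cached copy even after it has been deleted on the server
    if ( !empty( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) {
        // Fix IE brokenness
        $imsString = preg_replace( '/;.*$/', '', $_SERVER["HTTP_IF_MODIFIED_SINCE"] );
        // Calculate time
        wfSuppressWarnings();
        $imsUnix = strtotime( $imsString );
        wfRestoreWarnings();
        $stat = @stat( $sourcePath );
        // stat() returns false on failure and false['mtime'] is null, which
        // compares <= any timestamp; only answer 304 from real values.
        if ( $stat !== false && $imsUnix !== false && $stat['mtime'] <= $imsUnix ) {
            header( 'HTTP/1.1 304 Not Modified' );
            wfProfileOut( __METHOD__ );
            return;
        }
    }

    // Stream the file if it exists already
    try {
        if ( false != ( $thumbName = $img->thumbName( $params ) ) ) {
            $thumbPath = $img->getThumbPath( $thumbName );
            if ( is_file( $thumbPath ) ) {
                wfStreamFile( $thumbPath );
                wfProfileOut( __METHOD__ );
                return;
            }
        }
    } catch ( MWException $e ) {
        wfThumbError( 500, $e->getHTML() );
        wfProfileOut( __METHOD__ );
        return;
    }

    try {
        $thumb = $img->transform( $params, File::RENDER_NOW );
    } catch ( Exception $ex ) {
        // Tried to select a page on a non-paged file?
        $thumb = false;
    }

    $errorMsg = false;
    if ( !$thumb ) {
        $errorMsg = wfMsgHtml( 'thumbnail_error', 'File::transform() returned false' );
    } elseif ( $thumb->isError() ) {
        $errorMsg = $thumb->getHtmlMsg();
    } elseif ( !$thumb->getPath() ) {
        $errorMsg = wfMsgHtml( 'thumbnail_error', 'No path supplied in thumbnail object' );
    } elseif ( $thumb->getPath() == $img->getPath() ) {
        $errorMsg = wfMsgHtml( 'thumbnail_error', 'Image was not scaled, ' . 'is the requested width bigger than the source?' );
    } else {
        wfStreamFile( $thumb->getPath() );
    }

    if ( $errorMsg !== false ) {
        wfThumbError( 500, $errorMsg );
    }

    wfProfileOut( __METHOD__ );
}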