r63432 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r63431‎ \| r63432 \| r63433 >
Date:	22:40, 8 March 2010
Author:	tstarling
Status:	ok
Tags:
Comment:	MFT r63431: Fix data leakage from thumb.php for wikis where access to images is restricted (e.g. using img_auth.php).
Modified paths:	/branches/wmf-deployment/thumb.php (modified) (history)

Diff [purge]

Index: branches/wmf-deployment/thumb.php
—	—	@@ -20,6 +20,9 @@
21	21
22	22	function wfThumbMain() {
23	23	wfProfileIn( __METHOD__ );
	24	+
	25	+ $headers = array();
	26	+
24	27	// Get input parameters
25	28	if ( get_magic_quotes_gpc() ) {
26	29	$params = array_map( 'stripslashes', $_REQUEST );
—	—	@@ -65,6 +68,17 @@
66	69	$img = wfLocalFile( $fileName );
67	70	}
68	71
	72	+ // Check permissions if there are read restrictions
	73	+ if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
	74	+ if ( !$img->getTitle()->userCanRead() ) {
	75	+ wfThumbError( 403, 'Access denied. You do not have permission to access ' .
	76	+ 'the source file.' );
	77	+ return;
	78	+ }
	79	+ $headers[] = 'Cache-Control: private';
	80	+ $headers[] = 'Vary: Cookie';
	81	+ }
	82	+
69	83	if ( !$img ) {
70	84	wfThumbError( 404, wfMsg( 'badtitletext' ) );
71	85	return;
—	—	@@ -101,7 +115,7 @@
102	116	$thumbPath = $img->getThumbPath( $thumbName );
103	117
104	118	if ( is_file( $thumbPath ) ) {
105		~~- wfStreamFile( $thumbPath );~~
	119	+ wfStreamFile( $thumbPath, $headers );
106	120	return;
107	121	}
108	122	}
—	—	@@ -128,7 +142,7 @@
129	143	$errorMsg = wfMsgHtml( 'thumbnail_error', 'Image was not scaled, ' .
130	144	'is the requested width bigger than the source?' );
131	145	} else {
132		~~- wfStreamFile( $thumb->getPath() );~~
	146	+ wfStreamFile( $thumb->getPath(), $headers );
133	147	}
134	148	if ( $errorMsg !== false ) {
135	149	wfThumbError( 500, $errorMsg );
—	—	@@ -143,6 +157,9 @@
144	158	header( 'Content-Type: text/html; charset=utf-8' );
145	159	if ( $status == 404 ) {
146	160	header( 'HTTP/1.1 404 Not found' );
	161	+ } elseif ( $status == 403 ) {
	162	+ header( 'HTTP/1.1 403 Forbidden' );
	163	+ header( 'Vary: Cookie' );
147	164	} else {
148	165	header( 'HTTP/1.1 500 Internal server error' );
149	166	}

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r63431	Fix data leakage from thumb.php for wikis where access to images is restricte...	tstarling	22:39, 8 March 2010

Status & tagging log

22:44, 8 March 2010 😂 (talk | contribs) changed the status of r63432 [removed: new added: ok]