r63436 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r63435‎ \| r63436 \| r63437 >
Date:	22:49, 8 March 2010
Author:	tstarling
Status:	ok
Tags:
Comment:	* MFT r63431: Fix data leakage from thumb.php for wikis where access to images is restricted (e.g. using img_auth.php). * Updated RELEASE-NOTES ready for release today.
Modified paths:	/branches/REL1_15/phase3/RELEASE-NOTES (modified) (history) /branches/REL1_15/phase3/thumb.php (modified) (history)

Diff [purge]

Index: branches/REL1_15/phase3/thumb.php
—	—	@@ -20,6 +20,9 @@
21	21
22	22	function wfThumbMain() {
23	23	wfProfileIn( __METHOD__ );
	24	+
	25	+ $headers = array();
	26	+
24	27	// Get input parameters
25	28	if ( get_magic_quotes_gpc() ) {
26	29	$params = array_map( 'stripslashes', $_REQUEST );
—	—	@@ -65,6 +68,17 @@
66	69	$img = wfLocalFile( $fileName );
67	70	}
68	71
	72	+ // Check permissions if there are read restrictions
	73	+ if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
	74	+ if ( !$img->getTitle()->userCanRead() ) {
	75	+ wfThumbError( 403, 'Access denied. You do not have permission to access ' .
	76	+ 'the source file.' );
	77	+ return;
	78	+ }
	79	+ $headers[] = 'Cache-Control: private';
	80	+ $headers[] = 'Vary: Cookie';
	81	+ }
	82	+
69	83	if ( !$img ) {
70	84	wfThumbError( 404, wfMsg( 'badtitletext' ) );
71	85	return;
—	—	@@ -101,7 +115,7 @@
102	116	$thumbPath = $img->getThumbPath( $thumbName );
103	117
104	118	if ( is_file( $thumbPath ) ) {
105		~~- wfStreamFile( $thumbPath );~~
	119	+ wfStreamFile( $thumbPath, $headers );
106	120	return;
107	121	}
108	122	}
—	—	@@ -128,7 +142,7 @@
129	143	$errorMsg = wfMsgHtml( 'thumbnail_error', 'Image was not scaled, ' .
130	144	'is the requested width bigger than the source?' );
131	145	} else {
132		~~- wfStreamFile( $thumb->getPath() );~~
	146	+ wfStreamFile( $thumb->getPath(), $headers );
133	147	}
134	148	if ( $errorMsg !== false ) {
135	149	wfThumbError( 500, $errorMsg );
—	—	@@ -143,6 +157,9 @@
144	158	header( 'Content-Type: text/html; charset=utf-8' );
145	159	if ( $status == 404 ) {
146	160	header( 'HTTP/1.1 404 Not found' );
	161	+ } elseif ( $status == 403 ) {
	162	+ header( 'HTTP/1.1 403 Forbidden' );
	163	+ header( 'Vary: Cookie' );
147	164	} else {
148	165	header( 'HTTP/1.1 500 Internal server error' );
149	166	}
Index: branches/REL1_15/phase3/RELEASE-NOTES
—	—	@@ -5,6 +5,10 @@
6	6
7	7	== MediaWiki 1.15.2 ==
8	8
	9	+March 8, 2010
	10	+
	11	+This is a security and maintenance release.
	12	+
9	13	MediaWiki is now using a "continuous integration" development model with
10	14	quarterly snapshot releases. The latest development code is always kept
11	15	"ready to run", and in fact runs our own sites on Wikipedia.
—	—	@@ -28,6 +32,9 @@
29	33	* upgrade1_5.php now requires to be run --update option to prevent confusion
30	34	* Fixed a CSS validation issue which allowed external images to be included
31	35	into wikis where that is disallowed by configuration.
	36	+* Fixed a data leakage vulnerability for private wikis using img_auth.php or
	37	+ similar image access authentication schemes. Check user permissions before
	38	+ streaming out scaled images from thumb.php.
32	39
33	40	=== Changes since 1.15.0 ===
34	41

Follow-up revisions

Revision	Commit summary	Author	Date
r63437	Merge r63436 RELEASE-NOTES to trunk HISTORY	demon	22:52, 8 March 2010
r63439	Merge r63436 RELEASE-NOTES to 1.16 HISTORY	demon	22:52, 8 March 2010

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r63431	Fix data leakage from thumb.php for wikis where access to images is restricte...	tstarling	22:39, 8 March 2010

Status & tagging log

22:49, 8 March 2010 😂 (talk | contribs) changed the status of r63436 [removed: new added: ok]