wiki.techinc.nl/img_auth.php

<?php

/**
 * Image authorisation script
 *
 * To use this, see http://www.mediawiki.org/wiki/Manual:Image_Authorization
 *
 * - Set $wgUploadDirectory to a non-public directory (not web accessible)
 * - Set $wgUploadPath to point to this file
 *
 * Optional Parameters
 *
 * - Set $wgImgAuthDetails = true if you want the reason the access was denied messages to be displayed 
 *       instead of just the 403 error (doesn't work on IE anyway),  otherwise will only appear in error logs
 * - Set $wgImgAuthPublicTest false if you don't want to just check and see if all are public
 *       must be set to false if using specific restrictions such as LockDown or NSFileRepo
 *
 *  For security reasons, you usually don't want your user to know *why* access was denied, just that it was.
 *  If you want to change this, you can set $wgImgAuthDetails to 'true' in localsettings.php and it will give the user the reason
 *  why access was denied.
 *
 * Your server needs to support PATH_INFO; CGI-based configurations usually don't.
 *
 * @file
 *
 **/

define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
require_once( dirname( __FILE__ ) . '/includes/WebStart.php' );
wfProfileIn( 'img_auth.php' );
require_once( dirname( __FILE__ ) . '/includes/StreamFile.php' );

$perms = User::getGroupPermissions( array( '*' ) );

// See if this is a public Wiki (no protections)
if ( $wgImgAuthPublicTest && in_array( 'read', $perms, true ) )
	wfForbidden('img-auth-accessdenied','img-auth-public');

// Extract path and image information
if( !isset( $_SERVER['PATH_INFO'] ) )
	wfForbidden('img-auth-accessdenied','img-auth-nopathinfo');

$path = $_SERVER['PATH_INFO'];
$filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );
$realUpload = realpath( $wgUploadDirectory );

// Basic directory traversal check
if( substr( $filename, 0, strlen( $realUpload ) ) != $realUpload )
	wfForbidden('img-auth-accessdenied','img-auth-notindir');

// Extract the file name and chop off the size specifier
// (e.g. 120px-Foo.png => Foo.png)
$name = wfBaseName( $path );
if( preg_match( '!\d+px-(.*)!i', $name, $m ) )
	$name = $m[1];

// Check to see if the file exists
if( !file_exists( $filename ) )
	wfForbidden('img-auth-accessdenied','img-auth-nofile',htmlspecialchars($filename));

// Check to see if tried to access a directory
if( is_dir( $filename ) )
	wfForbidden('img-auth-accessdenied','img-auth-isdir',htmlspecialchars($filename));


$title = Title::makeTitleSafe( NS_FILE, $name );

// See if could create the title object
if( !$title instanceof Title ) 
	wfForbidden('img-auth-accessdenied','img-auth-badtitle',htmlspecialchars($name));

// Run hook
if (!wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) )
	call_user_func_array('wfForbidden',merge_array(array($result[0],$result[1]),array_slice($result,2)));
	
//  Check user authorization for this title
//  UserCanRead Checks Whitelist too
if( !$title->userCanRead() )
	wfForbidden('img-auth-accessdenied','img-auth-noread',htmlspecialchars($name));


// Stream the requested file
wfDebugLog( 'img_auth', "Streaming `".htmlspecialchars($filename)."`." );
wfStreamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );
wfLogProfilingData();

/**
 * Issue a standard HTTP 403 Forbidden header ($msg1-a message index, not a message) and an
 * error message ($msg2, also a message index), (both required) then end the script
 * subsequent arguments to $msg2 will be passed as parameters only for replacing in $msg2 
 */
function wfForbidden($msg1,$msg2) {
	global $wgImgAuthDetails;
	$args = func_get_args();
	array_shift( $args );
	array_shift( $args );
	$MsgHdr = wfMsgHTML($msg1);
	$detailMsg = call_user_func_array('wfMsgHTML',array_merge(array($wgImgAuthDetails ? $msg2 : 'badaccess-group0'),$args));
	wfDebugLog('img_auth', "wfForbidden Hdr:".wfMsgExt( $msg1, array('language' => 'en'))." Msg: ".
				call_user_func_array('wfMsgExt',array_merge( array($msg2, array('language' => 'en')),$args)));
	header( 'HTTP/1.0 403 Forbidden' );
	header( 'Cache-Control: no-cache' );
	header( 'Content-Type: text/html; charset=utf-8' );
	echo <<<ENDS
<html>
<body>
<h1>$MsgHdr</h1>
<p>$detailMsg</p>
</body>
</html>
ENDS;
	wfLogProfilingData();
	exit();
}
Script to allow MediaWiki-based authentication for downloading items from the upload directory. To use, deny access to the actual directory, and set $wgUploadPath to this script. Image URLs will be of the form "http://server.com/wiki/img_auth.php/0/00/Image.png". The script checks the cookies and the session data, and if everything is OK, streams out the named file. 2004-06-07 06:57:53 +00:00			`<?php`
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00
* phpdoc for file description * single quotes 2005-01-27 04:30:18 +00:00			`/**`
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`* Image authorisation script`
			`*`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`* To use this, see http://www.mediawiki.org/wiki/Manual:Image_Authorization`
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`*`
Same as r48631; added "@file" when needed, also added doc in redirect.php and install-utils.inc 2009-03-21 16:48:09 +00:00			`* - Set $wgUploadDirectory to a non-public directory (not web accessible)`
			`* - Set $wgUploadPath to point to this file`
* s~ +$~~ 2006-01-07 13:09:30 +00:00			`*`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`* Optional Parameters`
			`*`
			`* - Set $wgImgAuthDetails = true if you want the reason the access was denied messages to be displayed`
			`* instead of just the 403 error (doesn't work on IE anyway), otherwise will only appear in error logs`
			`* - Set $wgImgAuthPublicTest false if you don't want to just check and see if all are public`
			`* must be set to false if using specific restrictions such as LockDown or NSFileRepo`
			`*`
			`* For security reasons, you usually don't want your user to know why access was denied, just that it was.`
			`* If you want to change this, you can set $wgImgAuthDetails to 'true' in localsettings.php and it will give the user the reason`
			`* why access was denied.`
			`*`
			`* Your server needs to support PATH_INFO; CGI-based configurations usually don't.`
Same as r48631; added "@file" when needed, also added doc in redirect.php and install-utils.inc 2009-03-21 16:48:09 +00:00			`*`
			`* @file`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`*`
			`**/`

* Moved the main ob_start() from the default LocalSettings.php to WebStart.php. The ob_start() section should preferably be removed from older LocalSettings.php files. * Give Content-Length header for HTTP/1.0 clients. * Partial support for Flash cross-domain-policy filtering. Text entry points should be protected, but uploads are not. 2007-02-19 23:03:37 +00:00			`define( 'MW_NO_OUTPUT_COMPRESSION', 1 );`
Revert "Follow up on r43982. Reduce dirname(__FILE__) calls in core and extensions." Uses $dir in extension files, and assumes that it remains unchanged in require_once( 'maintenance/commandLine.inc' ). In fact, it is likely that '$dir' will be set when setting up command-line, as some extensions will use the same var. Recommended fix: Use $CentralAuth_dir, $EmailPage_dir, etc. 2008-11-30 03:15:22 +00:00			`require_once( dirname( __FILE__ ) . '/includes/WebStart.php' );`
Consolidated web initialisation code into includes/WebStart.php. Moved profiling setup to a hook file "StartProfiler.php", following Brion's suggestion to merge Wikimedia's early profiling patch into subversion. Renamed Profiling.php and logProfilingData(), removed unnecessary wfProfileClose() calls. 2006-07-14 05:35:31 +00:00			`wfProfileIn( 'img_auth.php' );`
Revert "Follow up on r43982. Reduce dirname(__FILE__) calls in core and extensions." Uses $dir in extension files, and assumes that it remains unchanged in require_once( 'maintenance/commandLine.inc' ). In fact, it is likely that '$dir' will be set when setting up command-line, as some extensions will use the same var. Recommended fix: Use $CentralAuth_dir, $EmailPage_dir, etc. 2008-11-30 03:15:22 +00:00			`require_once( dirname( __FILE__ ) . '/includes/StreamFile.php' );`
Script to allow MediaWiki-based authentication for downloading items from the upload directory. To use, deny access to the actual directory, and set $wgUploadPath to this script. Image URLs will be of the form "http://server.com/wiki/img_auth.php/0/00/Image.png". The script checks the cookies and the session data, and if everything is OK, streams out the named file. 2004-06-07 06:57:53 +00:00
Protect users from attacks against their browsers via malicious script-containing uploads, by: 1) Requiring a session token before streaming files out via Special:Undelete 2) Restricting img_auth.php to private wikis only (its intended use case) 2008-11-18 05:57:08 +00:00			`$perms = User::getGroupPermissions( array( '*' ) );`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00
			`// See if this is a public Wiki (no protections)`
			`if ( $wgImgAuthPublicTest && in_array( 'read', $perms, true ) )`
			`wfForbidden('img-auth-accessdenied','img-auth-public');`
Protect users from attacks against their browsers via malicious script-containing uploads, by: 1) Requiring a session token before streaming files out via Special:Undelete 2) Restricting img_auth.php to private wikis only (its intended use case) 2008-11-18 05:57:08 +00:00
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`// Extract path and image information`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`if( !isset( $_SERVER['PATH_INFO'] ) )`
			`wfForbidden('img-auth-accessdenied','img-auth-nopathinfo');`
Clean up a few scriptlets 2004-10-14 02:13:12 +00:00
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`$path = $_SERVER['PATH_INFO'];`
Script to allow MediaWiki-based authentication for downloading items from the upload directory. To use, deny access to the actual directory, and set $wgUploadPath to this script. Image URLs will be of the form "http://server.com/wiki/img_auth.php/0/00/Image.png". The script checks the cookies and the session data, and if everything is OK, streams out the named file. 2004-06-07 06:57:53 +00:00			`$filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );`
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`$realUpload = realpath( $wgUploadDirectory );`

			`// Basic directory traversal check`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`if( substr( $filename, 0, strlen( $realUpload ) ) != $realUpload )`
			`wfForbidden('img-auth-accessdenied','img-auth-notindir');`
Output actual content with the error message, better usage of $wgWhitelistRead, explanation of how to use 2004-06-10 11:52:04 +00:00
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`// Extract the file name and chop off the size specifier`
			`// (e.g. 120px-Foo.png => Foo.png)`
			`$name = wfBaseName( $path );`
			`if( preg_match( '!\d+px-(.*)!i', $name, $m ) )`
			`$name = $m[1];`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00
			`// Check to see if the file exists`
			`if( !file_exists( $filename ) )`
			`wfForbidden('img-auth-accessdenied','img-auth-nofile',htmlspecialchars($filename));`

			`// Check to see if tried to access a directory`
			`if( is_dir( $filename ) )`
			`wfForbidden('img-auth-accessdenied','img-auth-isdir',htmlspecialchars($filename));`

* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00
Step 2 in NS_IMAGE -> NS_FILE transition (bug 44) (WARNING: huge commit). This is a global search and replace of NS_IMAGE and NS_IMAGE_TALK with NS_FILE and NS_FILE_TALK respectively in all core files, excluding those already updated in step 1 (r44004). 2008-12-01 17:14:30 +00:00			`$title = Title::makeTitleSafe( NS_FILE, $name );`
Output actual content with the error message, better usage of $wgWhitelistRead, explanation of how to use 2004-06-10 11:52:04 +00:00
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`// See if could create the title object`
			`if( !$title instanceof Title )`
			`wfForbidden('img-auth-accessdenied','img-auth-badtitle',htmlspecialchars($name));`

			`// Run hook`
			`if (!wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) )`
			`call_user_func_array('wfForbidden',merge_array(array($result[0],$result[1]),array_slice($result,2)));`

			`// Check user authorization for this title`
			`// UserCanRead Checks Whitelist too`
			`if( !$title->userCanRead() )`
			`wfForbidden('img-auth-accessdenied','img-auth-noread',htmlspecialchars($name));`
Script to allow MediaWiki-based authentication for downloading items from the upload directory. To use, deny access to the actual directory, and set $wgUploadPath to this script. Image URLs will be of the form "http://server.com/wiki/img_auth.php/0/00/Image.png". The script checks the cookies and the session data, and if everything is OK, streams out the named file. 2004-06-07 06:57:53 +00:00
Clean up a few scriptlets 2004-10-14 02:13:12 +00:00
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`// Stream the requested file`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			wfDebugLog( 'img_auth', "Streaming `".htmlspecialchars($filename)."`." );
Send Cache-Control: private and Vary headers in img_auth.php. 2007-11-03 02:38:40 +00:00			`wfStreamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );`
Consolidated web initialisation code into includes/WebStart.php. Moved profiling setup to a hook file "StartProfiler.php", following Brion's suggestion to merge Wikimedia's early profiling patch into subversion. Renamed Profiling.php and logProfilingData(), removed unnecessary wfProfileClose() calls. 2006-07-14 05:35:31 +00:00			`wfLogProfilingData();`
Output actual content with the error message, better usage of $wgWhitelistRead, explanation of how to use 2004-06-10 11:52:04 +00:00
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`/**`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`* Issue a standard HTTP 403 Forbidden header ($msg1-a message index, not a message) and an`
			`* error message ($msg2, also a message index), (both required) then end the script`
			`* subsequent arguments to $msg2 will be passed as parameters only for replacing in $msg2`
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`*/`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`function wfForbidden($msg1,$msg2) {`
			`global $wgImgAuthDetails;`
			`$args = func_get_args();`
			`array_shift( $args );`
			`array_shift( $args );`
			`$MsgHdr = wfMsgHTML($msg1);`
			`$detailMsg = call_user_func_array('wfMsgHTML',array_merge(array($wgImgAuthDetails ? $msg2 : 'badaccess-group0'),$args));`
			`wfDebugLog('img_auth', "wfForbidden Hdr:".wfMsgExt( $msg1, array('language' => 'en'))." Msg: ".`
			`call_user_func_array('wfMsgExt',array_merge( array($msg2, array('language' => 'en')),$args)));`
* phpdoc for file description * single quotes 2005-01-27 04:30:18 +00:00			`header( 'HTTP/1.0 403 Forbidden' );`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`header( 'Cache-Control: no-cache' );`
* Add 'charset' to Content-Type headers on various HTTP error responses to forestall additional UTF-7-autodetect XSS issues. Probably not an issue on Apache 2.0+, but most servers send only 'text/html' by default when the script didn't specify more details. This fixes an issue with the Ajax interface error message on MSIE when $wgUseAjax is enabled (not default configuration); this UTF-7 variant on a previously fixed attack vector was discovered by Moshe BA from BugSec: http://www.bugsec.com/articles.php?Security=24 * Trackback responses now specify XML content type 2007-02-21 01:02:47 +00:00			`header( 'Content-Type: text/html; charset=utf-8' );`
Send Cache-Control: private and Vary headers in img_auth.php. 2007-11-03 02:38:40 +00:00			`echo <<<ENDS`
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`<html>`
			`<body>`
bug 19646 Localization of img_auth.php - with enhancements https://bugzilla.wikimedia.org/show_bug.cgi?id=19646 1. Localize img_auth.php using core messages 2. Reorder checks to make sense (and eliminate redundancy)n 3. Add hook 'ImgAuthBeforeStream' to allow custom checking 4. Add globals wgImgAuthDetails, 5. Move all "wfDebugLog" into the rejection functions 2009-09-04 02:44:05 +00:00			`<h1>$MsgHdr</h1>`
			`<p>$detailMsg</p>`
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`</body>`
			`</html>`
Send Cache-Control: private and Vary headers in img_auth.php. 2007-11-03 02:38:40 +00:00			`ENDS;`
Consolidated web initialisation code into includes/WebStart.php. Moved profiling setup to a hook file "StartProfiler.php", following Brion's suggestion to merge Wikimedia's early profiling patch into subversion. Renamed Profiling.php and logProfilingData(), removed unnecessary wfProfileClose() calls. 2006-07-14 05:35:31 +00:00			`wfLogProfilingData();`
* Fix img_auth.php image name extraction for whitelist checking * (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through 2007-08-06 06:15:21 +00:00			`exit();`
Send Cache-Control: private and Vary headers in img_auth.php. 2007-11-03 02:38:40 +00:00			`}`