Tim Starling
6b5e2f5f0b
Send Cache-Control: private and Vary headers in img_auth.php.
2007-11-03 02:38:40 +00:00
Rob Church
2062e9508f
* Fix img_auth.php image name extraction for whitelist checking
...
* (bug 10756) img_auth.php will now refuse logged-out requests when there is no whitelist, rather than allowing them through
2007-08-06 06:15:21 +00:00
Aryeh Gregor
a15c419b3d
Remove ?>'s from files. They're pointless, and just asking for people to mess with the files and add trailing whitespace. (Yes, I looked over every one and reverted those that were bogus. Slash-enter a million times in less worked well enough, although it was a bit mind-numbing.)
2007-06-29 01:19:14 +00:00
Brion Vibber
2d5ac3c276
* Add 'charset' to Content-Type headers on various HTTP error responses
...
to forestall additional UTF-7-autodetect XSS issues. Probably not an
issue on Apache 2.0+, but most servers send only 'text/html' by default
when the script didn't specify more details.
This fixes an issue with the Ajax interface error message on MSIE when
$wgUseAjax is enabled (not default configuration); this UTF-7 variant
on a previously fixed attack vector was discovered by Moshe BA from BugSec:
http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
2007-02-21 01:02:47 +00:00
Tim Starling
28dc3ec888
* Moved the main ob_start() from the default LocalSettings.php to WebStart.php.
...
The ob_start() section should preferably be removed from older
LocalSettings.php files.
* Give Content-Length header for HTTP/1.0 clients.
* Partial support for Flash cross-domain-policy filtering. Text entry points should be protected, but uploads are not.
2007-02-19 23:03:37 +00:00
Brion Vibber
c3343c0f1a
add some debugging output to img_auth.php
2006-11-16 12:26:34 +00:00
Brion Vibber
cbb9596427
* (bug 7279) Use wfBaseName in place of basename() in more places
2006-09-10 12:11:36 +00:00
Tim Starling
c447831419
wrong language object
2006-07-16 04:07:01 +00:00
Tim Starling
3ea576aa25
Consolidated web initialisation code into includes/WebStart.php. Moved profiling setup to a hook file "StartProfiler.php", following Brion's suggestion to merge Wikimedia's early profiling patch into subversion. Renamed Profiling.php and logProfilingData(), removed unnecessary wfProfileClose() calls.
2006-07-14 05:35:31 +00:00
Brion Vibber
266d41f165
* Added wfDie() wrapper, and some manual die(-1), to force the return code
...
to the shell to return nonzero when we crap out with an error.
2006-01-14 02:49:43 +00:00
Ævar Arnfjörð Bjarmason
7bbe971aec
* s~ +$~~
2006-01-07 13:09:30 +00:00
Tim Starling
239ba39261
workaround for any current or future exploit of the $GLOBALS overwrite vulnerability
2005-10-31 21:14:07 +00:00
Tim Starling
9411d91b49
Optional thumbnail generation by client request, using thumb.php. This removes any need for access to image files on page view. Experimental, some aspects still haven't been tested.
2005-04-16 04:33:34 +00:00
Brion Vibber
b090ca3fd5
* (bug 1642) fix a mime type typo in img_auth.php
2005-03-07 06:34:46 +00:00
Antoine Musso
773f135ab1
* phpdoc for file description
...
* single quotes
2005-01-27 04:30:18 +00:00
Brion Vibber
53856406a6
Clean up a few scriptlets
2004-10-14 02:13:12 +00:00
Tim Starling
cd2e8170d2
Ahh, so that's what that does
2004-08-12 06:54:58 +00:00
Tim Starling
24babf696a
Output actual content with the error message, better usage of $wgWhitelistRead, explanation of how to use
2004-06-10 11:52:04 +00:00
Tim Starling
0655c03974
Script to allow MediaWiki-based authentication for downloading items from the upload directory. To use, deny access to the actual directory, and set $wgUploadPath to this script. Image URLs will be of the form "http://server.com/wiki/img_auth.php/0/00/Image.png". The script checks the cookies and the session data, and if everything is OK, streams out the named file.
2004-06-07 06:57:53 +00:00