jenkins-bot has submitted this change and it was merged. Change subject: Moved isDeleted() check down to avoid information leakage in thumb.php ......................................................................
Moved isDeleted() check down to avoid information leakage in thumb.php Change-Id: Idcbf79ef7c82f5bcf3c0ab1002fde2201d81313f --- M thumb.php 1 file changed, 6 insertions(+), 6 deletions(-) Approvals: CSteipp: Looks good to me, approved jenkins-bot: Verified diff --git a/thumb.php b/thumb.php index c5da918..1f823bd 100644 --- a/thumb.php +++ b/thumb.php @@ -163,12 +163,6 @@ return; } - // Check if the file is hidden - if ( $img->isDeleted( File::DELETED_FILE ) ) { - wfThumbError( 404, "The source file '$fileName' does not exist." ); - return; - } - // Check permissions if there are read restrictions $varyHeader = array(); if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) { @@ -181,6 +175,12 @@ $varyHeader[] = 'Cookie'; } + // Check if the file is hidden + if ( $img->isDeleted( File::DELETED_FILE ) ) { + wfThumbError( 404, "The source file '$fileName' does not exist." ); + return; + } + // Do rendering parameters extraction from thumbnail name. if ( isset( $params['thumbName'] ) ) { $params = wfExtractThumbParams( $img, $params ); -- To view, visit https://gerrit.wikimedia.org/r/130571 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Idcbf79ef7c82f5bcf3c0ab1002fde2201d81313f Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Aaron Schulz <asch...@wikimedia.org> Gerrit-Reviewer: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits