Revision: 43625
Author: brion
Date: 2008-11-17 19:01:07 +0000 (Mon, 17 Nov 2008)
Log Message:
-----------
* Add a .htaccess to deleted images directory for additional protection
against exposure of deleted files with known SHA-1 hashes on default
installations.
Applying Tim's fixes
Modified Paths:
--------------
trunk/phase3/RELEASE-NOTES
trunk/phase3/includes/filerepo/FSRepo.php
Modified: trunk/phase3/RELEASE-NOTES
===================================================================
--- trunk/phase3/RELEASE-NOTES 2008-11-17 18:58:57 UTC (rev 43624)
+++ trunk/phase3/RELEASE-NOTES 2008-11-17 19:01:07 UTC (rev 43625)
@@ -349,8 +349,10 @@
* Less verbose errors from profileinfo.php when not configured
* Blacklist redirects via Special:Filepath, hard to use.
* Improved input validation on Special:Import form
+* Add a .htaccess to deleted images directory for additional protection
+ against exposure of deleted files with known SHA-1 hashes on default
+ installations.
-
=== API changes in 1.14 ===
* Registration time of users registered before the DB field was created is now
Modified: trunk/phase3/includes/filerepo/FSRepo.php
===================================================================
--- trunk/phase3/includes/filerepo/FSRepo.php 2008-11-17 18:58:57 UTC (rev
43624)
+++ trunk/phase3/includes/filerepo/FSRepo.php 2008-11-17 19:01:07 UTC (rev
43625)
@@ -149,10 +149,8 @@
if ( !wfMkdirParents( $dstDir ) ) {
return $this->newFatal(
'directorycreateerror', $dstDir );
}
- // In the deleted zone, seed new directories
with a blank
- // index.html, to prevent crawling
if ( $dstZone == 'deleted' ) {
- file_put_contents(
"$dstDir/index.html", '' );
+ $this->initDeletedDir( $dstDir );
}
}
@@ -215,6 +213,20 @@
}
/**
+ * Take all available measures to prevent web accessibility of new
deleted
+ * directories, in case the user has not configured offline storage
+ */
+ protected function initDeletedDir( $dir ) {
+ // Add a .htaccess file to the root of the deleted zone
+ $root = $this->getZonePath( 'deleted' );
+ if ( !file_exists( "$root/.htaccess" ) ) {
+ file_put_contents( "$root/.htaccess", "Deny from all\n"
);
+ }
+ // Seed new directories with a blank index.html, to prevent
crawling
+ file_put_contents( "$dir/index.html", '' );
+ }
+
+ /**
* Pick a random name in the temp zone and store a file to it.
* @param string $originalName The base name of the file as specified
* by the user. The file extension will be maintained.
@@ -393,8 +405,7 @@
$status->fatal( 'directorycreateerror',
$archiveDir );
continue;
}
- // Seed new directories with a blank
index.html, to prevent crawling
- file_put_contents( "$archiveDir/index.html", ''
);
+ $this->initDeletedDir( $archiveDir );
}
// Check if the archive directory is writable
// This doesn't appear to work on NTFS
_______________________________________________
MediaWiki-CVS mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs
