https://bugzilla.wikimedia.org/show_bug.cgi?id=32486
--- Comment #2 from Voyagerfan5761 / dgw <[email protected]> 2011-11-21 23:22:27 UTC --- (In reply to comment #1) > What value does it get set to? Adding a couple debugging lines to img_auth.php@45112b89 (I use the GitHub mirror) dated 2011-11-20, I get: $matches = Array ( [title] => img_auth.php/a/ab/File_name.ext ) 1 $path = img_auth.php/a/ab/File_name.ext The extra bit at the beginning makes the realpath() call on Line 71 return false (see https://github.com/mediawiki/mediawiki-trunk-phase3/blob/797386c6fa75a3c4d239c8ebcd2f6c796f512f8e/img_auth.php#L71 ) That in turn makes $filename = '' (empty) and so the directory traversal check on L75 fails. This is all because WebRequest::getPathInfo() is returning the filename of the calling script along with the actual PATH_INFO data. Hope that helps. I don't really understand WebRequest too well, and I don't have time to dig until later this week. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
