User "Brion VIBBER" changed the status of MediaWiki.r103738.

Old Status: new
New Status: fixme

User "Brion VIBBER" also posted a comment on MediaWiki.r103738.

Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/103738#c26400

Commit summary:

image_auth.php cleanups:
* Factored main code into wfImageAuthMain()
* Made preg_match() for $name account for "page3-" type specifiers in the thumb name
* Code style cleanups

Comment:

The stripping of the page2 prefix is wrong, and allows files to masquerade as other files.

I uploaded a file as 'Fake-stuff-200px-Main_Page.jpg'. URL is like http://stormcloud.local/trunk/img_auth.php/5/53/Fake-stuff-200px-Main_Page.jpg

<pre>
$wgHooks['ImgAuthBeforeStream'][] = function ( &$title, &$path, &$name, &$result ) {
	wfDebug( "XXX t " . $title->getPrefixedText() . "\n" );
	wfDebug( "XXX p " . $path . "\n" );
	wfDebug( "XXX n " . $name . "\n" );
	return true;
};
</pre>

Shows:

<pre>
XXX t File:Main Page.jpg
XXX p /5/53/Fake-stuff-200px-Main_Page.jpg
XXX n Main_Page.jpg
</pre>

The name/title being used for auth checks here are 'Main_Page.jpg' instead of 'Fake-stuff-200px-Main_Page.jpg'.

Looks like the old check would have come up with the same bad response, though; it wasn't anchored at the start of the filename.

Probably better to check for the 'thumb' directory, and use the thumbnail image's immediate parent directory's name for thumbs (which will match the actual orig filename).
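
The masquerade described in the comment, next to the directory-based lookup it proposes, as an added example that is not part of the original message and is not MediaWiki's code. The function names, the regex, and the thumbnail layout `/thumb/<hash dirs>/<original name>/<thumb name>` are assumptions made for illustration; sample paths other than the one quoted in the review are constructed.

```php
<?php
// Added illustration, not img_auth.php itself. Names and pattern are hypothetical.

// Weak form: strip an optional "pageN-" plus "NNNpx-" prefix from the file
// name. The pattern is not anchored, so it also fires in the middle of the
// name of an ordinary upload.
function nameByPrefixStrip( string $path ): string {
	$name = basename( $path );
	if ( preg_match( '/(?:page\d+-)?\d+px-(.*)/', $name, $m ) ) {
		$name = $m[1];
	}
	return $name;
}

// Form suggested in the review: only treat the request as a thumbnail when it
// sits under the 'thumb' directory, and take the original file name from the
// thumbnail's immediate parent directory instead of parsing the thumb name.
function nameByThumbDir( string $path ): string {
	$parts = explode( '/', trim( $path, '/' ) );
	$n = count( $parts );
	// Need at least thumb/<original name>/<thumb name> (assumed layout).
	if ( $n >= 3 && $parts[0] === 'thumb' ) {
		return $parts[$n - 2];
	}
	// Not a thumbnail: the file's own name is the one to authorize against.
	return $parts[$n - 1];
}

$samples = [
	'/5/53/Fake-stuff-200px-Main_Page.jpg',          // path quoted in the review
	'/thumb/a/ab/Main_Page.jpg/200px-Main_Page.jpg', // constructed thumbnail path
	'/thumb/c/cd/Doc.pdf/page3-120px-Doc.pdf.jpg',   // constructed multi-page thumb
];

foreach ( $samples as $p ) {
	printf(
		"%-48s strip=%-30s dir=%s\n",
		$p,
		nameByPrefixStrip( $p ),
		nameByThumbDir( $p )
	);
}
```

For the path from the review, the prefix-stripping function returns the other file's name, while the directory-based function returns the uploaded file's own name, so the authorization check runs against the file actually being streamed.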
