Remove unused parameter
[mediawiki.git] / img_auth.php
blob9141018103b4c0a0fe2e8347cce663ad0ec6c502
1 <?php
3 /**
4 * Image authorisation script
6 * To use this:
8 * Set $wgUploadDirectory to a non-public directory (not web accessible)
9 * Set $wgUploadPath to point to this file
11 * Your server needs to support PATH_INFO; CGI-based configurations
12 * usually don't.
15 define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
16 require_once( dirname( __FILE__ ) . '/includes/WebStart.php' );
17 wfProfileIn( 'img_auth.php' );
18 require_once( dirname( __FILE__ ) . '/includes/StreamFile.php' );
20 $perms = User::getGroupPermissions( array( '*' ) );
21 if ( in_array( 'read', $perms, true ) ) {
22 wfDebugLog( 'img_auth', 'Public wiki' );
23 wfPublicError();
26 // Extract path and image information
27 if( !isset( $_SERVER['PATH_INFO'] ) ) {
28 wfDebugLog( 'img_auth', 'Missing PATH_INFO' );
29 wfForbidden();
32 $path = $_SERVER['PATH_INFO'];
33 $filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );
34 $realUpload = realpath( $wgUploadDirectory );
35 wfDebugLog( 'img_auth', "\$path is {$path}" );
36 wfDebugLog( 'img_auth', "\$filename is {$filename}" );
38 // Basic directory traversal check
39 if( substr( $filename, 0, strlen( $realUpload ) ) != $realUpload ) {
40 wfDebugLog( 'img_auth', 'Requested path not in upload directory' );
41 wfForbidden();
44 // Extract the file name and chop off the size specifier
45 // (e.g. 120px-Foo.png => Foo.png)
46 $name = wfBaseName( $path );
47 if( preg_match( '!\d+px-(.*)!i', $name, $m ) )
48 $name = $m[1];
49 wfDebugLog( 'img_auth', "\$name is {$name}" );
51 $title = Title::makeTitleSafe( NS_FILE, $name );
52 if( !$title instanceof Title ) {
53 wfDebugLog( 'img_auth', "Unable to construct a valid Title from `{$name}`" );
54 wfForbidden();
56 $title = $title->getPrefixedText();
58 // Check the whitelist if needed
59 if( !$wgUser->getId() && ( !is_array( $wgWhitelistRead ) || !in_array( $title, $wgWhitelistRead ) ) ) {
60 wfDebugLog( 'img_auth', "Not logged in and `{$title}` not in whitelist." );
61 wfForbidden();
64 if( !file_exists( $filename ) ) {
65 wfDebugLog( 'img_auth', "`{$filename}` does not exist" );
66 wfForbidden();
68 if( is_dir( $filename ) ) {
69 wfDebugLog( 'img_auth', "`{$filename}` is a directory" );
70 wfForbidden();
73 // Stream the requested file
74 wfDebugLog( 'img_auth', "Streaming `{$filename}`" );
75 wfStreamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );
76 wfLogProfilingData();
78 /**
79 * Issue a standard HTTP 403 Forbidden header and a basic
80 * error message, then end the script
82 function wfForbidden() {
83 header( 'HTTP/1.0 403 Forbidden' );
84 header( 'Vary: Cookie' );
85 header( 'Content-Type: text/html; charset=utf-8' );
86 echo <<<ENDS
87 <html>
88 <body>
89 <h1>Access Denied</h1>
90 <p>You need to log in to access files on this server.</p>
91 </body>
92 </html>
93 ENDS;
94 wfLogProfilingData();
95 exit();
98 /**
99 * Show a 403 error for use when the wiki is public
101 function wfPublicError() {
102 header( 'HTTP/1.0 403 Forbidden' );
103 header( 'Content-Type: text/html; charset=utf-8' );
104 echo <<<ENDS
105 <html>
106 <body>
107 <h1>Access Denied</h1>
108 <p>The function of img_auth.php is to output files from a private wiki. This wiki
109 is configured as a public wiki. For optimal security, img_auth.php is disabled in
110 this case.
111 </p>
112 </body>
113 </html>
114 ENDS;
115 wfLogProfilingData();
116 exit;