MediaWiki  1.33.1
img_auth.php
Go to the documentation of this file.
1 <?php
41 define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
42 require __DIR__ . '/includes/WebStart.php';
43 
44 # Set action base paths so that WebRequest::getPathInfo()
45 # recognizes the "X" as the 'title' in ../img_auth.php/X urls.
46 $wgArticlePath = false; # Don't let a "/*" article path clober our action path
47 $wgActionPaths = [ "$wgUploadPath/" ];
48 
49 wfImageAuthMain();
50 
51 $mediawiki = new MediaWiki();
52 $mediawiki->doPostOutputShutdown( 'fast' );
53 
54 function wfImageAuthMain() {
55  global $wgImgAuthUrlPathMap;
56 
57  $request = RequestContext::getMain()->getRequest();
58  $publicWiki = in_array( 'read', User::getGroupPermissions( [ '*' ] ), true );
59 
60  // Get the requested file path (source file or thumbnail)
61  $matches = WebRequest::getPathInfo();
62  if ( !isset( $matches['title'] ) ) {
63  wfForbidden( 'img-auth-accessdenied', 'img-auth-nopathinfo' );
64  return;
65  }
66  $path = $matches['title'];
67  if ( $path && $path[0] !== '/' ) {
68  // Make sure $path has a leading /
69  $path = "/" . $path;
70  }
71 
72  // Check for T30235: QUERY_STRING overriding the correct extension
73  $whitelist = [];
74  $extension = FileBackend::extensionFromPath( $path, 'rawcase' );
75  if ( $extension != '' ) {
76  $whitelist[] = $extension;
77  }
78  if ( !$request->checkUrlExtension( $whitelist ) ) {
79  return;
80  }
81 
82  // Various extensions may have their own backends that need access.
83  // Check if there is a special backend and storage base path for this file.
84  foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) {
85  $prefix = rtrim( $prefix, '/' ) . '/'; // implicit trailing slash
86  if ( strpos( $path, $prefix ) === 0 ) {
87  $be = FileBackendGroup::singleton()->backendFromPath( $storageDir );
88  $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix
89  // Check basic user authorization
90  if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) {
91  wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path );
92  return;
93  }
94  if ( $be->fileExists( [ 'src' => $filename ] ) ) {
95  wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
96  $be->streamFile( [ 'src' => $filename ],
97  [ 'Cache-Control: private', 'Vary: Cookie' ] );
98  } else {
99  wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path );
100  }
101  return;
102  }
103  }
104 
105  // Get the local file repository
106  $repo = RepoGroup::singleton()->getRepo( 'local' );
107  $zone = strstr( ltrim( $path, '/' ), '/', true );
108 
109  // Get the full file storage path and extract the source file name.
110  // (e.g. 120px-Foo.png => Foo.png or page2-120px-Foo.png => Foo.png).
111  // This only applies to thumbnails/transcoded, and each of them should
112  // be under a folder that has the source file name.
113  if ( $zone === 'thumb' || $zone === 'transcoded' ) {
114  $name = wfBaseName( dirname( $path ) );
115  $filename = $repo->getZonePath( $zone ) . substr( $path, strlen( "/" . $zone ) );
116  // Check to see if the file exists
117  if ( !$repo->fileExists( $filename ) ) {
118  wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename );
119  return;
120  }
121  } else {
122  $name = wfBaseName( $path ); // file is a source file
123  $filename = $repo->getZonePath( 'public' ) . $path;
124  // Check to see if the file exists and is not deleted
125  $bits = explode( '!', $name, 2 );
126  if ( substr( $path, 0, 9 ) === '/archive/' && count( $bits ) == 2 ) {
127  $file = $repo->newFromArchiveName( $bits[1], $name );
128  } else {
129  $file = $repo->newFile( $name );
130  }
131  if ( !$file->exists() || $file->isDeleted( File::DELETED_FILE ) ) {
132  wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename );
133  return;
134  }
135  }
136 
137  $headers = []; // extra HTTP headers to send
138 
139  $title = Title::makeTitleSafe( NS_FILE, $name );
140 
141  if ( !$publicWiki ) {
142  // For private wikis, run extra auth checks and set cache control headers
143  $headers['Cache-Control'] = 'private';
144  $headers['Vary'] = 'Cookie';
145 
146  if ( !$title instanceof Title ) { // files have valid titles
147  wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name );
148  return;
149  }
150 
151  // Run hook for extension authorization plugins
153  $result = null;
154  if ( !Hooks::run( 'ImgAuthBeforeStream', [ &$title, &$path, &$name, &$result ] ) ) {
155  wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) );
156  return;
157  }
158 
159  // Check user authorization for this title
160  // Checks Whitelist too
161  if ( !$title->userCan( 'read' ) ) {
162  wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name );
163  return;
164  }
165  }
166 
167  if ( isset( $_SERVER['HTTP_RANGE'] ) ) {
168  $headers['Range'] = $_SERVER['HTTP_RANGE'];
169  }
170  if ( isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) {
171  $headers['If-Modified-Since'] = $_SERVER['HTTP_IF_MODIFIED_SINCE'];
172  }
173 
174  if ( $request->getCheck( 'download' ) ) {
175  $headers['Content-Disposition'] = 'attachment';
176  }
177 
178  // Allow modification of headers before streaming a file
179  Hooks::run( 'ImgAuthModifyHeaders', [ $title->getTitleValue(), &$headers ] );
180 
181  // Stream the requested file
182  list( $headers, $options ) = HTTPFileStreamer::preprocessHeaders( $headers );
183  wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
184  $repo->streamFile( $filename, $headers, $options );
185 }
186 
194 function wfForbidden( $msg1, $msg2 ) {
195  global $wgImgAuthDetails;
196 
197  $args = func_get_args();
198  array_shift( $args );
199  array_shift( $args );
200  $args = ( isset( $args[0] ) && is_array( $args[0] ) ) ? $args[0] : $args;
201 
202  $msgHdr = wfMessage( $msg1 )->escaped();
203  $detailMsgKey = $wgImgAuthDetails ? $msg2 : 'badaccess-group0';
204  $detailMsg = wfMessage( $detailMsgKey, $args )->escaped();
205 
206  wfDebugLog( 'img_auth',
207  "wfForbidden Hdr: " . wfMessage( $msg1 )->inLanguage( 'en' )->text() . " Msg: " .
208  wfMessage( $msg2, $args )->inLanguage( 'en' )->text()
209  );
210 
211  HttpStatus::header( 403 );
212  header( 'Cache-Control: no-cache' );
213  header( 'Content-Type: text/html; charset=utf-8' );
214  echo <<<ENDS
215 <!DOCTYPE html>
216 <html>
217 <head>
218 <meta charset="UTF-8" />
219 <title>$msgHdr</title>
220 </head>
221 <body>
222 <h1>$msgHdr</h1>
223 <p>$detailMsg</p>
224 </body>
225 </html>
226 ENDS;
227 }
cache
you have access to all of the normal MediaWiki so you can get a DB use the cache
Definition: maintenance.txt:52
php
injection txt This is an overview of how MediaWiki makes use of dependency injection The design described here grew from the discussion of RFC T384 The term dependency this means that anything an object needs to operate should be injected from the the object itself should only know narrow no concrete implementation of the logic it relies on The requirement to inject everything typically results in an architecture that based on two main types of and essentially stateless service objects that use other service objects to operate on the value objects As of the beginning MediaWiki is only starting to use the DI approach Much of the code still relies on global state or direct resulting in a highly cyclical dependency which acts as the top level factory for services in MediaWiki which can be used to gain access to default instances of various services MediaWikiServices however also allows new services to be defined and default services to be redefined Services are defined or redefined by providing a callback the instantiator that will return a new instance of the service When it will create an instance of MediaWikiServices and populate it with the services defined in the files listed by thereby bootstrapping the DI framework Per $wgServiceWiringFiles lists includes ServiceWiring php
Definition: injection.txt:35
Makefile.download
def download(url, dest)
Definition: Makefile.py:47
title
title
Definition: parserTests.txt:245
Content
Base interface for content objects.
Definition: Content.php:34
$wgArticlePath
$wgArticlePath
Definition: img_auth.php:46
text
This list may contain false positives That usually means there is additional text with links below the first Each row contains links to the first and second as well as the first line of the second redirect text
Definition: All_system_messages.txt:1267
Cookie
Definition: Cookie.php:24
If
c Accompany it with the information you received as to the offer to distribute corresponding source complete source code means all the source code for all modules it plus any associated interface definition plus the scripts used to control compilation and installation of the executable as a special the source code distributed need not include anything that is normally and so on of the operating system on which the executable unless that component itself accompanies the executable If distribution of executable or object code is made by offering access to copy from a designated then offering equivalent access to copy the source code from the same place counts as distribution of the source even though third parties are not compelled to copy the source along with the object code You may not or distribute the Program except as expressly provided under this License Any attempt otherwise to sublicense or distribute the Program is and will automatically terminate your rights under this License parties who have received or from you under this License will not have their licenses terminated so long as such parties remain in full compliance You are not required to accept this since you have not signed it nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if you do not accept this License by modifying or distributing the you indicate your acceptance of this License to do and all its terms and conditions for distributing or modifying the Program or works based on it Each time you redistribute the the recipient automatically receives a license from the original licensor to distribute or modify the Program subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance by third parties to this License If
Definition: COPYING.txt:191